| From e5db7c1f5738c7874e73869a2f4511193f956b81 Mon Sep 17 00:00:00 2001
 | |
| From: Simo Sorce <simo@redhat.com>
 | |
| Date: Mon, 30 Mar 2015 12:48:30 -0400
 | |
| Subject: [PATCH] Handle authentication on subrequests
 | |
| 
 | |
| In some cases (like during directory listing) Apache will re-run the
 | |
| authentication code. Many GSSAPI mechanism have replay detection so
 | |
| we cannot simply rerun the accept_sec_context phase. Others require
 | |
| multiple steps. When authentication has already been established just
 | |
| implicitly consider the authentication successfully performed and
 | |
| copy the user name. Otherwise fail.
 | |
| If a subrequest hits a location with a different mod_auth_gssapi
 | |
| configuration warn but do not error off right away.
 | |
| 
 | |
| Fixes #15
 | |
| ---
 | |
|  src/mod_auth_gssapi.c | 35 ++++++++++++++++++++++++++++++-----
 | |
|  1 file changed, 30 insertions(+), 5 deletions(-)
 | |
| 
 | |
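diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index c7881bf9e149bb190ad73741250d94541abfd0e8..e2331107b89734bd5da3a742a884c6a92489d5a8 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
         return DECLINED;
     }
 
-    /* ignore auth for subrequests */
-    if (!ap_is_initial_req(req)) {
-        return OK;
-    }
-
     cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
 
+    /* implicit auth for subrequests if main auth already happened */
+    if (!ap_is_initial_req(req)) {
+        type = ap_auth_type(req->main);
+        if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+            /* warn if the subrequest location and the main request
+             * location have different configs */
+            if (cfg != ap_get_module_config(req->main->per_dir_config,
+                                            &auth_gssapi_module)) {
+                ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+                              req, "Subrequest authentication bypass on "
+                                   "location with different configuration!");
+            }
+            if (req->main->user) {
+                req->user = apr_pstrdup(req->pool, req->main->user);
+                return OK;
+            } else {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+                              "The main request is tasked to establish the "
+                              "security context, can't proceed!");
+                return HTTP_UNAUTHORIZED;
+            }
+        } else {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+                          "Subrequest GSSAPI auth with no auth on the main "
+                          "request. This operation may fail if other "
+                          "subrequests already established a context or the "
+                          "mechanism requires multiple roundtrips.");
+        }
+    }
+
     if (cfg->ssl_only) {
         if (!mag_conn_is_https(req->connection)) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,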
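Review bot: `type = ap_auth_type(req->main);` at the top of the new subrequest branch dereferences a NULL pointer on an internal redirect, because `ap_is_initial_req()` is false whenever `req->main` or `req->prev` is set, and on an internal redirect (an ErrorDocument, as far as I can tell) only `req->prev` is set while `req->main` stays NULL, so the branch is reached with `req->main == NULL`; the same NULL is then used again in the `req->main->per_dir_config` and `req->main->user` accesses. Guard the branch with `if (!ap_is_initial_req(req) && req->main != NULL) {` so redirected requests fall through to the normal accept path, and decide separately whether a `req->prev` chain should inherit its user. The warning on the differing-config path also uses logical or: `APLOG_WARNING||APLOG_NOERRNO` evaluates to 1, which is not the warning level, and since this is the only signal that a subrequest inherited authentication under a different configuration it should read `APLOG_WARNING|APLOG_NOERRNO` like the other log calls in the hunk. mag_auth starts and ends outside the hunk.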
 | |
| -- 
 | |
| 2.1.0
 | |
| 
 |