authorSimo Sorce <simo@redhat.com>2015-03-06 09:30:51 -0500
committerSimo Sorce <simo@redhat.com>2015-03-06 09:55:37 -0500
commite6d9a30c889fe042cf3ad5073519f348dbe924f0 (patch)
tree33e0f2c237b83f246bd03573f51cf85784249407
parent7407b64481bc49ad552f9ba0ff2efe1f6fb0982e (diff)
Remove forward basic auth and fix docs
Fixes #8
-rw-r--r--README18
-rw-r--r--src/mod_auth_gssapi.c32
-rw-r--r--src/mod_auth_gssapi.h6
3 files changed, 21 insertions, 35 deletions
diff --git a/README b/README
index 903d199..6c37412 100644
--- a/README
+++ b/README
@@ -176,9 +176,19 @@ Example:
### GssapiBasicAuth
Allows the use of Basic Auth in conjunction with Negotiate.
-Two modes are supported, direct usage of the received username and password
-to try to acquire credentials via GSSAPI, or forwarding to following apache
-module.
+If the browser fails to use Negotiate is will instead fallback to Basic and
+the username and password will be used to try to acquire credentials in the
+module via GSSAPI. If credentials are acquire successfully then they are
+validated agaist the server's keytab.
+
+Enable with: GssapiBasicAuth On
+Default: GssapiBasicAuth Off
Example:
- GssapiBasicAuth Forward
+<Location /gssapi>
+ AuthType GSSAPI
+ AuthName "Login"
+ GssapiBasicAuth On
+ GssapiCredStore keytab:/etc/httpd/http.keytab
+ Require valid-user
+</Location>
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 4ba543e..aed0c3b 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -255,26 +255,14 @@ static int mag_auth(request_rec *req)
input.value = apr_pcalloc(req->pool, input.length);
if (!input.value) goto done;
input.length = apr_base64_decode(input.value, auth_header_value);
- } else if (strcasecmp(auth_header_type, "Basic") == 0) {
+ } else if ((strcasecmp(auth_header_type, "Basic") == 0) &&
+ (cfg->use_basic_auth == true)) {
auth_type = "Basic";
is_basic = true;
gss_buffer_desc ba_user;
gss_buffer_desc ba_pwd;
- switch (cfg->basic_auth) {
- case BA_ON:
- /* handle directly */
- break;
- case BA_FORWARD:
- /* decline to handle ourselves, let other modules do it */
- ret = DECLINED;
- goto done;
- case BA_OFF:
- goto done;
- default:
- goto done;
- }
ba_pwd.value = ap_pbase64decode(req->pool, auth_header);
if (!ba_pwd.value) goto done;
ba_user.value = ap_getword_nulls_nc(req->pool,
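Review bot: The added guard compares a bool against a constant, `(cfg->use_basic_auth == true)`; the plain form `cfg->use_basic_auth` is enough and matches the test this same commit writes for the WWW-Authenticate challenge further down (`if (cfg->use_basic_auth)`). The removed switch also gave a "Basic" header a definite exit (`goto done`) when the feature was off; now that the check is folded into the `else if`, such a request falls through to whatever branch follows the chain, which lies outside the hunk, so it is worth confirming that path still ends in the unauthorized response rather than continuing with an unset auth type. mag_auth begins and ends outside this hunk.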
@@ -483,7 +471,7 @@ done:
} else {
apr_table_add(req->err_headers_out,
"WWW-Authenticate", "Negotiate");
- if (cfg->basic_auth != BA_OFF) {
+ if (cfg->use_basic_auth) {
apr_table_add(req->err_headers_out,
"WWW-Authenticate",
apr_psprintf(req->pool, "Basic realm=\"%s\"",
@@ -674,19 +662,11 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig,
return NULL;
}
-static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig,
- const char *value)
+static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on)
{
struct mag_config *cfg = (struct mag_config *)mconfig;
- if (strcasecmp(value, "on") == 0) {
- cfg->basic_auth = BA_ON;
- } else if (strcasecmp(value, "forward") == 0) {
- cfg->basic_auth = BA_FORWARD;
- } else {
- cfg->basic_auth = BA_OFF;
- }
-
+ cfg->use_basic_auth = on ? true : false;
return NULL;
}
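Review bot: mag_use_basic_auth carries no comment, and the 0/1 contract of its new `on` parameter is only implied by the AP_INIT_FLAG registration in a later hunk rather than by anything in the function itself. A one-line header would make the handler self-describing: `/* GssapiBasicAuth On|Off: when on, a Basic header is accepted and the password is used to acquire GSSAPI credentials */`. `parms` is unused in both the old and the new body; `(void)parms;` would document that and silence -Wunused-parameter if the build enables it.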
@@ -712,7 +692,7 @@ static const command_rec mag_commands[] = {
OR_AUTHCFG, "Directory to store delegated credentials"),
#endif
#ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD
- AP_INIT_TAKE1("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG,
+ AP_INIT_FLAG("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG,
"Allows use of Basic Auth for authentication"),
#endif
{ NULL }
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 9ebadcc..efe230d 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -43,11 +43,7 @@ struct mag_config {
char *deleg_ccache_dir;
gss_key_value_set_desc *cred_store;
struct seal_key *mag_skey;
- enum {
- BA_OFF = 0,
- BA_FORWARD = 1,
- BA_ON = 2
- } basic_auth;
+ bool use_basic_auth;
};
struct mag_conn {
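Review bot: `bool use_basic_auth;` requires `<stdbool.h>` (or a header that pulls it in) to be visible in mod_auth_gssapi.h; the include list is not in the hunk, so confirm it is present, otherwise every translation unit including this header stops compiling. The removed enum documented itself through its constant names, while the bare bool does not; a trailing comment such as `bool use_basic_auth; /* GssapiBasicAuth: accept Basic and acquire GSSAPI creds with the password */` would keep that information next to the field. The opening line of struct mag_config is outside this hunk.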