authorSimo Sorce <simo@redhat.com>2015-03-30 12:48:30 -0400
committerSimo Sorce <simo@redhat.com>2015-03-31 12:18:05 -0400
commite5db7c1f5738c7874e73869a2f4511193f956b81 (patch)
tree330afe698ef7592211c8517cb513654095d6c8fd /src
parent286e3dac69c3d4b32db93de1f9937f434383588f (diff)
Handle authentication on subrequests
In some cases (like during directory listing) Apache will re-run the authentication code. Many GSSAPI mechanisms have replay detection, so we cannot simply rerun the accept_sec_context phase. Others require multiple steps. When authentication has already been established, just implicitly consider the authentication successfully performed and copy the user name. Otherwise fail. If a subrequest hits a location with a different mod_auth_gssapi configuration, warn but do not error off right away. Fixes #15
Diffstat (limited to 'src')
-rw-r--r--src/mod_auth_gssapi.c33
1 files changed, 29 insertions, 4 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index c7881bf..e233110 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
return DECLINED;
}
- /* ignore auth for subrequests */
+ cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+
+ /* implicit auth for subrequests if main auth already happened */
if (!ap_is_initial_req(req)) {
- return OK;
+ type = ap_auth_type(req->main);
+ if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+ /* warn if the subrequest location and the main request
+ * location have different configs */
+ if (cfg != ap_get_module_config(req->main->per_dir_config,
+ &auth_gssapi_module)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+ req, "Subrequest authentication bypass on "
+ "location with different configuration!");
+ }
+ if (req->main->user) {
+ req->user = apr_pstrdup(req->pool, req->main->user);
+ return OK;
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "The main request is tasked to establish the "
+ "security context, can't proceed!");
+ return HTTP_UNAUTHORIZED;
+ }
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+ "Subrequest GSSAPI auth with no auth on the main "
+ "request. This operation may fail if other "
+ "subrequests already established a context or the "
+ "mechanism requires multiple roundtrips.");
+ }
}
- cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
-
if (cfg->ssl_only) {
if (!mag_conn_is_https(req->connection)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
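Review bot: The warning in the subrequest branch is logged with `APLOG_WARNING||APLOG_NOERRNO`, a logical OR that evaluates to 1 (httpd's alert level) instead of the warning mask; it should read `APLOG_WARNING|APLOG_NOERRNO`, matching the other two calls in this hunk that use `|`. Separately, that branch copies `req->main->user` and returns OK even when the subrequest's per-directory config differs from the main request's, and it returns before the `cfg->ssl_only` check below, so a stricter configuration on the subrequest location is not enforced on this path. The commit message indicates this is deliberate for now, but a comment at the `return OK` would make the trade-off visible, e.g. `/* NOTE: ssl_only and the subrequest location's own settings are not re-checked on this path */`. mag_auth's body starts and ends outside the hunk.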