authorJames Groffen <james.groffen@dsto.defence.gov.au>2016-01-08 17:01:50 +1030
committerSimo Sorce <simo@redhat.com>2016-02-17 18:59:31 -0500
commitf9cc36700c95a88ff7d7489167094556ac0e75cc (patch)
tree030e0fa04d5e075e13620f2480409984996c07c0 /src
parentf29a1574c94ad8875626d4d707cc712a6f68ee29 (diff)
Add option to not send a Negotiate header
If negotiation was attempted but failed do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers. Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test. [SS: reworded and fixed commit subject/comment] [SS: fixed whitespace errors and 80 column wrappings] Reviewed-by: Simo Sorce <simo@redhat.com> Close #65
Diffstat (limited to 'src')
-rw-r--r--src/mod_auth_gssapi.c27
-rw-r--r--src/mod_auth_gssapi.h1
2 files changed, 23 insertions, 5 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 088fb88..dd4e6bc 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -674,6 +674,7 @@ static int mag_auth(request_rec *req)
gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
struct mag_conn *mc = NULL;
int i;
+ bool send_auth_header = true;
type = ap_auth_type(req);
if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) {
@@ -765,6 +766,9 @@ static int mag_auth(request_rec *req)
auth_header_type = ap_getword_white(req->pool, &auth_header);
if (!auth_header_type) goto done;
+ /* We got auth header, sending auth header would mean re-auth */
+ send_auth_header = !cfg->negotiate_once;
+
for (i = 0; auth_types[i] != NULL; i++) {
if (strcasecmp(auth_header_type, auth_types[i]) == 0) {
auth_type = i;
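Review bot: `send_auth_header = !cfg->negotiate_once;` is evaluated as soon as any Authorization scheme token has been parsed, before the loop below identifies which mechanism it is, so with GssapiNegotiateOnce a failed Basic attempt also suppresses the Negotiate and NTLM challenges, although the help string added in the command-table hunk says "on negotiate failure". If the option is meant to apply only to Negotiate/NTLM attempts, move the assignment after `auth_type = i;` and skip it when the matched entry is the Basic scheme (the auth_types index names are not visible in this hunk). The comment above the assignment would also read more precisely as `/* A credential was already presented; with GssapiNegotiateOnce do not issue a new challenge */`. mag_auth begins and ends outside this hunk.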
@@ -957,11 +961,14 @@ done:
apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply);
}
} else if (ret == HTTP_UNAUTHORIZED) {
- apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate");
-
- if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
- cfg->gss_conn_ctx)) {
- apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM");
+ if (send_auth_header) {
+ apr_table_add(req->err_headers_out,
+ req_cfg->rep_proto, "Negotiate");
+ if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
+ cfg->gss_conn_ctx)) {
+ apr_table_add(req->err_headers_out, req_cfg->rep_proto,
+ "NTLM");
+ }
}
if (cfg->use_basic_auth) {
apr_table_add(req->err_headers_out, req_cfg->rep_proto,
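Review bot: When `send_auth_header` is false and `cfg->use_basic_auth` is also off, this branch returns 401 without adding any `req_cfg->rep_proto` (WWW-Authenticate) value, as far as the hunk shows; RFC 7235 expects a 401 to carry at least one challenge, so this deliberate deviation deserves a comment at the `if (send_auth_header)` line, e.g. `/* GssapiNegotiateOnce: a failed attempt gets a bare 401 (plus Basic if enabled) so browsers do not re-prompt */`. The rest of mag_auth lies outside this hunk.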
@@ -1229,6 +1236,14 @@ static const char *mag_allow_mech(cmd_parms *parms, void *mconfig,
return NULL;
}
+static const char *mag_negotiate_once(cmd_parms *parms, void *mconfig, int on)
+{
+ struct mag_config *cfg = (struct mag_config *)mconfig;
+
+ cfg->negotiate_once = on ? true : false;
+ return NULL;
+}
+
#define GSS_NAME_ATTR_USERDATA "GSS Name Attributes Userdata"
static apr_status_t mag_name_attrs_cleanup(void *data)
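Review bot: In mag_negotiate_once, `cfg->negotiate_once = on ? true : false;` can be written as `cfg->negotiate_once = (on != 0);`, which is the usual form for converting an AP_INIT_FLAG argument to a bool. A one-line comment above the function naming the directive it backs, `/* GssapiNegotiateOnce: suppress the Negotiate/NTLM challenge after a failed attempt */`, would make the table entry easier to trace back.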
@@ -1360,6 +1375,8 @@ static const command_rec mag_commands[] = {
#endif
AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG,
"Allowed Mechanisms"),
+ AP_INIT_FLAG("GssapiNegotiateOnce", mag_negotiate_once, NULL, OR_AUTHCFG,
+ "Don't resend negotiate header on negotiate failure"),
AP_INIT_RAW_ARGS("GssapiNameAttributes", mag_name_attrs, NULL, OR_AUTHCFG,
"Name Attributes to be exported as environ variables"),
{ NULL }
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 4e9fdf3..ea563ec 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -74,6 +74,7 @@ struct mag_config {
bool use_basic_auth;
gss_OID_set_desc *allowed_mechs;
gss_OID_set_desc *basic_mechs;
+ bool negotiate_once;
struct mag_name_attributes *name_attributes;
};