authorolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2013-03-06 12:53:38 +0000
committerolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2013-03-06 12:53:38 +0000
commit81cf686843634f2e2ff70db6553ef712c531ced0 (patch)
tree6073c55be0e7b1564886a72f9710a56829a94dda
parent5ba60b7ad9f9eff2a7eabcf39c05de6e3e6d8437 (diff)
Disable replay of POST request by default.
Since we are going to disable autocreation of the POST data directory, we will need to disable POST replay by default. This patch adds the MellonPostReplay option, which can be used to enable and disable the POST replay functionality on a per-location basis. git-svn-id: https://modmellon.googlecode.com/svn/trunk@177 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--README9
-rw-r--r--auth_mellon.h7
-rw-r--r--auth_mellon_config.c9
-rw-r--r--auth_mellon_handler.c10
4 files changed, 33 insertions, 2 deletions
diff --git a/README b/README
index 949eaf2..12b2825 100644
--- a/README
+++ b/README
@@ -464,6 +464,15 @@ MellonPostCount 100
# Does not check signature on logout messages exchanges with idp1
# MellonDoNotVerifyLogoutSignature http://idp1.example.com/saml/metadata
+
+ # Whether to enable replay of POST requests after authentication. When this option is
+ # enabled, POST requests that trigger authentication will be saved until the
+ # authentication is completed, and then replayed. If this option isn't enabled,
+ # the requests will be turned into normal GET requests after authentication.
+ #
+ # The default is that it is "Off".
+ # MellonPostReplay Off
+
</Location>
diff --git a/auth_mellon.h b/auth_mellon.h
index 12ff5a9..176b2f6 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -224,6 +224,9 @@ typedef struct am_dir_cfg_rec {
/* MellonDoNotVerifyLogoutSignature idp set */
apr_hash_t *do_not_verify_logout_signature;
+ /* Whether we should replay POST data after authentication. */
+ int post_replay;
+
/* Cached lasso server object. */
LassoServer *server;
} am_dir_cfg_rec;
@@ -278,6 +281,10 @@ extern const command_rec auth_mellon_commands[];
static const int default_subject_confirmation_data_address_check = 1;
static const int inherit_subject_confirmation_data_address_check = -1;
+/* Default and inherit values for MellonPostReplay option. */
+static const int default_post_replay = 0;
+static const int inherit_post_replay = -1;
+
void *auth_mellon_dir_config(apr_pool_t *p, char *d);
void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add);
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 7e103cc..6a1eb2d 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -1144,6 +1144,13 @@ const command_rec auth_mellon_commands[] = {
"A list of entity of IdP whose logout requests signatures will not "
"be valided"
),
+ AP_INIT_FLAG(
+ "MellonPostReplay",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, post_replay),
+ OR_AUTHCFG,
+ "Whether we should replay POST requests that trigger authentication. Default is off."
+ ),
{NULL}
};
@@ -1229,6 +1236,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));
dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check;
dir->do_not_verify_logout_signature = apr_hash_make(p);
+ dir->post_replay = inherit_post_replay;
return dir;
}
@@ -1442,6 +1450,7 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
new_cfg->subject_confirmation_data_address_check =
CFG_MERGE(add_cfg, base_cfg, subject_confirmation_data_address_check);
+ new_cfg->post_replay = CFG_MERGE(add_cfg, base_cfg, post_replay);
return new_cfg;
}
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 9e9fbc3..cdc4c28 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3063,8 +3063,14 @@ static int am_start_auth(request_rec *r)
/* If this is a POST request, attempt to save it */
if (r->method_number == M_POST) {
- if (am_save_post(r, &return_to) != OK)
- return HTTP_INTERNAL_SERVER_ERROR;
+ if (CFG_VALUE(cfg, post_replay)) {
+ if (am_save_post(r, &return_to) != OK)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "POST data dropped because we do not have a"
+ " MellonPostReplay is not enabled.");
+ }
}
/* Check if IdP discovery is in use. */
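Review bot: The log message added in the else branch is garbled ("because we do not have a MellonPostReplay is not enabled") and it is the only trace an operator gets that a request body was discarded, so it should read cleanly: `"POST data dropped because MellonPostReplay is not enabled."`. It is also worth stating in a comment on that branch that the request continues as a normal GET after authentication, since that is the user-visible consequence of the option being off. The `cfg` used in `CFG_VALUE(cfg, post_replay)` is presumably the directory config fetched earlier in am_start_auth; that declaration, and the rest of the function, lie outside the hunk.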