authorolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2012-01-12 13:30:58 +0000
committerolavmrk <olavmrk@a716ebb1-153a-0410-b759-cfb97c6a1b53>2012-01-12 13:30:58 +0000
commitfaf54a426fe2e3eaef2e8b377258778f52918135 (patch)
tree80105c75a2bcb6575cafee81dd2e17f5f3651388
parent9e9ad9fd7ab67968b67b405813369b5ca9d034bf (diff)
Split am_auth_new_ticket() into am_handle_auth() and am_start_auth().
The code in am_auth_new_ticket() was shared between the "auth" endpoint and the code to start authentication from other requests. This results in the possibility of unpredictable interactions between those functions. For example, it was possible to select the IdP from a random page by adding the "IdP" parameter. The "ReturnTo" parameter could also affect where the user was sent after authentication. The result of this change is two new functions, one for starting authentication from other requests, and one for handling the "auth" endpoint. The "auth" endpoint is no longer called from this module's own code, but may still be used elsewhere, so it is kept for backwards compatibility. git-svn-id: https://modmellon.googlecode.com/svn/trunk@149 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--auth_mellon_handler.c51
1 files changed, 42 insertions, 9 deletions
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 4ec3ac7..09e52c2 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -2539,19 +2539,23 @@ static int am_send_authn_request(request_rec *r, const char *idp,
}
-static int am_auth_new_ticket(request_rec *r)
+/* Handle the "auth" endpoint.
+ *
+ * This endpoint is included for backwards-compatibility.
+ *
+ * Parameters:
+ * request_rec *r The request we received.
+ *
+ * Returns:
+ * OK or HTTP_SEE_OTHER on success, an error on failure.
+ */
+static int am_handle_auth(request_rec *r)
{
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
const char *relay_state;
relay_state = am_reconstruct_url(r);
- /* If this is a POST request, attempt to save it */
- if (r->method_number == M_POST) {
- if (am_save_post(r, &relay_state) != OK)
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
/* Check if IdP discovery is in use and no IdP was selected yet */
if ((cfg->discovery_url != NULL) &&
(am_extract_query_parameter(r->pool, r->args, "IdP") == NULL)) {
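Review bot: The retained "auth" endpoint still takes the IdP choice from the request at the `am_extract_query_parameter(r->pool, r->args, "IdP")` check, so the problem named in the commit message (IdP selection driven by a caller-supplied query parameter) is moved out of the normal-request path but not out of this endpoint. Unless the value is validated against the configured IdP metadata further down (am_handle_auth's body continues past the hunk), the new header comment should state this explicitly, e.g. `* NOTE: this endpoint still selects the IdP from the "IdP" query parameter;` / `* only expose it where a request-chosen IdP is acceptable.` The comment should also mention that POST bodies are no longer saved on this endpoint, since the am_save_post() call was removed from it here and a caller relying on the old behaviour will lose the posted data.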
@@ -2842,7 +2846,7 @@ int am_handler(request_rec *r)
} else if(!strcmp(endpoint, "artifactResponse")) {
return am_handle_artifact_reply(r);
} else if(!strcmp(endpoint, "auth")) {
- return am_auth_new_ticket(r);
+ return am_handle_auth(r);
} else if(!strcmp(endpoint, "metadata")) {
return OK;
} else if(!strcmp(endpoint, "repost")) {
@@ -2867,6 +2871,35 @@ int am_handler(request_rec *r)
}
+/**
+ * Trigger a login operation from a "normal" request.
+ *
+ * Parameters:
+ * request_rec *r The request we received.
+ *
+ * Returns:
+ * HTTP_SEE_OTHER on success, or an error on failure.
+ */
+static int am_start_auth(request_rec *r)
+{
+ am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
+ const char *return_to;
+
+ return_to = am_reconstruct_url(r);
+
+ /* If this is a POST request, attempt to save it */
+ if (r->method_number == M_POST) {
+ if (am_save_post(r, &return_to) != OK)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ /* Check if IdP discovery is in use. */
+ if (cfg->discovery_url) {
+ return am_start_disco(r, return_to);
+ }
+
+ return am_send_authn_request(r, am_get_idp(r), return_to, FALSE);
+}
int am_auth_mellon_user(request_rec *r)
{
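Review bot: The header comment on am_start_auth should state the contract that motivates this split: the return target comes from the reconstructed request URL (or the saved-POST URL from am_save_post()) and the IdP from the directory configuration via am_get_idp(r), never from caller-supplied "IdP"/"ReturnTo" query parameters — that is the property a later maintainer must not undo. Suggested lines after the purpose sentence: `* Unlike the "auth" endpoint, the IdP and the return URL are derived from` / `* the request itself and the directory config, not from query parameters.` Two style points in the same hunk: the discovery check `if (cfg->discovery_url)` differs from the explicit `!= NULL` form used in am_handle_auth above, and this comment opens with `/**` while the sibling opens with `/*`. Whether am_get_idp() can return NULL when no IdP is configured is not visible here; if it can, the am_send_authn_request() call should be guarded rather than passing NULL through.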
@@ -2913,7 +2946,7 @@ int am_auth_mellon_user(request_rec *r)
}
/* Send the user to the authentication page on the IdP. */
- return am_auth_new_ticket(r);
+ return am_start_auth(r);
}
/* Verify that the user has access to this resource. */