-rw-r--r--README9
-rw-r--r--auth_mellon.h7
-rw-r--r--auth_mellon_config.c9
-rw-r--r--auth_mellon_handler.c10
4 files changed, 33 insertions, 2 deletions
diff --git a/README b/README
index 949eaf2..12b2825 100644
--- a/README
+++ b/README
@@ -464,6 +464,15 @@ MellonPostCount 100
# Does not check signature on logout messages exchanges with idp1
# MellonDoNotVerifyLogoutSignature http://idp1.example.com/saml/metadata
+
+ # Whether to enable replay of POST requests after authentication. When this option is
+ # enabled, POST requests that trigger authentication will be saved until the
+ # authentication is completed, and then replayed. If this option isn't enabled,
+ # the requests will be turned into normal GET requests after authentication.
+ #
+ # The default is that it is "Off".
+ # MellonPostReplay Off
+
</Location>
diff --git a/auth_mellon.h b/auth_mellon.h
index 12ff5a9..176b2f6 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -224,6 +224,9 @@ typedef struct am_dir_cfg_rec {
/* MellonDoNotVerifyLogoutSignature idp set */
apr_hash_t *do_not_verify_logout_signature;
+ /* Whether we should replay POST data after authentication. */
+ int post_replay;
+
/* Cached lasso server object. */
LassoServer *server;
} am_dir_cfg_rec;
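Review bot: The comment on the new `post_replay` field does not say that it is tri-state, which matters for anyone reading `CFG_MERGE`/`CFG_VALUE` on it later: the directive handler (`ap_set_flag_slot` in auth_mellon_config.c) stores 0 or 1, while `auth_mellon_dir_config` initializes it to `inherit_post_replay` (-1) so that merging can tell "unset" from "Off". I would write `/* Whether we should replay POST data after authentication: 0/1 as set by MellonPostReplay, or inherit_post_replay (-1) while unset so dir_merge can inherit it. */`. The same applies to the constants added in the second hunk of this file, where a one-line note that `default_post_replay` is what `CFG_VALUE` falls back to would help; I am inferring that fallback from the existing subject_confirmation_data_address_check pattern rather than from visible lines.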
@@ -278,6 +281,10 @@ extern const command_rec auth_mellon_commands[];
static const int default_subject_confirmation_data_address_check = 1;
static const int inherit_subject_confirmation_data_address_check = -1;
+/* Default and inherit values for MellonPostReplay option. */
+static const int default_post_replay = 0;
+static const int inherit_post_replay = -1;
+
void *auth_mellon_dir_config(apr_pool_t *p, char *d);
void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add);
diff --git a/auth_mellon_config.c b/auth_mellon_config.c
index 7e103cc..6a1eb2d 100644
--- a/auth_mellon_config.c
+++ b/auth_mellon_config.c
@@ -1144,6 +1144,13 @@ const command_rec auth_mellon_commands[] = {
"A list of entity of IdP whose logout requests signatures will not "
"be valided"
),
+ AP_INIT_FLAG(
+ "MellonPostReplay",
+ ap_set_flag_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, post_replay),
+ OR_AUTHCFG,
+ "Whether we should replay POST requests that trigger authentication. Default is off."
+ ),
{NULL}
};
@@ -1229,6 +1236,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
dir->authn_context_class_ref = apr_array_make(p, 0, sizeof(char *));
dir->subject_confirmation_data_address_check = inherit_subject_confirmation_data_address_check;
dir->do_not_verify_logout_signature = apr_hash_make(p);
+ dir->post_replay = inherit_post_replay;
return dir;
}
@@ -1442,6 +1450,7 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
new_cfg->subject_confirmation_data_address_check =
CFG_MERGE(add_cfg, base_cfg, subject_confirmation_data_address_check);
+ new_cfg->post_replay = CFG_MERGE(add_cfg, base_cfg, post_replay);
return new_cfg;
}
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 9e9fbc3..cdc4c28 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3063,8 +3063,14 @@ static int am_start_auth(request_rec *r)
/* If this is a POST request, attempt to save it */
if (r->method_number == M_POST) {
- if (am_save_post(r, &return_to) != OK)
- return HTTP_INTERNAL_SERVER_ERROR;
+ if (CFG_VALUE(cfg, post_replay)) {
+ if (am_save_post(r, &return_to) != OK)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "POST data dropped because we do not have a"
+ " MellonPostReplay is not enabled.");
+ }
}
/* Check if IdP discovery is in use. */
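Review bot: The debug message in the new else branch is garbled ("because we do not have a MellonPostReplay is not enabled"), so the one log line an operator gets when a POST body is silently discarded does not parse; change the two string fragments to `"POST data dropped because MellonPostReplay is not enabled."`. The comment above the `if (r->method_number == M_POST)` test still says "attempt to save it" unconditionally and should mention that saving now depends on MellonPostReplay. Note also that before this change `am_save_post` ran for every POST, and with `default_post_replay = 0` existing deployments lose POST replay unless they set `MellonPostReplay On`; since the request is then redirected and its body dropped, that behavioral change deserves an explicit mention alongside the README entry. The body of `am_start_auth` begins and continues outside this hunk.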