The following reply was made to PR mod_auth-any/1809; it has been noted by
GNATS.
From: John Mechalas <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: mod_auth-any/1809: Suggestion for improving authentication modules
and core source code, problem with 401 and ErrorDocument
Date: Tue, 17 Feb 1998 12:09:15 -0800 (PST)
> If you want to add the diffs to your change-request please
> reply to this message (without changing the subject line)
> and include the diffs.
> Thanks in advance.
Okay...here they are. Note that these are from the apache 1.2.5 source.
The mods to http_protocol.c and mod_auth.c have been fully tested and are
in production here. I have not fully tested mod_auth_db.c
The http_protocol.c changes make two environment variables available
to the subprocess (CGI script):
AUTH_TYPE
AUTH_NAME
their values come straight from the directives that define access
control for the requested URL. They can be used to generate the
WWW-Authenticate: header (though you have to access them as
REDIRECT_AUTH_TYPE and REDIRECT_AUTH_NAME because of the way Apache
handles environment variables during a redirection).
The mods to mod_auth*.c set variables to provide info on what
authorization is required, and why authorization failed. This is
described in the original bug report text.
I wanted to be able to make all modifications to the module code,
only, but it was not possible. Apparently, Apache does not consult
the authentication modules (mod_auth*) if the browser doesn't send an
authentication string in its requests (and a browser won't send this
string unless the server sends a "WWW-Authenticate:" header...hence,
an unresolvable situation, requiring the modification be made in the
http_protocol.c source).
Cheers,
John
------------------------------ 8< Cut here 8< ---------------------------------
*** mod_auth.c.dist Fri Feb 13 17:45:45 1998
--- mod_auth.c Tue Feb 17 11:49:48 1998
***************
*** 188,193 ****
--- 188,194 ----
conn_rec *c = r->connection;
char *sent_pw, *real_pw;
char errstr[MAX_STRING_LEN];
+ table *e = r->subprocess_env;
int res;
if ((res = get_basic_auth_pw (r, &sent_pw))) return res;
***************
*** 201,206 ****
--- 202,208 ----
ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
log_reason (errstr, r->uri, r);
note_basic_auth_failure (r);
+ table_set(e, "AUTH_ERROR", "user not found");
return AUTH_REQUIRED;
}
/* anyone know where the prototype for crypt is? */
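Review bot: The AUTH_ERROR value added before `return AUTH_REQUIRED` here is "user not found", while the next hunk sets "password incorrect". Unlike the log_reason() text, this distinction goes into r->subprocess_env, which the description says is meant for the script that produces the 401 page. If that script echoes the value, an unauthenticated client can tell existing account names from non-existent ones. Consider one value for both failures, e.g. `table_set(e, "AUTH_ERROR", "authentication failed");`, and keep the detail in the server log only. The same pair is added in the two mod_auth_db.c hunks, and the enclosing function starts and ends outside this hunk.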
***************
*** 208,213 ****
--- 210,216 ----
ap_snprintf(errstr, sizeof(errstr), "user %s: password
mismatch",c->user);
log_reason (errstr, r->uri, r);
note_basic_auth_failure (r);
+ table_set(e, "AUTH_ERROR", "password incorrect");
return AUTH_REQUIRED;
}
return OK;
***************
*** 226,231 ****
--- 229,235 ----
table *grpstatus;
array_header *reqs_arr = requires (r);
require_line *reqs;
+ table *e = r->subprocess_env;
/* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
* then any user will do.
***************
*** 247,257 ****
--- 251,263 ----
t = reqs[x].requirement;
w = getword(r->pool, &t, ' ');
+ table_set(e, "AUTH_REQUIRE", w);
if(!strcmp(w,"valid-user"))
return OK;
if(!strcmp(w,"user")) {
while(t[0]) {
w = getword_conf (r->pool, &t);
+ table_merge(e, "AUTH_REQUIRE_ID", w);
if(!strcmp(user,w))
return OK;
}
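Review bot: `table_merge(e, "AUTH_REQUIRE_ID", w)` runs before the `strcmp(user,w)` test, so every name examined is placed in subprocess_env even on the path that returns OK. A successfully authorised CGI request would then carry the permitted user names (and, from the next hunk and the mod_auth_db.c group loop, group names) in its environment, as would the 401 handler. Consider collecting the names locally and setting AUTH_REQUIRE_ID only where AUTH_ERROR "permission denied" is set. Also, AUTH_REQUIRE is overwritten by `table_set` for each require line while AUTH_REQUIRE_ID accumulates across them, so with more than one require line the two variables appear to describe different things. This deserves a comment or a reset per line. The loop over `reqs` starts outside this hunk.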
***************
*** 262,267 ****
--- 268,274 ----
while(t[0]) {
w = getword_conf(r->pool, &t);
+ table_merge(e, "AUTH_REQUIRE_ID", w);
if(table_get (grpstatus, w))
return OK;
}
***************
*** 274,279 ****
--- 281,287 ----
if (!(sec -> auth_authoritative))
return DECLINED;
+ table_set(e, "AUTH_ERROR", "permission denied");
note_basic_auth_failure (r);
return AUTH_REQUIRED;
}
***************
*** 296,298 ****
--- 304,307 ----
NULL, /* logger */
NULL /* header parser */
};
+
*** mod_auth_db.c.dist Sun Feb 15 20:44:44 1998
--- mod_auth_db.c Sun Feb 15 20:51:52 1998
***************
*** 190,195 ****
--- 190,196 ----
conn_rec *c = r->connection;
char *sent_pw, *real_pw, *colon_pw;
char errstr[MAX_STRING_LEN];
+ table *e = r->subprocess_env;
int res;
if ((res = get_basic_auth_pw (r, &sent_pw)))
***************
*** 204,209 ****
--- 205,211 ----
ap_snprintf(errstr, sizeof(errstr), "DB user %s not found", c->user);
log_reason (errstr, r->filename, r);
note_basic_auth_failure (r);
+ table_set(e, "AUTH_ERROR", "user not found");
return AUTH_REQUIRED;
}
/* Password is up to first : if exists */
***************
*** 215,220 ****
--- 217,223 ----
"user %s: password mismatch",c->user);
log_reason (errstr, r->uri, r);
note_basic_auth_failure (r);
+ table_set(e, "AUTH_ERROR", "password incorrect");
return AUTH_REQUIRED;
}
return OK;
***************
*** 232,240 ****
array_header *reqs_arr = requires (r);
require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
register int x;
! const char *t;
char *w;
if (!sec->auth_dbgrpfile) return DECLINED;
--- 235,244 ----
array_header *reqs_arr = requires (r);
require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
+ table *e = r->subprocess_env;
register int x;
! const char *orig_t, *t;
char *w;
if (!sec->auth_dbgrpfile) return DECLINED;
***************
*** 247,255 ****
--- 251,267 ----
t = reqs[x].requirement;
w = getword(r->pool, &t, ' ');
+ table_set(e, "AUTH_REQUIRE", w);
if(!strcmp(w,"group") && sec->auth_dbgrpfile) {
const char *orig_groups,*groups;
char *v;
+
+ orig_t = t;
+ while(t[0]) {
+ w = getword(r->pool, &t, ' ');
+ table_merge(e, "AUTH_REQUIRE_ID", w);
+ }
+ t = orig_t;
if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) {
if (!(sec->auth_dbauthoritative))
*** http_protocol.c.dist Sat Feb 14 19:14:26 1998
--- http_protocol.c Sat Feb 14 19:19:57 1998
***************
*** 913,918 ****
--- 913,922 ----
{
const char *auth_line = table_get (r->headers_in, "Authorization");
char *t;
+ table *e = r->subprocess_env;
+
+ table_set(e, "AUTH_TYPE", auth_type(r));
+ table_set(e, "AUTH_NAME", auth_name(r));
if(!(t = auth_type(r)) || strcasecmp(t, "Basic"))
return DECLINED;
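Review bot: Both new `table_set` calls run before the existing `!(t = auth_type(r))` test, so they receive whatever auth_type(r) and auth_name(r) return, including NULL when the directives are absent. Whether table_set accepts a NULL value is not visible in this hunk. Guarding each call would make that explicit, e.g. `if ((t = auth_type(r))) table_set(e, "AUTH_TYPE", t);` and likewise for auth_name(r). AUTH_TYPE is also the CGI variable that scripts conventionally read as "this request was authenticated", and here it is set before any credentials are checked. A distinct name, or a comment stating that it reflects configuration only, would avoid that misreading. The function body continues outside the hunk.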