randy 96/12/24 11:10:32
Modified: htdocs/manual/mod mod_auth.html mod_auth_db.html
mod_auth_dbm.html
Log:
Update docs to reflect addition of Authoritative directive.
Submitted by: Dirk vanGulik
Revision Changes Path
1.4 +27 -0 apache/htdocs/manual/mod/mod_auth.html
Index: mod_auth.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_auth.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -C3 -r1.3 -r1.4
*** mod_auth.html 1996/12/02 18:14:00 1.3
--- mod_auth.html 1996/12/24 19:08:23 1.4
***************
*** 17,22 ****
--- 17,23 ----
<menu>
<li><A HREF="#authgroupfile">AuthGroupFile</A>
<li><A HREF="#authuserfile">AuthUserFile</A>
+ <li><A HREF="#authauthoritative">AuthAuthoritative</A>
</menu>
<hr>
***************
*** 69,74 ****
--- 70,101 ----
document tree of the web-server; do <em>not</em> put it in the directory
that
it protects. Otherwise, clients will be able to download the
AuthUserFile.<p>
+ See also <A HREF="core.html#authname">AuthName</A>,
+ <A HREF="core.html#authtype">AuthType</A> and
+ <A HREF="#authgroupfile">AuthGroupFile</A>.<p>
+ <hr>
+ <A name="authauthoritative"><h2>AuthAuthoritative</h2></A>
+ <!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> -->
+ <strong>Syntax:</strong> AuthAuthoritative < <strong>
on</strong>(default) | off > <br>
+ <Strong>Context:</strong> directory, .htaccess<br>
+ <Strong>Override:</strong> AuthConfig<br>
+ <strong>Status:</strong> Base<br>
+ <strong>Module:</strong> mod_auth<p>
+
+ Setting the AuthAuthoritative directive explicitly to <b>'off'</b> allows
for both authentification and authorization to be passed on to lower level
modules (as defined in the <code>Configuration</code> and
<code>modules.c</code> file if there is <b>no userID</b> or <b>rule</b>
matching the supplied userID. If there is a userID and/or rule specified; the
usual password and access checks will be applied and a failure will give an
Authorization Required reply.
+ <p>
+ So if a userID appears in the database of more than one module; or if a
valid require directive applies to more than one module; then the first module
will verify the credentials; and no access is passed on; regardless of the
AuthAuthoritative setting.
+ <p>
+ A common use for this is in conjection with one of the database modules;
such
+ as <a href="mod_auth_anon.c"><code>mod_auth_db.c</code></a>, <a
href="mod_auth_anon.c"><code>mod_auth_dbm.c</code></a>,
+ <a href="mod_auth_anon.c"><code>mod_auth_msql.c</code></a> and <a
href="mod_auth_anon.c"><code>mod_auth_anon.c</code></a>. These modules supply
the bulk of the user credential checking; but a few (administrator) related
accesses fall through to a lower level with a well protected AuthUserFile.
+ <p>
+ <b>Default:</b> By default; control is not passed on; and an unkown userID
or rule will result in an Authorization Required reply. Not setting it thus
keeps the system secure; and forces an NSCA compliant behaviour.
+ <p>
+ Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file; and verify that this is really what you
want; Generally it is easier to just secure a single .htpasswd file, than it is
to secure a database such as mSQL. Make sure that the AuthUserFile is stored
outside the
+ document tree of the web-server; do <em>not</em> put it in the directory
that
+ it protects. Otherwise, clients will be able to download the AuthUserFile.
+ <p>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authgroupfile">AuthGroupFile</A>.<p>
1.5 +25 -0 apache/htdocs/manual/mod/mod_auth_db.html
Index: mod_auth_db.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_auth_db.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -C3 -r1.4 -r1.5
*** mod_auth_db.html 1996/12/02 18:14:01 1.4
--- mod_auth_db.html 1996/12/24 19:08:23 1.5
***************
*** 18,23 ****
--- 18,24 ----
<menu>
<li><A HREF="#authdbgroupfile">AuthDBGroupFile</A>
<li><A HREF="#authdbuserfile">AuthDBUserFile</A>
+ <li><A HREF="#authdbauthoritative">AuthDBAuthoritative</A>
</menu>
<hr>
***************
*** 103,108 ****
--- 104,133 ----
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<p>
+ <hr>
+ <A name="authdbauthoritative"><h2>AuthDBAuthoritative</h2></A>
+ <!--%plaintext <?INDEX {\tt AuthDBAuthoritative} directive> -->
+ <strong>Syntax:</strong> AuthDBAuthoritative < <strong>
on</strong>(default) | off > <br>
+ <Strong>Context:</strong> directory, .htaccess<br>
+ <Strong>Override:</strong> AuthConfig<br>
+ <strong>Status:</strong> Base<br>
+ <strong>Module:</strong> mod_auth<p>
+
+ Setting the AuthDBAuthoritative directive explicitly to <b>'off'</b> allows
for both authentification and authorization to be passed on to lower level
modules (as defined in the <code>Configuration</code> and
<code>modules.c</code> file if there is <b>no userID</b> or <b>rule</b>
matching the supplied userID. If there is a userID and/or rule specified; the
usual password and access checks will be applied and a failure will give an
Authorization Required reply.
+ <p>
+ So if a userID appears in the database of more than one module; or if a
valid require directive applies to more than one module; then the first module
will verify the credentials; and no access is passed on; regardless of the
AuthAuthoritative setting.
+ <p>
+ A common use for this is in conjection with one of the basic auth modules;
such
+ as <a href="mod_auth.c"><code>mod_auth.c</code></a>. Whereas this DB module
supplies the bulk of the user credential checking; a few (administrator)
related accesses fall through to a lower level with a well protected .htpasswd
file.
+ <p>
+ <b>Default:</b> By default; control is not passed on; and an unkown userID
or rule will result in an Authorization Required reply. Not setting it thus
keeps the system secure; and forces an NSCA compliant behaviour.
+ <p>
+ Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file; and verify that this is really what you
want; Generally it is easier to just secure a single .htpasswd file, than it is
to secure a database which might have more access interfaces.
+
+ <p>
+ See also <A HREF="core.html#authname">AuthName</A>,
+ <A HREF="core.html#authtype">AuthType</A> and
+ <A HREF="#authgroupfile">AuthGroupFile</A>.<p>
<!--#include virtual="footer.html" -->
</BODY>
1.6 +26 -0 apache/htdocs/manual/mod/mod_auth_dbm.html
Index: mod_auth_dbm.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_auth_dbm.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -C3 -r1.5 -r1.6
*** mod_auth_dbm.html 1996/12/10 01:19:36 1.5
--- mod_auth_dbm.html 1996/12/24 19:08:24 1.6
***************
*** 17,22 ****
--- 17,23 ----
<menu>
<li><A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>
<li><A HREF="#authdbmuserfile">AuthDBMUserFile</A>
+ <li><A HREF="#authdbmauthoritative">AuthDBMAuthoritative</A>
</menu>
<hr>
***************
*** 103,108 ****
--- 104,134 ----
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<p>
+
+ <hr>
+ <A name="authdbmauthoritative"><h2>AuthDBMAuthoritative</h2></A>
+ <!--%plaintext <?INDEX {\tt AuthDBMAuthoritative} directive> -->
+ <strong>Syntax:</strong> AuthDBMAuthoritative < <strong>
on</strong>(default) | off > <br>
+ <Strong>Context:</strong> directory, .htaccess<br>
+ <Strong>Override:</strong> AuthConfig<br>
+ <strong>Status:</strong> Base<br>
+ <strong>Module:</strong> mod_auth<p>
+
+ Setting the AuthDBMAuthoritative directive explicitly to <b>'off'</b>
allows for both authentification and authorization to be passed on to lower
level modules (as defined in the <code>Configuration</code> and
<code>modules.c</code> file if there is <b>no userID</b> or <b>rule</b>
matching the supplied userID. If there is a userID and/or rule specified; the
usual password and access checks will be applied and a failure will give an
Authorization Required reply.
+ <p>
+ So if a userID appears in the database of more than one module; or if a
valid require directive applies to more than one module; then the first module
will verify the credentials; and no access is passed on; regardless of the
AuthAuthoritative setting.
+ <p>
+ A common use for this is in conjection with one of the basic auth modules;
such
+ as <a href="mod_auth.c"><code>mod_auth.c</code></a>. Whereas this DBM
module supplies the bulk of the user credential checking; a few (administrator)
related accesses fall through to a lower level with a well protected .htpasswd
file.
+ <p>
+ <b>Default:</b> By default; control is not passed on; and an unkown userID
or rule will result in an Authorization Required reply. Not setting it thus
keeps the system secure; and forces an NSCA compliant behaviour.
+ <p>
+ Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file; and verify that this is really what you
want; Generally it is easier to just secure a single .htpasswd file, than it is
to secure a database which might have more access interfaces.
+
+ <p>
+ See also <A HREF="core.html#authname">AuthName</A>,
+ <A HREF="core.html#authtype">AuthType</A> and
+ <A HREF="#authgroupfile">AuthGroupFile</A>.<p>
<!--#include virtual="footer.html" -->
</BODY>
Modified: src CHANGES mod_auth.c mod_auth_db.c mod_auth_dbm.c
Log:
Add an Authoritative directive to the authentication modules, giving the same
control across all of the supplied authentication modules.
Submitted by: Dirk vanGulik
Reviewed by: Chuck Murcko, Randy Terbush
Revision Changes Path
1.96 +7 -0 apache/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache/src/CHANGES,v
retrieving revision 1.95
retrieving revision 1.96
diff -C3 -r1.95 -r1.96
*** CHANGES 1996/12/24 18:48:31 1.95
--- CHANGES 1996/12/24 19:10:28 1.96
***************
*** 1,5 ****
--- 1,12 ----
Changes with Apache 1.2b3:
+ *) Add "Authoratative" directive for Auth modules that don't
+ currently have it. This gives admin control to assign authoritative
+ control to an authentication scheme and allow "fall through" for
+ those authentication modules that aren't "Authoritative" thereby
+ allowing multiple authentication mechanisms to be chained.
+ [Dirk vanGulik]
+
*) Remove requirement for ResourceConfig/AccessConfig if not using
the three config file layout. [Randy Terbush]
1.10 +22 -1 apache/src/mod_auth.c
Index: mod_auth.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_auth.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -C3 -r1.9 -r1.10
*** mod_auth.c 1996/12/01 20:28:47 1.9
--- mod_auth.c 1996/12/24 19:10:29 1.10
***************
*** 56,61 ****
--- 56,67 ----
* Rob McCool
*
* Adapted to Apache by rst.
+ *
+ * dirkx - Added Authoratative control to allow passing on to lower
+ * modules if and only if the user-id is not known to this
+ * module. A known user with a faulty or absent password still
+ * causes an AuthRequired. The default is 'Authoratative', i.e.
+ * no control is passed along.
*/
#include "httpd.h"
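Review bot: The added header comment says control is passed on "if and only if the user-id is not known to this module", but the later hunk in this same file (lines 333-334, `if (!(sec -> auth_authoritative)) return DECLINED;` after the require-rule loop) also declines for a user who is known and has already authenticated when no require rule matched, which is what the manual change on this page documents. The same wording recurs in the mod_auth_db.c and mod_auth_dbm.c header hunks, where the group-file lookups likewise decline for an authenticated user who is simply absent from the group file. Suggest rewording the comment to `* modules if the user-id is not known to this module, or if a known user matches no require rule / group entry; a known user with a faulty or absent password still causes an AuthRequired.` so that a reader does not assume the fall-through is limited to unknown users.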
***************
*** 70,80 ****
typedef struct auth_config_struct {
char *auth_pwfile;
char *auth_grpfile;
} auth_config_rec;
void *create_auth_dir_config (pool *p, char *d)
{
! return pcalloc (p, sizeof(auth_config_rec));
}
const char *set_auth_slot (cmd_parms *cmd, void *offset, char *f, char *t)
--- 76,92 ----
typedef struct auth_config_struct {
char *auth_pwfile;
char *auth_grpfile;
+ int auth_authoritative;
} auth_config_rec;
void *create_auth_dir_config (pool *p, char *d)
{
! auth_config_rec *sec =
! (auth_config_rec *) pcalloc (p, sizeof(auth_config_rec));
! sec->auth_pwfile = NULL; /* just to illustrate the default really */
! sec->auth_grpfile = NULL; /* unless you have a broken HP cc */
! sec->auth_authoritative = 1; /* keep the fortress secure by default */
! return sec;
}
const char *set_auth_slot (cmd_parms *cmd, void *offset, char *f, char *t)
***************
*** 90,95 ****
--- 102,111 ----
(void*)XtOffsetOf(auth_config_rec,auth_pwfile), OR_AUTHCFG, TAKE12, NULL
},
{ "AuthGroupFile", set_auth_slot,
(void*)XtOffsetOf(auth_config_rec,auth_grpfile), OR_AUTHCFG, TAKE12, NULL
},
+ { "Auth_MSQL_Authoritative", set_flag_slot,
+ (void*)XtOffsetOf(auth_config_rec,auth_authoritative),
+ OR_AUTHCFG, FLAG,
+ "Set to 'no' to allow access control to be passed along to lower modules
if the UserID is not known to this module" },
{ NULL }
};
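Review bot: The directive is registered as `"Auth_MSQL_Authoritative"` while the mod_auth.html change on this page documents it as `AuthAuthoritative` (and the db/dbm modules use the `AuthDB…`/`AuthDBM…` form); a configuration written from the manual would presumably not match this entry. Change the first line to `{ "AuthAuthoritative", set_flag_slot,`. The help string says "Set to 'no'" while the documented syntax is `on | off`; the same wording appears in the mod_auth_db.c and mod_auth_dbm.c directive-table hunks, so `"Set to 'off' to allow …"` would be consistent across all three. The help string also appears split across two lines here, which I take to be mail wrapping rather than a broken literal.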
***************
*** 180,185 ****
--- 196,203 ----
return DECLINED;
if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) {
+ if (!(sec->auth_authoritative))
+ return DECLINED;
sprintf(errstr,"user %s not found",c->user);
log_reason (errstr, r->uri, r);
note_basic_auth_failure (r);
***************
*** 252,257 ****
--- 270,278 ----
if (!method_restricted)
return OK;
+
+ if (!(sec -> auth_authoritative))
+ return DECLINED;
note_basic_auth_failure (r);
return AUTH_REQUIRED;
1.7 +21 -2 apache/src/mod_auth_db.c
Index: mod_auth_db.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_auth_db.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -C3 -r1.6 -r1.7
*** mod_auth_db.c 1996/12/01 20:28:49 1.6
--- mod_auth_db.c 1996/12/24 19:10:29 1.7
***************
*** 72,77 ****
--- 72,83 ----
* On some BSD systems (e.g. FreeBSD and NetBSD) dbm is automatically
* mapped to Berkeley DB. You can use either mod_auth_dbm or
* mod_auth_db. The latter makes it more obvious that it's Berkeley.
+ *
+ * dirkx - Added Authoratative control to allow passing on to lower
+ * modules if and only if the user-id is not known to this
+ * module. A known user with a faulty or absent password still
+ * causes an AuthRequired. The default is 'Authoratative', i.e.
+ * no control is passed along.
*/
#include "httpd.h"
***************
*** 85,96 ****
char *auth_dbpwfile;
char *auth_dbgrpfile;
!
} db_auth_config_rec;
void *create_db_auth_dir_config (pool *p, char *d)
{
! return pcalloc (p, sizeof(db_auth_config_rec));
}
const char *set_db_slot (cmd_parms *cmd, void *offset, char *f, char *t)
--- 91,107 ----
char *auth_dbpwfile;
char *auth_dbgrpfile;
! int auth_dbauthoritative;
} db_auth_config_rec;
void *create_db_auth_dir_config (pool *p, char *d)
{
! db_auth_config_rec *sec
! = (db_auth_config_rec *)pcalloc (p, sizeof(db_auth_config_rec));
! sec->auth_dbpwfile = NULL;
! sec->auth_dbgrpfile = NULL;
! sec->auth_dbauthoritative=1; /* fortress is secure by default */
! return sec;
}
const char *set_db_slot (cmd_parms *cmd, void *offset, char *f, char *t)
***************
*** 114,119 ****
--- 125,134 ----
{ "AuthGroupFile", set_db_slot,
(void*)XtOffsetOf(db_auth_config_rec, auth_dbgrpfile),
OR_AUTHCFG, TAKE12, NULL },
+ { "AuthDBAuthoratative", set_flag_slot,
+ (void*)XtOffsetOf(db_auth_config_rec, auth_dbauthoritative),
+ OR_AUTHCFG, FLAG,
+ "Set to 'no' to allow access control to be passed along to lower
modules if the userID is not known to this module" },
{ NULL }
};
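Review bot: The new directive name is misspelled as `"AuthDBAuthoratative"` whereas the mod_auth_db.html change on this page documents `AuthDBAuthoritative` (menu entry and section anchor), so the documented spelling would presumably be rejected as an unknown directive and the administrator could not turn the module non-authoritative as described. Change the first added line to `{ "AuthDBAuthoratative", set_flag_slot,` → `{ "AuthDBAuthoritative", set_flag_slot,`. The default of 1 set in create_db_auth_dir_config means the mismatch fails closed, but the documentation and code should agree.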
***************
*** 184,189 ****
--- 199,206 ----
return DECLINED;
if(!(real_pw = get_db_pw(r, c->user, sec->auth_dbpwfile))) {
+ if (!(sec -> auth_dbauthoritative))
+ return DECLINED;
sprintf(errstr,"DB user %s not found", c->user);
log_reason (errstr, r->filename, r);
note_basic_auth_failure (r);
***************
*** 234,239 ****
--- 251,258 ----
char *v;
if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) {
+ if (!(sec->auth_dbauthoritative))
+ return DECLINED:
sprintf(errstr,"user %s not in DB group file %s",
user, sec->auth_dbgrpfile);
log_reason (errstr, r->filename, r);
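Review bot: The added `return DECLINED:` ends with a colon instead of a semicolon, which makes it a label-like construct that will not compile; it should read `return DECLINED;` as in the equivalent mod_auth_dbm.c hunk. The enclosing group-check function starts and ends outside this hunk.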
1.11 +22 -1 apache/src/mod_auth_dbm.c
Index: mod_auth_dbm.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_auth_dbm.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -C3 -r1.10 -r1.11
*** mod_auth_dbm.c 1996/12/01 20:28:51 1.10
--- mod_auth_dbm.c 1996/12/24 19:10:30 1.11
***************
*** 56,61 ****
--- 56,67 ----
* Rob McCool & Brian Behlendorf.
*
* Adapted to Apache by rst.
+ *
+ * dirkx - Added Authoratative control to allow passing on to lower
+ * modules if and only if the user-id is not known to this
+ * module. A known user with a faulty or absent password still
+ * causes an AuthRequired. The default is 'Authoratative', i.e.
+ * no control is passed along.
*/
#include "httpd.h"
***************
*** 69,80 ****
char *auth_dbmpwfile;
char *auth_dbmgrpfile;
} dbm_auth_config_rec;
void *create_dbm_auth_dir_config (pool *p, char *d)
{
! return pcalloc (p, sizeof(dbm_auth_config_rec));
}
const char *set_dbm_slot (cmd_parms *cmd, void *offset, char *f, char *t)
--- 75,94 ----
char *auth_dbmpwfile;
char *auth_dbmgrpfile;
+ int auth_dbmauthoritative;
} dbm_auth_config_rec;
void *create_dbm_auth_dir_config (pool *p, char *d)
{
! dbm_auth_config_rec *sec
! = (dbm_auth_config_rec *)pcalloc (p, sizeof(dbm_auth_config_rec));
!
! sec->auth_dbmpwfile = NULL;
! sec->auth_dbmgrpfile = NULL;
! sec->auth_dbmauthoritative = 1; /* fortress is secure by default */
!
! return sec;
}
const char *set_dbm_slot (cmd_parms *cmd, void *offset, char *f, char *t)
***************
*** 98,103 ****
--- 112,120 ----
{ "AuthGroupFile", set_dbm_slot,
(void*)XtOffsetOf(dbm_auth_config_rec, auth_dbmgrpfile),
OR_AUTHCFG, TAKE12, NULL },
+ { "AuthDBMAuthoritative", set_flag_slot,
+ (void*)XtOffsetOf(dbm_auth_config_rec, auth_dbmauthoritative),
+ OR_AUTHCFG, FLAG, "Set to 'no' to allow access control to be passed
along to lower modules, if the UserID is not known in this module" },
{ NULL }
};
***************
*** 170,175 ****
--- 187,194 ----
return DECLINED;
if(!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) {
+ if (!(sec->auth_dbmauthoritative))
+ return DECLINED;
sprintf(errstr,"DBM user %s not found", c->user);
log_reason (errstr, r->filename, r);
note_basic_auth_failure (r);
***************
*** 220,225 ****
--- 239,246 ----
char *v;
if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) {
+ if (!(sec->auth_dbmauthoritative))
+ return DECLINED;
sprintf(errstr,"user %s not in DBM group file %s",
user, sec->auth_dbmgrpfile);
log_reason (errstr, r->filename, r);