On 05/16/2013 09:32 AM, Graham Leggett wrote:
> On 16 May 2013, at 3:26 PM, Eric Covener <cove...@gmail.com> wrote:
>
>>> Wow for a "dev" list there is nobody who can even comment in any way
>>> whatsoever. Where do the devs for httpd live for real? IRC? Anyone?
>>> Bueller?
>>
>> This is the right place, despite the fact that nobody has shown
>> interest in your issue in this thread.
>
> As applies to everyone who posts to a public mailing list asking for help, we
> need a proper description of the problem, including an example config that
> would allow someone else to reproduce the problem you are seeing.
>
> The bugreport contains a single paragraph with a vague description of the
> problem, and this tells us nothing. Was the server set up correctly? No way to
> tell.

Thanks for your help.
First of all, the bug report was not put in by me, just found by me. I
have done extensive debugging in the source code to determine some basic
facts, primarily that, when using an ErrorDocument it is impossible to
"keep" the POST body using the kept_body_filter. The r->kept_body is
simply not assigned to the sub request in "internal_internal_redirect"
(and even after "fixing" this and recompiling, it doesn't work because
the filter "ctx" variable is not preserved).
I was asking the question "has anyone ever seen this working", because
it seems that there is no possible way it could ever work AFAICT.
However, if it means someone may help, here is a simple test case:
To start with, the goal is a user should be able to POST data from
within (say) an expired session or unprotected part of the website when
not-yet-logged-in, get the login page, enter credentials, and the
originally POSTed data should be POSTed to the original target.
In order to accomplish this, a basic fact is that the originally POSTed
data must be accessible in some way while handling the login page and
not be discarded. If it's discarded it cannot be preserved, right?
In this example I will show that by the time the ErrorDocument for 401
is invoked (which is the way "inline authentication with body
preservation" works), the POST body has been discarded and the
request has been converted from POST to GET (these are probably related).
So in this example there is a page /start.html which is NOT within the
"private" area of the site. It has a simple form which gets POSTed to
/private/target.html (which doesn't need to exist because we fail before
it's relevant).
The authentication hook intercepts the POST, and the mod_auth_form
throws a 401, which is handled with the ErrorDocument 401
/cgi-bin/login.cgi (or /login.shtml)
When login.cgi runs there is no POST data on STDIN and REQUEST_METHOD is
always GET.
BTW, I have also tried using ErrorDocument 401 /login.shtml (via
mod_include) but the result is the same.
Files attached:
formauth.conf => place in /etc/httpd/conf.d or equiv
start.html => place in /var/www/form_auth_test as per conf
login.shtml => ditto (to activate this change the ErrorDocument in conf)
login.cgi => place in /var/www/form_auth_test_cgi as per conf
This is tested on Fedora 18 with fedora build of httpd 2.4.4-2 as well
as on centos 6 with httpd 2.4.4 compiled from .tar.gz using the
instructions here: http://httpd.apache.org/docs/2.4/platform/rpm.html
Thanks,
David Mansfield

Listen 0.0.0.0:8877
<VirtualHost _default_:8877>
    DocumentRoot "/var/www/form_auth_test"
    ScriptAlias /cgi-bin/ "/var/www/form_auth_test_cgi/"

    <Directory "/var/www/form_auth_test">
        AllowOverride None
        Require all granted
        KeptBodySize 4096
    </Directory>

    <Directory "/var/www/form_auth_test_cgi">
        AllowOverride None
        Require all granted
        KeptBodySize 4096
    </Directory>

    <Location />
        Options +Includes
        KeptBodySize 4096
    </Location>

    <Location /private>
        KeptBodySize 4096
        AuthFormProvider "file"
        AuthUserFile /etc/httpd/conf/form_auth_test.users
        AuthType form
        AuthName "Auth Form Test"
        Require valid-user
        #ErrorDocument 401 /login.shtml
        ErrorDocument 401 /cgi-bin/login.cgi
        Session On
        SessionCookieName session path=/
    </Location>
</VirtualHost>

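#!/usr/bin/perl -w
# Debug handler for ErrorDocument 401: dumps the parsed CGI object and the
# environment so REQUEST_METHOD and any POST body can be inspected.
use strict;
use Data::Dumper;
use CGI;

my $query = CGI->new;
print "Content-type: text/html\r\n\r\n";
print "<pre>\r\n";
# HTML-escape the dumps, since they contain request-controlled values.
print "QUERY=".$query->escapeHTML(Dumper($query));
print "ENV=".$query->escapeHTML(Dumper(\%ENV));
print "</pre>\r\n";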