Location of Apache Modules

2009-04-21 Thread Michele Waldman
I ran a find for functions like ap_hook_auth_checker, ap_run_type_checker
and a few other functions.

I could not find the function definitions.  All I could find was a
reference to them in server/export.c.
 
Does anyone know where all of the functions are?

It's difficult to trace through the code if you can't find it.

I've been glancing over the server code and I see references to
"subrequests".

That appears to be what the ajax call may be.  I noticed the reference in the
digest modules was the main html file, even though it was validating the
credentials for the ajax file, which may be treated as a subrequest?

What's throwing me for a loop, is that it is logging in with the first
request, but not forcing a new login with different credentials on
subsequent requests.

Michele




FW: [M] mod_auth_digest hook

2009-04-21 Thread Michele Waldman
Maybe, if I'm a little clearer someone might be able to point in the right
direction.  I don't think I need to modify mod_auth_digest, but another
apache module.

What I have is a person logging into htaccess using ajax.  The file they
access has htaccess require valid-user.

The first time they log in, great.

To log out, they log into a logout account.  The file they access has
require user logout.

The next time they try to log into the account via ajax, they are granted
access to the page they are calling, but remote_user is not set.

I put print statements in mod_auth_digest authenticate_digest_user to see
what was happening.

All of the values are right, the user is authenticated, but the new user
is not logged in.  Apache keeps them logged into the logout account and only
grants access to that one page.

Does anyone know which module I should modify to force a new login?  I'm
thinking whichever module calls the hooks has to be modified.  Is this
right?

It looks like I don't have to modify mod_auth_digest, which authenticates,
but probably the httpd module that calls the hooks and does the actual
logging in.  I was looking at the module util_script.c which sets
remote_user, but I'm not sure if this is the right module.  I'm not
terribly familiar with apache.  It also just sets remote_user to r->user,
which should work.  I may need to look at the module that calls that
ap_add_common_vars to see if it's not being called.  If this is the only
module that sets the environment variable, then I think it's being
skipped.

I tried implementing htaccess require restrict logout.  But since the new
user is not logout, access is granted for that page, but the account is not
logged into.

It seems to me if a page is accessed and granted a page in the directory
with new credentials, apache would log in the new user but doesn't.

M*



Re: Location of Apache Modules

2009-04-21 Thread Eric Covener
On Tue, Apr 21, 2009 at 12:51 PM, Michele Waldman wrote:
> I ran a find for functions like ap_hook_auth_checker, ap_run_type_checker
> and a few other functions.
>
> I could not find the function definitions.  All I could find was a
> reference to them in server/export.c.
>
> Does anyone know where all of the functions are?
>
> It's difficult to trace through the code if you can't find it.

These functions are defined by preprocessor macros such as:

AP_IMPLEMENT_HOOK_RUN_FIRST
AP_IMPLEMENT_HOOK_RUN_ALL

The 2nd argument gets baked into function names like ap_run_XXX and ap_hook_XX.

If you're just using grep, you can usually get good results just using
the unique bit at the end. If you use something like cscope, you have
to know that you can't copy/paste to find the definitions/callers and
have to put the names together by hand.

>
> I've been glancing over the server code and I see references to
> "subrequests".
>
> That appears what the ajax call may be.  I noticed the reference in the
> digest modules was the main html file, even though it was validating the
> credentials for the ajax file, which may be treated as a subrequest?

subrequests are an internal notion only, e.g. some kinds of rewrites
or things like DirectoryIndex are handled internally as subrequests.
The components of SSI are subrequests as well.

>
> What's throwing me for a loop, is that it is logging in with the first
> request, but not forcing a new login with different credentials on
> subsequent requests.

Did your browser send digest credentials on the ajax request?  You can
log %{Authorization}i in the access log to quickly tell.

If credentials were sent, can mod_log_config log a %u or were they
ignored (due to no Require, satisfy any, etc)?


-- 
Eric Covener
cove...@gmail.com
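
Added illustration, not part of the original thread and not httpd's actual macro: a simplified two-argument version of the token-pasting pattern described in the reply above, showing why a search for the full `ap_run_XXX` name finds no definition. All `demo_*` names, the `request` struct and the two callbacks are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401
#define MAX_HOOKS 8

typedef struct { const char *user; } request;  /* stand-in for request_rec */

/* Simplified stand-in for a RUN_FIRST hook macro. The 2nd argument is
 * token-pasted into demo_hook_<name> (register a callback) and
 * demo_run_<name> (call callbacks in order until one does not decline),
 * so neither full function name appears literally in the source. */
#define DEMO_IMPLEMENT_HOOK_RUN_FIRST(ret, name)                         \
    typedef ret (*demo_##name##_fn)(request *);                          \
    static demo_##name##_fn name##_hooks[MAX_HOOKS];                     \
    static size_t name##_count;                                          \
    static void demo_hook_##name(demo_##name##_fn fn) {                  \
        if (name##_count < MAX_HOOKS) name##_hooks[name##_count++] = fn; \
    }                                                                    \
    static ret demo_run_##name(request *r) {                             \
        for (size_t i = 0; i < name##_count; i++) {                      \
            ret rv = name##_hooks[i](r);                                 \
            if (rv != DECLINED) return rv;                               \
        }                                                                \
        return DECLINED;                                                 \
    }

/* The only place the hook name is written out. */
DEMO_IMPLEMENT_HOOK_RUN_FIRST(int, auth_checker)

static int decline_all(request *r) { (void)r; return DECLINED; }
static int require_user(request *r) { return r->user ? OK : HTTP_UNAUTHORIZED; }

/* Registers both callbacks once, then runs the generated hook chain. */
int demo_check(const char *user) {
    static int registered;
    request r = { user };
    if (!registered) {
        demo_hook_auth_checker(decline_all);
        demo_hook_auth_checker(require_user);
        registered = 1;
    }
    return demo_run_auth_checker(&r);
}

int main(void) { printf("%d %d\n", demo_check("alice"), demo_check(NULL)); return 0; }
```

Searching this file for `demo_run_auth_checker` finds only the caller; searching for `auth_checker` finds the macro invocation that defines it.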


RE: Location of Apache Modules

2009-04-21 Thread Michele Waldman
> Did your browser send digest credentials on the ajax request?  You can
> log %{Authorization}i in the access log to quickly tell.

Yes.  The browser is sending the credentials.  I did check this.  That's what
was hanging me up.

> If credentials were sent, can mod_log_config log a %u or were they
> ignored (due to no Require, satisfy any, etc)?
> 
On the first request it's logging in.

On the second request, a user is already logged in and it's not utilizing
the credentials to login, but it is using them to access the page being
called.

I'm not sure what you mean by "can mod_log_config".  Is that the file that
performs the login?  Do you think sending a header can force the new login?

Michele