On Sep 23, 2013, at 2:56 PM, Russ Allbery <ea...@windlord.stanford.edu> wrote:
> Unfortunately, I got seriously distracted doing other things, and haven't
> been able to get back to this.  We're not deploying Apache 2.4 yet, so
> it's not been a priority.  I'd therefore be very happy for you to work on
> it.

Great!  I partially implemented this approach by using
ap_hook_check_access_ex to skip the check_user_id checks altogether if we're
in the WebAuthOptional case.

> I think this will work properly, although one thing to be careful of is
> subqueries.  mod_webauth already doesn't set the various environment
> variables on subqueries; I don't know if that's correct behavior or not,
> since it's hard to find an exhaustive list of what subqueries are used
> for.  You do need to stash the app token data somewhere where fixups can
> get it back.

Since the code path is not dramatically changed I haven't really tested
subqueries -- I don't think that this changes the behavior in a way that
could affect them.  I'm happy to run things through the wringer a bit more
here.  Httpd 2.4 does have some support for removing redundant auth hook
calls by setting AP_AUTH_INTERNAL_PER_CONF.

>  Currently, WebAuth uses notes to store the authenticated
> identity, but fixups will need more than that.  I was going to see if
> there's now a place for per-request data that will persist through
> subqueries and use that instead of notes.

Yes, the place for that is r->request_config.  I've implemented that for
mod_webauth_check_access, check_user_id_hook, and fixups_hook.  It can
probably be used in translate_name_hook too, but more carefully since
MWA_REQ_CTXT->{dconf,sconf} aren't there yet.

Let me know if this approach looks OK, and if you'd like me to iterate.

Pull from http://bcodding.w3.uvm.edu/git/webauth uvm-apache-2.4

Ben

