/* Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License.
*/
#include"apr_strings.h" #include"apr_lib.h"/* for apr_isspace */ #include"apr_base64.h"/* for apr_base64_decode et al */ #define APR_WANT_STRFUNC /* for strcasecmp */ #include"apr_want.h"
/* lookup and cache the actual provider now */
newp->provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
newp->provider_name,
AUTHN_PROVIDER_VERSION);
if (newp->provider == NULL) { /* by the time they use it, the provider should be loaded and
registered with us. */ return apr_psprintf(cmd->pool, "Unknown Authn provider: %s",
newp->provider_name);
}
if (!newp->provider->check_password) { /* if it doesn't provide the appropriate function, reject it */ return apr_psprintf(cmd->pool, "The '%s' Authn provider doesn't support " "Basic Authentication", newp->provider_name);
}
/* Add it to the list now. */ if (!conf->providers) {
conf->providers = newp;
} else {
authn_provider_list *last = conf->providers;
while (last->next) {
last = last->next;
}
last->next = newp;
}
if (!strcasecmp(user, "off")) {
conf->fakeuser = NULL;
conf->fakepass = NULL;
conf->fake_set = 1;
} else { /* if password is unspecified, set it to the fixed string "password" to * be compatible with the behaviour of mod_ssl.
*/ if (!pass) {
pass = "password";
}
conf->fakeuser =
ap_expr_parse_cmd(cmd, user, AP_EXPR_FLAG_STRING_RESULT,
&err, NULL); if (err) { return apr_psprintf(cmd->pool, "Could not parse fake username expression '%s': %s", user,
err);
}
conf->fakepass =
ap_expr_parse_cmd(cmd, pass, AP_EXPR_FLAG_STRING_RESULT,
&err, NULL); if (err) { return apr_psprintf(cmd->pool, "Could not parse fake password expression associated to user '%s': %s",
user, err);
}
conf->fake_set = 1;
}
staticconst command_rec auth_basic_cmds[] =
{
AP_INIT_ITERATE("AuthBasicProvider", add_authn_provider, NULL, OR_AUTHCFG, "specify the auth providers for a directory or location"),
AP_INIT_FLAG("AuthBasicAuthoritative", set_authoritative, NULL, OR_AUTHCFG, "Set to 'Off' to allow access control to be passed along to " "lower modules if the UserID is not known to this module"),
AP_INIT_TAKE12("AuthBasicFake", add_basic_fake, NULL, OR_AUTHCFG, "Fake basic authentication using the given expressions for " "username and password, 'off' to disable. Password defaults " "to 'password' if missing."),
AP_INIT_TAKE1("AuthBasicUseDigestAlgorithm", set_use_digest_algorithm,
NULL, OR_AUTHCFG, "Set to 'MD5' to use the auth provider's authentication " "check for digest auth, using a hash of 'user:realm:pass'"),
{NULL}
};
module AP_MODULE_DECLARE_DATA auth_basic_module;
/* These functions return 0 if client is OK, and proper error status * if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or * HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we * couldn't figure out how to tell if the client is authorized or not. * * If they return DECLINED, and all other modules also decline, that's * treated by the server core as a configuration error, logged and * reported as such.
*/
/* set the user, even though the user is unauthenticated at this point */
r->user = (char *) *user;
return OK;
}
/* Determine user ID, and check if it really is that user, for HTTP * basic authentication...
*/ staticint authenticate_basic_user(request_rec *r)
{
auth_basic_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_basic_module); constchar *sent_user, *sent_pw, *current_auth; constchar *realm = NULL; constchar *digest = NULL; int res;
authn_status auth_result;
authn_provider_list *current_provider;
/* Are we configured to be Basic auth? */
current_auth = ap_auth_type(r); if (!current_auth || ap_cstr_casecmp(current_auth, "Basic")) { return DECLINED;
}
/* We need an authentication realm. */ if (!ap_auth_name(r)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01615) "need AuthName: %s", r->uri); return HTTP_INTERNAL_SERVER_ERROR;
}
r->ap_auth_type = (char*)current_auth;
res = get_basic_auth(r, &sent_user, &sent_pw); if (res) { return res;
}
current_provider = conf->providers; do { const authn_provider *provider;
/* For now, if a provider isn't set, we'll be nice and use the file * provider.
*/ if (!current_provider) {
provider = ap_lookup_provider(AUTHN_PROVIDER_GROUP,
AUTHN_DEFAULT_PROVIDER,
AUTHN_PROVIDER_VERSION);
/* If we're not really configured for providers, stop now. */ if (!conf->providers) { break;
}
current_provider = current_provider->next;
} while (current_provider);
if (auth_result != AUTH_GRANTED) { int return_code;
/* If we're not authoritative, then any error is ignored. */ if (!(conf->authoritative) && auth_result != AUTH_DENIED) { return DECLINED;
}
switch (auth_result) { case AUTH_DENIED:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01617) "user %s: authentication failure for \"%s\": " "Password Mismatch",
sent_user, r->uri);
return_code = HTTP_UNAUTHORIZED; break; case AUTH_USER_NOT_FOUND:
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01618) "user %s not found: %s", sent_user, r->uri);
return_code = HTTP_UNAUTHORIZED; break; case AUTH_GENERAL_ERROR: default: /* We'll assume that the module has already said what its error * was in the logs.
*/
return_code = HTTP_INTERNAL_SERVER_ERROR; break;
}
/* If we're returning 401, tell them to try again. */ if (return_code == HTTP_UNAUTHORIZED) {
note_basic_auth_failure(r);
} return return_code;
}
return OK;
}
/* If requested, create a fake basic authentication header for the benefit * of a proxy or application running behind this server.
*/ staticint authenticate_basic_fake(request_rec *r)
{ constchar *auth_line, *user, *pass, *err;
auth_basic_config_rec *conf = ap_get_module_config(r->per_dir_config,
&auth_basic_module);
if (!conf->fakeuser) { return DECLINED;
}
user = ap_expr_str_exec(r, conf->fakeuser, &err); if (err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02455) "AuthBasicFake: could not evaluate user expression for URI '%s': %s", r->uri, err); return HTTP_INTERNAL_SERVER_ERROR;
} if (!user || !*user) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02458) "AuthBasicFake: empty username expression for URI '%s', ignoring", r->uri);
apr_table_unset(r->headers_in, "Authorization");
return DECLINED;
}
pass = ap_expr_str_exec(r, conf->fakepass, &err); if (err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02456) "AuthBasicFake: could not evaluate password expression for URI '%s': %s", r->uri, err); return HTTP_INTERNAL_SERVER_ERROR;
} if (!pass || !*pass) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02459) "AuthBasicFake: empty password expression for URI '%s', ignoring", r->uri);
AP_DECLARE_MODULE(auth_basic) =
{
STANDARD20_MODULE_STUFF,
create_auth_basic_dir_config, /* dir config creater */
merge_auth_basic_dir_config, /* dir merger --- default is to override */
NULL, /* server config */
NULL, /* merge server config */
auth_basic_cmds, /* command apr_table_t */
register_hooks /* register hooks */
};
¤ Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.0.21Bemerkung:
(vorverarbeitet)
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
