mod_authnz_fcgi: New module to enable FastCGI authorizer applications to authenticate and/or authorize clients. A fair amount of code was taken from or at least based on mod_proxy_fcgi, with a smaller amount taken from mod_fcgid.

mod_allowhandlers: New module to forbid specific handlers for specific directories.

Change module sets and default activation status: 1) Promoted from "most" to "few" - mod_headers 2) Demoted from "yes" to "most" - mod_actions - mod_allowmethods - mod_auth_form - mod_buffer - mod_cgi(d) - mod_include - mod_negotiation - mod_ratelimit - mod_request - mod_userdir Remember: default module set is "most", but only the LoadModule lines of all modules except "yes" are commented out by default. The following modules will now be loaded by default: - mod_access_compat - mod_alias - mod_auth_basic - mod_authn_core - mod_authn_file - mod_authz_core - mod_authz_groupfile - mod_authz_host - mod_authz_user - mod_autoindex - mod_dir - mod_env - mod_filter - mod_headers - mod_log_config - mod_mime - mod_mpm_event - mod_reqtimeout - mod_setenvif - mod_status - mod_unixd - mod_version

Enable ldap modules in 'all' and 'most' selections if ldap is compiled into apr-util

Bring part some parts of r1142938 which were removed by the big ldap revert r1150179. Original commit log: Use APR_ADDTO instead of APR_SETVAR or direct variable assignment. ...

Merge branch revert-ap-ldap: Revert ap_ldap integration due to veto by Graham Leggett Mailing list threads: http://mail-archives.apache.org/mod_mbox/httpd-dev/201106.mbox/%3C4192DC1D-C0B9-42BB-B614-C3A41290F18B@sharp.fm%3E http://mail-archives.apache.org/mod_mbox/httpd-dev/201107.mbox/%3C4E15E51E.4090700@rowe-clan.net%3E

Allow to specify module specific custom linker flags via the MOD_XXX_LDADD variables. Use APR_ADDTO instead of APR_SETVAR or direct variable assignment. This is especially useful when building mod_lua or mod_deflate against a lua resp. libz which are installed in non-standard locations. One can add "-R ..." to MOD_LUA_LDADD and MOD_DEFLATE_LDADD before configure to fix the RPATH/RUNPATH of those modules.

Several fixes for the ap_ldap build logic. This should fix compilation without --with-ldap.

Incorporate the ap_ldap incomplete API, as there is no interest or effort at APR to make this a complete abstraction, and it was voted 'off the island' with APR 2.0. This will allow httpd 2.3 to build against either apr-2.0 or apr+util 1.x.

Build mod_authn_socache on same terms as other authn modules

Build mod_allowmethods (windows and netware stuff needs to be tested). Change method bit vector to 64 bits

Always make mod_*.h files available where they exist, modpath by modpath

* Make LDAP working with APR 2.0 again by using apr-config instead of apu-config which is gone in APR 2.0.

Remove mod_authn_default and mod_authz_default. Note: I've attempted to work through the Windows and Netware build files, but if those with such systems could repair any damage, that would be appreciated.

For *trunk/* development, presume at least apr-1.3 (now released) for seperation of ldap link options.

mod_auth_form: Add a module capable of allowing end users to log in using an HTML form, storing the credentials within mod_session.

* modules/aaa/config.m4: Place mod_access_compat in the 'yes' list as not handling older auth configs out-of-the-box is badness.

clean up some left-over debugging code and comments

Restore Order, Deny, Allow, Satisfy for backwards compatibility with authz

Authz refactoring Merge from branches/authz-dev Basically here is a list of what has been done: - Convert all of the authz modules from hook based to provider based - Remove the ap_requires field from the core_dir_config structure - Remove the function ap_requires() since its functionality is no longer supported or necessary in the refactoring - Remove the calls to ap_some_auth_required() in the core request handling to allow the hooks to be called in all cases. - Add the new module mod_authz_core which will act as the authorization provider vector and contain common authz directives such as 'Require', 'Reject' and '<RequireAlias>' - Add the new module mod_authn_core which will contain common authentication directives such as 'AuthType', 'AuthName' and '<AuthnProviderAlias>' - Move the check for METHOD_MASK out of the authz providers and into the authz_core provider vector - Define the status codes that can be returned by the authz providers as AUTHZ_DENIED, AUTHZ_GRANTED and AUTHZ_GENERAL_ERROR - Remove the 'Satisfy' directive - Implement the '<RequireAll>', '<RequireOne>' block directives to handle the 'and' and 'or' logic for authorization. - Remove the 'AuthzXXXAuthoritative' directives from all of the authz providers - Implement the 'Reject' directive that will deny authorization if the argument is true - Fold the 'Reject' directive into the '<RequireAll>', '<RequireOne>' logic - Reimplement the host based authorization functionality provided by 'allow', 'deny' and 'order' as authz providers - Remove the 'allow', 'deny' and 'order' directives - Merge mod_authn_alias into mod_authn_core - Add '<RequireAlias>' functionality which is similar to '<AuthnProviderAlias>' but specific to authorization aliasing - Remove all of the references to the 'authzxxxAuthoritative' directives from the documentation - Remove the 'Satisfy' directive from the documentation - Remove 'Allow', 'Deny', 'Order' directives from the documentation - Document '<RequireAll>', '<RequireOne>', 'Reject' directives - Reimplement the APIs ap_auth_type(), ap_auth_name() as optional functions and move the actual implementation into mod_authn_core - Reimplement the API ap_some_auth_required() as an optional function and move the actual implementation into mod_authz_core Major Changes: - Added the directives <RequireAll>, <RequireOne>, <RequireAlias>, Reject - Expanded the functionality of the directive 'Require' to handle all authorization and access control - Added the new authz providers 'env', 'ip', 'host', 'all' to handle host-based access control - Removed the directives 'Allow', 'Deny', 'Order', 'Satisfy', 'AuthzXXXAuthoritative' - Removed the ap_require() API - Moved the directives 'AuthType', 'AuthName' out of mod_core and into mod_authn_core - Moved the directive 'Require' out of mod_core and into mod_authz_core - Merged mod_authn_alias into mod_authn_core - Renamed mod_authz_dbm authz providers from 'group' and 'file-group' to 'dbm-group' and 'dbm-file-group' Benefits: - All authorization and access control is now handle through two directives, 'Require' and 'Reject' - Authorization has been expanded to allow for complex 'AND/OR' control logic through the directives '<RequireAll>' and '<RequireOne>' - Configuration is now much simpler and consistent across the board - Other modules like mod_ssl and mod_proxy should be able to plug into and take advantage of the same provider based authorization mechanism by implementing their own providers Issues: - Backwards compatibility between 2.2 and 2.3 configurations will be broken in the area of authorization and access control due to the fact that the directives 'allow', 'deny', 'order' and 'satisfy' have been removed. When moving from 2.2 to 2.3 these directives will have to be changed to 'Require all granted', 'Require all denied' or some variation of the authz host-based providers. - Existing third party authorization modules will have to adapt to the new structure.

mod_authz_dbd: SQL authz with Login/Session support

Add mod_authn_dbd to build

Add mod_authn_alias to the build

Make sure mod_authnz_ldap is included in the unix builds. PR: Obtained from: Submitted by: Reviewed by:

Use -export-dynamic only when linking an httpd which includes mod_so, not when linking modules or support programs. * modules/aaa/config.m4, modules/arch/win32/config.m4, modules/cache/config.m4, modules/echo/config.m4, modules/filters/config.m4, modules/generators/config5.m4, modules/metadata/config.m4: Don't add -export-dynamic to LT_LDFLAGS. * modules/mappers/config9.m4: Add -export-dynamic to HTTPD_LDFLAGS when mod_so is enabled.

use APR_CHECK_APR_DEFINE() where possible an anomaly noticed before and after this commit: "--enable-cgi=shared --disable-so" is not recognized as inconsistent

as announced and with no objections: mod_authz_owner: forward port of require file-owner/file-group functionality The goal of the module is to do all the neccessary file system work to figure out username and groupname. "Require file-owner" is completely resolved within the module. "file-group" is only determined there and the groupname will be extracted from the stat call and stored within the r->notes. Done that, the module will decline, so that the group database modules (mod_authz_groupfile, mod_authz_dbm) can verify the groupname with their lists. Thus every group module that supports the file-group requirement must be hooked after mod_authz_owner. They have to recognize "file-group" and read the groupname from r->notes. (If there's no name stored, the modules should ignore the file-group requirement). The backstopper module will do its work in worst case. not solved yet: - the module doesn't work as one could expect if the file doesn't exist in the first request round (consider MultiViews) (the 1.3 version has the same problem). I played around with some subrequest techniques, but got no helpful result. Is there any magic to recognize the actual resulting filename (if there is)?

Use $INCLUDES rather than adding yet another place to edit include dirs.

Add ap_register_provider and ap_lookup_provider functions which resolve the DSO link problems for DAV and the new aaa modules by moving the provider code into the core of the server and generalizing them to be used by any code. Remove the auth{nz}_*_provider functions as they are no longer needed. Change the dav_*_provider functions to wrap the ap_*_provider functions as they have a bit more of a historical precedent that we should keep around. Reviewed by: John K. Sterling <john@sterls.com> (in concept)

Stage #2 of aaa rewrite: Add provider support so that mod_authn_* modules do not have to re-implement basic auth and to allow mod_auth_digest (and other modules) to leverage the authn backends. Adds AuthBasicProvider and AuthDigestProvider directives. This also moves a lot of the basic auth handling code inside of mod_auth_basic (but does not remove the code in server/protocol.c - that will have to wait for a version bump so that we don't totally bust old modules). This patch incorporates code review comments by Greg Stein.

Stage #1 of the aaa rewrite - refactoring modules. All modules are reorganized under the following scheme: - mod_auth_*: Front-end (basic, digest) - mod_authn_*: Authentication (anon, dbm, default, file) - mod_authz_*: Authorization (dbm, default, groupfile, host, user) This passes the httpd-test suite when it accounts for the renaming of aaa modules. Originally written by: Dirk-Willem van Gulik Completed by: Justin Erenkrantz

Remove all non-portable DBM calls in mod_auth_dbm and rely only on the apr-util DBM code.

Remove mod_auth_db since we've received enough votes (Justin, Ian, and Lars) and ample warning has been posted to dev@httpd. mod_auth_dbm should be able to take over all functionality of mod_auth_db with the AuthDBMType directive.

allow mod_auth_digest to configure with --srcdir (added same include path as modules/mappers/config9.m4) PR: Obtained from: Submitted by: Reviewed by:

Remove all of the ldap modules. These have been moved to their own repository, httpd-ldap, and they now form their own sub-project of the httpd project.

I don't like underscore as a name prefix.

Roy beat me to the commit. Anyway, fix the version numbers in the comment so that it reflects reality (so I think).

Due to some lunacy in ndbm.h on some platforms, we need to find the right include directory for db.h if we include ndbm.h. Submitted by: Justin Erenkrantz Reviewed by: Roy Fielding

Fix build breakage on Linux glibc 2.1+ systems that prevented db1 from being correctly found for mod_auth_dbm. This is similar to the mod_auth_db check.

- Switch to AC_SEARCH_LIBS to check multiple libraries for mod_auth_db (the AC_* way of doing what Martin committed) - Fix the configuration check for mod_auth_digest so that: - Everything is on separate lines so that the preprocessor doesn't scream - It adds the path to APR. (APR_SOURCE_DIR looks right, but I'm not sure.) By the time the modules are configured, the CPPFLAGS and such are not setup to point at APR. This should probably be rectified and then this can be taken out - so you could assume that apr.h is in your CPPFLAGS somewhere when configuring the modules.

On modern systems (e.g., FreeBSD), the db* functions reside in libc rather than in libdb. Also, be more precise in telling what is actually checked for (we are NOT testing for main(), but we are testing for dbopen(), right?). Without the first fix, configuration would fail completely for FreeBSD

Oops - left off the apr_ldap.h file in the commit. PR: Obtained from: Submitted by: Reviewed by:

Fix --enable-modules=all breakage with mod_auth_db and mod_auth_digest by allowing a module to disable itself if its prerequisites are not met. This introduces the subtle nuance that if you request a module and you don't meet its prerequisites, it'll refuse to build itself. mod_ssl exits if its prerequisites are not met.

Fix httpd's definition of LTFLAGS to be consistent with that of apr and apr-util, allow it to be overridden by the configure command-line (default="--silent") and introduce LT_LDFLAGS to replace what we were formally abusing as LTFLAGS.

Completely revamp configure so that it preserves the standard make variables CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS and LIBS by moving the configure additions to EXTRA_* variables. Also, allow the user to specify NOTEST_* values for all of the above, which eliminates the need for THREAD_CPPFLAGS, THREAD_CFLAGS, and OPTIM. Fix the setting of INCLUDES and EXTRA_INCLUDES. Check flags as they are added to avoid pointless duplications. Fix the order in which flags are given on the compile and link lines.

Add a few more modules to the "most" category.

Remove "no" from many APACHE_MODULE() invocations to allow them to be selected by --enable-modules=all Set some modules to "most" to allow --enable-modules=most

Rename the module structures so that the exported symbol matches the file name, and it is easier to automate the installation process (generating LoadModule directives from the module filenames). Next step is to remove the 4th argument to the APACHE_MODULE macro completely and require people to use the matching names, and to reduce the LoadModule directive to 1 argument.... Objections?

Allow the auth modules to load into the server.

*) remove STANDARD_LIBS line; it is unused/unneeded *) simplify by removing the extra AC_DEFUN() in each file

Get the modules configuration stuff working correctly. This just deals with STANDARD modules and Protocol, not MPMs.

Start to add back the config.m4 and Makefile.in's that were separated out during the repository move.

Port mod_info to 2.0. This is basically a complete re-write to use the config tree instead of re-reading the config file. As a part of this change, the config tree needs to be exposed to modules as ap_conftree. Submitted by: Ryan Morgan <rmorgan@covalent.net> Reviewed by: Ryan Bloom

add apr_get_home_directory(), teach mod_userdir to use that instead of calling getpwnam[_r] directly, back out mod_userdir's config check for getpwnam_r

Get mod_userdir compiling on FreeBSD when APR_HAS_THREADS. This doesn't account for the fact that getpwnam() isn't thread-safe on FreeBSD; it also doesn't account for systems where getpwnam_r lives outside of libc. See thread with subject "[?PATCH?] using getpwnam_r in mod_userdir" in Nov. 2000 new-httpd for some better long-term ideas for how to handle the problem.

Don't build mod_suexec by default. It breaks other platforms, and since suexec isn't built by default anyway, it makes sense to treat mod_suexec similarly. Submitted by: Greg Stein

Add back suexec support.

echo should not be built by default (maybe this module should be moved to modules/example/)

Prepare our autoconf setup for autoconf 2.14a and for cross-compiling PR: 6379 Submitted by: "R�diger" Kuhlmann <Tadu@gmx.de> Reviewed by: Ryan Bloom

Disable the dbm_ usage in mod_rewrite so that it links. Still to do: decide at config time whether any modules need dbm, whether to use the native one or sdbm, etc.

Fix the configure script. If a either the mpmt_pthread or dexter MPM's are chosen, the default CGI module is mod_cgid. If any other MPM is chosen, mod_cgi is the default. I would rather have the maintainers for other platforms change their own defaults, than make mod_cgid the default on all threaded MPM's.

Detect libraries based on which platform configure is being run on. Basically, Apache now runs APR's configure script first. APR's configure script has been setup to create a new file, APRVARS. APRVARS is basically all of the environment variables that APR wants to export to the program that is using it. This allows the calling program to "source" APRVARS and get those environment variables. Removed hack to make platforms use -ldl.

Dont' add -ldl for BeOS.

Don't add -ldl for OS/2.

Get FreeBSD 3.4 building again. It doesn't have lib dl, so the build was broken as of the time we started always sticking in -ldl. src/modules/standard/config.m4: . don't add "-ldl" to LIBS for FreeBSD either . back out previous change regarding LTFLAGS; it should be o.k. to add it for any platform, because libtool knows what to do with it (no, Greg A., I haven't added support for it to OS/390 libtool yet :) ) src/lib/apr/configure.in: . if dlopen() isn't found in lib dl, don't fret (yet); try to find it in the default libraries;

OS/390: avoid unconditional -ldl and -export-dynamic (other platforms can add related logic to the case statement) This is a stop-gap measure until the need for certain libraries can be determined automatically.

Remove the ability to enable/disable DSO support in APR. The only current way to check for DSO support is to look for libdl. Apache automatically adds -ldl to it's LIBS flag from config.m4 in modules/standard. Other platforms will need to add the correct flag for their system.

Fix mod_so handling. Basically, if --enable-so or --enable-some-module=shared is specified on the ./configure line, then mod_so is included in the build, -ldl is added to LIBS, and --enable-dso is added to APR's configure line. Otherwise, mod_so is turned off, -ldl is not added, and APR is specifically told to build without DSO support.

Fix DSO enabling logic. Basically if --enable-dso was specified on the command line but the cache had DSO off, we used to turn DSO off. This has been fixed with this patch. Also, if we specify ANY Apache module as being compiled shared, then we automatically turn on mod_so.

Fix building with DSO support. If any module is configured to be compiled for shared support then APR_HAS_DSO is enabled and -ldl is added to the LIBS variable. -ldl may need to be modified based on platform. If no modules are designated as shared then APR_HAS_DSO is disabled and nothing is added to LIBS. In basic testing this compiled without errors or warnings.

Allow --enable-cgid and --disable-cgid to work. Basically just make cgid a standard module.

Allow for help messages for modules. PR: Obtained from: Submitted by: Reviewed by:

Patch to port mod_auth_db to the 2.0 api and also to support Berlekey DB 3.0. It works for me with both Berkeley DB 3.0.55 and 2.7.7. It should work with version 1 as well but I haven't tested it. Submitted by: Brian Martin <bmartin@penguincomputing.com> Reviewed by: Bill Stoddard

Enable dynamic module support on Linux. This should work on any LIBTOOL based system, but YMMV.

These changes are committed together, because they depend on each other. - shared modules can be built in the tree - added support for --with-layout, uses APACI's config.layout - working 'make install' - working 'make depend' - working Pthreads checks - buildconf replaced

mmap_static isn't in the standard directory yet; this directory shouldn't try to configure it.

Add strucutre to autoconf-config system to allow modules to specify config tests to run if they are enabled.

Make most other modules selectable by autoconf's ./configure.

Oops, changed the default status of mod_env for testing and committed it.

Move the default status of module inclusion/exclusion into the STANDARD_MODULE macro, to make it a little more maintainable.

Make the call to configure a module a little simpler if the module struct's name is the same as the module's.

autoconf: Start adding support for selecting modules on the ./configure line. This commit only supports mod_env and mod_log_config.

autoconf: Generate modules.c based on configuration. This is the first step to supporting selection of modules, and it seems to make --with-mpm actually work now.

Deal with times() properly in autoconf. This also changes NO_TIMES to !HAVE_TIMES.

The second part of the big autoconf patch, which actually adds autoconf building to the tree.