Add some caching for password hash validation. Password hash functions must be expensive in order to be secure. But if they have to be re-evaluated for every request, performance suffers. As a minimal remedy, cache the most recent result for every connection. This gives a great performance boost if a web browser does many requests on the same connection with the same user+password. In principle, this may keep the plain text password around longer than before. But in practice, there won't be much difference since user+password can already remain in some unused data bucket for longer than the request duration. A proper solution still needs to be found for connections from proxies which may carry requests for many different users. While it currently only requires the conn_rec, the new ap_password_validate() function takes username and request_rec to allow future extensions, like detection of brute-force attempts.

Add lots of unique tags to error log messages

Enable authn_cache in the main easy-to-do authn provider modules

Use the new APLOG_USE_MODULE/AP_DECLARE_MODULE macros everywhere to take advantage of per-module loglevels

Fix string constness to get rid of gcc compiler warnings by -Wwrite-strings.

revert r672639 which lacked a necessary major bump, add a major MMN bump to account for the short-lived API addition/removal.

mod_auth_digest: Detect during startup when AuthDigestProvider is configured to use an incompatible provider via AuthnProviderAlias. PR 45196

Convert common provider version strings ("0") to AUTHN/Z_PROVIDER_VERSION macros defined in mod_auth.h.

Avoid calling access control hooks for internal requests with configurations which match those of the initial request. Revert to the original behaviour (call access control hooks for internal requests with URIs different from the initial request) if any access control hooks or providers are not registered as permitting this optimization. Introduce wrappers for access control hook and provider registration which can accept additional mode and flag data. The configuration walk optimizations were originally proposed a while ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2); they have been used since then in production systems and appear to be stable and effective. They permit certain combinations of modules and clients to function efficiently, especially when a deeply recursive series of internal requests, such as those generated by certain WebDAV requests, are all subject to the identical authentication and authorization directives. The major change from the original proposal is a cleaner mechanism for detecting modules which may expect the old behaviour. This has been tested successfully with Subversion's mod_authz_svn, which specifically requires the old behaviour when performing path-based authorization based against its own private access control configuration files.

update license header text

Update the copyright year in all .c, .h and .xml files

No functional Change: Removing trailing whitespace. This also means that "blank" lines consisting of just spaces or tabs are now really blank lines

Update copyright year to 2005 and standardize on current copyright owner line.

fix name of The Apache Software Foundation

fix copyright dates according to the first check in

apply Apache License, Version 2.0

update license to 2004.

finished that boring job: update license to 2003. Happy New Year! ;-))

Use ap_strchr instead of strchr and get the constness right.

allow empty user ids to be supplied without responding a 500.

add support for digest authentication to the authn_dbm module. The key is "$user:$realm" (perl speaking), the value is the MD5-hash, optionally followed by a colon and other garbage. Note that currently there's no tool to create such databases.

cut password at the first colon. This readds the ability to store password and group information within the same dbm file

Per Greg's request, add a version string component to the ap_provider.h functions. This allows modules to register different versions of the same provider.

kill a warning

Add missing includes in mod_authn_file and mod_authn_dbm. Submitted by: Sebastian Bergmann <lists@sebastian-bergmann.de> Reviewed by: Justin Erenkrantz

Add ap_register_provider and ap_lookup_provider functions which resolve the DSO link problems for DAV and the new aaa modules by moving the provider code into the core of the server and generalizing them to be used by any code. Remove the auth{nz}_*_provider functions as they are no longer needed. Change the dav_*_provider functions to wrap the ap_*_provider functions as they have a bit more of a historical precedent that we should keep around. Reviewed by: John K. Sterling <john@sterls.com> (in concept)

Remove Authoritative functionality from the authn providers. All ordering semantics should be resolved by the modules which use these providers, not the providers themselves.

Axe unused variable 'res'

Stage #2 of aaa rewrite: Add provider support so that mod_authn_* modules do not have to re-implement basic auth and to allow mod_auth_digest (and other modules) to leverage the authn backends. Adds AuthBasicProvider and AuthDigestProvider directives. This also moves a lot of the basic auth handling code inside of mod_auth_basic (but does not remove the code in server/protocol.c - that will have to wait for a version bump so that we don't totally bust old modules). This patch incorporates code review comments by Greg Stein.

Stage #1 of the aaa rewrite - refactoring modules. All modules are reorganized under the following scheme: - mod_auth_*: Front-end (basic, digest) - mod_authn_*: Authentication (anon, dbm, default, file) - mod_authz_*: Authorization (dbm, default, groupfile, host, user) This passes the httpd-test suite when it accounts for the renaming of aaa modules. Originally written by: Dirk-Willem van Gulik Completed by: Justin Erenkrantz