mod_auth.c revision 0942697a9b5de44865676345a3828741c827efe6
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/* ====================================================================
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Copyright (c) 1995-1999 The Apache Group. All rights reserved.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Redistribution and use in source and binary forms, with or without
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * modification, are permitted provided that the following conditions
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * 1. Redistributions of source code must retain the above copyright
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * notice, this list of conditions and the following disclaimer.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * 2. Redistributions in binary form must reproduce the above copyright
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * notice, this list of conditions and the following disclaimer in
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * the documentation and/or other materials provided with the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * distribution.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * 3. All advertising materials mentioning features or use of this
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * software must display the following acknowledgment:
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * "This product includes software developed by the Apache Group
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * for use in the Apache HTTP server project (http://www.apache.org/)."
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * 4. The names "Apache Server" and "Apache Group" must not be used to
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * endorse or promote products derived from this software without
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * prior written permission. For written permission, please contact
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * apache@apache.org.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * 5. Products derived from this software may not be called "Apache"
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * nor may "Apache" appear in their names without prior written
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * permission of the Apache Group.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * 6. Redistributions of any form whatsoever must retain the following
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * acknowledgment:
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * "This product includes software developed by the Apache Group
5c0419d51818eb02045cf923a9fe456127a44c60wrowe * for use in the Apache HTTP server project (http://www.apache.org/)."
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
d266c3777146d36a4c23c17aad6f153aebea1bf4jorton * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
d266c3777146d36a4c23c17aad6f153aebea1bf4jorton * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
d266c3777146d36a4c23c17aad6f153aebea1bf4jorton * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
d266c3777146d36a4c23c17aad6f153aebea1bf4jorton * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * OF THE POSSIBILITY OF SUCH DAMAGE.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * ====================================================================
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * This software consists of voluntary contributions made by many
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * individuals on behalf of the Apache Group and was originally based
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * on public domain software written at the National Center for
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Supercomputing Applications, University of Illinois, Urbana-Champaign.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * For more information on the Apache Group and the Apache HTTP server
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * project, please see <http://www.apache.org/>.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * http_auth: authentication
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Rob McCool
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * Adapted to Apache by rst.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * dirkx - Added Authoritative control to allow passing on to lower
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * modules if and only if the userid is not known to this
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * module. A known user with a faulty or absent password still
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * causes an AuthRequired. The default is 'Authoritative', i.e.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * no control is passed along.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholestypedef struct auth_config_struct {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic void *create_auth_dir_config(ap_context_t *p, char *d)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (auth_config_rec *) ap_pcalloc(p, sizeof(auth_config_rec));
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes sec->auth_pwfile = NULL; /* just to illustrate the default really */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes sec->auth_grpfile = NULL; /* unless you have a broken HP cc */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes sec->auth_authoritative = 1; /* keep the fortress secure by default */
f8fc4173f3b9715e5945b668ba511b77573dc1d1minfrinstatic const char *set_auth_slot(cmd_parms *cmd, void *offset, char *f, char *t)
f8fc4173f3b9715e5945b668ba511b77573dc1d1minfrin return ap_pstrcat(cmd->pool, "Invalid auth file type: ", t, NULL);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (void *) XtOffsetOf(auth_config_rec, auth_pwfile), OR_AUTHCFG, TAKE12,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "text file containing user IDs and passwords"},
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (void *) XtOffsetOf(auth_config_rec, auth_grpfile), OR_AUTHCFG, TAKE12,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "text file containing group names and member user IDs"},
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (void *) XtOffsetOf(auth_config_rec, auth_authoritative),
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "Set to 'no' to allow access control to be passed along to lower modules if the UserID is not known to this module"},
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic char *get_pw(request_rec *r, char *user, char *auth_pwfile)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes const char *rpw, *w;
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if (!(f = ap_pcfg_openfile(r->pool, auth_pwfile))) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if ((l[0] == '#') || (!l[0]))
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholesstatic ap_table_t *groups_for_user(ap_context_t *p, char *user, char *grpfile)
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/*add? aplog_error(APLOG_MARK, APLOG_ERR, NULL,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "Could not open group file: %s", grpfile);*/
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if ((l[0] == '#') || (!l[0]))
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes while (ll[0]) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_table_setn(grps, ap_pstrdup(p, group_name), "in");
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/* These functions return 0 if client is OK, and proper error status
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * if not... either AUTH_REQUIRED, if we made a check, and it failed, or
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * SERVER_ERROR, if things are so totally confused that we couldn't
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * figure out how to tell if the client is authorized or not.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * If they return DECLINED, and all other modules also decline, that's
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * treated by the server core as a configuration error, logged and
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * reported as such.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/* Determine user ID, and check if it really is that user, for HTTP
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * basic authentication...
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_module);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes const char *sent_pw;
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes if (!(real_pw = get_pw(r, r->user, sec->auth_pwfile))) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes invalid_pw = ap_validate_password(sent_pw, real_pw);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes "user %s: authentication failure for \"%s\": %s",
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes/* Checking ID */
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_module);
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes register int x;
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes const char *t, *w;
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes const ap_array_header_t *reqs_arr = ap_requires(r);
54d22ed1c429b903b029bbd62621f11a9e286137minfrin /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * then any user will do.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes grpstatus = groups_for_user(r->pool, user, sec->auth_grpfile);
54d22ed1c429b903b029bbd62621f11a9e286137minfrin while (t[0]) {
54d22ed1c429b903b029bbd62621f11a9e286137minfrin while (t[0]) {
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes /* if we aren't authoritative, any require directive could be
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * valid even if we don't grok it. However, if we are
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * authoritative, we can warn the user they did something wrong.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes * That something could be a missing "AuthAuthoritative off", but
54d22ed1c429b903b029bbd62621f11a9e286137minfrin * more likely is a typo in the require directive.
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "access to %s failed, reason: unknown require directive:"
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
54d22ed1c429b903b029bbd62621f11a9e286137minfrin "access to %s failed, reason: user %s not allowed access",
54d22ed1c429b903b029bbd62621f11a9e286137minfrinstatic void register_hooks(void)
54d22ed1c429b903b029bbd62621f11a9e286137minfrin ap_hook_check_user_id(authenticate_basic_user,NULL,NULL,HOOK_MIDDLE);