mod_auth.c revision 2dcfdce30a4dabc6a194c367c9ef5e53d37df638
842ae4bd224140319ae7feec1872b93dfd491143fielding/* ====================================================================
842ae4bd224140319ae7feec1872b93dfd491143fielding * The Apache Software License, Version 1.1
842ae4bd224140319ae7feec1872b93dfd491143fielding * Copyright (c) 2000-2002 The Apache Software Foundation. All rights
842ae4bd224140319ae7feec1872b93dfd491143fielding * reserved.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * Redistribution and use in source and binary forms, with or without
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * modification, are permitted provided that the following conditions
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * 1. Redistributions of source code must retain the above copyright
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * notice, this list of conditions and the following disclaimer.
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd * 2. Redistributions in binary form must reproduce the above copyright
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * notice, this list of conditions and the following disclaimer in
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * the documentation and/or other materials provided with the
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * distribution.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * 3. The end-user documentation included with the redistribution,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * if any, must include the following acknowledgment:
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * "This product includes software developed by the
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * Apache Software Foundation (http://www.apache.org/)."
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * Alternately, this acknowledgment may appear in the software itself,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * if and wherever such third-party acknowledgments normally appear.
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * 4. The names "Apache" and "Apache Software Foundation" must
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * not be used to endorse or promote products derived from this
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * software without prior written permission. For written
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * permission, please contact apache@apache.org.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * 5. Products derived from this software may not be called "Apache",
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * nor may "Apache" appear in their name, without prior written
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * permission of the Apache Software Foundation.
f7376afc33a9e035921be9114c0e246820d7c8besf * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * SUCH DAMAGE.
e8f95a682820a599fe41b22977010636be5c2717jim * ====================================================================
f7376afc33a9e035921be9114c0e246820d7c8besf * This software consists of voluntary contributions made by many
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * individuals on behalf of the Apache Software Foundation. For more
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * information on the Apache Software Foundation, please see
694e8dc146faadc46b2455f3bd0998121fc76c5drbb * Portions of this software are based upon public domain software
c7d0205ec1649076e7742d72a25ac53779768312stoddard * originally written at the National Center for Supercomputing Applications,
c7d0205ec1649076e7742d72a25ac53779768312stoddard * University of Illinois, Urbana-Champaign.
cd9f429ff62d134cdf6ec903c33430c5ebae12f0trawick * http_auth: authentication
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * Rob McCool
e33b627b40578d0166fdb79ce0487f9e46586befgstein * Adapted to Apache by rst.
e33b627b40578d0166fdb79ce0487f9e46586befgstein * dirkx - Added Authoritative control to allow passing on to lower
e33b627b40578d0166fdb79ce0487f9e46586befgstein * modules if and only if the userid is not known to this
e33b627b40578d0166fdb79ce0487f9e46586befgstein * module. A known user with a faulty or absent password still
e33b627b40578d0166fdb79ce0487f9e46586befgstein * causes an AuthRequired. The default is 'Authoritative', i.e.
864c5615d55b8ebbde24e72043f6325741335a74fielding * no control is passed along.
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingtypedef struct {
1ccd992d37d62c8cb2056126f2234f64ec189bfddougmstatic void *create_auth_dir_config(apr_pool_t *p, char *d)
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding auth_config_rec *conf = apr_palloc(p, sizeof(*conf));
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding conf->auth_pwfile = NULL; /* just to illustrate the default really */
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding conf->auth_grpfile = NULL; /* unless you have a broken HP cc */
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding conf->auth_authoritative = 1; /* keep the fortress secure by default */
e0fe4de2016336428729a620ac0034cd1198ad7awrowestatic const char *set_auth_slot(cmd_parms *cmd, void *offset, const char *f,
e0fe4de2016336428729a620ac0034cd1198ad7awrowe const char *t)
0ec6007a40ac877a7c8d87767ca8e306d89f6595aaron return apr_pstrcat(cmd->pool, "Invalid auth file type: ", t, NULL);
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding (void *)APR_OFFSETOF(auth_config_rec, auth_pwfile),
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding OR_AUTHCFG, "text file containing user IDs and passwords"),
0ec6007a40ac877a7c8d87767ca8e306d89f6595aaron "text file containing group names and member user IDs"),
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding AP_INIT_FLAG("AuthAuthoritative", ap_set_flag_slot,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding (void *)APR_OFFSETOF(auth_config_rec, auth_authoritative),
dc80439e9fba60c753cd145cb6799409ffea9b71ronald "Set to 'no' to allow access control to be passed along to "
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding "lower modules if the UserID is not known to this module"),
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingstatic char *get_pw(request_rec *r, char *user, char *auth_pwfile)
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding const char *rpw, *w;
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding if ((status = ap_pcfg_openfile(&f, r->pool, auth_pwfile)) != APR_SUCCESS) {
7ddfd45e4d3d13de264931df8eb27ee7619fdb0ejerenkrantz while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) {
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding if ((l[0] == '#') || (!l[0])) {
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingstatic apr_table_t *groups_for_user(apr_pool_t *p, char *user, char *grpfile)
c7de1955eb0eaeabf7042902476397692672d549sf if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) {
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding/*add? aplog_error(APLOG_MARK, APLOG_ERR, NULL,
dc80439e9fba60c753cd145cb6799409ffea9b71ronald "Could not open group file: %s", grpfile);*/
29c30db45f6a469017e16b606611e460cc1a1f2caaron if ((l[0] == '#') || (!l[0])) {
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding while (ll[0]) {
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding apr_table_setn(grps, apr_pstrdup(p, group_name), "in");
185aa71728867671e105178b4c66fbc22b65ae26sf/* These functions return 0 if client is OK, and proper error status
678a15e91d6a44569c956445442731bb64a98a63sf * if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed, or
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * HTTP_INTERNAL_SERVER_ERROR, if things are so totally confused that we
97d20d37d21b8d427a920e211858172f0a82427epoirier * couldn't figure out how to tell if the client is authorized or not.
97d20d37d21b8d427a920e211858172f0a82427epoirier * If they return DECLINED, and all other modules also decline, that's
97d20d37d21b8d427a920e211858172f0a82427epoirier * treated by the server core as a configuration error, logged and
97d20d37d21b8d427a920e211858172f0a82427epoirier * reported as such.
0ec6007a40ac877a7c8d87767ca8e306d89f6595aaron/* Determine user ID, and check if it really is that user, for HTTP
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * basic authentication...
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
dc80439e9fba60c753cd145cb6799409ffea9b71ronald const char *sent_pw;
c7de1955eb0eaeabf7042902476397692672d549sf if (!(real_pw = get_pw(r, r->user, conf->auth_pwfile))) {
c7de1955eb0eaeabf7042902476397692672d549sf "user %s: authentication failure for \"%s\": "
c7de1955eb0eaeabf7042902476397692672d549sf "Password Mismatch",
afd0a335375c636605c8625b0d5755dd2408be2btrawick/* Checking ID */
16ceb754873fe06f67a9c52c45d1e583a0f112ddsf auth_config_rec *conf = ap_get_module_config(r->per_dir_config,
c7de1955eb0eaeabf7042902476397692672d549sf register int x;
c7de1955eb0eaeabf7042902476397692672d549sf const char *t, *w;
1ccd992d37d62c8cb2056126f2234f64ec189bfddougm /* BUG FIX: tadc, 11-Nov-1995. If there is no "require" directive at all,
dc80439e9fba60c753cd145cb6799409ffea9b71ronald * any user who passed authentication is allowed through (no implicit deny).
a6b9ed64fdf548c61de9714e2cfb999ec59d149cgstein grpstatus = groups_for_user(r->pool, user, conf->auth_grpfile);
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
97d20d37d21b8d427a920e211858172f0a82427epoirier while (t[0]) {
97d20d37d21b8d427a920e211858172f0a82427epoirier while (t[0]) {
dc80439e9fba60c753cd145cb6799409ffea9b71ronald /* if we aren't authoritative, any require directive could be
0ec6007a40ac877a7c8d87767ca8e306d89f6595aaron * valid even if we don't grok it. However, if we are
97d20d37d21b8d427a920e211858172f0a82427epoirier * authoritative, we can warn the user they did something wrong.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * That something could be a missing "AuthAuthoritative off", but
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding * more likely is a typo in the require directive.
0ec6007a40ac877a7c8d87767ca8e306d89f6595aaron "access to %s failed, reason: unknown require "
97d20d37d21b8d427a920e211858172f0a82427epoirier "access to %s failed, reason: user %s not allowed access",
dc80439e9fba60c753cd145cb6799409ffea9b71ronald ap_hook_check_user_id(authenticate_basic_user,NULL,NULL,APR_HOOK_MIDDLE);