Revision Log
Fix handling of authz configurations, make default authz logic replicate 2.2.x authz logic and support existing configurations (including .htaccess files), and replace <Satisfy*>, Reject, and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge directives.
remove unused AUTHZ_GROUP_NOTE define
fix typo
* include/mod_auth.h (authz_status): Remove trailing comma on enum.
convert tabs to spaces
revert r672639 which lacked a necessary major bump, add a major MMN bump to account for the short-lived API addition/removal.
* Include http_config.h to ensure that cmd_parms is defined, otherwise e.g. the perl test framework breaks.
mod_auth_digest: Detect during startup when AuthDigestProvider is configured to use an incompatible provider via AuthnProviderAlias. PR 45196
As this is consumed by the core, mod_auth must reside in the serverwide include/'s.
Convert common provider version strings ("0") to
AUTHN/Z_PROVIDER_VERSION macros defined in mod_auth.h.
re-introduce ap_satisfies API back into core and modify how the access_checker, check_user_id and auth_checker hooks are called so that they respect the precedence that is set through the satisfy ALL/ANY directive. This also restores the directives order, allow, deny, satisfy as supported directives rather than being deprecated. These directives still remain in mod_access_compat however.
Fix comment to allow modules using the new authz scheme to work on Win32. * mod_auth.h: Fix up blurb on how to retrieve ap_satisfies to match what mod_authz_core and friends use which does work on Windows.
mod_authn_dbd: Export any additional columns queried in the SQL select into the environment with the name AUTHENTICATE_<COLUMN>. This brings mod_authn_dbd behaviour in line with mod_authnz_ldap.
revert the reject directive is definitive patch and normalize the logic lists.
Converted the reject directive to be definitive and enabled directory_merge to merge all of the authorization rules and logic.
update license header text
Update the copyright year in all .c, .h and .xml files
Clean up some stuff found by Coverity. * modules/aaa/mod_authz_core.c (check_provider_list): Remove redundant code. * modules/aaa/mod_auth.h (AUTHZ_DEFAULT_PROVIDER): Remove redundant definition. Submitted by: Max Bowsher <maxb apache.org> Reviewed by: bnicholes, rooneg
Add a note about the ap_satisfies mess we currently have.
- add a define for ap_satisfies which is now an optional fn. Without this httpd crashes with a SIGBUS when calling ap_satisfies. This gets mod_authz_svn working again with trunk.
* modules/aaa/mod_auth.h: Include apr_optional.h for APR_DECLARE_OPTIONAL_FN definition.
Restore Order, Deny, Allow, Satisfy for backwards compatibility with authz
Authz refactoring
Merge from branches/authz-dev
Basically here is a list of what has been done:
- Convert all of the authz modules from hook based to provider based
- Remove the ap_requires field from the core_dir_config structure
- Remove the function ap_requires() since its functionality is no longer supported or necessary in the refactoring
- Remove the calls to ap_some_auth_required() in the core request handling to allow the hooks to be called in all cases.
- Add the new module mod_authz_core which will act as the authorization provider vector and contain common authz directives such as 'Require', 'Reject' and '<RequireAlias>'
- Add the new module mod_authn_core which will contain common authentication directives such as 'AuthType', 'AuthName' and '<AuthnProviderAlias>'
- Move the check for METHOD_MASK out of the authz providers and into the authz_core provider vector
- Define the status codes that can be returned by the authz providers as AUTHZ_DENIED, AUTHZ_GRANTED and AUTHZ_GENERAL_ERROR
- Remove the 'Satisfy' directive
- Implement the '<RequireAll>', '<RequireOne>' block directives to handle the 'and' and 'or' logic for authorization.
- Remove the 'AuthzXXXAuthoritative' directives from all of the authz providers
- Implement the 'Reject' directive that will deny authorization if the argument is true
- Fold the 'Reject' directive into the '<RequireAll>', '<RequireOne>' logic
- Reimplement the host based authorization functionality provided by 'allow', 'deny' and 'order' as authz providers
- Remove the 'allow', 'deny' and 'order' directives
- Merge mod_authn_alias into mod_authn_core
- Add '<RequireAlias>' functionality which is similar to '<AuthnProviderAlias>' but specific to authorization aliasing
- Remove all of the references to the 'authzxxxAuthoritative' directives from the documentation
- Remove the 'Satisfy' directive from the documentation
- Remove 'Allow', 'Deny', 'Order' directives from the documentation
- Document '<RequireAll>', '<RequireOne>', 'Reject' directives
- Reimplement the APIs ap_auth_type(), ap_auth_name() as optional functions and move the actual implementation into mod_authn_core
- Reimplement the API ap_some_auth_required() as an optional function and move the actual implementation into mod_authz_core
Major Changes:
- Added the directives <RequireAll>, <RequireOne>, <RequireAlias>, Reject
- Expanded the functionality of the directive 'Require' to handle all authorization and access control
- Added the new authz providers 'env', 'ip', 'host', 'all' to handle host-based access control
- Removed the directives 'Allow', 'Deny', 'Order', 'Satisfy', 'AuthzXXXAuthoritative'
- Removed the ap_require() API
- Moved the directives 'AuthType', 'AuthName' out of mod_core and into mod_authn_core
- Moved the directive 'Require' out of mod_core and into mod_authz_core
- Merged mod_authn_alias into mod_authn_core
- Renamed mod_authz_dbm authz providers from 'group' and 'file-group' to 'dbm-group' and 'dbm-file-group'
Benefits:
- All authorization and access control is now handled through two directives, 'Require' and 'Reject'
- Authorization has been expanded to allow for complex 'AND/OR' control logic through the directives '<RequireAll>' and '<RequireOne>'
- Configuration is now much simpler and consistent across the board
- Other modules like mod_ssl and mod_proxy should be able to plug into and take advantage of the same provider based authorization mechanism by implementing their own providers
Issues:
- Backwards compatibility between 2.2 and 2.3 configurations will be broken in the area of authorization and access control due to the fact that the directives 'allow', 'deny', 'order' and 'satisfy' have been removed. When moving from 2.2 to 2.3 these directives will have to be changed to 'Require all granted', 'Require all denied' or some variation of the authz host-based providers.
- Existing third party authorization modules will have to adapt to the new structure.
Doxygen fixup / cleanup submitted by: Neale Ranns neale ranns.org reviewed by: Ian Holsman
Add the auth provider name as a note in the request so that authn_provider_alias is able to look up the original provider along with the per_dir configuration.
Update copyright year to 2005 and standardize on current copyright owner line.
general property cleanup
fix name of The Apache Software Foundation
fix copyright dates according to the first check in
apply Apache License, Version 2.0
update license to 2004.
finished that boring job: update license to 2003. Happy New Year! ;-))
as announced and with no objections: mod_authz_owner: forward port of require file-owner/file-group functionality The goal of the module is to do all the necessary file system work to figure out username and groupname. "Require file-owner" is completely resolved within the module. "file-group" is only determined there and the groupname will be extracted from the stat call and stored within the r->notes. Done that, the module will decline, so that the group database modules (mod_authz_groupfile, mod_authz_dbm) can verify the groupname with their lists. Thus every group module that supports the file-group requirement must be hooked after mod_authz_owner. They have to recognize "file-group" and read the groupname from r->notes. (If there's no name stored, the modules should ignore the file-group requirement). The backstopper module will do its work in worst case. not solved yet: - the module doesn't work as one could expect if the file doesn't exist in the first request round (consider MultiViews) (the 1.3 version has the same problem). I played around with some subrequest techniques, but got no helpful result. Is there any magic to recognize the actual resulting filename (if there is)?
Add ap_register_provider and ap_lookup_provider functions which resolve
the DSO link problems for DAV and the new aaa modules by moving the
provider code into the core of the server and generalizing them to be
used by any code.
Remove the auth{nz}_*_provider functions as they are no longer needed.
Change the dav_*_provider functions to wrap the ap_*_provider functions
as they have a bit more of a historical precedent that we should keep
around.
Reviewed by: John K. Sterling <john@sterls.com> (in concept)
Add ability to use multiple providers for basic and digest authentication. The syntax is:
    AuthBasicProvider file dbm
    AuthUserFile conf/basic-user
    AuthDBMUserFile conf/basic-user-dbm
A quick-n-dirty hack. Expose the auth_provider api from mod_auth_basic alone, on Win32 only. Requires mod_auth_basic be loaded prior to using mod_auth_digest or any other mod_authn/z modules. Win32 builds again.
fix a syntax error in an enum (as far as some non-gcc compilers are concerned)
Stage #2 of aaa rewrite: Add provider support so that mod_authn_* modules do not have to re-implement basic auth and to allow mod_auth_digest (and other modules) to leverage the authn backends. Adds AuthBasicProvider and AuthDigestProvider directives. This also moves a lot of the basic auth handling code inside of mod_auth_basic (but does not remove the code in server/protocol.c - that will have to wait for a version bump so that we don't totally bust old modules). This patch incorporates code review comments by Greg Stein.