Externalize publically-needed configure macros and fix GSS-related bugs.

[shibboleth/sp.git] / apache / mod_apache.cpp

diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index eddfb60..3bc0770 100644 (file)
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2001-2010 Internet2
+ *  Copyright 2001-2011 Internet2
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -311,7 +311,7 @@ extern "C" const char* shib_table_set(cmd_parms* parms, shib_dir_config* dc, con
 
 
 class ShibTargetApache : public AbstractSPRequest
-#if defined(HAVE_GSSAPI) && !defined(SHIB_APACHE_13)
+#if defined(SHIBSP_HAVE_GSSAPI) && !defined(SHIB_APACHE_13)
     , public GSSRequest
 #endif
 {
@@ -356,6 +356,9 @@ public:
   const char* getScheme() const {
     return m_sc->szScheme ? m_sc->szScheme : ap_http_method(m_req);
   }
+  bool isSecure() const {
+      return HTTPRequest::isSecure();
+  }
   const char* getHostname() const {
     return ap_get_server_name(m_req);
   }
@@ -451,6 +454,12 @@ public:
 #endif
     return m_body.c_str();
   }
+  const char* getParameter(const char* name) const {
+      return AbstractSPRequest::getParameter(name);
+  }
+  vector<const char*>::size_type getParameters(const char* name, vector<const char*>& values) const {
+      return AbstractSPRequest::getParameters(name, values);
+  }
   void clearHeader(const char* rawname, const char* cginame) {
     if (m_dc->bUseHeaders == 1) {
        // ap_log_rerror(APLOG_MARK,APLOG_DEBUG|APLOG_NOERRNO,SH_AP_R(m_req), "shib_clear_header: hdr\n");
@@ -591,7 +600,7 @@ public:
   }
   long returnDecline(void) { return DECLINED; }
   long returnOK(void) { return OK; }
-#if defined(HAVE_GSSAPI) && !defined(SHIB_APACHE_13)
+#if defined(SHIBSP_HAVE_GSSAPI) && !defined(SHIB_APACHE_13)
   gss_ctx_id_t getGSSContext() const {
     gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
     apr_pool_userdata_get((void**)&ctx, g_szGSSContextKey, m_req->pool);
@@ -1057,7 +1066,8 @@ AccessControl::aclresult_t htAccessControl::authorized(const SPRequest& request,
             request.log(SPRequest::SPDebug, "htaccess: embedded AccessControl plugin was unsuccessful but not authoritative, leaving it up to Apache");
             return shib_acl_indeterminate;
         }
-       }
+    }
+
 
     require_line* reqs=(require_line*)reqs_arr->elts;
 
@@ -1080,7 +1090,16 @@ AccessControl::aclresult_t htAccessControl::authorized(const SPRequest& request,
         if (!strcasecmp(w,"shibboleth")) {
             // This is a dummy rule needed because Apache conflates authn and authz.
             // Without some require rule, AuthType is ignored and no check_user hooks run.
-            status = true;  // treat it as an "accepted" rule
+
+            // We evaluate to false if ShibAccessControl is used and ShibRequireAll is off.
+            // This allows actual rules to dictate the result, since ShibAccessControl returned
+            // non-true, and if nothing else is used, access will be denied.
+            if (!sta->m_dc->szAccessControl || sta->m_dc->bRequireAll == 1) {
+                // We evaluate to true, because ShibRequireAll is enabled (so a true is just a no-op)
+                // or because there was no other AccessControl rule in place, so this may be the only
+                // rule in effect.
+                status = true;
+            }
         }
         else if (!strcmp(w,"valid-user") && session) {
             request.log(SPRequest::SPDebug, "htaccess: accepting valid-user based on active session");