module AP_MODULE_DECLARE_DATA auth_gssapi_module;
+APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
+
struct mag_config {
bool ssl_only;
bool map_to_local;
return apr_psprintf(req->pool, "%s: [%s (%s)]", msg, msg_maj, msg_min);
}
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *mag_is_https = NULL;
+
+static int mag_post_config(apr_pool_t *cfg, apr_pool_t *log,
+ apr_pool_t *temp, server_rec *s)
+{
+ /* FIXME: create mutex to deal with connections and contexts ? */
+ mag_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+
+ return OK;
+}
+
+
struct mag_conn {
gss_ctx_id_t ctx;
bool established;
return OK;
}
+static bool mag_conn_is_https(conn_rec *c)
+{
+ if (mag_is_https) {
+ if (mag_is_https(c)) return true;
+ }
+
+ return false;
+}
+
static int mag_auth(request_rec *req)
{
const char *type;
cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
if (cfg->ssl_only) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
- "FIXME: check for ssl!");
+ if (!mag_conn_is_https(req->connection)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "Not a TLS connection, refusing to authenticate!");
+ goto done;
+ }
}
if (cfg->gss_conn_ctx) {
if (reply) {
memcpy(reply, "Negotiate ", 10);
apr_base64_encode(&reply[10], output.value, output.length);
- reply[replen] = '\0';
apr_table_add(req->err_headers_out,
"WWW-Authenticate", reply);
}
mag_register_hooks(apr_pool_t *p)
{
ap_hook_check_user_id(mag_auth, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_config(mag_post_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_pre_connection(mag_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
}