struct mag_config *cfg,
gss_buffer_desc ba_user,
gss_buffer_desc ba_pwd,
- gss_cred_usage_t cred_usage,
gss_name_t *client,
gss_OID *mech_type,
gss_cred_id_t *delegated_cred,
gss_name_t server = GSS_C_NO_NAME;
gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT;
- gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL;
gss_buffer_desc input = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
gss_OID_set allowed_mechs;
/* must acquire creds based on the actual mechs we want to try */
if (!mag_acquire_creds(req, cfg, actual_mechs,
- cred_usage, &acquired_cred, NULL)) {
+ GSS_C_ACCEPT, &server_cred, NULL)) {
goto done;
}
- if (cred_usage == GSS_C_BOTH) {
- /* must acquire with GSS_C_ACCEPT to get the server name */
- if (!mag_acquire_creds(req, cfg, actual_mechs,
- GSS_C_ACCEPT, &server_cred, NULL)) {
- goto done;
- }
- } else {
- server_cred = acquired_cred;
- }
-
#ifdef HAVE_CRED_STORE
if (cfg->deleg_ccache_dir) {
/* delegate ourselves credentials so we store them as requested */
break;
}
gss_release_buffer(&min, &output);
- maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred,
+ maj = gss_accept_sec_context(&min, &server_ctx, server_cred,
&input, GSS_C_NO_CHANNEL_BINDINGS,
client, mech_type, &output, NULL,
vtime, delegated_cred);
gss_release_buffer(&min, &output);
gss_release_buffer(&min, &input);
gss_release_name(&min, &server);
- if (server_cred != acquired_cred)
- gss_release_cred(&min, &server_cred);
gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER);
- gss_release_cred(&min, &acquired_cred);
+ gss_release_cred(&min, &server_cred);
gss_release_name(&min, &user);
gss_release_cred(&min, &user_cred);
gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER);
return req_cfg;
}
+#ifdef HAVE_CRED_STORE
static bool use_s4u2proxy(struct mag_req_cfg *req_cfg) {
if (req_cfg->cfg->use_s4u2proxy) {
if (req_cfg->cfg->deleg_ccache_dir != NULL) {
}
return false;
}
+#endif
static int mag_auth(request_rec *req)
{
gss_buffer_desc lname = GSS_C_EMPTY_BUFFER;
struct mag_conn *mc = NULL;
int i;
+ bool send_auth_header = true;
type = ap_auth_type(req);
if ((type == NULL) || (strcasecmp(type, "GSSAPI") != 0)) {
auth_header_type = ap_getword_white(req->pool, &auth_header);
if (!auth_header_type) goto done;
+ /* We got auth header, sending auth header would mean re-auth */
+ send_auth_header = !cfg->negotiate_once;
+
for (i = 0; auth_types[i] != NULL; i++) {
if (strcasecmp(auth_header_type, auth_types[i]) == 0) {
auth_type = i;
if (auth_type == AUTH_TYPE_BASIC) {
if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
- cred_usage, &client, &mech_type,
+ &client, &mech_type,
&delegated_cred, &vtime)) {
goto complete;
}
apr_table_add(req->err_headers_out, req_cfg->rep_proto, reply);
}
} else if (ret == HTTP_UNAUTHORIZED) {
- apr_table_add(req->err_headers_out, req_cfg->rep_proto, "Negotiate");
-
- if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
- cfg->gss_conn_ctx)) {
- apr_table_add(req->err_headers_out, req_cfg->rep_proto, "NTLM");
+ if (send_auth_header) {
+ apr_table_add(req->err_headers_out,
+ req_cfg->rep_proto, "Negotiate");
+ if (is_mech_allowed(desired_mechs, gss_mech_ntlmssp,
+ cfg->gss_conn_ctx)) {
+ apr_table_add(req->err_headers_out, req_cfg->rep_proto,
+ "NTLM");
+ }
}
if (cfg->use_basic_auth) {
apr_table_add(req->err_headers_out, req_cfg->rep_proto,
return NULL;
}
+static const char *mag_negotiate_once(cmd_parms *parms, void *mconfig, int on)
+{
+ struct mag_config *cfg = (struct mag_config *)mconfig;
+
+ cfg->negotiate_once = on ? true : false;
+ return NULL;
+}
+
#define GSS_NAME_ATTR_USERDATA "GSS Name Attributes Userdata"
static apr_status_t mag_name_attrs_cleanup(void *data)
#endif
AP_INIT_ITERATE("GssapiAllowedMech", mag_allow_mech, NULL, OR_AUTHCFG,
"Allowed Mechanisms"),
+ AP_INIT_FLAG("GssapiNegotiateOnce", mag_negotiate_once, NULL, OR_AUTHCFG,
+ "Don't resend negotiate header on negotiate failure"),
AP_INIT_RAW_ARGS("GssapiNameAttributes", mag_name_attrs, NULL, OR_AUTHCFG,
"Name Attributes to be exported as environ variables"),
{ NULL }