X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=blobdiff_plain;f=src%2Fmod_auth_gssapi.c;h=66c86595b6cdbca3bb4d8253d51149d2917ebcff;hp=79d62cd9a1af977749c13d89e7173ac8ebf4f52b;hb=5cd4e8a90f3db84e57a25570ffdfeaffcf908b6c;hpb=8cabd1e6ac6c300f7e603cd61f1a8a7a7da7fb8f

diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 79d62cd..66c8659 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -288,6 +288,28 @@ const char *auth_types[] = {
     NULL
 };
 
+static void mag_set_req_data(request_rec *req,
+                             struct mag_config *cfg,
+                             struct mag_conn *mc)
+{
+    apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name);
+    apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION",
+                  apr_psprintf(req->pool,
+                               "%ld", (long)mc->expiration));
+    req->ap_auth_type = apr_pstrdup(req->pool,
+                                    auth_types[mc->auth_type]);
+    req->user = apr_pstrdup(req->pool, mc->user_name);
+    if (cfg->deleg_ccache_dir && mc->delegated) {
+        char *ccname;
+        ccname = mag_gss_name_to_ccache_name(req,
+                                             cfg->deleg_ccache_dir,
+                                             mc->gss_name);
+        if (ccname) {
+            mag_set_KRB5CCANME(req, ccname);
+        }
+    }
+}
+
 static int mag_auth(request_rec *req)
 {
     const char *type;
@@ -397,31 +419,18 @@ static int mag_auth(request_rec *req)
         mag_check_session(req, cfg, &mc);
     }
 
+    auth_header = apr_table_get(req->headers_in, "Authorization");
+
     if (mc) {
         /* register the context in the memory pool, so it can be freed
          * when the connection/request is terminated */
-        apr_pool_userdata_set(mc, "mag_conn_ptr",
-                              mag_conn_destroy, mc->parent);
+        apr_pool_cleanup_register(mc->parent, (void *) mc,
+                                  mag_conn_destroy, apr_pool_cleanup_null);
 
-        if (mc->established) {
+        if (mc->established && !auth_header) {
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
                           "Already established context found!");
-            apr_table_set(req->subprocess_env, "GSS_NAME", mc->gss_name);
-            apr_table_set(req->subprocess_env, "GSS_SESSION_EXPIRATION",
-                          apr_psprintf(req->pool,
-                                       "%ld", (long)mc->expiration));
-            req->ap_auth_type = apr_pstrdup(req->pool,
-                                            auth_types[mc->auth_type]);
-            req->user = apr_pstrdup(req->pool, mc->user_name);
-            if (cfg->deleg_ccache_dir && mc->delegated) {
-                char *ccname;
-                ccname = mag_gss_name_to_ccache_name(req,
-                                                     cfg->deleg_ccache_dir,
-                                                     mc->gss_name);
-                if (ccname) {
-                    mag_set_KRB5CCANME(req, ccname);
-                }
-            }
+            mag_set_req_data(req, cfg, mc);
             ret = OK;
             goto done;
         }
@@ -430,7 +439,7 @@ static int mag_auth(request_rec *req)
         pctx = &ctx;
     }
 
-    auth_header = apr_table_get(req->headers_in, "Authorization");
+    /* We can proceed only if we do have an auth header */
     if (!auth_header) goto done;
 
     auth_header_type = ap_getword_white(req->pool, &auth_header);
@@ -467,6 +476,16 @@ static int mag_auth(request_rec *req)
         }
         ba_user.length = strlen(ba_user.value);
         ba_pwd.length = strlen(ba_pwd.value);
+
+        if (mc && mc->established &&
+            mag_basic_check(cfg, mc, ba_user, ba_pwd)) {
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
+                          "Already established BASIC AUTH context found!");
+            mag_set_req_data(req, cfg, mc);
+            ret = OK;
+            goto done;
+        }
+
         maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client);
         if (GSS_ERROR(maj)) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
@@ -609,10 +628,6 @@ static int mag_auth(request_rec *req)
         goto done;
     }
     if (auth_type == AUTH_TYPE_BASIC) {
-        if (mc) {
-            apr_pool_cleanup_run(mc->parent, mc, mag_conn_destroy);
-            mc = NULL;
-        }
         while (maj == GSS_S_CONTINUE_NEEDED) {
             gss_release_buffer(&min, &input);
             /* output and input are inverted here, this is intentional */
@@ -644,7 +659,6 @@ static int mag_auth(request_rec *req)
                           "Mechanism needs continuation but neither "
                           "GssapiConnectionBound nor "
                           "GssapiUseSessions are available");
-            gss_delete_sec_context(&min, pctx, GSS_C_NO_BUFFER);
             gss_release_buffer(&min, &output);
             output.length = 0;
         }
@@ -703,10 +717,13 @@ static int mag_auth(request_rec *req)
             vtime = MIN_SESS_EXP_TIME;
         }
         mc->expiration = expiration;
+        mc->auth_type = auth_type;
+        if (auth_type == AUTH_TYPE_BASIC) {
+            mag_basic_cache(cfg, mc, ba_user, ba_pwd);
+        }
         if (cfg->use_sessions) {
             mag_attempt_session(req, cfg, mc);
         }
-        mc->auth_type = auth_type;
     }
 
     if (cfg->send_persist)
@@ -750,7 +767,9 @@ done:
         }
     }
 #endif
-    gss_delete_sec_context(&min, &user_ctx, &output);
+    if (ctx != GSS_C_NO_CONTEXT)
+        gss_delete_sec_context(&min, &ctx, GSS_C_NO_BUFFER);
+    gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER);
     gss_release_cred(&min, &user_cred);
     gss_release_cred(&min, &acquired_cred);
     gss_release_cred(&min, &delegated_cred);