From: Simo Sorce
Date: Sun, 14 Jun 2015 22:23:16 +0000 (-0400)
Subject: Move the initial part of basic auth processing
X-Git-Tag: v1.3.0~17
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=commitdiff_plain;h=d499fea35e0c88e75dbaf5e0e072fdbc8f88febe
Move the initial part of basic auth processing
Consolidate and simplify AUTH BASIC Handling - Part 1. By moving all the special operation one for auth basic into its own segment we make the code simpler (less exceptions) and more readable.
Signed-off-by: Simo Sorce
---
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 24cee3d..3976eb2 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -469,13 +469,6 @@ static int mag_auth(request_rec *req)
 }
 }
 
- if (mc && mc->established && auth_type != AUTH_TYPE_BASIC) {
- /* if we are re-authenticating make sure the conn context
- * is cleaned up so we do not accidentally reuse an existing
- * established context */
- mag_conn_clear(mc);
- }
-
 switch (auth_type) {
 case AUTH_TYPE_NEGOTIATE:
 if (!parse_auth_header(req->pool, &auth_header, &input)) {
@@ -501,18 +494,55 @@ static int mag_auth(request_rec *req)
 ba_user.length = strlen(ba_user.value);
 ba_pwd.length = strlen(ba_pwd.value);
 
- if (mc && mc->established) {
- if (mag_basic_check(cfg, mc, ba_user, ba_pwd)) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
- "Already established BASIC AUTH context found!");
- mag_set_req_data(req, cfg, mc);
- ret = OK;
- goto done;
- } else {
- mag_conn_clear(mc);
- }
+ if (mc && mc->established &&
+ mag_basic_check(cfg, mc, ba_user, ba_pwd)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
+ "Already established BASIC AUTH context found!");
+ mag_set_req_data(req, cfg, mc);
+ ret = OK;
+ goto done;
+ }
+
+ break;
+
+ case AUTH_TYPE_RAW_NTLM:
+ if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
+ "NTLM Authentication is not allowed!");
+ goto done;
+ }
+
+ if (!parse_auth_header(req->pool, &auth_header, &input)) {
+ goto done;
 }
 
+ desired_mechs = discard_const(&gss_mech_set_ntlmssp);
+ break;
+
+ default:
+ goto done;
+ }
+
+ if (mc && mc->established) {
+ /* if we are re-authenticating make sure the conn context
+ * is cleaned up so we do not accidentally reuse an existing
+ * established context */
+ mag_conn_clear(mc);
+ }
+
+ req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]);
+
+#ifdef HAVE_CRED_STORE
+ if (cfg->use_s4u2proxy) {
+ cred_usage = GSS_C_BOTH;
+ }
+#endif
+ if (!mag_acquire_creds(req, cfg, desired_mechs,
+ cred_usage, &acquired_cred, NULL)) {
+ goto done;
+ }
+
+ if (auth_type == AUTH_TYPE_BASIC) {
 maj = gss_import_name(&min, &ba_user, GSS_C_NT_USER_NAME, &client);
 if (GSS_ERROR(maj)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req,
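Review bot: Moving the `mag_conn_clear(mc)` block below the `switch` means the early `goto done` exits inside it (the `is_mech_allowed` rejection, a failed `parse_auth_header`, and `default:`) now leave a previously established connection context in place, whereas the block removed near old line 469 cleared it for every non-Basic request before any header parsing. Whether that matters depends on what `done:` and later requests on the same connection do with `mc->established`, which is outside this hunk, so it should be confirmed that a rejected re-authentication attempt cannot keep serving the earlier identity. If the old behaviour is wanted, add `if (mc && mc->established) mag_conn_clear(mc);` ahead of those `goto done` lines; otherwise add a comment at the moved block stating that a failed re-auth deliberately keeps the existing context. `mag_auth` starts and ends outside this hunk.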
@@ -556,39 +586,7 @@ static int mag_auth(request_rec *req)
 goto done;
 }
 gss_release_name(&min, &client);
- break;
-
- case AUTH_TYPE_RAW_NTLM:
- if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
- "NTLM Authentication is not allowed!");
- goto done;
- }
-
- if (!parse_auth_header(req->pool, &auth_header, &input)) {
- goto done;
- }
-
- desired_mechs = discard_const(&gss_mech_set_ntlmssp);
- break;
 
- default:
- goto done;
- }
-
- req->ap_auth_type = apr_pstrdup(req->pool, auth_types[auth_type]);
-
-#ifdef HAVE_CRED_STORE
- if (cfg->use_s4u2proxy) {
- cred_usage = GSS_C_BOTH;
- }
-#endif
- if (!mag_acquire_creds(req, cfg, desired_mechs,
- cred_usage, &acquired_cred, NULL)) {
- goto done;
- }
-
- if (auth_type == AUTH_TYPE_BASIC) {
 if (cred_usage == GSS_C_BOTH) {
 /* If GSS_C_BOTH is used then inquire_cred will return the client
 * name instead of the SPN of the server credentials. Therefore we