From: Simo Sorce Date: Fri, 6 Mar 2015 14:30:51 +0000 (-0500) Subject: Remove forward basic auth and fix docs X-Git-Tag: v1.1.0~7 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_gssapi.git;a=commitdiff_plain;h=e6d9a30c889fe042cf3ad5073519f348dbe924f0 Remove forward basic auth and fix docs Fixes #8 --- diff --git a/README b/README index 903d199..6c37412 100644 --- a/README +++ b/README @@ -176,9 +176,19 @@ Example: ### GssapiBasicAuth Allows the use of Basic Auth in conjunction with Negotiate. -Two modes are supported, direct usage of the received username and password -to try to acquire credentials via GSSAPI, or forwarding to following apache -module. +If the browser fails to use Negotiate is will instead fallback to Basic and +the username and password will be used to try to acquire credentials in the +module via GSSAPI. If credentials are acquire successfully then they are +validated agaist the server's keytab. + +Enable with: GssapiBasicAuth On +Default: GssapiBasicAuth Off Example: - GssapiBasicAuth Forward + + AuthType GSSAPI + AuthName "Login" + GssapiBasicAuth On + GssapiCredStore keytab:/etc/httpd/http.keytab + Require valid-user + diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 4ba543e..aed0c3b 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c 
@@ -255,26 +255,14 @@ static int mag_auth(request_rec *req)
 input.value = apr_pcalloc(req->pool, input.length);
 if (!input.value) goto done;
 input.length = apr_base64_decode(input.value, auth_header_value);
- } else if (strcasecmp(auth_header_type, "Basic") == 0) {
+ } else if ((strcasecmp(auth_header_type, "Basic") == 0) &&
+ (cfg->use_basic_auth == true)) {
 auth_type = "Basic";
 is_basic = true;
 gss_buffer_desc ba_user;
 gss_buffer_desc ba_pwd;
- switch (cfg->basic_auth) {
- case BA_ON:
- /* handle directly */
- break;
- case BA_FORWARD:
- /* decline to handle ourselves, let other modules do it */
- ret = DECLINED;
- goto done;
- case BA_OFF:
- goto done;
- default:
- goto done;
- }
 ba_pwd.value = ap_pbase64decode(req->pool, auth_header);
 if (!ba_pwd.value) goto done;
 ba_user.value = ap_getword_nulls_nc(req->pool,
@@ -483,7 +471,7 @@ done:
 } else {
 apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate");
- if (cfg->basic_auth != BA_OFF) {
+ if (cfg->use_basic_auth) {
 apr_table_add(req->err_headers_out, "WWW-Authenticate", apr_psprintf(req->pool, "Basic realm=\"%s\"",
@@ -674,19 +662,11 @@ static const char *mag_deleg_ccache_dir(cmd_parms *parms, void *mconfig,
 return NULL;
 }
-static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig,
- const char *value)
+static const char *mag_use_basic_auth(cmd_parms *parms, void *mconfig, int on)
 {
 struct mag_config *cfg = (struct mag_config *)mconfig;
- if (strcasecmp(value, "on") == 0) {
- cfg->basic_auth = BA_ON;
- } else if (strcasecmp(value, "forward") == 0) {
- cfg->basic_auth = BA_FORWARD;
- } else {
- cfg->basic_auth = BA_OFF;
- }
-
+ cfg->use_basic_auth = on ? true : false;
 return NULL;
 }
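Review bot: With the directive test folded into the `else if` in mag_auth, a request that carries a Basic header while GssapiBasicAuth is Off no longer reaches an explicit `goto done`; it skips this branch and continues with whatever follows the chain, which is outside the hunk. Please confirm the chain ends in an `else { goto done; }` or equivalent, so that such a request cannot proceed with `auth_type` and `input` left unset. As a smaller style point, `(cfg->use_basic_auth == true)` can be written `cfg->use_basic_auth`, matching the test used in the `done:` hunk.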
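Review bot: The `Basic realm=...` challenge emitted under `if (cfg->use_basic_auth)` at `done:` invites the client to send a reusable password, and nothing visible in this hunk ties that offer to an encrypted connection. Whether mag_auth has already refused plain-HTTP requests before reaching `done:` is outside the hunk, so this is worth confirming. A short comment at this spot would make the expectation explicit, for example `/* Basic carries the password itself; only offer it where the transport is TLS (see GssapiSSLonly) */`.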
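Review bot: `on ? true : false` in mag_use_basic_auth is redundant; `cfg->use_basic_auth = (on != 0);` says the same thing more directly. Now that the three-way parsing is gone, a one-line comment above the function, such as `/* GssapiBasicAuth On|Off: allow Basic credentials to be tried via GSSAPI */`, would document what the flag controls.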
@@ -712,7 +692,7 @@ static const command_rec mag_commands[] = {
 OR_AUTHCFG, "Directory to store delegated credentials"),
 #endif
 #ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD
- AP_INIT_TAKE1("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG,
+ AP_INIT_FLAG("GssapiBasicAuth", mag_use_basic_auth, NULL, OR_AUTHCFG,
 "Allows use of Basic Auth for authentication"),
 #endif
 { NULL }
diff --git a/src/mod_auth_gssapi.h b/src/mod_auth_gssapi.h
index 9ebadcc..efe230d 100644
--- a/src/mod_auth_gssapi.h
+++ b/src/mod_auth_gssapi.h
@@ -43,11 +43,7 @@ struct mag_config {
 char *deleg_ccache_dir;
 gss_key_value_set_desc *cred_store;
 struct seal_key *mag_skey;
- enum {
- BA_OFF = 0,
- BA_FORWARD = 1,
- BA_ON = 2
- } basic_auth;
+ bool use_basic_auth;
 };
 struct mag_conn {
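Review bot: Because the `GssapiBasicAuth` entry in mag_commands is now an `AP_INIT_FLAG`, a configuration that still contains `GssapiBasicAuth Forward` should be rejected by Apache at startup instead of being read as a mode. That fails closed, but neither the help string nor the commit message mentions it. Consider stating the accepted values in the description, e.g. `"Allows use of Basic Auth for authentication (On/Off)"`, and calling out the removed value in the release notes. The entry sits inside `#ifdef HAVE_GSS_ACQUIRE_CRED_WITH_PASSWORD`, so the directive is absent on builds without that function.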