1 /***************************************************************************
2 Included Headers And Module Declaration
3 ***************************************************************************/
8 #include "http_config.h"
11 #include "http_protocol.h"
12 #include "http_request.h"
14 module kerb_auth_module;
17 #include "apr_strings.h"
19 #include "ap_config.h"
21 #include "http_config.h"
22 #include "http_core.h"
24 #include "http_protocol.h"
25 #include "http_request.h"
27 module AP_MODULE_DECLARE_DATA kerb_auth_module;
43 /***************************************************************************
44 Macros To Ease Compatibility
45 ***************************************************************************/
48 #define MK_TABLE_GET ap_table_get
49 #define MK_TABLE_SET ap_table_set
50 #define MK_TABLE_TYPE table
51 #define MK_PSTRDUP ap_pstrdup
52 #define MK_PROXY STD_PROXY
53 #define MK_USER r->connection->user
54 #define MK_AUTH_TYPE r->connection->ap_auth_type
55 #define MK_ARRAY_HEADER array_header
58 #define MK_POOL apr_pool_t
59 #define MK_TABLE_GET apr_table_get
60 #define MK_TABLE_SET apr_table_set
61 #define MK_TABLE_TYPE apr_table_t
62 #define MK_PSTRDUP apr_pstrdup
63 #define MK_PROXY PROXYREQ_PROXY
64 #define MK_USER r->user
65 #define MK_AUTH_TYPE r->ap_auth_type
66 #define MK_ARRAY_HEADER apr_array_header_t
73 /***************************************************************************
74 Auth Configuration Structure
75 ***************************************************************************/
84 int krb_authoritative;
85 char *krb_default_realm;
87 char *krb_force_instance;
95 int krb_save_credentials;
101 gss_ctx_id_t context;
102 gss_cred_id_t server_creds;
105 static gss_connection_t *gss_connection = NULL;
108 cleanup_gss_connection(void *data)
110 OM_uint32 minor_status;
111 gss_connection_t *gss_conn = (gss_connection_t *)data;
115 if (gss_conn->context != GSS_C_NO_CONTEXT)
116 gss_delete_sec_context(&minor_status, &gss_conn->context,
118 if (gss_conn->server_creds != GSS_C_NO_CREDENTIAL)
119 gss_release_cred(&minor_status, &gss_conn->server_creds);
124 /***************************************************************************
125 Auth Configuration Initialization
126 ***************************************************************************/
127 static void *kerb_dir_config(MK_POOL *p, char *d)
130 rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config));
131 ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED;
132 ((kerb_auth_config *)rec)->krb_authoritative = 0;
133 ((kerb_auth_config *)rec)->krb_auth_type = MK_PSTRDUP(p, "None");
140 /***************************************************************************
141 Auth Configuration Parsers
142 ***************************************************************************/
143 static const char *kerb_set_fail_slot(cmd_parms *cmd, void *struct_ptr,
146 int offset = (int) (long) cmd->info;
147 if (!strncasecmp(arg, "unauthorized", 12))
148 *(int *) ((char *)struct_ptr + offset) = HTTP_UNAUTHORIZED;
149 else if (!strncasecmp(arg, "forbidden", 9))
150 *(int *) ((char *)struct_ptr + offset) = HTTP_FORBIDDEN;
151 else if (!strncasecmp(arg, "declined", 8))
152 *(int *) ((char *)struct_ptr + offset) = DECLINED;
154 return "KrbAuthFailStatus must be Forbidden, Unauthorized, or Declined.";
158 /* these are either char *struct_ptr, char *arg or void *struct_ptr, const char *arg */
159 static const char *kerb_set_type_slot(cmd_parms *cmd, void *struct_ptr,
162 int offset = (int) (long) cmd->info;
164 if (!strncasecmp(arg, "v5", 2))
165 *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosV5");
169 if (!strncasecmp(arg, "v4", 2))
170 *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosV4");
173 if (!strncasecmp(arg, "dualv5v4", 8))
174 *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosDualV5V4");
176 (!strncasecmp(arg, "dualv4v5", 8))
177 *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosDualV4V5");
178 #if defined(KRB4) && defined(KRB5)
179 #endif /* KRB4 && KRB5 */
181 return "AuthKerberos must be V5, V4, DualV4V5, or DualV5V4.";
188 /***************************************************************************
189 Auth Configuration Commands
190 ***************************************************************************/
192 command_rec kerb_auth_cmds[] = {
196 (void*)XtOffsetOf(kerb_auth_config, krb_auth_type),
199 "Permit Kerberos auth without AuthType requirement."
206 (void*)XtOffsetOf(kerb_auth_config, krb_4_srvtab),
207 RSRC_CONF & ACCESS_CONF,
209 "Location of Kerberos V4 srvtab file."
217 (void*)XtOffsetOf(kerb_auth_config, krb_5_keytab),
218 RSRC_CONF & ACCESS_CONF,
220 "Location of Kerberos V5 keytab file."
227 (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
230 "Refuse to pass request down to lower modules."
236 (void*)XtOffsetOf(kerb_auth_config, krb_default_realm),
239 "Default realm to authenticate users against."
245 (void*)XtOffsetOf(kerb_auth_config, krb_fail_status),
248 "If auth fails, return status set here."
254 (void*)XtOffsetOf(kerb_auth_config, krb_force_instance),
257 "Force authentication against an instance specified here."
264 (void*)XtOffsetOf(kerb_auth_config, krb_forwardable),
267 "Credentials retrieved will be flagged as forwardable."
274 (void*)XtOffsetOf(kerb_auth_config, krb_lifetime),
277 "Lifetime of tickets retrieved."
284 (void*)XtOffsetOf(kerb_auth_config, krb_renewable),
287 "Credentials retrieved will be renewable for this length."
292 "KrbSaveCredentials",
294 (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
297 "Save and store credentials/tickets retrieved during auth."
303 (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
306 "Alias for KrbSaveCredentials."
312 (void*)XtOffsetOf(kerb_auth_config, krb_tmp_dir),
313 RSRC_CONF & ACCESS_CONF,
315 "Path to store ticket files and such in."
322 static const command_rec kerb_auth_cmds[] = {
326 (void*)APR_XtOffsetOf(kerb_auth_config, krb_auth_type),
328 "Permit Kerberos auth without AuthType requirement."
335 (void*)APR_XtOffsetOf(kerb_auth_config, krb_4_srvtab),
336 RSRC_CONF & ACCESS_CONF,
337 "Location of Kerberos V4 srvtab file."
345 (void*)APR_XtOffsetOf(kerb_auth_config, krb_5_keytab),
346 RSRC_CONF & ACCESS_CONF,
347 "Location of Kerberos V5 keytab file."
354 (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
356 "Refuse to pass request down to lower modules."
362 (void*)APR_XtOffsetOf(kerb_auth_config, krb_default_realm),
364 "Default realm to authenticate users against."
370 (void*)APR_XtOffsetOf(kerb_auth_config, krb_fail_status),
372 "If auth fails, return status set here."
378 (void*)APR_XtOffsetOf(kerb_auth_config, krb_force_instance),
380 "Force authentication against an instance specified here."
387 (void*)APR_XtOffsetOf(kerb_auth_config, krb_forwardable),
389 "Credentials retrieved will be flagged as forwardable."
396 (void*)APR_XtOffsetOf(kerb_auth_config, krb_lifetime),
398 "Lifetime of tickets retrieved."
405 (void*)APR_XtOffsetOf(kerb_auth_config, krb_renewable),
407 "Credentials retrieved will be renewable for this length."
412 "KrbSaveCredentials",
414 (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
416 "Save and store credentials/tickets retrieved during auth."
422 (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
424 "Alias for KrbSaveCredentials."
430 (void*)APR_XtOffsetOf(kerb_auth_config, krb_tmp_dir),
431 RSRC_CONF & ACCESS_CONF,
432 "Path to store ticket files and such in."
443 /***************************************************************************
444 Username/Password Validation
445 ***************************************************************************/
447 int kerb5_password_validate(request_rec *r, const char *user, const char *pass)
449 kerb_auth_config *conf =
450 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
453 krb5_context kcontext;
454 krb5_principal server, me;
457 krb5_ccache ccache = NULL;
458 krb5_deltat lifetime = 300; /* 5 minutes */
459 krb5_deltat renewal = 0;
460 krb5_flags options = 0;
461 krb5_data tgtname = {
468 char *c, ccname[MAX_STRING_LEN];
470 if (krb5_init_context(&kcontext))
473 if (conf->krb_save_credentials) {
474 lifetime = 1800; /* 30 minutes */
476 if (conf->krb_forwardable) {
477 options |= KDC_OPT_FORWARDABLE;
480 if (conf->krb_renewable) {
481 options |= KDC_OPT_RENEWABLE;
482 renewal = 86400; /* 24 hours */
485 sprintf(ccname, "FILE:%s/k5cc_ap_%s",
486 conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp",
489 for (c = ccname + strlen(conf->krb_tmp_dir ? conf->krb_tmp_dir :
490 "/tmp") + 1; *c; c++) {
495 ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
496 if (krb5_cc_set_default_name(kcontext, ccname)) {
499 unlink(ccname+strlen("FILE:"));
502 if (conf->krb_lifetime) {
503 lifetime = atoi(conf->krb_lifetime);
506 memset((char *)&my_creds, 0, sizeof(my_creds));
507 if(krb5_parse_name(kcontext, user, &me))
509 my_creds.client = me;
513 if (krb5_build_principal_ext(kcontext, &server,
514 krb5_princ_realm(kcontext, me)->length,
515 krb5_princ_realm(kcontext, me)->data,
516 tgtname.length, tgtname.data,
517 krb5_princ_realm(kcontext, me)->length,
518 krb5_princ_realm(kcontext, me)->data,
523 my_creds.server = server;
524 if (krb5_timeofday(kcontext, &now))
526 my_creds.times.starttime = 0;
527 my_creds.times.endtime = now + lifetime;
528 my_creds.times.renew_till = now + renewal;
530 if (conf->krb_save_credentials) {
531 if (krb5_cc_resolve(kcontext, ccname, &ccache))
534 if (krb5_cc_initialize(kcontext, ccache, me))
538 ret = krb5_get_in_tkt_with_password(kcontext, options, 0, NULL, 0,
539 pass, ccache, &my_creds, 0);
544 krb5_free_cred_contents(kcontext, &my_creds);
551 int kerb4_password_validate(request_rec *r, const char *user, const char *pass)
553 kerb_auth_config *conf =
554 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
557 int lifetime = DEFAULT_TKT_LIFE;
559 char *username = NULL;
560 char *instance = NULL;
563 username = (char *)ap_pstrdup(r->pool, user);
568 instance = strchr(username, '.');
576 realm = strchr(username, '@');
584 if (conf->krb_lifetime) {
585 lifetime = atoi(conf->krb_lifetime);
588 if (conf->krb_force_instance) {
589 instance = conf->krb_force_instance;
592 if (conf->krb_save_credentials) {
593 tfname = (char *)malloc(sizeof(char) * MAX_STRING_LEN);
594 sprintf(tfname, "%s/k5cc_ap_%s",
595 conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp",
598 if (!strcmp(instance, "")) {
599 tfname = strcat(tfname, ".");
600 tfname = strcat(tfname, instance);
603 if (!strcmp(realm, "")) {
604 tfname = strcat(tfname, ".");
605 tfname = strcat(tfname, realm);
608 for (c = tfname + strlen(conf->krb_tmp_dir ? conf->krb_tmp_dir :
609 "/tmp") + 1; *c; c++) {
614 krb_set_tkt_string(tfname);
617 if (!strcmp(realm, "")) {
618 realm = (char *)malloc(sizeof(char) * (REALM_SZ + 1));
619 ret = krb_get_lrealm(realm, 1);
624 ret = krb_get_pw_in_tkt((char *)user, instance, realm, "krbtgt", realm,
625 lifetime, (char *)pass);
640 get_gss_creds(request_rec *r,
641 kerb_auth_config *conf,
642 gss_cred_id_t *server_creds)
645 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
646 OM_uint32 major_status, minor_status;
647 gss_name_t server_name = GSS_C_NO_NAME;
649 if (conf->service_name) {
650 input_token.value = conf->service_name;
651 input_token.length = strlen(conf->service_name) + 1;
654 input_token.value = "khttp";
655 input_token.length = 6;
657 major_status = gss_import_name(&minor_status, &input_token,
658 (conf->service_name) ?
659 GSS_C_NT_USER_NAME : GSS_C_NT_HOSTBASED_SERVICE,
661 if (GSS_ERROR(major_status)) {
662 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
663 "%s", get_gss_error(r->pool, minor_status,
664 "gss_import_name() failed"));
670 if (conf->krb_5_keytab)
671 setenv("KRB5_KTNAME", conf->krb_5_keytab, 1);
674 major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
675 GSS_C_NO_OID_SET, GSS_C_ACCEPT,
676 server_creds, NULL, NULL);
678 if (conf->krb_5_keytab)
679 unsetenv("KRB5_KTNAME");
681 if (GSS_ERROR(major_status)) {
682 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
683 "%s", get_gss_error(r->pool, minor_status,
684 "gss_acquire_cred() failed"));
698 negotiate_authenticate_user(request_rec *r,
699 kerb_auth_config *conf,
700 const char *auth_line)
702 OM_uint32 major_status, minor_status, minor_status2;
703 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
704 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
705 const char *auth_param = NULL;
706 krb5_context krb_ctx = NULL;
708 gss_name_t client_name = GSS_C_NO_NAME;
709 gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
712 if (gss_connection == NULL) {
713 gss_connection = ap_pcalloc(r->connection->pool, sizeof(*gss_connection));
714 if (gss_connection == NULL) {
715 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
716 "ap_pcalloc() failed");
720 memset(gss_connection, 0, sizeof(*gss_connection));
721 ap_register_cleanup(r->connection->pool, gss_connection, cleanup_gss_connection, ap_null_cleanup);
724 if (gss_connection->server_creds == GSS_C_NO_CREDENTIAL) {
725 ret = get_gss_creds(r, conf, &gss_connection->server_creds);
730 /* ap_getword() shifts parameter */
731 auth_param = ap_getword_white(r->pool, &auth_line);
732 if (auth_param == NULL) {
733 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
734 "No Authorization parameter from client");
735 ret = HTTP_UNAUTHORIZED;
739 input_token.length = ap_base64decode_len(auth_param);
740 input_token.value = ap_pcalloc(r->connection->pool, input_token.length);
741 if (input_token.value == NULL) {
742 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
743 "Not enough memory");
747 input_token.length = ap_base64decode(input_token.value, auth_param);
749 major_status = gss_accept_sec_context(&minor_status,
750 &gss_connection->context,
751 gss_connection->server_creds,
753 GSS_C_NO_CHANNEL_BINDINGS,
760 if (output_token.length) {
764 len = ap_base64encode_len(output_token.length);
765 token = ap_pcalloc(r->connection->pool, len + 1);
767 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
768 "Not enough memory");
770 gss_release_buffer(&minor_status2, &output_token);
773 ap_base64encode(token, output_token.value, output_token.length);
775 ap_table_set(r->err_headers_out, "WWW-Authenticate",
776 ap_pstrcat(r->pool, "GSS-Negotiate ", token, NULL));
778 gss_release_buffer(&minor_status2, &output_token);
781 if (GSS_ERROR(major_status)) {
782 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
783 "%s", get_gss_error(r->pool, minor_status,
784 "gss_accept_sec_context() failed"));
785 ret = HTTP_UNAUTHORIZED;
789 if (major_status & GSS_S_CONTINUE_NEEDED) {
791 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
792 "only one authentication iteration allowed");
794 ret = HTTP_UNAUTHORIZED;
798 major_status = gss_export_name(&minor_status, client_name, &output_token);
799 gss_release_name(&minor_status, &client_name);
800 if (GSS_ERROR(major_status)) {
801 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
802 "%s", get_gss_error(r->pool, minor_status,
803 "gss_export_name() failed"));
808 r->connection->ap_auth_type = "Negotiate";
809 r->connection->user = ap_pstrdup(r->pool, output_token.value);
811 /* If the user comes from a realm specified by configuration don't include
812 its realm name in the username so that the authorization routine could
813 work for both Password-based and Ticket-based authentication. It's
814 administrators responsibility to include only such realm that have
815 unified principal instances, i.e. if the same principal name occures in
816 multiple realms, it must be always assigned to a single user.
818 p = strchr(r->connection->user, '@');
820 const char *realms = conf->gss_krb5_realms;
822 while (realms && *realms) {
823 if (strcmp(p+1, ap_getword_white(r->pool, &realms)) == 0) {
831 gss_release_buffer(&minor_status, &output_token);
834 /* This should be only done if afs token are requested or gss_save creds is
836 /* gss_export_cred() from the GGF GSS Extensions could be used */
837 if (delegated_cred != GSS_C_NO_CREDENTIAL &&
838 (conf->gss_save_creds || (conf->gss_krb5_cells && k_hasafs()))) {
839 krb5_init_context(&krb_ctx);
840 do_afs_log(krb_ctx, r, delegated_cred->ccache, conf->gss_krb5_cells);
841 ret = store_krb5_creds(krb_ctx, r, conf, delegated_cred->ccache);
842 krb5_free_context(krb_ctx);
851 gss_release_cred(&minor_status, &delegated_cred);
853 if (output_token.length)
854 gss_release_buffer(&minor_status, &output_token);
856 if (client_name != GSS_C_NO_NAME)
857 gss_release_name(&minor_status, &client_name);
863 /***************************************************************************
865 ***************************************************************************/
866 int kerb_authenticate_user(request_rec *r)
868 const char *name; /* AuthName specified */
869 const char *type; /* AuthType specified */
870 int KerberosV5 = 0; /* Kerberos V5 check enabled */
871 int KerberosV4 = 0; /* Kerberos V4 check enabled */
872 int KerberosV4first = 0; /* Kerberos V4 check first */
873 const char *sent_pw; /* Password sent by browser */
874 int res; /* Response holder */
875 int retcode; /* Return code holder */
876 const char *t; /* Decoded auth_line */
877 const char *authtype; /* AuthType to send back to browser */
878 const char *auth_line = MK_TABLE_GET(r->headers_in,
879 (r->proxyreq == MK_PROXY)
880 ? "Proxy-Authorization"
882 kerb_auth_config *conf =
883 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
886 type = ap_auth_type(r);
890 if ((strncasecmp(type, "KerberosV5", 10) == 0) ||
891 (strncasecmp(conf->krb_auth_type, "KerberosV5", 10) == 0)) {
897 if ((strncasecmp(type, "KerberosV4", 10) == 0) ||
898 (strncasecmp(conf->krb_auth_type, "KerberosV4", 10) == 0)) {
903 #if defined(KRB5) && defined(KRB4)
904 if ((strncasecmp(type, "KerberosDualV5V4", 15) == 0) ||
905 (strncasecmp(conf->krb_auth_type, "KerberosDualV5V4", 15) == 0)) {
910 if ((strncasecmp(type, "KerberosDualV4V5", 15) == 0) ||
911 (strncasecmp(conf->krb_auth_type, "KerberosDualV4V5", 15) == 0)) {
916 #endif /* KRB5 && KRB4 */
919 if (!KerberosV4 && !KerberosV5) {
920 if (conf->krb_authoritative) {
921 return HTTP_UNAUTHORIZED;
928 name = ap_auth_name(r);
930 return HTTP_INTERNAL_SERVER_ERROR;
934 MK_TABLE_SET(r->err_headers_out, "WWW-Authenticate",
935 (char *)ap_pstrcat(r->pool,
936 "Basic realm=\"", name, "\"", NULL));
937 return HTTP_UNAUTHORIZED;
940 type = ap_getword_white(r->pool, &auth_line);
941 t = ap_pbase64decode(r->pool, auth_line);
942 MK_USER = ap_getword_nulls(r->pool, &t, ':');
943 MK_AUTH_TYPE = "Kerberos";
944 sent_pw = ap_getword_white(r->pool, &t);
949 if (KerberosV5 && !KerberosV4first && retcode != OK) {
950 MK_AUTH_TYPE = "KerberosV5";
951 if (kerb5_password_validate(r, MK_USER, sent_pw)) {
955 retcode = conf->krb_fail_status;
961 if (KerberosV4 && retcode != OK) {
962 MK_AUTH_TYPE = "KerberosV4";
963 if (kerb4_password_validate(r, MK_USER, sent_pw)) {
967 retcode = conf->krb_fail_status;
972 #if defined(KRB5) && defined(KRB4)
973 if (KerberosV5 && KerberosV4first && retcode != OK) {
974 MK_AUTH_TYPE = "KerberosV5";
975 if (kerb5_password_validate(r, MK_USER, sent_pw)) {
979 retcode = conf->krb_fail_status;
982 #endif /* KRB5 && KRB4 */
984 if (conf->krb_authoritative && retcode == DECLINED) {
985 return HTTP_UNAUTHORIZED;
995 /***************************************************************************
997 ***************************************************************************/
998 int kerb_check_user_access(request_rec *r)
1002 const MK_ARRAY_HEADER *reqs_arr = ap_requires(r);
1004 kerb_auth_config *conf =
1005 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
1008 if (reqs_arr == NULL) {
1011 reqs = (require_line *)reqs_arr->elts;
1013 for (x = 0; x < reqs_arr->nelts; x++) {
1014 t = reqs[x].requirement;
1015 w = ap_getword_white(r->pool, &t);
1016 if (strcmp(w, "realm") == 0) {
1017 while (t[0] != '\0') {
1018 w = ap_getword_conf(r->pool, &t);
1019 if (strcmp(MK_USER, w) == 0) {
1032 /***************************************************************************
1033 Module Setup/Configuration
1034 ***************************************************************************/
1036 module MODULE_VAR_EXPORT kerb_auth_module = {
1037 STANDARD_MODULE_STUFF,
1038 NULL, /* module initializer */
1039 kerb_dir_config, /* per-directory config creator */
1040 NULL, /* per-directory config merger */
1041 NULL, /* per-server config creator */
1042 NULL, /* per-server config merger */
1043 kerb_auth_cmds, /* command table */
1044 NULL, /* [ 9] content handlers */
1045 NULL, /* [ 2] URI-to-filename translation */
1046 kerb_authenticate_user, /* [ 5] check/validate user_id */
1047 kerb_check_user_access, /* [ 6] check user_id is valid *here* */
1048 NULL, /* [ 4] check access by host address */
1049 NULL, /* [ 7] MIME type checker/setter */
1050 NULL, /* [ 8] fixups */
1051 NULL, /* [10] logger */
1052 NULL, /* [ 3] header parser */
1053 NULL, /* process initialization */
1054 NULL, /* process exit/cleanup */
1055 NULL /* [ 1] post read_request handling */
1057 , /* EAPI Additions */
1058 NULL, /* EAPI add module */
1059 NULL, /* EAPI remove module */
1060 NULL, /* EAPI rewrite command */
1061 NULL /* EAPI new connection */
1066 void kerb_register_hooks(apr_pool_t *p)
1068 ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
1069 ap_hook_access_checker(kerb_check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
1072 module AP_MODULE_DECLARE_DATA kerb_auth_module =
1074 STANDARD20_MODULE_STUFF,
1075 kerb_dir_config, /* create per-dir conf structures */
1076 NULL, /* merge per-dir conf structures */
1077 NULL, /* create per-server conf structures */
1078 NULL, /* merge per-server conf structures */
1079 kerb_auth_cmds, /* table of configuration directives */
1080 kerb_register_hooks /* register hooks */