1 /***************************************************************************
2 Included Headers And Module Declaration
3 ***************************************************************************/
8 #include "http_config.h"
11 #include "http_protocol.h"
12 #include "http_request.h"
14 module kerb_auth_module;
17 #include "apr_strings.h"
19 #include "ap_config.h"
21 #include "http_config.h"
22 #include "http_core.h"
24 #include "http_protocol.h"
25 #include "http_request.h"
27 module AP_MODULE_DECLARE_DATA kerb_auth_module;
43 /***************************************************************************
44 Macros To Ease Compatibility
45 ***************************************************************************/
48 #define MK_TABLE_GET ap_table_get
49 #define MK_TABLE_SET ap_table_set
50 #define MK_TABLE_TYPE table
51 #define MK_PSTRDUP ap_pstrdup
52 #define MK_PROXY STD_PROXY
53 #define MK_USER r->connection->user
54 #define MK_AUTH_TYPE r->connection->ap_auth_type
55 #define MK_ARRAY_HEADER array_header
58 #define MK_POOL apr_pool_t
59 #define MK_TABLE_GET apr_table_get
60 #define MK_TABLE_SET apr_table_set
61 #define MK_TABLE_TYPE apr_table_t
62 #define MK_PSTRDUP apr_pstrdup
63 #define MK_PROXY PROXYREQ_PROXY
64 #define MK_USER r->user
65 #define MK_AUTH_TYPE r->ap_auth_type
66 #define MK_ARRAY_HEADER apr_array_header_t
73 /***************************************************************************
74 Auth Configuration Structure
75 ***************************************************************************/
84 int krb_authoritative;
85 char *krb_default_realm;
87 char *krb_force_instance;
95 int krb_save_credentials;
101 gss_ctx_id_t context;
102 gss_cred_id_t server_creds;
105 static gss_connection_t *gss_connection = NULL;
108 cleanup_gss_connection(void *data)
110 OM_uint32 minor_status;
111 gss_connection_t *gss_conn = (gss_connection_t *)data;
115 if (gss_conn->context != GSS_C_NO_CONTEXT)
116 gss_delete_sec_context(&minor_status, &gss_conn->context,
118 if (gss_conn->server_creds != GSS_C_NO_CREDENTIAL)
119 gss_release_cred(&minor_status, &gss_conn->server_creds);
124 /***************************************************************************
125 Auth Configuration Initialization
126 ***************************************************************************/
127 static void *kerb_dir_config(MK_POOL *p, char *d)
130 rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config));
131 ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED;
132 ((kerb_auth_config *)rec)->krb_authoritative = 0;
133 ((kerb_auth_config *)rec)->krb_auth_type = MK_PSTRDUP(p, "None");
140 /***************************************************************************
141 Auth Configuration Parsers
142 ***************************************************************************/
143 static const char *kerb_set_fail_slot(cmd_parms *cmd, void *struct_ptr,
146 int offset = (int) (long) cmd->info;
147 if (!strncasecmp(arg, "unauthorized", 12))
148 *(int *) ((char *)struct_ptr + offset) = HTTP_UNAUTHORIZED;
149 else if (!strncasecmp(arg, "forbidden", 9))
150 *(int *) ((char *)struct_ptr + offset) = HTTP_FORBIDDEN;
151 else if (!strncasecmp(arg, "declined", 8))
152 *(int *) ((char *)struct_ptr + offset) = DECLINED;
154 return "KrbAuthFailStatus must be Forbidden, Unauthorized, or Declined.";
158 /* these are either char *struct_ptr, char *arg or void *struct_ptr, const char *arg */
159 static const char *kerb_set_type_slot(cmd_parms *cmd, void *struct_ptr,
162 int offset = (int) (long) cmd->info;
164 if (!strncasecmp(arg, "v5", 2))
165 *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosV5");
169 if (!strncasecmp(arg, "v4", 2))
170 *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosV4");
173 if (!strncasecmp(arg, "dualv5v4", 8))
174 *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosDualV5V4");
176 (!strncasecmp(arg, "dualv4v5", 8))
177 *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosDualV4V5");
178 #if defined(KRB4) && defined(KRB5)
179 #endif /* KRB4 && KRB5 */
181 return "AuthKerberos must be V5, V4, DualV4V5, or DualV5V4.";
188 /***************************************************************************
189 Auth Configuration Commands
190 ***************************************************************************/
192 command_rec kerb_auth_cmds[] = {
196 (void*)XtOffsetOf(kerb_auth_config, krb_auth_type),
199 "Permit Kerberos auth without AuthType requirement."
206 (void*)XtOffsetOf(kerb_auth_config, krb_4_srvtab),
207 RSRC_CONF & ACCESS_CONF,
209 "Location of Kerberos V4 srvtab file."
217 (void*)XtOffsetOf(kerb_auth_config, krb_5_keytab),
218 RSRC_CONF & ACCESS_CONF,
220 "Location of Kerberos V5 keytab file."
227 (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
230 "Refuse to pass request down to lower modules."
236 (void*)XtOffsetOf(kerb_auth_config, krb_default_realm),
239 "Default realm to authenticate users against."
245 (void*)XtOffsetOf(kerb_auth_config, krb_fail_status),
248 "If auth fails, return status set here."
254 (void*)XtOffsetOf(kerb_auth_config, krb_force_instance),
257 "Force authentication against an instance specified here."
264 (void*)XtOffsetOf(kerb_auth_config, krb_forwardable),
267 "Credentials retrieved will be flagged as forwardable."
274 (void*)XtOffsetOf(kerb_auth_config, krb_lifetime),
277 "Lifetime of tickets retrieved."
284 (void*)XtOffsetOf(kerb_auth_config, krb_renewable),
287 "Credentials retrieved will be renewable for this length."
292 "KrbSaveCredentials",
294 (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
297 "Save and store credentials/tickets retrieved during auth."
303 (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
306 "Alias for KrbSaveCredentials."
312 (void*)XtOffsetOf(kerb_auth_config, krb_tmp_dir),
313 RSRC_CONF & ACCESS_CONF,
315 "Path to store ticket files and such in."
322 static const command_rec kerb_auth_cmds[] = {
326 (void*)APR_XtOffsetOf(kerb_auth_config, krb_auth_type),
328 "Permit Kerberos auth without AuthType requirement."
335 (void*)APR_XtOffsetOf(kerb_auth_config, krb_4_srvtab),
336 RSRC_CONF & ACCESS_CONF,
337 "Location of Kerberos V4 srvtab file."
345 (void*)APR_XtOffsetOf(kerb_auth_config, krb_5_keytab),
346 RSRC_CONF & ACCESS_CONF,
347 "Location of Kerberos V5 keytab file."
354 (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
356 "Refuse to pass request down to lower modules."
362 (void*)APR_XtOffsetOf(kerb_auth_config, krb_default_realm),
364 "Default realm to authenticate users against."
370 (void*)APR_XtOffsetOf(kerb_auth_config, krb_fail_status),
372 "If auth fails, return status set here."
378 (void*)APR_XtOffsetOf(kerb_auth_config, krb_force_instance),
380 "Force authentication against an instance specified here."
387 (void*)APR_XtOffsetOf(kerb_auth_config, krb_forwardable),
389 "Credentials retrieved will be flagged as forwardable."
396 (void*)APR_XtOffsetOf(kerb_auth_config, krb_lifetime),
398 "Lifetime of tickets retrieved."
405 (void*)APR_XtOffsetOf(kerb_auth_config, krb_renewable),
407 "Credentials retrieved will be renewable for this length."
412 "KrbSaveCredentials",
414 (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
416 "Save and store credentials/tickets retrieved during auth."
422 (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
424 "Alias for KrbSaveCredentials."
430 (void*)APR_XtOffsetOf(kerb_auth_config, krb_tmp_dir),
431 RSRC_CONF & ACCESS_CONF,
432 "Path to store ticket files and such in."
443 krb5_verify_user(krb5_context context, krb5_principal principal,
444 krb5_ccache ccache, const char *password, krb5_boolean secure,
449 krb5_data tgtname = {
455 memset((char *)&my_creds, 0, sizeof(my_creds));
456 my_creds.client = principal;
458 if (krb5_build_principal_ext(kcontext, &server,
459 krb5_princ_realm(kcontext, me)->length,
460 krb5_princ_realm(kcontext, me)->data,
461 tgtname.length, tgtname.data,
462 krb5_princ_realm(kcontext, me)->length,
463 krb5_princ_realm(kcontext, me)->data,
468 my_creds.server = server;
469 if (krb5_timeofday(kcontext, &now))
472 my_creds.times.starttime = 0;
474 my_creds.times.endtime = now + lifetime;
475 my_creds.times.renew_till = now + renewal;
478 ret = krb5_get_in_tkt_with_password(kcontext, options, 0, NULL, 0,
479 pass, ccache, &my_creds, 0);
489 /***************************************************************************
490 Username/Password Validation
491 ***************************************************************************/
493 int kerb5_password_validate(request_rec *r, const char *user, const char *pass)
495 kerb_auth_config *conf =
496 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
499 krb5_context kcontext;
500 krb5_principal server, me;
503 krb5_ccache ccache = NULL;
504 krb5_deltat lifetime = 300; /* 5 minutes */
505 krb5_deltat renewal = 0;
506 krb5_flags options = 0;
507 krb5_data tgtname = {
514 char *c, ccname[MAX_STRING_LEN];
516 if (krb5_init_context(&kcontext))
519 if (conf->krb_forwardable) {
520 options |= KDC_OPT_FORWARDABLE;
523 if (conf->krb_renewable) {
524 options |= KDC_OPT_RENEWABLE;
525 renewal = 86400; /* 24 hours */
528 if (conf->krb_lifetime) {
529 lifetime = atoi(conf->krb_lifetime);
532 code = krb5_cc_gen_new(kcontext, &krb5_mcc_ops, &ccache);
534 snprintf(errstr, sizeof(errstr), "krb5_cc_gen_new(): %.100s",
535 krb5_get_err_text(kcontext, code));
536 ap_log_reason (errstr, r->uri, r);
541 realms = conf->krb5_auth_realm;
545 code = krb5_set_default_realm(kcontext,
546 ap_getword_white(r->pool, &realms));
551 code = krb5_parse_name(kcontext, r->connection->user, &princ);
555 code = krb5_verify_user(kcontext, princ, ccache, sent_pw,
560 /* ap_getword_white() used above shifts the parameter, so it's not
561 needed to touch the realms variable */
562 } while (realms && *realms);
564 memset((char *)pass, 0, strlen(pass));
567 snprintf(errstr, sizeof(errstr), "Verifying krb5 password failed: %s",
568 krb5_get_err_text(kcontext, code));
569 ap_log_reason (errstr, r->uri, r);
570 ret = HTTP_UNAUTHORIZED;
574 if (conf->krb_save_credentials) {
575 sprintf(ccname, "FILE:%s/k5cc_ap_%s",
576 conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp",
579 for (c = ccname + strlen(conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp") + 1; *c; c++) {
584 ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
585 if (krb5_cc_set_default_name(kcontext, ccname)) {
588 unlink(ccname+strlen("FILE:"));
590 if (krb5_cc_resolve(kcontext, ccname, &ccache))
593 problem = krb5_cc_get_principal(krb_ctx, mem_ccache, &me);
595 if (krb5_cc_initialize(kcontext, ccache, me))
598 problem = krb5_cc_copy_cache(krb_ctx, delegated_cred, ccache);
603 krb5_cc_close(krb_ctx, ccache);
611 int kerb4_password_validate(request_rec *r, const char *user, const char *pass)
613 kerb_auth_config *conf =
614 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
617 int lifetime = DEFAULT_TKT_LIFE;
619 char *username = NULL;
620 char *instance = NULL;
623 username = (char *)ap_pstrdup(r->pool, user);
628 instance = strchr(username, '.');
636 realm = strchr(username, '@');
644 if (conf->krb_lifetime) {
645 lifetime = atoi(conf->krb_lifetime);
648 if (conf->krb_force_instance) {
649 instance = conf->krb_force_instance;
652 if (conf->krb_save_credentials) {
653 tfname = (char *)malloc(sizeof(char) * MAX_STRING_LEN);
654 sprintf(tfname, "%s/k5cc_ap_%s",
655 conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp",
658 if (!strcmp(instance, "")) {
659 tfname = strcat(tfname, ".");
660 tfname = strcat(tfname, instance);
663 if (!strcmp(realm, "")) {
664 tfname = strcat(tfname, ".");
665 tfname = strcat(tfname, realm);
668 for (c = tfname + strlen(conf->krb_tmp_dir ? conf->krb_tmp_dir :
669 "/tmp") + 1; *c; c++) {
674 krb_set_tkt_string(tfname);
677 if (!strcmp(realm, "")) {
678 realm = (char *)malloc(sizeof(char) * (REALM_SZ + 1));
679 ret = krb_get_lrealm(realm, 1);
684 ret = krb_get_pw_in_tkt((char *)user, instance, realm, "krbtgt", realm,
685 lifetime, (char *)pass);
700 get_gss_creds(request_rec *r,
701 kerb_auth_config *conf,
702 gss_cred_id_t *server_creds)
705 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
706 OM_uint32 major_status, minor_status;
707 gss_name_t server_name = GSS_C_NO_NAME;
709 if (conf->service_name) {
710 input_token.value = conf->service_name;
711 input_token.length = strlen(conf->service_name) + 1;
714 input_token.value = "khttp";
715 input_token.length = 6;
717 major_status = gss_import_name(&minor_status, &input_token,
718 (conf->service_name) ?
719 GSS_C_NT_USER_NAME : GSS_C_NT_HOSTBASED_SERVICE,
721 if (GSS_ERROR(major_status)) {
722 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
723 "%s", get_gss_error(r->pool, minor_status,
724 "gss_import_name() failed"));
730 if (conf->krb_5_keytab)
731 setenv("KRB5_KTNAME", conf->krb_5_keytab, 1);
734 major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
735 GSS_C_NO_OID_SET, GSS_C_ACCEPT,
736 server_creds, NULL, NULL);
738 if (conf->krb_5_keytab)
739 unsetenv("KRB5_KTNAME");
741 if (GSS_ERROR(major_status)) {
742 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
743 "%s", get_gss_error(r->pool, minor_status,
744 "gss_acquire_cred() failed"));
758 negotiate_authenticate_user(request_rec *r,
759 kerb_auth_config *conf,
760 const char *auth_line)
762 OM_uint32 major_status, minor_status, minor_status2;
763 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
764 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
765 const char *auth_param = NULL;
766 krb5_context krb_ctx = NULL;
768 gss_name_t client_name = GSS_C_NO_NAME;
769 gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
772 if (gss_connection == NULL) {
773 gss_connection = ap_pcalloc(r->connection->pool, sizeof(*gss_connection));
774 if (gss_connection == NULL) {
775 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
776 "ap_pcalloc() failed");
780 memset(gss_connection, 0, sizeof(*gss_connection));
781 ap_register_cleanup(r->connection->pool, gss_connection, cleanup_gss_connection, ap_null_cleanup);
784 if (gss_connection->server_creds == GSS_C_NO_CREDENTIAL) {
785 ret = get_gss_creds(r, conf, &gss_connection->server_creds);
790 /* ap_getword() shifts parameter */
791 auth_param = ap_getword_white(r->pool, &auth_line);
792 if (auth_param == NULL) {
793 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
794 "No Authorization parameter from client");
795 ret = HTTP_UNAUTHORIZED;
799 input_token.length = ap_base64decode_len(auth_param);
800 input_token.value = ap_pcalloc(r->connection->pool, input_token.length);
801 if (input_token.value == NULL) {
802 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
803 "Not enough memory");
807 input_token.length = ap_base64decode(input_token.value, auth_param);
809 major_status = gss_accept_sec_context(&minor_status,
810 &gss_connection->context,
811 gss_connection->server_creds,
813 GSS_C_NO_CHANNEL_BINDINGS,
820 if (output_token.length) {
824 len = ap_base64encode_len(output_token.length);
825 token = ap_pcalloc(r->connection->pool, len + 1);
827 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
828 "Not enough memory");
830 gss_release_buffer(&minor_status2, &output_token);
833 ap_base64encode(token, output_token.value, output_token.length);
835 ap_table_set(r->err_headers_out, "WWW-Authenticate",
836 ap_pstrcat(r->pool, "GSS-Negotiate ", token, NULL));
838 gss_release_buffer(&minor_status2, &output_token);
841 if (GSS_ERROR(major_status)) {
842 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
843 "%s", get_gss_error(r->pool, minor_status,
844 "gss_accept_sec_context() failed"));
845 ret = HTTP_UNAUTHORIZED;
849 if (major_status & GSS_S_CONTINUE_NEEDED) {
851 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
852 "only one authentication iteration allowed");
854 ret = HTTP_UNAUTHORIZED;
858 major_status = gss_export_name(&minor_status, client_name, &output_token);
859 gss_release_name(&minor_status, &client_name);
860 if (GSS_ERROR(major_status)) {
861 ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
862 "%s", get_gss_error(r->pool, minor_status,
863 "gss_export_name() failed"));
868 r->connection->ap_auth_type = "Negotiate";
869 r->connection->user = ap_pstrdup(r->pool, output_token.value);
871 /* If the user comes from a realm specified by configuration don't include
872 its realm name in the username so that the authorization routine could
873 work for both Password-based and Ticket-based authentication. It's
874 administrators responsibility to include only such realm that have
875 unified principal instances, i.e. if the same principal name occures in
876 multiple realms, it must be always assigned to a single user.
878 p = strchr(r->connection->user, '@');
880 const char *realms = conf->gss_krb5_realms;
882 while (realms && *realms) {
883 if (strcmp(p+1, ap_getword_white(r->pool, &realms)) == 0) {
891 gss_release_buffer(&minor_status, &output_token);
894 /* This should be only done if afs token are requested or gss_save creds is
896 /* gss_export_cred() from the GGF GSS Extensions could be used */
897 if (delegated_cred != GSS_C_NO_CREDENTIAL &&
898 (conf->gss_save_creds || (conf->gss_krb5_cells && k_hasafs()))) {
899 krb5_init_context(&krb_ctx);
900 do_afs_log(krb_ctx, r, delegated_cred->ccache, conf->gss_krb5_cells);
901 ret = store_krb5_creds(krb_ctx, r, conf, delegated_cred->ccache);
902 krb5_free_context(krb_ctx);
911 gss_release_cred(&minor_status, &delegated_cred);
913 if (output_token.length)
914 gss_release_buffer(&minor_status, &output_token);
916 if (client_name != GSS_C_NO_NAME)
917 gss_release_name(&minor_status, &client_name);
923 /***************************************************************************
925 ***************************************************************************/
926 int kerb_authenticate_user(request_rec *r)
928 const char *name; /* AuthName specified */
929 const char *type; /* AuthType specified */
930 int KerberosV5 = 0; /* Kerberos V5 check enabled */
931 int KerberosV4 = 0; /* Kerberos V4 check enabled */
932 int KerberosV4first = 0; /* Kerberos V4 check first */
933 const char *sent_pw; /* Password sent by browser */
934 int res; /* Response holder */
935 int retcode; /* Return code holder */
936 const char *t; /* Decoded auth_line */
937 const char *authtype; /* AuthType to send back to browser */
938 const char *auth_line = MK_TABLE_GET(r->headers_in,
939 (r->proxyreq == MK_PROXY)
940 ? "Proxy-Authorization"
942 kerb_auth_config *conf =
943 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
946 type = ap_auth_type(r);
950 if ((strncasecmp(type, "KerberosV5", 10) == 0) ||
951 (strncasecmp(conf->krb_auth_type, "KerberosV5", 10) == 0)) {
957 if ((strncasecmp(type, "KerberosV4", 10) == 0) ||
958 (strncasecmp(conf->krb_auth_type, "KerberosV4", 10) == 0)) {
963 #if defined(KRB5) && defined(KRB4)
964 if ((strncasecmp(type, "KerberosDualV5V4", 15) == 0) ||
965 (strncasecmp(conf->krb_auth_type, "KerberosDualV5V4", 15) == 0)) {
970 if ((strncasecmp(type, "KerberosDualV4V5", 15) == 0) ||
971 (strncasecmp(conf->krb_auth_type, "KerberosDualV4V5", 15) == 0)) {
976 #endif /* KRB5 && KRB4 */
979 if (!KerberosV4 && !KerberosV5) {
980 if (conf->krb_authoritative) {
981 return HTTP_UNAUTHORIZED;
988 name = ap_auth_name(r);
990 return HTTP_INTERNAL_SERVER_ERROR;
994 MK_TABLE_SET(r->err_headers_out, "WWW-Authenticate",
995 (char *)ap_pstrcat(r->pool,
996 "Basic realm=\"", name, "\"", NULL));
997 return HTTP_UNAUTHORIZED;
1000 type = ap_getword_white(r->pool, &auth_line);
1001 t = ap_pbase64decode(r->pool, auth_line);
1002 MK_USER = ap_getword_nulls(r->pool, &t, ':');
1003 MK_AUTH_TYPE = "Kerberos";
1004 sent_pw = ap_getword_white(r->pool, &t);
1009 if (KerberosV5 && !KerberosV4first && retcode != OK) {
1010 MK_AUTH_TYPE = "KerberosV5";
1011 if (kerb5_password_validate(r, MK_USER, sent_pw)) {
1015 retcode = conf->krb_fail_status;
1021 if (KerberosV4 && retcode != OK) {
1022 MK_AUTH_TYPE = "KerberosV4";
1023 if (kerb4_password_validate(r, MK_USER, sent_pw)) {
1027 retcode = conf->krb_fail_status;
1032 #if defined(KRB5) && defined(KRB4)
1033 if (KerberosV5 && KerberosV4first && retcode != OK) {
1034 MK_AUTH_TYPE = "KerberosV5";
1035 if (kerb5_password_validate(r, MK_USER, sent_pw)) {
1039 retcode = conf->krb_fail_status;
1042 #endif /* KRB5 && KRB4 */
1044 if (conf->krb_authoritative && retcode == DECLINED) {
1045 return HTTP_UNAUTHORIZED;
1055 /***************************************************************************
1057 ***************************************************************************/
1058 int kerb_check_user_access(request_rec *r)
1062 const MK_ARRAY_HEADER *reqs_arr = ap_requires(r);
1064 kerb_auth_config *conf =
1065 (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
1068 if (reqs_arr == NULL) {
1071 reqs = (require_line *)reqs_arr->elts;
1073 for (x = 0; x < reqs_arr->nelts; x++) {
1074 t = reqs[x].requirement;
1075 w = ap_getword_white(r->pool, &t);
1076 if (strcmp(w, "realm") == 0) {
1077 while (t[0] != '\0') {
1078 w = ap_getword_conf(r->pool, &t);
1079 if (strcmp(MK_USER, w) == 0) {
1092 /***************************************************************************
1093 Module Setup/Configuration
1094 ***************************************************************************/
1096 module MODULE_VAR_EXPORT kerb_auth_module = {
1097 STANDARD_MODULE_STUFF,
1098 NULL, /* module initializer */
1099 kerb_dir_config, /* per-directory config creator */
1100 NULL, /* per-directory config merger */
1101 NULL, /* per-server config creator */
1102 NULL, /* per-server config merger */
1103 kerb_auth_cmds, /* command table */
1104 NULL, /* [ 9] content handlers */
1105 NULL, /* [ 2] URI-to-filename translation */
1106 kerb_authenticate_user, /* [ 5] check/validate user_id */
1107 kerb_check_user_access, /* [ 6] check user_id is valid *here* */
1108 NULL, /* [ 4] check access by host address */
1109 NULL, /* [ 7] MIME type checker/setter */
1110 NULL, /* [ 8] fixups */
1111 NULL, /* [10] logger */
1112 NULL, /* [ 3] header parser */
1113 NULL, /* process initialization */
1114 NULL, /* process exit/cleanup */
1115 NULL /* [ 1] post read_request handling */
1117 , /* EAPI Additions */
1118 NULL, /* EAPI add module */
1119 NULL, /* EAPI remove module */
1120 NULL, /* EAPI rewrite command */
1121 NULL /* EAPI new connection */
1126 void kerb_register_hooks(apr_pool_t *p)
1128 ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
1129 ap_hook_access_checker(kerb_check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
1132 module AP_MODULE_DECLARE_DATA kerb_auth_module =
1134 STANDARD20_MODULE_STUFF,
1135 kerb_dir_config, /* create per-dir conf structures */
1136 NULL, /* merge per-dir conf structures */
1137 NULL, /* create per-server conf structures */
1138 NULL, /* merge per-server conf structures */
1139 kerb_auth_cmds, /* table of configuration directives */
1140 kerb_register_hooks /* register hooks */