| side by side (parent:
b27fce0
)
Added SSL_preauthentication option
author
kouril
<kouril>
Thu, 2 Feb 2006 15:35:42 +0000
(15:35 +0000)
committer
kouril
<kouril>
Thu, 2 Feb 2006 15:35:42 +0000
(15:35 +0000)
src/mod_auth_kerb.c
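diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index de9bfa7..64a0a12 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -154,6 +154,7 @@ typedef struct {
 const char *krb_service_name;
 int krb_authoritative;
 int krb_delegate_basic;
+ int krb_ssl_preauthentication;
 #ifdef KRB5
 char *krb_5_keytab;
 int krb_method_gssapi;
@@ -206,6 +207,9 @@ static const command_rec kerb_auth_cmds[] = {
 command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
 FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
+ command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
+ FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
+
 #ifdef KRB5
 command("Krb5Keytab", ap_set_file_slot, krb_5_keytab,
 TAKE1, "Location of Kerberos V5 keytab file."),
@@ -304,6 +308,7 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
 ((kerb_auth_config *)rec)->krb_service_name = NULL;
 ((kerb_auth_config *)rec)->krb_authoritative = 1;
 ((kerb_auth_config *)rec)->krb_delegate_basic = 0;
+ ((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
 #ifdef KRB5
 ((kerb_auth_config *)rec)->krb_method_k5pass = 1;
 ((kerb_auth_config *)rec)->krb_method_gssapi = 1;
@@ -1482,6 +1487,14 @@ kerb_authenticate_user(request_rec *r)
 else
 return DECLINED;
+ if (conf->krb_ssl_preauthentication) {
+ const char *ssl_client_verify = ssl_var_lookup(r->pool, r->server,
+ r->connection, r, "SSL_CLIENT_VERIFY");
+
+ if (ssl_client_verify && strcmp(ssl_client_verify, "SUCCESS") == 0)
+ return OK;
+ }
+
 /* get what the user sent us in the HTTP header */
 auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
 ? "Proxy-Authorization"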
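Review bot: The new branch in kerb_authenticate_user returns OK as soon as SSL_CLIENT_VERIFY equals "SUCCESS", without setting or checking the request's user name or auth type. With KrbEnableSSLPreauthentication on, any certificate that mod_ssl's trusted CAs verify therefore replaces Kerberos authentication, and later authorization sees whatever identity (possibly none) an earlier module left on the request. I would take the shortcut only when an identity is already present, for example `if (ssl_client_verify && strcmp(ssl_client_verify, "SUCCESS") == 0 && r->user != NULL) return OK;` (through the file's own compatibility macro if it has one for the user field), and say in the directive's help string that the certificate subject is not mapped to a Kerberos principal. The hunk does not show how `ssl_var_lookup` is resolved; if it is not retrieved as mod_ssl's optional function and checked for NULL, this call presumably breaks on servers running without mod_ssl. The function body starts and ends outside the hunk.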