Added authoritative support.

diff --git a/ChangeLog b/ChangeLog
index a98b99a..c364830 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,7 +10,7 @@
 
        * apache1/auth_user.c:
        * apache2/auth_user.c:
-       Added fail_status and kerbauthtype functionality.
+       Added fail_status, authoritative, and kerbauthtype functionality.
 
        * apache1/dir_config.c:
        * apache2/dir_config.c:

diff --git a/TODO b/TODO
index 3103f0a..9333f4e 100644 (file)
--- a/TODO
+++ b/TODO
@@ -18,10 +18,6 @@
 - Settable Location of Keytab/Srvtab
        Again, in config instead of compiled in.
 
-- Authoritative Support
-       If Kerberos check fails, don't fall through to other modules.
-       Should I used AuthAuthoritative for this or a specific Kerb one?
-
 - Lifetime Settable
        Set lifetime of tickets in config.
 
@@ -37,21 +33,12 @@
        Set a lifetime on tickets, and after expiration, tries to -force-
        a reauth (brings up login/password window)
 
-- Auth Fail Status
-       Set how a failure fails.  Forbidden or Unauthorized.
-
 - Forwardable/Renewable Tickets
        Setting in config.
 
 - Browser Mutual Auth Support
        Combined with plugins, use auth user already has.
 
-- AuthKerberosType(name?)
-       Way to both have a normal AuthType and a Kerberos authtype,
-       in case you want to turn authoritative off and have it punt
-       to something else specific
-       Re: msg 268 "Jason Gilbert"
-
 - Environment Variables
        KRB5CCNAME, KRBTKFILE
        KRB_PRINC_NAME?

diff --git a/apache1/auth_cmds.c b/apache1/auth_cmds.c
index c59a752..3649cb2 100644 (file)
--- a/apache1/auth_cmds.c
+++ b/apache1/auth_cmds.c
@@ -20,19 +20,19 @@ static const char *kerb_set_type_slot(cmd_parms *cmd, char *struct_ptr,
        if
 #ifdef KRB5
           (!strncasecmp(arg, "v5", 2))
-               *(char **) (struct_ptr + offset) = "KerberosV5";
+               *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosV5");
        else if
 #endif /* KRB5 */
 #ifdef KRB4
           (!strncasecmp(arg, "v4", 2))
-               *(char **) (struct_ptr + offset) = "KerberosV4";
+               *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosV4");
 #endif /* KRB4 */
        else if
           (!strncasecmp(arg, "dualv5v4", 2))
-               *(char **) (struct_ptr + offset) = "KerberosDualV5V4";
+               *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosDualV5V4");
        else if
           (!strncasecmp(arg, "dualv4v5", 2))
-               *(char **) (struct_ptr + offset) = "KerberosDualV4V5";
+               *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosDualV4V5");
 #if defined(KRB4) && defined(KRB5)
 #endif /* KRB4 && KRB5 */
        else
@@ -59,5 +59,14 @@ command_rec kerb_auth_cmds[] = {
                "If auth fails, return status set here."
        },
 
+       {
+               "KrbAuthoritative",
+               ap_set_flag_slot,
+               (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
+               OR_AUTHCFG,
+               FLAG,
+               "Refuse to pass request down to lower modules."
+       },
+
        { NULL }
 };

diff --git a/apache1/auth_config.h b/apache1/auth_config.h
index 554586e..6c17007 100644 (file)
--- a/apache1/auth_config.h
+++ b/apache1/auth_config.h
@@ -1,4 +1,5 @@
 typedef struct {
        char *krb_auth_type;
        int krb_fail_status;
+       int krb_authoritative;
 } kerb_auth_config;

diff --git a/apache1/dir_config.c b/apache1/dir_config.c
index 54ba60d..9b0af79 100644 (file)
--- a/apache1/dir_config.c
+++ b/apache1/dir_config.c
@@ -3,6 +3,7 @@ static void *kerb_dir_config(pool *p, char *d)
        static void *rec;
        rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config));
        ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED;
+       ((kerb_auth_config *)rec)->krb_authoritative = 0;
        ((kerb_auth_config *)rec)->krb_auth_type = ap_pstrdup(p, "None");
        return rec;
 }

diff --git a/apache2/auth_cmds.c b/apache2/auth_cmds.c
index 7ac3f73..7ad4c43 100644 (file)
--- a/apache2/auth_cmds.c
+++ b/apache2/auth_cmds.c
@@ -6,7 +6,7 @@ static const char *kerb_set_fail_slot(cmd_parms *cmd, void *struct_ptr,
                *(int *) ((char *)struct_ptr + offset) = HTTP_UNAUTHORIZED;
        else if (!strncasecmp(arg, "forbidden", 9))
                *(int *) ((char *)struct_ptr + offset) = HTTP_FORBIDDEN;
-       else if (!strncasecmp(arg, "declined", 9))
+       else if (!strncasecmp(arg, "declined", 8))
                *(int *) ((char *)struct_ptr + offset) = DECLINED;
        else
                return apr_pstrcat(cmd->pool, "KrbAuthFailStatus must be Forbidden, Unauthorized, or Declined.", NULL);
@@ -20,20 +20,20 @@ static const char *kerb_set_type_slot(cmd_parms *cmd, void *struct_ptr,
        if
 #ifdef KRB5
           (!strncasecmp(arg, "v5", 2))
-               *(char **) ((char *)struct_ptr + offset) = "KerberosV5";
+               *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosV5");
        else if
 #endif /* KRB5 */
 #ifdef KRB4
           (!strncasecmp(arg, "v4", 2))
-               *(char **) ((char *)struct_ptr + offset) = "KerberosV4";
+               *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosV4");
 #endif /* KRB4 */
 #if defined(KRB5) && defined(KRB4)
        else if
           (!strncasecmp(arg, "dualv5v4", 8))
-               *(char **) ((char *)struct_ptr + offset) = "KerberosDualV5V4";
+               *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosDualV5V4");
        else if
           (!strncasecmp(arg, "dualv4v5", 8))
-               *(char **) ((char *)struct_ptr + offset) = "KerberosDualV4V5";
+               *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosDualV4V5");
 #endif /* KRB5 && KRB4 */
        else
                return "AuthKerberos must be V5, V4, DualV4V5, or DualV5V4.";
@@ -57,5 +57,13 @@ static const command_rec kerb_auth_cmds[] = {
                "If auth fails, return status set here."
        ),
 
+       AP_INIT_FLAG(
+               "KrbAuthoritative",
+               ap_set_flag_slot,
+               (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
+               OR_AUTHCFG,
+               "Refuse to pass request down to lower modules."
+       ),
+
        { NULL }
 };

diff --git a/apache2/auth_config.h b/apache2/auth_config.h
index 554586e..6c17007 100644 (file)
--- a/apache2/auth_config.h
+++ b/apache2/auth_config.h
@@ -1,4 +1,5 @@
 typedef struct {
        char *krb_auth_type;
        int krb_fail_status;
+       int krb_authoritative;
 } kerb_auth_config;

diff --git a/apache2/auth_user.c b/apache2/auth_user.c
index 444fa9b..955dc0d 100644 (file)
--- a/apache2/auth_user.c
+++ b/apache2/auth_user.c
@@ -52,7 +52,12 @@ int kerb_authenticate_user(request_rec *r) {
        }
 
        if (!KerberosV4 && !KerberosV5) {
-               return DECLINED;
+               if (conf->krb_authoritative) {
+                       return HTTP_UNAUTHORIZED;
+               }
+               else {
+                       return DECLINED;
+               }
        }
 
        name = ap_auth_name(r);
@@ -112,5 +117,10 @@ int kerb_authenticate_user(request_rec *r) {
        }
 #endif /* KRB5 && KRB4 */
 
-       return retcode;
+       if (conf->krb_authoritative && retcode == DECLINED) {
+               return HTTP_UNAUTHORIZED;
+       }
+       else {
+               return retcode;
+       }
 }

diff --git a/apache2/dir_config.c b/apache2/dir_config.c
index aa15d9c..ea14a35 100644 (file)
--- a/apache2/dir_config.c
+++ b/apache2/dir_config.c
@@ -3,6 +3,7 @@ static void *kerb_dir_config(apr_pool_t *p, char *d)
        static void *rec;
        rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config));
        ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED;
+       ((kerb_auth_config *)rec)->krb_authoritative = 0;
        ((kerb_auth_config *)rec)->krb_auth_type = apr_pstrdup(p, "None");
        return rec;
 }