- don't let apache log errno messages
- use HAVE_KRB5_CC_GEN_NEW definition (set by the configure script)
- have the module called only once (for the initial request). This should
prevent contacting the KDC multiple times and significantly decrease the number of
messages sent over the network (and thus increase performance)
#define MODAUTHKERB_VERSION "5.0-rc2"
#ifndef APXS1
#define MODAUTHKERB_VERSION "5.0-rc2"
#ifndef APXS1
#ifdef APXS1
#define MK_POOL pool
#define MK_TABLE_GET ap_table_get
#ifdef APXS1
#define MK_POOL pool
#define MK_TABLE_GET ap_table_get
-#define MK_TABLE_SET ap_table_set
-#define MK_TABLE_TYPE table
-#define MK_PSTRDUP ap_pstrdup
#define MK_USER r->connection->user
#define MK_AUTH_TYPE r->connection->ap_auth_type
#define MK_USER r->connection->user
#define MK_AUTH_TYPE r->connection->ap_auth_type
-#define MK_ARRAY_HEADER array_header
#else
#define MK_POOL apr_pool_t
#define MK_TABLE_GET apr_table_get
#else
#define MK_POOL apr_pool_t
#define MK_TABLE_GET apr_table_get
-#define MK_TABLE_SET apr_table_set
-#define MK_TABLE_TYPE apr_table_t
-#define MK_PSTRDUP apr_pstrdup
#define MK_USER r->user
#define MK_AUTH_TYPE r->ap_auth_type
#define MK_USER r->user
#define MK_AUTH_TYPE r->ap_auth_type
-#define MK_ARRAY_HEADER apr_array_header_t
const request_rec *r, const char *fmt, ...)
{
char errstr[1024];
const request_rec *r, const char *fmt, ...)
{
char errstr[1024];
va_list ap;
va_start(ap, fmt);
vsnprintf(errstr, sizeof(errstr), fmt, ap);
va_end(ap);
va_list ap;
va_start(ap, fmt);
vsnprintf(errstr, sizeof(errstr), fmt, ap);
va_end(ap);
+
+ errnostr[0] = '\0';
+ if (errno)
+ snprintf(errnostr, sizeof(errnostr), "%s: (%s)", errstr, strerror(errno));
+ else
+ snprintf(errnostr, sizeof(errnostr), "%s", errstr);
- /* these functions also print out current errno (if not zero), resulting in
- * lines of the format:
- * (errno)strerror(errno): errstr
- * This behaviour can be avoided by using APLOG_NOERRNO */
- ap_log_rerror(file, line, level, r, "%s", errstr);
+ ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errnostr);
- ap_log_rerror(file, line, level, status, r, "%s", errstr);
+ ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errnostr);
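Review bot: errno is tested at the added `if (errno)` only after vsnprintf() has run and without ever being cleared, so a stale value left by an unrelated earlier call (or one set by vsnprintf() itself on failure) gets appended to a message it has nothing to do with; save it on entry, `int saved_errno = errno;`, and test and format that copy instead. strerror() returns a static buffer in most C libraries, which races under a threaded MPM; `apr_strerror()` on the APR side, or `strerror_r()`, avoids that. The `errnostr` buffer written here is not declared in the visible context (only `errstr` is), so confirm the declaration landed in the same commit. The two ap_log_rerror() calls presumably sit in APXS1/APR-specific preprocessor branches whose directives are not shown, and the function's closing brace is outside the hunk.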
int ret;
krb5_ccache tmp_ccache = NULL;
int ret;
krb5_ccache tmp_ccache = NULL;
-#ifdef HEIMDAL
- /* new MIT krb5-1.3.x also supports this call */
+#ifdef HAVE_KRB5_CC_GEN_NEW
problem = krb5_cc_gen_new(kcontext, &krb5_fcc_ops, &tmp_ccache);
#else
problem = krb5_cc_gen_new(kcontext, &krb5_fcc_ops, &tmp_ccache);
#else
+ /* only older MIT seem to not have the krb5_cc_gen_new() call, so we use
+ * MIT specific call here */
problem = krb5_fcc_generate_new(kcontext, &tmp_ccache);
/* krb5_fcc_generate_new() doesn't set KRB5_TC_OPENCLOSE, which makes
krb5_cc_initialize() fail */
problem = krb5_fcc_generate_new(kcontext, &tmp_ccache);
/* krb5_fcc_generate_new() doesn't set KRB5_TC_OPENCLOSE, which makes
krb5_cc_initialize() fail */
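Review bot: The comment added before the `krb5_fcc_generate_new()` fallback (and its twin in the hunk ending at L97 before `krb5_mcc_generate_new()`) speculates about which MIT releases lack krb5_cc_gen_new(), while the code now keys on a configure-time feature test, so the comment should describe the test rather than the vendor: `/* HAVE_KRB5_CC_GEN_NEW is set by configure; without it fall back to the MIT-only generator */`. With the old `#ifdef HEIMDAL` test gone, a Heimdal build where configure fails to detect the call would now be compiled against the MIT-specific fallback, so an `#error` for the combination of HEIMDAL without HAVE_KRB5_CC_GEN_NEW would turn a link-time failure into a clear message. The enclosing functions begin and end outside these hunks.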
+#ifdef HAVE_KRB5_CC_GEN_NEW
code = krb5_cc_gen_new(kcontext, &krb5_mcc_ops, &ccache);
#else
code = krb5_cc_gen_new(kcontext, &krb5_mcc_ops, &ccache);
#else
+ /* only older MIT seem to not have the krb5_cc_gen_new() call, so we use
+ * MIT specific call here */
code = krb5_mcc_generate_new(kcontext, &ccache);
#endif
if (code) {
code = krb5_mcc_generate_new(kcontext, &ccache);
#endif
if (code) {
int ret;
gss_name_t client_name = GSS_C_NO_NAME;
gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
int ret;
gss_name_t client_name = GSS_C_NO_NAME;
gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
- static int initial_return = HTTP_UNAUTHORIZED;
-
- /* needed to work around replay caches */
- if (!ap_is_initial_req(r))
- return initial_return;
- initial_return = HTTP_UNAUTHORIZED;
if (gss_connection == NULL) {
gss_connection = ap_pcalloc(r->connection->pool, sizeof(*gss_connection));
if (gss_connection == NULL) {
gss_connection = ap_pcalloc(r->connection->pool, sizeof(*gss_connection));
cleanup_gss_connection(gss_connection);
cleanup_gss_connection(gss_connection);
return ret;
}
#endif /* KRB5 */
return ret;
}
#endif /* KRB5 */
+static int
+already_succeeded(request_rec *r)
+{
+ if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL)
+ return 0;
+ if (strcmp(MK_AUTH_TYPE, "Negotiate") ||
+ (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@')))
+ return 1;
+ return 0;
+}
static void
note_kerb_auth_failure(request_rec *r, const kerb_auth_config *conf,
static void
note_kerb_auth_failure(request_rec *r, const kerb_auth_config *conf,
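Review bot: The test in already_succeeded() at `strcmp(MK_AUTH_TYPE, "Negotiate") ||` is true for every auth type except Negotiate, since strcmp() returns 0 on a match; the second clause can then only run when the type is "Negotiate", where `strcmp(MK_AUTH_TYPE, "Basic")` is always non-zero, so the function reduces to "type is not Negotiate, or the user name contains '@'", which is presumably the opposite of what was meant. In a configuration where another module has set a non-Negotiate auth type, every subrequest would then take the cached result instead of being authenticated, which is the risk to weigh here. `MK_USER` is also passed to strchr() with no NULL check although only `MK_AUTH_TYPE` is checked above; whether one can be set without the other depends on the other modules loaded. If the intent is "Negotiate already succeeded, or Basic succeeded with a realm-qualified principal", the comparisons need `== 0`, as below. note_kerb_auth_failure() starts at the end of this hunk and continues outside it.
```c
static int
already_succeeded(request_rec *r)
{
   /* Only a subrequest may reuse an earlier decision, and only when the
    * main request actually recorded an authenticated user. */
   if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL || MK_USER == NULL)
      return 0;
   /* strcmp() == 0 is a match: Negotiate succeeded earlier, or Basic did
    * and the principal is realm-qualified. */
   if (strcmp(MK_AUTH_TYPE, "Negotiate") == 0 ||
       (strcmp(MK_AUTH_TYPE, "Basic") == 0 && strchr(MK_USER, '@') != NULL))
      return 1;
   return 0;
}
```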
const char *type = NULL;
int use_krb5 = 0, use_krb4 = 0;
int ret;
const char *type = NULL;
int use_krb5 = 0, use_krb4 = 0;
int ret;
+ static int last_return = HTTP_UNAUTHORIZED;
/* get the type specified in .htaccess */
type = ap_auth_type(r);
/* get the type specified in .htaccess */
type = ap_auth_type(r);
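Review bot: `static int last_return` is one variable shared by every request the process handles, and by every thread under a threaded MPM, so the `return last_return` in the hunk ending at L157 hands a subrequest whatever the most recently finished main request on any connection produced, with unsynchronised reads and writes in between; the static `initial_return` removed earlier in this diff had the same shape, so the commit keeps that weakness rather than fixing it. The decision belongs to the request it was made for: record it on the main request, e.g. `apr_table_setn(r->main->notes, KEY, ...)` (or `ap_table_setn` under APXS1, with KEY a module-specific string), and have already_succeeded() read it back from there, which also removes the need for the static. The MK_TABLE_SET wrapper dropped at the top of this diff would have been the portable place to do that. The assignment to last_return is outside the hunks shown, and the enclosing function begins above this hunk.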
}
auth_type = ap_getword_white(r->pool, &auth_line);
}
auth_type = ap_getword_white(r->pool, &auth_line);
+ if (already_succeeded(r))
+ return last_return;
+
ret = HTTP_UNAUTHORIZED;
#ifdef KRB5
ret = HTTP_UNAUTHORIZED;
#ifdef KRB5
if (ret == HTTP_UNAUTHORIZED)
note_kerb_auth_failure(r, conf, use_krb4, use_krb5);
if (ret == HTTP_UNAUTHORIZED)
note_kerb_auth_failure(r, conf, use_krb4, use_krb5);