* apache1/auth_user.c:
* apache2/auth_user.c:
- Added fail_status and kerbauthtype functionality.
+ Added fail_status, authoritative, and kerbauthtype functionality.
* apache1/dir_config.c:
* apache2/dir_config.c:
- Settable Location of Keytab/Srvtab
Again, in config instead of compiled in.
-- Authoritative Support
- If Kerberos check fails, don't fall through to other modules.
- Should I used AuthAuthoritative for this or a specific Kerb one?
-
- Lifetime Settable
Set lifetime of tickets in config.
Set a lifetime on tickets, and after expiration, tries to -force-
a reauth (brings up login/password window)
-- Auth Fail Status
- Set how a failure fails. Forbidden or Unauthorized.
-
- Forwardable/Renewable Tickets
Setting in config.
- Browser Mutual Auth Support
Combined with plugins, use auth user already has.
-- AuthKerberosType(name?)
- Way to both have a normal AuthType and a Kerberos authtype,
- in case you want to turn authoritative off and have it punt
- to something else specific
- Re: msg 268 "Jason Gilbert"
-
- Environment Variables
KRB5CCNAME, KRBTKFILE
KRB_PRINC_NAME?
if
#ifdef KRB5
(!strncasecmp(arg, "v5", 2))
- *(char **) (struct_ptr + offset) = "KerberosV5";
+ *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosV5");
else if
#endif /* KRB5 */
#ifdef KRB4
(!strncasecmp(arg, "v4", 2))
- *(char **) (struct_ptr + offset) = "KerberosV4";
+ *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosV4");
#endif /* KRB4 */
else if
(!strncasecmp(arg, "dualv5v4", 2))
- *(char **) (struct_ptr + offset) = "KerberosDualV5V4";
+ *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosDualV5V4");
else if
(!strncasecmp(arg, "dualv4v5", 2))
- *(char **) (struct_ptr + offset) = "KerberosDualV4V5";
+ *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosDualV4V5");
#if defined(KRB4) && defined(KRB5)
#endif /* KRB4 && KRB5 */
else
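Review bot: The two dual-mode branches still compare only the first two characters (`strncasecmp(arg, "dualv5v4", 2)` and `strncasecmp(arg, "dualv4v5", 2)`), so any argument beginning with "du" takes the first branch and a configured "DualV4V5" is stored as KerberosDualV5V4. An administrator who asks for V4-first ordering silently gets V5-first. Since the commit touches the lines directly below each comparison, use length 8 as the other dir_config.c hunk does, or better an exact match: `(!strcasecmp(arg, "dualv5v4"))` and `(!strcasecmp(arg, "dualv4v5"))`. As shown, the dual branches also sit outside the `#if defined(KRB4) && defined(KRB5)` guard, which encloses nothing. The enclosing function starts and ends outside the hunk.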
"If auth fails, return status set here."
},
+ {
+ "KrbAuthoritative",
+ ap_set_flag_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
+ OR_AUTHCFG,
+ FLAG,
+ "Refuse to pass request down to lower modules."
+ },
+
{ NULL }
};
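Review bot: The help text for `KrbAuthoritative` does not say what On and Off mean or which is the default. The config constructor sets the default to 0, and with 0 a DECLINED result from the Kerberos check is returned unchanged, so the request can go on to other modules. Suggest `"On: a Kerberos result of DECLINED becomes 401 instead of being passed to lower modules. Default Off."`, and the same for the `AP_INIT_FLAG` entry in the other dir_config.c hunk. Because the directive is registered with `OR_AUTHCFG`, it can presumably also be changed from per-directory override files where AuthConfig overrides are allowed, which is worth stating in the module documentation.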
typedef struct {
char *krb_auth_type;
int krb_fail_status;
+ int krb_authoritative;
} kerb_auth_config;
static void *rec;
rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config));
((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED;
+ ((kerb_auth_config *)rec)->krb_authoritative = 0;
((kerb_auth_config *)rec)->krb_auth_type = ap_pstrdup(p, "None");
return rec;
}
*(int *) ((char *)struct_ptr + offset) = HTTP_UNAUTHORIZED;
else if (!strncasecmp(arg, "forbidden", 9))
*(int *) ((char *)struct_ptr + offset) = HTTP_FORBIDDEN;
- else if (!strncasecmp(arg, "declined", 9))
+ else if (!strncasecmp(arg, "declined", 8))
*(int *) ((char *)struct_ptr + offset) = DECLINED;
else
return apr_pstrcat(cmd->pool, "KrbAuthFailStatus must be Forbidden, Unauthorized, or Declined.", NULL);
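Review bot: Changing the length from 9 to 8 turns the "declined" comparison into a prefix match, so an argument such as `declinedfoo` is now accepted. With 9 the terminating NUL was part of the comparison and only the exact word matched. The "forbidden" branch with length 9 has the same prefix behaviour. For a directive that decides how an authentication failure is reported, an exact match is the safer form: `else if (!strcasecmp(arg, "declined"))`, and likewise for the other values. The first branch of the chain is outside the hunk.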
if
#ifdef KRB5
(!strncasecmp(arg, "v5", 2))
- *(char **) ((char *)struct_ptr + offset) = "KerberosV5";
+ *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosV5");
else if
#endif /* KRB5 */
#ifdef KRB4
(!strncasecmp(arg, "v4", 2))
- *(char **) ((char *)struct_ptr + offset) = "KerberosV4";
+ *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosV4");
#endif /* KRB4 */
#if defined(KRB5) && defined(KRB4)
else if
(!strncasecmp(arg, "dualv5v4", 8))
- *(char **) ((char *)struct_ptr + offset) = "KerberosDualV5V4";
+ *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosDualV5V4");
else if
(!strncasecmp(arg, "dualv4v5", 8))
- *(char **) ((char *)struct_ptr + offset) = "KerberosDualV4V5";
+ *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosDualV4V5");
#endif /* KRB5 && KRB4 */
else
return "AuthKerberos must be V5, V4, DualV4V5, or DualV5V4.";
"If auth fails, return status set here."
),
+ AP_INIT_FLAG(
+ "KrbAuthoritative",
+ ap_set_flag_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
+ OR_AUTHCFG,
+ "Refuse to pass request down to lower modules."
+ ),
+
{ NULL }
};
typedef struct {
char *krb_auth_type;
int krb_fail_status;
+ int krb_authoritative;
} kerb_auth_config;
}
if (!KerberosV4 && !KerberosV5) {
- return DECLINED;
+ if (conf->krb_authoritative) {
+ return HTTP_UNAUTHORIZED;
+ }
+ else {
+ return DECLINED;
+ }
}
name = ap_auth_name(r);
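Review bot: Both new authoritative returns hard-code `HTTP_UNAUTHORIZED` and ignore `conf->krb_fail_status`, so a site configured with `KrbAuthFailStatus Forbidden` gets 401 on these two paths and, presumably, its configured status on the others. Consider `return (conf->krb_fail_status == DECLINED) ? HTTP_UNAUTHORIZED : conf->krb_fail_status;` here and in the `retcode == DECLINED` branch of the following hunk. Nothing visible in either hunk records an authentication challenge before the 401 is returned, so confirm the response still carries a WWW-Authenticate header on these paths. The function body extends beyond both hunks.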
}
#endif /* KRB5 && KRB4 */
- return retcode;
+ if (conf->krb_authoritative && retcode == DECLINED) {
+ return HTTP_UNAUTHORIZED;
+ }
+ else {
+ return retcode;
+ }
}
static void *rec;
rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config));
((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED;
+ ((kerb_auth_config *)rec)->krb_authoritative = 0;
((kerb_auth_config *)rec)->krb_auth_type = apr_pstrdup(p, "None");
return rec;
}