
Commit e5db7c1

committed
Handle authentication on subrequests
In some cases (like during directory listing) Apache will re-run the authentication code. Many GSSAPI mechanisms have replay detection, so we cannot simply rerun the accept_sec_context phase. Others require multiple steps. When authentication has already been established, just implicitly consider the authentication successfully performed and copy the user name. Otherwise fail. If a subrequest hits a location with a different mod_auth_gssapi configuration, warn but do not error out right away. Fixes #15
1 parent 286e3da commit e5db7c1


1 file changed

+29
-4
lines changed


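--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
 return DECLINED;
 }
 
-/* ignore auth for subrequests */
+cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+
+/* implicit auth for subrequests if main auth already happened */
 if (!ap_is_initial_req(req)) {
-return OK;
+type = ap_auth_type(req->main);
+if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+/* warn if the subrequest location and the main request
+* location have different configs */
+if (cfg != ap_get_module_config(req->main->per_dir_config,
+&auth_gssapi_module)) {
+ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+req, "Subrequest authentication bypass on "
+"location with different configuration!");
+}
+if (req->main->user) {
+req->user = apr_pstrdup(req->pool, req->main->user);
+return OK;
+} else {
+ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+"The main request is tasked to establish the "
+"security context, can't proceed!");
+return HTTP_UNAUTHORIZED;
+}
+} else {
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+"Subrequest GSSAPI auth with no auth on the main "
+"request. This operation may fail if other "
+"subrequests already established a context or the "
+"mechanism requires multiple roundtrips.");
+}
 }
 
-cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
-
 if (cfg->ssl_only) {
 if (!mag_conn_is_https(req->connection)) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,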
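Review bot: `ap_is_initial_req(req)` is also false for internal redirects, where `req->prev` is set and `req->main` is NULL, so `ap_auth_type(req->main)` and the later `req->main->per_dir_config` and `req->main->user` reads in the new subrequest branch can dereference a null pointer and crash the child process. Guarding the branch with `if (!ap_is_initial_req(req) && req->main != NULL) {` would let that case fall through to the regular path. Separately, the warning call passes `APLOG_WARNING||APLOG_NOERRNO`; the logical OR collapses to 1, so the message is not logged at warning level, and it should read `APLOG_WARNING|APLOG_NOERRNO`. That warning is the only signal that a user name was inherited across differing mod_auth_gssapi configurations, and the `return OK` is reached before the `cfg->ssl_only` check below it, so a comment stating whether the subrequest location's own restrictions are meant to be skipped would help. mag_auth starts and ends outside the hunk.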
