authorChris Darroch <chrisd@apache.org>2008-04-03 21:51:07 +0000
committerChris Darroch <chrisd@apache.org>2008-04-03 21:51:07 +0000
commitc8ba67fb8353858e536fd40cd9ea314a9dc54da2 (patch)
tree25ac9179608e3d687485d29df91b914bed63e00c /include/http_request.h
parent312d0bf2e1da61ac2d43e337d80762904fa27c2e (diff)
Avoid calling access control hooks for internal requests with
configurations which match those of the initial request. Revert to the original behaviour (call access control hooks for internal requests with URIs different from the initial request) if any access control hooks or providers are not registered as permitting this optimization. Introduce wrappers for access control hook and provider registration which can accept additional mode and flag data. The configuration walk optimizations were originally proposed a while ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2); they have been used since then in production systems and appear to be stable and effective. They permit certain combinations of modules and clients to function efficiently, especially when a deeply recursive series of internal requests, such as those generated by certain WebDAV requests, are all subject to the identical authentication and authorization directives. The major change from the original proposal is a cleaner mechanism for detecting modules which may expect the old behaviour. This has been tested successfully with Subversion's mod_authz_svn, which specifically requires the old behaviour when performing path-based authorization based against its own private access control configuration files. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@644525 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'include/http_request.h')
-rw-r--r--include/http_request.h142
1 files changed, 138 insertions, 4 deletions
diff --git a/include/http_request.h b/include/http_request.h
index edad37087e..ce491da76c 100644
--- a/include/http_request.h
+++ b/include/http_request.h
@@ -18,6 +18,12 @@
* @file http_request.h
* @brief Apache Request library
*
+ * @defgroup APACHE_CORE_REQ Apache Request Processing
+ * @ingroup APACHE_CORE
+ * @{
+ */
+
+/*
* request.c is the code which handles the main line of request
* processing, once a request has been read in (finding the right per-
* directory configuration, building it if necessary, and calling all
@@ -42,6 +48,7 @@
#define APACHE_HTTP_REQUEST_H
#include "apr_hooks.h"
+#include "apr_optional.h"
#include "util_filter.h"
#ifdef __cplusplus
@@ -181,7 +188,73 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *sub_req, request_rec *r)
* @return 1 if authentication is required, 0 otherwise
*/
AP_DECLARE(int) ap_some_auth_required(request_rec *r);
-
+
+/**
+ * @defgroup APACHE_CORE_REQ_AUTH Access Control for Sub-Requests and
+ * Internal Redirects
+ * @ingroup APACHE_CORE_REQ
+ * @{
+ */
+
+#define AP_AUTH_INTERNAL_PER_URI 0 /**< Run access control hooks on all
+ internal requests with URIs
+ distinct from that of initial
+ request */
+#define AP_AUTH_INTERNAL_PER_CONF 1 /**< Run access control hooks only on
+ internal requests with
+ configurations distinct from
+ that of initial request */
+#define AP_AUTH_INTERNAL_MASK 0x000F /**< mask to extract internal request
+ processing mode */
+
+/**
+ * Clear flag which determines when access control hooks will be run for
+ * internal requests.
+ */
+AP_DECLARE(void) ap_clear_auth_internal();
+
+/**
+ * Determine whether access control hooks will be run for all internal
+ * requests with URIs distinct from that of the initial request, or only
+ * those for which different configurations apply than those which applied
+ * to the initial request. To accomodate legacy external modules which
+ * may expect access control hooks to be run for all internal requests
+ * with distinct URIs, this is the default behaviour unless all access
+ * control hooks and authentication and authorization providers are
+ * registered with AP_AUTH_INTERNAL_PER_CONF.
+ * @param ptemp Pool used for temporary allocations
+ */
+AP_DECLARE(void) ap_setup_auth_internal(apr_pool_t *ptemp);
+
+/**
+ * Register an authentication or authorization provider with the global
+ * provider pool.
+ * @param pool The pool to create any storage from
+ * @param provider_group The group to store the provider in
+ * @param provider_name The name for this provider
+ * @param provider_version The version for this provider
+ * @param provider Opaque structure for this provider
+ * @param type Internal request processing mode, either
+ * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
+ * @return APR_SUCCESS if all went well
+ */
+AP_DECLARE(apr_status_t) ap_register_auth_provider(apr_pool_t *pool,
+ const char *provider_group,
+ const char *provider_name,
+ const char *provider_version,
+ const void *provider,
+ int type);
+
+/** @} */
+
+/* Optional functions coming from mod_authn_core and mod_authz_core
+ * that list all registered authn/z providers.
+ */
+APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, authn_ap_list_provider_names,
+ (apr_pool_t *ptemp));
+APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, authz_ap_list_provider_names,
+ (apr_pool_t *ptemp));
+
/**
* Determine if the current request is the main request or a subrequest
* @param r The current request
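Review bot: `ap_clear_auth_internal()` is declared with an empty parameter list, which in C leaves the arguments unspecified instead of declaring a function that takes none, so a mistaken call with arguments compiles without a diagnostic. Write it as `AP_DECLARE(void) ap_clear_auth_internal(void);` to match the prototyped declarations around it. Its comment could also say which flag is cleared and when a caller is expected to do that (presumably before `ap_setup_auth_internal()` recomputes the mode, which is not visible in this header). In the comment for `ap_setup_auth_internal()`, `accomodate` should read `accommodate`.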
@@ -300,11 +373,13 @@ AP_DECLARE_HOOK(int,map_to_storage,(request_rec *r))
* r->ap_auth_type). This hook is only run when Apache determines that
* authentication/authorization is required for this resource (as determined
* by the 'Require' directive). It runs after the access_checker hook, and
- * before the auth_checker hook.
+ * before the auth_checker hook. This hook should be registered with
+ * ap_hook_check_authn().
*
* @param r The current request
* @return OK, DECLINED, or HTTP_...
* @ingroup hooks
+ * @see ap_hook_check_authn
*/
AP_DECLARE_HOOK(int,check_user_id,(request_rec *r))
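Review bot: The added sentence "This hook should be registered with ap_hook_check_authn()" does not say what happens to a module that keeps calling the `ap_hook_check_user_id()` registration function that `AP_DECLARE_HOOK` still declares. The commit description suggests the server then falls back to running access control hooks on every internal request with a distinct URI, but the header does not state it. Once confirmed against the implementation, add a line such as `Hooks registered directly with ap_hook_check_user_id() are treated as AP_AUTH_INTERNAL_PER_URI.` The same applies to the sentences added for `access_checker` and `auth_checker` in the next two hunks. This comment block starts outside the hunk.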
@@ -331,11 +406,13 @@ AP_DECLARE_HOOK(int,type_checker,(request_rec *r))
* This hook is used to apply additional access control to this resource.
* It runs *before* a user is authenticated, so this hook is really to
* apply additional restrictions independent of a user. It also runs
- * independent of 'Require' directive usage.
+ * independent of 'Require' directive usage. This hook should be registered
+ * with ap_hook_check_access().
*
* @param r the current request
* @return OK, DECLINED, or HTTP_...
* @ingroup hooks
+ * @see ap_hook_check_access
*/
AP_DECLARE_HOOK(int,access_checker,(request_rec *r))
@@ -344,15 +421,71 @@ AP_DECLARE_HOOK(int,access_checker,(request_rec *r))
* is available for the authenticated user (r->user and r->ap_auth_type).
* It runs after the access_checker and check_user_id hooks. Note that
* it will *only* be called if Apache determines that access control has
- * been applied to this resource (through a 'Require' directive).
+ * been applied to this resource (through a 'Require' directive). This
+ * hook should be registered with ap_hook_check_authz().
*
* @param r the current request
* @return OK, DECLINED, or HTTP_...
* @ingroup hooks
+ * @see ap_hook_check_authz
*/
AP_DECLARE_HOOK(int,auth_checker,(request_rec *r))
/**
+ * Register a hook function that will apply additional access control to
+ * the current request.
+ * @param pf An access_checker hook function
+ * @param aszPre A NULL-terminated array of strings that name modules whose
+ * hooks should precede this one
+ * @param aszSucc A NULL-terminated array of strings that name modules whose
+ * hooks should succeed this one
+ * @param nOrder An integer determining order before honouring aszPre and
+ * aszSucc (for example, HOOK_MIDDLE)
+ * @param type Internal request processing mode, either
+ * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
+ */
+AP_DECLARE(void) ap_hook_check_access(ap_HOOK_access_checker_t *pf,
+ const char * const *aszPre,
+ const char * const *aszSucc,
+ int nOrder, int type);
+
+/**
+ * Register a hook function that will analyze the request headers,
+ * authenticate the user, and set the user information in the request record.
+ * @param pf A check_user_id hook function
+ * @param aszPre A NULL-terminated array of strings that name modules whose
+ * hooks should precede this one
+ * @param aszSucc A NULL-terminated array of strings that name modules whose
+ * hooks should succeed this one
+ * @param nOrder An integer determining order before honouring aszPre and
+ * aszSucc (for example, HOOK_MIDDLE)
+ * @param type Internal request processing mode, either
+ * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
+ */
+AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t *pf,
+ const char * const *aszPre,
+ const char * const *aszSucc,
+ int nOrder, int type);
+
+/**
+ * Register a hook function that determine if the resource being requested
+ * is available for the currently authenticated user.
+ * @param pf An auth_checker hook function
+ * @param aszPre A NULL-terminated array of strings that name modules whose
+ * hooks should precede this one
+ * @param aszSucc A NULL-terminated array of strings that name modules whose
+ * hooks should succeed this one
+ * @param nOrder An integer determining order before honouring aszPre and
+ * aszSucc (for example, HOOK_MIDDLE)
+ * @param type Internal request processing mode, either
+ * AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
+ */
+AP_DECLARE(void) ap_hook_check_authz(ap_HOOK_auth_checker_t *pf,
+ const char * const *aszPre,
+ const char * const *aszSucc,
+ int nOrder, int type);
+
+/**
* This hook allows modules to insert filters for the current request
* @param r the current request
* @ingroup hooks
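Review bot: The `@param type` text on `ap_hook_check_access()`, `ap_hook_check_authn()` and `ap_hook_check_authz()` names the two modes but not the consequence of choosing one. With `AP_AUTH_INTERNAL_PER_CONF` the hook is skipped for sub-requests and internal redirects whose configuration matches that of the initial request, so a hook that decides from the URI or from its own access files would no longer see those requests. I would add to each, and to `ap_register_auth_provider()` earlier in the file, a line such as `Use AP_AUTH_INTERNAL_PER_CONF only if the decision depends solely on the per-directory configuration; otherwise use AP_AUTH_INTERNAL_PER_URI.` It would also help to state how a `type` value outside those two is handled, since `AP_AUTH_INTERNAL_MASK` reserves four bits; that is not visible in this header. Minor: `that determine` in the `ap_hook_check_authz()` comment should read `that determines`.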
@@ -398,3 +531,4 @@ AP_DECLARE(apr_bucket *) ap_bucket_eor_create(apr_bucket_alloc_t *list,
#endif
#endif /* !APACHE_HTTP_REQUEST_H */
+/** @} */