author | Stefan Fritsch <sf@apache.org> | 2010-07-14 19:59:31 +0000 |
---|---|---|
committer | Stefan Fritsch <sf@apache.org> | 2010-07-14 19:59:31 +0000 |
commit | f14218c7ad848377d62b7c24240832b67794eafd (patch) | |
tree | 6d7554660d4505da1c356991121b9c5ef0aeaf3f /include/mod_auth.h | |
parent | ed67c11e05656a9536b457083d7ec5279ecf33c9 (diff) | |
The approach for allowing authorization by user or IP introduced in r956387,
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.

So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex function returns OK, the
request will be allowed without authentication.

To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@964156 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'include/mod_auth.h')
-rw-r--r-- | include/mod_auth.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/include/mod_auth.h b/include/mod_auth.h index 7c05a50d60..69cab09b7f 100644 --- a/include/mod_auth.h +++ b/include/mod_auth.h @@ -73,7 +73,8 @@ typedef enum { AUTHZ_DENIED, AUTHZ_GRANTED, AUTHZ_NEUTRAL, - AUTHZ_GENERAL_ERROR + AUTHZ_GENERAL_ERROR, + AUTHZ_DENIED_NO_USER, /* denied because r->user == NULL */ } authz_status; typedef struct { |
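
Review bot: The new last enumerator is written with a trailing comma (`AUTHZ_DENIED_NO_USER,` directly before `} authz_status;`), which C89 does not permit in an enumerator list and which strict compilers will warn about or reject; drop the comma so the list ends with `AUTHZ_DENIED_NO_USER /* denied because r->user == NULL */`. The one-line comment also leaves the contract out: per the commit message, a provider that needs an authenticated user must return this code instead of AUTHZ_DENIED, and that requirement belongs in the header next to the enum, because a provider that keeps returning AUTHZ_DENIED when r->user is NULL is indistinguishable from a real denial when the require blocks are walked in the access_checker_ex phase.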