simo pushed to mod_auth_gssapi (f21). "Fix sbrequests authentication"

notifications at fedoraproject.org notifications at fedoraproject.org
Wed Apr 1 12:49:09 UTC 2015


>From b33b3701183dcdbfab0609e26095fb4f68f4ebc4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo at redhat.com>
Date: Tue, 31 Mar 2015 17:22:15 -0400
Subject: Fix sbrequests authentication


diff --git a/0001-Handle-authentication-on-subrequests.patch b/0001-Handle-authentication-on-subrequests.patch
new file mode 100644
index 0000000..4cc6fb7
--- /dev/null
+++ b/0001-Handle-authentication-on-subrequests.patch
@@ -0,0 +1,70 @@
+From e5db7c1f5738c7874e73869a2f4511193f956b81 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo at redhat.com>
+Date: Mon, 30 Mar 2015 12:48:30 -0400
+Subject: [PATCH] Handle authentication on subrequests
+
+In some cases (like during directory listing) Apache will re-run the
+authentication code. Many GSSAPI mechanism have replay detection so
+we cannot simply rerun the accept_sec_context phase. Others require
+multiple steps. When authntication has already been estalished just
+implicitly consider the authentication successfully performed and
+copy the user name. Otherwise fail.
+If a subrequest hits a location with a different mod_auth_gssapi
+configuration warn but do not error off right away.
+
+Fixes #15
+---
+ src/mod_auth_gssapi.c | 35 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index c7881bf9e149bb190ad73741250d94541abfd0e8..e2331107b89734bd5da3a742a884c6a92489d5a8 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
+         return DECLINED;
+     }
+ 
+-    /* ignore auth for subrequests */
+-    if (!ap_is_initial_req(req)) {
+-        return OK;
+-    }
+-
+     cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+ 
++    /* implicit auth for subrequests if main auth already happened */
++    if (!ap_is_initial_req(req)) {
++        type = ap_auth_type(req->main);
++        if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
++            /* warn if the subrequest location and the main request
++             * location have different configs */
++            if (cfg != ap_get_module_config(req->main->per_dir_config,
++                                            &auth_gssapi_module)) {
++                ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
++                              req, "Subrequest authentication bypass on "
++                                   "location with different configuration!");
++            }
++            if (req->main->user) {
++                req->user = apr_pstrdup(req->pool, req->main->user);
++                return OK;
++            } else {
++                ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
++                              "The main request is tasked to establish the "
++                              "security context, can't proceed!");
++                return HTTP_UNAUTHORIZED;
++            }
++        } else {
++            ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
++                          "Subrequest GSSAPI auth with no auth on the main "
++                          "request. This operation may fail if other "
++                          "subrequests already established a context or the "
++                          "mechanism requires multiple roundtrips.");
++        }
++    }
++
+     if (cfg->ssl_only) {
+         if (!mag_conn_is_https(req->connection)) {
+             ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+-- 
+2.1.0
+
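Review bot: The warning in the config-mismatch branch passes `APLOG_WARNING||APLOG_NOERRNO` to ap_log_rerror, a logical OR that evaluates to 1 instead of the combined flags, so the message goes out at the wrong severity (1 is APLOG_ALERT in httpd's http_log.h); it should read `APLOG_WARNING|APLOG_NOERRNO`, matching the other two calls in this block. That message is the only trace an operator gets when a subrequest is implicitly authenticated into a location whose mod_auth_gssapi configuration differs from the main request's, so its level matters for log filtering and alerting. In that same branch the main request's user is still copied and OK returned, so none of the subrequest location's own settings (the `cfg->ssl_only` check just below, for instance) are evaluated; the commit message says this is deliberate for now, and a comment such as `/* NOTE: the subrequest's cfg is not enforced on this path; only the main request's auth is trusted */` would make that explicit. mag_auth starts and ends outside the hunk.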
diff --git a/mod_auth_gssapi.spec b/mod_auth_gssapi.spec
index cf6605e..1c26f54 100644
--- a/mod_auth_gssapi.spec
+++ b/mod_auth_gssapi.spec
@@ -1,6 +1,6 @@
 Name:           mod_auth_gssapi
 Version:        1.1.0
-Release:        2.simotest%{?dist}
+Release:        3%{?dist}
 Summary:        A GSSAPI Authentication module for Apache
 
 Group:          System Environment/Daemons
@@ -13,7 +13,7 @@ Requires:       httpd-mmn = %{_httpd_mmn}
 Requires:       krb5-libs >= 1.11.5
 
 Patch01: 0001-Escape-principal-name-to-remove-the-path-separator.patch
-Patch02: 0001-wip-15.patch
+Patch02: 0001-Handle-authentication-on-subrequests.patch
 
 %description
 The mod_auth_gssapi module is an authentication service that implements the
@@ -48,6 +48,9 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
 %{_httpd_moddir}/mod_auth_gssapi.so
 
 %changelog
+* Thu Mar 31 2015 Simo Sorce <simo at redhat.com> 1.1.0-3
+- Fix some authentication issues
+
 * Thu Mar 26 2015 Simo Sorce <simo at redhat.com> 1.1.0-2
 - Fix saving delegated credentials for SPNs
 
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/mod_auth_gssapi.git/commit/?h=f21&id=b33b3701183dcdbfab0609e26095fb4f68f4ebc4

