
[auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436)

can be combined with ssl:
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"
	auth.require = ("/" => ( "require" => "valid-user", "method" => "extern") )

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2894 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.33
Stefan Bühler 8 years ago
parent
commit
f9d58670d5
  1. 1
      NEWS
  2. 36
      src/mod_auth.c

1
NEWS

@ -27,6 +27,7 @@ NEWS
* [ssl] accept ssl renegotiations if they are not disabled (fixes #2491)
* [ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)
* [auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes #2495)
* [auth] new method "extern" to use already present REMOTE_USER (from magnet, ssl, ...) (fixes #2436)
- 1.4.32 - 2012-11-21
* Code cleanup with clang/sparse (fixes #2437, thx kibi)

36
src/mod_auth.c

@ -185,6 +185,7 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
data_string *ds;
mod_auth_plugin_data *p = p_d;
array *req;
data_string *req_method;
/* select the right config */
mod_auth_patch_connection(srv, con, p);
@ -227,18 +228,30 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
if (auth_required == 0) return HANDLER_GO_ON;
req = ((data_array *)(p->conf.auth_require->data[k]))->value;
req_method = (data_string *)array_get_element(req, "method");
/* try to get Authorization-header */
if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Authorization"))) {
http_authorization = ds->value->ptr;
if (0 == strcmp(req_method->value->ptr, "extern")) {
/* require REMOTE_USER to be already set */
if (NULL == (ds = (data_string *)array_get_element(con->environment, "REMOTE_USER"))) {
con->http_status = 401;
con->mode = DIRECT;
return HANDLER_FINISHED;
} else if (http_auth_match_rules(srv, req, ds->value->ptr, NULL, NULL)) {
log_error_write(srv, __FILE__, __LINE__, "s", "rules didn't match");
con->http_status = 401;
con->mode = DIRECT;
return HANDLER_FINISHED;
} else {
return HANDLER_GO_ON;
}
}
if (ds && ds->value && ds->value->used) {
/* try to get Authorization-header */
if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Authorization")) && ds->value->used) {
char *auth_realm;
data_string *method;
method = (data_string *)array_get_element(req, "method");
http_authorization = ds->value->ptr;
/* parse auth-header */
if (NULL != (auth_realm = strchr(http_authorization, ' '))) {
@ -248,13 +261,13 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
(0 == strncasecmp(http_authorization, "Basic", auth_type_len))) {
auth_type = "Basic";
if (0 == strcmp(method->value->ptr, "basic")) {
if (0 == strcmp(req_method->value->ptr, "basic")) {
auth_satisfied = http_auth_basic_check(srv, con, p, req, auth_realm+1);
}
} else if ((auth_type_len == 6) &&
(0 == strncasecmp(http_authorization, "Digest", auth_type_len))) {
auth_type = "Digest";
if (0 == strcmp(method->value->ptr, "digest")) {
if (0 == strcmp(req_method->value->ptr, "digest")) {
if (-1 == (auth_satisfied = http_auth_digest_check(srv, con, p, req, auth_realm+1))) {
con->http_status = 400;
con->mode = DIRECT;
@ -494,9 +507,10 @@ SETDEFAULTS_FUNC(mod_auth_set_defaults) {
return HANDLER_ERROR;
} else {
if (0 != strcmp(method, "basic") &&
0 != strcmp(method, "digest")) {
0 != strcmp(method, "digest") &&
0 != strcmp(method, "extern")) {
log_error_write(srv, __FILE__, __LINE__, "ss",
"method has to be either \"basic\" or \"digest\" in",
"method has to be either \"basic\", \"digest\" or \"extern\" in",
"auth.require = ( \"...\" => ( ..., \"method\" => \"...\") )");
return HANDLER_ERROR;
}
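Review bot: In the new `extern` branch of mod_auth_uri_handler, REMOTE_USER is only tested for presence, so an entry with an unset or empty value is still passed to http_auth_match_rules() as the username, whereas the Authorization path just below it also requires `ds->value->used`. How http_auth_match_rules() treats an empty or NULL name is not visible here, but a `"require" => "valid-user"` rule might then be satisfied without any identity, or `ds->value->ptr` might be dereferenced while NULL. I would reject that case in the first check: `if (NULL == (ds = (data_string *)array_get_element(con->environment, "REMOTE_USER")) || 0 == ds->value->used) {`. A comment there should also say that the value is trusted as-is, e.g. `/* REMOTE_USER is taken on trust: it must come from con->environment, set by a module that ran before mod_auth (ssl, magnet), never from a request header */`. The function body starts and ends outside the hunks shown.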
