static int authenticate_basic_user(request_rec *r) { auth_config_rec *sec = (auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_module); conn_rec *c = r->connection; const char *sent_pw; char *real_pw; char *invalid_pw; int res; if ((res = ap_get_basic_auth_pw(r, &sent_pw))) return res; if (!sec->auth_pwfile) return DECLINED; if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) { if (!(sec->auth_authoritative)) return DECLINED; ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "user %s not found: %s", c->user, r->uri); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; } invalid_pw = ap_validate_password(sent_pw, real_pw); if (invalid_pw != NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "user %s: authentication failure for \"%s\": %s", c->user, r->uri, invalid_pw); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; } return OK; }
static int psx_auth_fail(request_rec *r, qEnvApache *renv) { // this is kinda wrong.... but for now we keep it.... if (!r->header_only) { CStr resp = renv->GetCtx()->Eval("http-noauth"); if (!resp.IsEmpty()) { qStrBuf bufin(resp); qStrBuf bufout; renv->GetCtx()->ParseTry(&bufin, &bufout); ap_custom_response(r, HTTP_UNAUTHORIZED, bufout.GetBuffer()); } } if (!ap_auth_type(r)) { ap_table_setn(r->err_headers_out, r->proxyreq ? "Proxy-Authenticate" : "WWW-Authenticate", ap_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), "\"", NULL)); } else { ap_note_basic_auth_failure(r); } renv->Free(); ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, AP2STATUS r, "returning unauthorized: %d, status : %d", HTTP_UNAUTHORIZED, r->status); return HTTP_UNAUTHORIZED; }
CAMLprim value netcgi2_apache_request_note_basic_auth_failure (value rv) { CAMLparam1 (rv); request_rec *r = Request_rec_val (rv); ap_note_basic_auth_failure (r); CAMLreturn (Val_unit); }
static int dbm_authenticate_basic_user(request_rec *r) { dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config, &auth_dbm_module); const char *sent_pw; char *real_pw, *colon_pw; apr_status_t invalid_pw; int res; if ((res = ap_get_basic_auth_pw(r, &sent_pw))) return res; if (!conf->auth_dbmpwfile) return DECLINED; if (!(real_pw = get_dbm_pw(r, r->user, conf->auth_dbmpwfile, conf->auth_dbmtype))) { if (!(conf->auth_dbmauthoritative)) return DECLINED; ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "DBM user %s not found: %s", r->user, r->filename); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } /* Password is up to first : if exists */ colon_pw = strchr(real_pw, ':'); if (colon_pw) { *colon_pw = '\0'; } invalid_pw = apr_password_validate(sent_pw, real_pw); if (invalid_pw != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "DBM user %s: authentication failure for \"%s\": " "Password Mismatch", r->user, r->uri); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } return OK; }
static int authenticate_basic_user(request_rec *r) { auth_config_rec *conf = ap_get_module_config(r->per_dir_config, &auth_module); const char *sent_pw; char *real_pw; apr_status_t invalid_pw; int res; if ((res = ap_get_basic_auth_pw(r, &sent_pw))) { return res; } if (!conf->auth_pwfile) { return DECLINED; } if (!(real_pw = get_pw(r, r->user, conf->auth_pwfile))) { if (!(conf->auth_authoritative)) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "user %s not found: %s", r->user, r->uri); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } invalid_pw = apr_password_validate(sent_pw, real_pw); if (invalid_pw != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "user %s: authentication failure for \"%s\": " "Password Mismatch", r->user, r->uri); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } return OK; }
static int dbm_authenticate_basic_user(request_rec *r) { dbm_auth_config_rec *sec = (dbm_auth_config_rec *) ap_get_module_config(r->per_dir_config, &dbm_auth_module); conn_rec *c = r->connection; char *sent_pw, *real_pw, *colon_pw; int res; if ((res = ap_get_basic_auth_pw(r, &sent_pw))) return res; if (!sec->auth_dbmpwfile) return DECLINED; if (!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) { if (!(sec->auth_dbmauthoritative)) return DECLINED; ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, "DBM user %s not found: %s", c->user, r->filename); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; } /* Password is up to first : if exists */ colon_pw = strchr(real_pw, ':'); if (colon_pw) *colon_pw = '\0'; /* anyone know where the prototype for crypt is? */ if (strcmp(real_pw, (char *) crypt(sent_pw, real_pw))) { ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, "user %s: password mismatch: %s", c->user, r->uri); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; } return OK; }
static int authz_unixgroup_check_user_access(request_rec *r) { authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *) ap_get_module_config(r->per_dir_config, &authz_unixgroup_module); int m= r->method_number; int required_group= 0; register int x; const char *t, *w; const apr_array_header_t *reqs_arr= ap_requires(r); const char *filegroup= NULL; require_line *reqs; /* If not enabled, pass */ if ( !dir->enabled ) return DECLINED; /* If there are no Require arguments, pass */ if (!reqs_arr) return DECLINED; reqs= (require_line *)reqs_arr->elts; /* Loop through the "Require" argument list */ for(x= 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue; t= reqs[x].requirement; w= ap_getword_white(r->pool, &t); /* The 'file-group' directive causes mod_authz_owner to store the * group name of the file we are trying to access in a note attached * to the request. It's our job to decide if the user actually is * in that group. If the note is missing, we just ignore it. * Probably mod_authz_owner is not installed. */ if ( !strcasecmp(w, "file-group")) { filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE); if (filegroup == NULL) continue; } if ( !strcmp(w,"group") || filegroup != NULL) { required_group= 1; if (filegroup) { /* Check if user is in the group that owns the file */ if (check_unix_group(r,filegroup)) return OK; } else if (t[0]) { /* Pass rest of require line to authenticator */ if (check_unix_group(r,t)) return OK; } } } /* If we didn't see a 'require group' or aren't authoritive, decline */ if (!required_group || !dir->authoritative) return DECLINED; /* Authentication failed and we are authoritive, declare unauthorized */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: user %s not allowed access", r->uri, r->user); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; }
static int dbm_check_auth(request_rec *r) { dbm_auth_config_rec *conf = ap_get_module_config(r->per_dir_config, &auth_dbm_module); char *user = r->user; int m = r->method_number; const apr_array_header_t *reqs_arr = ap_requires(r); require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; register int x; const char *t; char *w; if (!conf->auth_dbmgrpfile) return DECLINED; if (!reqs_arr) return DECLINED; for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue; t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (!strcmp(w, "group") && conf->auth_dbmgrpfile) { const char *orig_groups, *groups; char *v; if (!(groups = get_dbm_grp(r, user, conf->auth_dbmgrpfile, conf->auth_dbmtype))) { if (!(conf->auth_dbmauthoritative)) return DECLINED; ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "user %s not in DBM group file %s: %s", user, conf->auth_dbmgrpfile, r->filename); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } orig_groups = groups; while (t[0]) { w = ap_getword_white(r->pool, &t); groups = orig_groups; while (groups[0]) { v = ap_getword(r->pool, &groups, ','); if (!strcmp(v, w)) return OK; } } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "user %s not in right group: %s", user, r->filename); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } } return DECLINED; }
static int pg_check_auth(request_rec * r) { pg_auth_config_rec *sec = (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_pgsql_module); char *user = r->user; int m = r->method_number; int group_result = DECLINED; apr_array_header_t *reqs_arr = (apr_array_header_t *) ap_requires(r); require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; register int x, res; const char *t; char *w; pg_errstr[0] = '\0'; #ifdef DEBUG_AUTH_PGSQL ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - pg_check_auth - going to check auth for user \"%s\" ", user); #endif /* DEBUG_AUTH_PGSQL */ /* if we cannot do it; leave it to some other guy */ if ((!sec->auth_pg_grp_table) && (!sec->auth_pg_grp_group_field) && (!sec->auth_pg_grp_user_field)) return DECLINED; if (!reqs_arr) { if (sec->auth_pg_authoritative) { /* force error and access denied */ apr_snprintf(pg_errstr, MAX_STRING_LEN, "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); res = HTTP_UNAUTHORIZED; } else { return DECLINED; } } for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (1 << m))) continue; t = reqs[x].requirement; w = ap_getword(r->pool, &t, ' '); if (!strcmp(w, "valid-user")) return OK; if (!strcmp(w, "user")) { while (t[0]) { w = ap_getword_conf(r->pool, &t); if (!strcmp(user, w)) return OK; } if (sec->auth_pg_authoritative) { /* force error and access denied */ apr_snprintf(pg_errstr, MAX_STRING_LEN, "mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } } else if (!strcmp(w, "group")) { /* look up the membership for each of the groups in the table */ pg_errstr[0] = '\0'; while (t[0]) { if (get_pg_grp(r, ap_getword(r->pool, &t, ' '), user, sec)) { group_result = OK; }; }; if (pg_errstr[0]) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); return HTTP_INTERNAL_SERVER_ERROR; } if (group_result == OK) return OK; if (sec->auth_pg_authoritative) { apr_snprintf(pg_errstr, MAX_STRING_LEN, "[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; }; } } return DECLINED; }
/* Process authentication request from Apache*/ static int pg_authenticate_basic_user(request_rec * r) { pg_auth_config_rec *sec = (pg_auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_pgsql_module); char *val = NULL; char *sent_pw, *real_pw; int res; char *user; if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw))) return res; user = r->user; #ifdef DEBUG_AUTH_PGSQL ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - pg_authenticate_basic_user - going to auth user \"%s\" pass \"%s\" uri \"%s\"", user, sent_pw, r->unparsed_uri); #endif /* DEBUG_AUTH_PGSQL */ /* if *password* checking is configured in any way, i.e. then * handle it, if not decline and leave it to the next in line.. * We do not check on dbase, group, userid or host name, as it is * perfectly possible to only do group control and leave * user control to the next guy in line. */ if ((!sec->auth_pg_pwd_table) && (!sec->auth_pg_pwd_field)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - missing configuration parameters"); return DECLINED; } pg_errstr[0] = '\0'; if (sec->auth_pg_cache_passwords && (!apr_is_empty_table(sec->cache_pass_table))) { val = (char *) apr_table_get(sec->cache_pass_table, user); if (val) real_pw = val; else real_pw = get_pg_pw(r, user, sec); } else real_pw = get_pg_pw(r, user, sec); if (!real_pw) { if (pg_errstr[0]) { res = HTTP_INTERNAL_SERVER_ERROR; } else { if (sec->auth_pg_authoritative) { /* force error and access denied */ apr_snprintf(pg_errstr, MAX_STRING_LEN, "mod_auth_pgsql: Password for user %s not found (PG-Authoritative)", user); ap_note_basic_auth_failure(r); res = HTTP_UNAUTHORIZED; } else { /* allow fall through to another module */ return DECLINED; } } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); return res; } /* allow no password, if the flag is set and the password * is empty. But be sure to log this. */ if ((sec->auth_pg_nopasswd) && (!strlen(real_pw))) { apr_snprintf(pg_errstr, MAX_STRING_LEN, "[mod_auth_pgsql.c] - Empty password accepted for user \"%s\"", user); ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); pg_log_auth_user(r, sec, user, sent_pw); return OK; }; /* if the flag is off however, keep that kind of stuff at * an arms length. */ if ((!strlen(real_pw)) || (!strlen(sent_pw))) { apr_snprintf(pg_errstr, MAX_STRING_LEN, "[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; }; if (sec->auth_pg_encrypted) switch (sec->auth_pg_hash_type) { case AUTH_PG_HASH_TYPE_MD5: sent_pw = auth_pg_md5(sent_pw); break; case AUTH_PG_HASH_TYPE_CRYPT: sent_pw = (char *) crypt(sent_pw, real_pw); break; case AUTH_PG_HASH_TYPE_BASE64: sent_pw = auth_pg_base64(sent_pw); break; } if (sec->auth_pg_hash_type == AUTH_PG_HASH_TYPE_NETEPI) { char *netepi_pw; if (netepi_pw = netepi_pwd_check(sec, r, real_pw, sent_pw)) goto netepi_ok; apr_snprintf(pg_errstr, MAX_STRING_LEN, "PG user %s: password mismatch", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; netepi_ok: sent_pw = netepi_pw; } else if ((sec->auth_pg_hash_type == AUTH_PG_HASH_TYPE_MD5 || sec->auth_pg_hash_type == AUTH_PG_HASH_TYPE_BASE64 || sec->auth_pg_pwdignorecase) ? strcasecmp(real_pw, sent_pw) : strcmp(real_pw, sent_pw)) { apr_snprintf(pg_errstr, MAX_STRING_LEN, "PG user %s: password mismatch", user); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; } /* store password in the cache */ if (sec->auth_pg_cache_passwords && !val && sec->cache_pass_table) { if ((apr_table_elts(sec->cache_pass_table))->nelts >= MAX_TABLE_LEN) { apr_table_clear(sec->cache_pass_table); } apr_table_set(sec->cache_pass_table, user, real_pw); } pg_log_auth_user(r, sec, user, sent_pw); return OK; }
static int dbm_check_auth(request_rec *r) { dbm_auth_config_rec *sec = (dbm_auth_config_rec *) ap_get_module_config(r->per_dir_config, &dbm_auth_module); char *user = r->connection->user; int m = r->method_number; array_header *reqs_arr = ap_requires(r); require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL; register int x; const char *t; char *w; if (!sec->auth_dbmgrpfile) return DECLINED; if (!reqs_arr) return DECLINED; for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (1 << m))) continue; t = reqs[x].requirement; w = ap_getword(r->pool, &t, ' '); if (!strcmp(w, "group") && sec->auth_dbmgrpfile) { const char *orig_groups, *groups; char *v; if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) { if (!(sec->auth_dbmauthoritative)) return DECLINED; ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, "user %s not in DBM group file %s: %s", user, sec->auth_dbmgrpfile, r->filename); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; } orig_groups = groups; while (t[0]) { w = ap_getword(r->pool, &t, ' '); groups = orig_groups; while (groups[0]) { v = ap_getword(r->pool, &groups, ','); if (!strcmp(v, w)) return OK; } } ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r->server, "user %s not in right group: %s", user, r->filename); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; } } return DECLINED; }
static int check_user_access(request_rec *r) { auth_config_rec *sec = (auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_module); char *user = r->connection->user; int m = r->method_number; int method_restricted = 0; register int x; const char *t, *w; table *grpstatus; const array_header *reqs_arr = ap_requires(r); require_line *reqs; /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive, * then any user will do. */ if (reqs_arr == NULL) { return (OK); } reqs = (require_line *) reqs_arr->elts; if (sec->auth_grpfile) { grpstatus = groups_for_user(r->pool, user, sec->auth_grpfile); } else { grpstatus = NULL; } for (x = 0; x < reqs_arr->nelts; x++) { if (! (reqs[x].method_mask & (1 << m))) { continue; } method_restricted = 1; t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (strcmp(w, "valid-user") == 0) { return OK; } /* * If requested, allow access if the user is valid and the * owner of the document. */ if (strcmp(w, "file-owner") == 0) { #if defined(WIN32) || defined(NETWARE) || defined(OS2) ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r, "'Require file-owner' not supported " "on this platform, ignored"); continue; #else struct passwd *pwent; ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "checking for 'owner' access for file '%s'", r->filename); if (r->finfo.st_ino == 0) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "no stat info for '%s'", r->filename); continue; } pwent = getpwuid(r->finfo.st_uid); if (pwent == NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "no username for UID %d (owner of '%s')", r->finfo.st_uid, r->filename); } else { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "checking authenticated user '%s' " "against owner '%s' of '%s'", user, pwent->pw_name, r->filename); if (strcmp(user, pwent->pw_name) == 0) { return OK; } else { continue; } } #endif } if (strcmp(w, "file-group") == 0) { #if defined(WIN32) || defined(NETWARE) || defined(OS2) ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r, "'Require file-group' not supported " "on this platform, ignored"); continue; #else struct group *grent; if (sec->auth_grpfile == NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r, "no AuthGroupFile, so 'file-group' " "requirement cannot succeed for file '%s'", r->filename); continue; } if (grpstatus == NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r, "authenticated user '%s' not a member of " "any groups, so 'file-group' requirement " "cannot succeed for file '%s'", user, r->filename); continue; } ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "checking for 'group' access for file '%s'", r->filename); if (r->finfo.st_ino == 0) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "no stat info for '%s'", r->filename); continue; } grent = getgrgid(r->finfo.st_gid); if (grent == NULL) { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "no group name for GID %d (owner of '%s')", r->finfo.st_gid, r->filename); } else { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r, "checking groups of authenticated user '%s' " "against owner group '%s' of '%s'", user, grent->gr_name, r->filename); if (ap_table_get(grpstatus, grent->gr_name) != NULL) { return OK; } else { continue; } } #endif } if (strcmp(w, "user") == 0) { while (t[0] != '\0') { w = ap_getword_conf(r->pool, &t); if (strcmp(user, w) == 0) { return OK; } } } else if (strcmp(w, "group") == 0) { if (grpstatus == NULL) { return DECLINED; /* DBM group? Something else? */ } while (t[0]) { w = ap_getword_conf(r->pool, &t); if (ap_table_get(grpstatus, w)) { return OK; } } } else if (sec->auth_authoritative) { /* if we aren't authoritative, any require directive could be * valid even if we don't grok it. However, if we are * authoritative, we can warn the user they did something wrong. * That something could be a missing "AuthAuthoritative off", but * more likely is a typo in the require directive. */ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "access to %s failed, " "reason: unknown require directive:" "\"%s\"", r->uri, reqs[x].requirement); } } if (! method_restricted) { return OK; } if (! sec->auth_authoritative) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "access to %s failed, reason: user %s not allowed access", r->uri, user); ap_note_basic_auth_failure(r); return AUTH_REQUIRED; }
static int check_user_access(request_rec *r) { auth_config_rec *conf = ap_get_module_config(r->per_dir_config, &auth_module); char *user = r->user; int m = r->method_number; int method_restricted = 0; register int x; const char *t, *w; apr_table_t *grpstatus; const apr_array_header_t *reqs_arr = ap_requires(r); require_line *reqs; /* BUG FIX: tadc, 11-Nov-1995. If there is no "requires" directive, * then any user will do. */ if (!reqs_arr) { return OK; } reqs = (require_line *)reqs_arr->elts; if (conf->auth_grpfile) { grpstatus = groups_for_user(r, user, conf->auth_grpfile); } else { grpstatus = NULL; } for (x = 0; x < reqs_arr->nelts; x++) { if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { continue; } method_restricted = 1; t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (!strcmp(w, "valid-user")) { return OK; } if (!strcmp(w, "user")) { while (t[0]) { w = ap_getword_conf(r->pool, &t); if (!strcmp(user, w)) { return OK; } } } else if (!strcmp(w, "group")) { if (!grpstatus) { return DECLINED; /* DBM group? Something else? */ } while (t[0]) { w = ap_getword_conf(r->pool, &t); if (apr_table_get(grpstatus, w)) { return OK; } } } else if (conf->auth_authoritative) { /* if we aren't authoritative, any require directive could be * valid even if we don't grok it. However, if we are * authoritative, we can warn the user they did something wrong. * That something could be a missing "AuthAuthoritative off", but * more likely is a typo in the require directive. */ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: unknown require " "directive:\"%s\"", r->uri, reqs[x].requirement); } } if (!method_restricted) { return OK; } if (!(conf->auth_authoritative)) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "access to %s failed, reason: user %s not allowed access", r->uri, user); ap_note_basic_auth_failure(r); return HTTP_UNAUTHORIZED; }