Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
What's new
7
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Open sidebar
ai
sso
Commits
eda0d422
Commit
eda0d422
authored
Mar 20, 2016
by
godog
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
mod_sso: check /sso_login /sso_logout during access checker exception
parent
2ff21e09
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
57 additions
and
19 deletions
+57
-19
src/mod_sso/mod_sso.c
src/mod_sso/mod_sso.c
+57
-19
No files found.
src/mod_sso/mod_sso.c
View file @
eda0d422
...
...
@@ -427,19 +427,22 @@ static int mod_sso_method_handler(request_rec *r)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
uri
=
r
->
uri
;
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: handler
\"
%s
\"
"
,
r
->
handler
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: handler
\"
%s
\"
"
,
r
->
handler
);
// Return immediately if there's nothing to do (check the AuthType)
type
=
ap_auth_type
(
r
);
if
(
!
type
||
strcasecmp
(
type
,
"SSO"
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: invalid authentication type
\"
%s
\"
"
,
type
);
"sso: invalid authentication type
\"
%s
\"
"
,
type
);
return
DECLINED
;
}
sso_cookie_name
=
get_cookie_name
(
r
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: cookie_name
\"
%s
\"
"
,
sso_cookie_name
);
// Check if the required parameters are defined.
if
(
!
check_config
(
r
,
s_cfg
))
{
return
HTTP_INTERNAL_SERVER_ERROR
;
...
...
@@ -448,13 +451,15 @@ static int mod_sso_method_handler(request_rec *r)
// Parse the service into host/path (guess it if not specified).
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso: could not parse service
\"
%s
\"
"
,
s_cfg
->
service
);
"sso: could not parse service
\"
%s
\"
"
,
s_cfg
->
service
);
return
HTTP_BAD_REQUEST
;
}
// Handle /sso_logout
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: logout?
\"
%s
\"
\"
%s
\"
"
,
sso_logout_path
,
uri
);
if
(
!
strcmp
(
uri
,
sso_logout_path
))
{
modsso_del_cookie
(
r
,
sso_cookie_name
);
return
http_sendstring
(
r
,
"OK"
);
...
...
@@ -462,6 +467,8 @@ static int mod_sso_method_handler(request_rec *r)
// Handle /sso_login
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: login?
\"
%s
\"
\"
%s
\"
"
,
sso_login_path
,
uri
);
if
(
!
strcmp
(
uri
,
sso_login_path
))
{
struct
modsso_params
params
;
char
*
redir
;
...
...
@@ -620,6 +627,8 @@ static int redirect_to_login_server(request_rec *r,
}
ap_log_error
(
APLOG_MARK
,
APLOG_INFO
,
0
,
r
->
server
,
"sso: unauthorized access to %s"
,
dest
);
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso: redirecting to %s"
,
login_url
);
return
http_redirect
(
r
,
login_url
);
}
...
...
@@ -642,10 +651,47 @@ static char *pkey_to_string(const unsigned char *pkey, char *buf) {
* @param r Pointer to the request_rec structure.
*/
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
static
int
mod_sso_check_
user_id
(
request_rec
*
r
)
static
int
mod_sso_check_
access_ex
(
request_rec
*
r
)
{
const
char
*
type
,
*
sso_cookie_name
,
*
sso_cookie
,
*
uri
;
const
char
*
type
,
*
uri
;
const
char
*
sso_login_path
,
*
sso_logout_path
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
modsso_config
*
s_cfg
=
(
modsso_config
*
)
ap_get_module_config
(
r
->
per_dir_config
,
&
sso_module
);
type
=
ap_auth_type
(
r
);
if
(
type
==
NULL
||
apr_strnatcasecmp
(
type
,
"sso"
)
!=
0
)
{
return
DECLINED
;
}
// Check if the required parameters are defined.
if
(
!
check_config
(
r
,
s_cfg
))
{
return
HTTP_INTERNAL_SERVER_ERROR
;
}
uri
=
r
->
uri
;
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso (check_access_ex): could not parse service (cfg->service=%s)"
,
s_cfg
->
service
);
return
HTTP_BAD_REQUEST
;
}
// Everyone is allowed access to /sso_login and /sso_logout
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
if
(
!
strcmp
(
uri
,
sso_logout_path
)
||
!
strcmp
(
uri
,
sso_login_path
))
{
return
OK
;
}
return
DECLINED
;
}
static
int
mod_sso_check_user_id
(
request_rec
*
r
)
{
const
char
*
type
,
*
sso_cookie_name
,
*
sso_cookie
;
const
char
*
service
=
NULL
,
*
service_host
=
NULL
,
*
service_path
=
NULL
;
int
retval
,
err
,
do_redirect
=
1
;
...
...
@@ -658,9 +704,6 @@ static int mod_sso_check_user_id(request_rec *r)
return
DECLINED
;
}
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso (check_user_id): handler '%s'"
,
r
->
handler
);
// If this is a sub-request, pass existing credentials, if any.
if
(
!
ap_is_initial_req
(
r
))
{
if
(
r
->
main
!=
NULL
)
{
...
...
@@ -673,6 +716,9 @@ static int mod_sso_check_user_id(request_rec *r)
}
}
ap_log_error
(
APLOG_MARK
,
APLOG_DEBUG
,
0
,
r
->
server
,
"sso (check_user_id): handler '%s' uri '%s'"
,
r
->
handler
,
r
->
uri
);
sso_cookie_name
=
get_cookie_name
(
r
);
// Check if the required parameters are defined.
...
...
@@ -680,8 +726,6 @@ static int mod_sso_check_user_id(request_rec *r)
return
HTTP_INTERNAL_SERVER_ERROR
;
}
uri
=
r
->
uri
;
if
(
parse_service
(
r
,
s_cfg
,
&
service
,
&
service_host
,
&
service_path
)
!=
0
)
{
ap_log_error
(
APLOG_MARK
,
APLOG_ERR
,
0
,
r
->
server
,
"sso (check_user_id): could not parse service (cfg->service=%s)"
,
...
...
@@ -689,13 +733,6 @@ static int mod_sso_check_user_id(request_rec *r)
return
HTTP_BAD_REQUEST
;
}
// Everyone is allowed access to /sso_login and /sso_logout
sso_logout_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_logout"
,
NULL
);
sso_login_path
=
apr_pstrcat
(
r
->
pool
,
service_path
,
"sso_login"
,
NULL
);
if
(
!
strcmp
(
uri
,
sso_logout_path
)
||
!
strcmp
(
uri
,
sso_login_path
))
{
return
OK
;
}
// Test for valid cookie
sso_cookie
=
get_cookie
(
r
,
sso_cookie_name
);
if
(
sso_cookie
!=
NULL
)
{
...
...
@@ -958,6 +995,7 @@ static void mod_sso_register_hooks (apr_pool_t *p)
ap_hook_handler
(
mod_sso_method_handler
,
NULL
,
NULL
,
APR_HOOK_FIRST
);
#if MODULE_MAGIC_NUMBER_MAJOR >= 20100714
ap_hook_check_authn
(
mod_sso_check_user_id
,
NULL
,
NULL
,
APR_HOOK_MIDDLE
,
AP_AUTH_INTERNAL_PER_CONF
);
ap_hook_check_access_ex
(
mod_sso_check_access_ex
,
NULL
,
NULL
,
APR_HOOK_MIDDLE
,
AP_AUTH_INTERNAL_PER_CONF
);
ap_register_auth_provider
(
p
,
AUTHZ_PROVIDER_GROUP
,
SSO_REQUIRE_NAME
,
"0"
,
&
authz_sso_provider
,
AP_AUTH_INTERNAL_PER_CONF
);
#else
static
const
char
*
const
authzSucc
[]
=
{
"mod_sso.c"
,
NULL
};
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
