Re: [modauthtkt-users] Thoughts on how to resolve "require user chains to basic auth" issue
From: Gavin C. <ga...@op...> - 2006-09-12 11:36:52
Hi John,

On Mon, Sep 11, 2006 at 09:35:01AM -0500, John Wade wrote:
> First thanks to Gavin and all for putting together a great module, this
> is clean, straightforward, and manageable and really meets our needs.
> Thanks!

You're welcome, and thanks. :-)

> Back in April there was a discussion on this list about the issue of
> Apache reverting to basic authentication when the config has a "require
> user" directive, but the authenticated user is not authorized to access
> the directory. Gavin had responded that the behavior was
> "non-optimal" but that no one had had time to look at it in depth.
>
> I took a look at it, and my guess is that the problem is that in the
> cases where we are not using tokens (i.e. either "require valid-user" or
> "require user") the module authenticates users, but does not authorize
> them. Since the "auth_tkt_check" function is registered as
> APR_HOOK_FIRST, the authorization for both of these cases is passed down
> the chain and handled by the "check_user_access" function in mod_auth
> (see /modules/aaa/mod_auth.c in the Apache 2.0 source tree). Since
> mod_auth knows nothing about mod_auth_tkt, it returns HTTP_UNAUTHORIZED,
> which triggers the basic auth retry instead of the preferred redirect to
> the TKTAuthUnauthURL.

I think you're basically correct - this is authz land interacting badly
with our authentication module. It seems to be a recognised problem for
others as well - compare this paragraph from the PubCookie docs:
http://www.pubcookie.org/docs/overview-apache.html#authz

> It would seem that there are two possible solutions to this.
>
> 1. Add a directive to the mod_auth_tkt configuration like
> TKTAuthRequire. This could use the same syntax as "require user" or
> "require valid-user". We would then have to implement the
> authorization check by replicating the code from the "check_user_access"
> function in mod_auth.c in the "auth_tkt_check" function, with the
> appropriate changes to redirect to the TKTAuthUnauthURL if the user is
> not authorized. This approach has the advantage that it should not
> break any existing configuration.
>
> 2. Continue to use the standard "require user" and "require valid-user"
> directives, but implement the authorization in the "auth_tkt_check"
> function (once again by essentially copying the section from the
> "check_user_access" function in mod_auth.c). I am not sure of the
> feasibility of this for several reasons, but I will defer to those more
> knowledgeable. The first potential problem is that I suspect this
> function gets called for all check_user_id calls, thus it would probably
> break the fail through to basic authentication for those who wanted to
> use both techniques in different directories. I also am not sure if
> the function call "ap_get_module_config(r->per_dir_config,
> &auth_tkt_module)" will return the "require user" directives, which are
> probably registered by the mod_auth module.

Of these, I'd prefer the second, if it's doable. It's much cleaner to use
the existing well-understood directives than implement our own. But as
you say, John, it's potentially tricky.

> I am willing to give a stab at putting together a patch for this if
> anyone has any suggestions about the correct way to implement this or if
> anyone has any other insights.

Sounds great. Another place you might want to look is the
Apache::AuthCookie perl module (perhaps depending how your perl is) - they
do something similar in perl that handles both the authen and authz sides
of things, so they must have wrestled with these issues too.

Cheers,
Gavin
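As an added, stand-alone illustration (not code from mod_auth_tkt, from mod_auth.c, or from either poster, and not using the httpd API), the C below models the decision that Apache 2.0's check_user_access() makes for the two require types discussed in the thread, "valid-user" and "user", and then the point where the two modules disagree: after a denial, mod_auth sends HTTP_UNAUTHORIZED (so the browser re-prompts for Basic credentials), whereas a tkt-aware check would redirect to TKTAuthUnauthURL. The requirement strings, user names and URL are constructed sample data; check_require(), on_denied() and the enum names are this example's own, not Apache or mod_auth_tkt identifiers. Requirement strings are kept in the same form mod_auth sees them, i.e. the text after the "Require" keyword.

```c
/* Stand-alone model of the "require" authorization decision and of the
 * 401-vs-redirect choice that follows a denial.  Added example; it does
 * not use the httpd API and is not mod_auth_tkt or mod_auth code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

enum authz_result { AUTHZ_GRANTED, AUTHZ_DENIED, AUTHZ_NO_REQUIREMENT };

/* What a module would send back after a denial (this example's names). */
enum authz_action { ACTION_CHALLENGE_401, ACTION_REDIRECT };

/* Constructed sample requirements, stored as the text after "Require",
 * which is how mod_auth's per-directory requirement array holds them. */
static const char *const REQ_ADMINS[] = { "user alice bob" };
static const size_t REQ_ADMINS_N = 1;
static const char *const REQ_ANYONE[] = { "valid-user" };
static const size_t REQ_ANYONE_N = 1;

/* Copy the next whitespace-delimited word from *s into buf and advance *s.
 * Plays the role ap_getword_white() plays in mod_auth.c.  Returns 0 at
 * end of string; words longer than buflen-1 are truncated. */
static int next_word(const char **s, char *buf, size_t buflen)
{
    const char *p = *s;
    size_t n = 0;
    while (*p && isspace((unsigned char)*p)) p++;
    if (!*p) { *s = p; return 0; }
    while (*p && !isspace((unsigned char)*p)) {
        if (n + 1 < buflen) buf[n++] = *p;
        p++;
    }
    buf[n] = '\0';
    *s = p;
    return 1;
}

/* Evaluate "valid-user" / "user ..." requirements against the authenticated
 * user.  A NULL or empty user models a request where nothing authenticated.
 * Other require types (e.g. "group") are ignored here, as other modules
 * would handle them; with no requirements at all the answer is "decline". */
enum authz_result check_require(const char *user,
                                const char *const *require_lines, size_t n)
{
    char word[64];
    if (n == 0) return AUTHZ_NO_REQUIREMENT;
    if (!user || !*user) return AUTHZ_DENIED;

    for (size_t i = 0; i < n; i++) {
        const char *t = require_lines[i];
        if (!next_word(&t, word, sizeof word)) continue;
        if (strcmp(word, "valid-user") == 0)
            return AUTHZ_GRANTED;              /* any authenticated user */
        if (strcmp(word, "user") == 0) {
            while (next_word(&t, word, sizeof word))
                if (strcmp(word, user) == 0)
                    return AUTHZ_GRANTED;      /* listed by name */
        }
    }
    return AUTHZ_DENIED;
}

/* After a denial: mod_auth always answers with a 401 challenge.  A
 * tkt-aware check would redirect when a TKTAuthUnauthURL is configured
 * and fall back to the 401 only when it is not. */
enum authz_action on_denied(const char *tkt_auth_unauth_url)
{
    return (tkt_auth_unauth_url && *tkt_auth_unauth_url)
               ? ACTION_REDIRECT : ACTION_CHALLENGE_401;
}

int main(void)
{
    const char *users[] = { "alice", "carol", "" };
    for (size_t i = 0; i < 3; i++) {
        enum authz_result r = check_require(users[i], REQ_ADMINS, REQ_ADMINS_N);
        printf("user '%s' against 'user alice bob': %s\n", users[i],
               r == AUTHZ_GRANTED ? "granted" : "denied");
        if (r == AUTHZ_DENIED)
            printf("  mod_auth -> 401; tkt-aware check -> %s\n",
                   on_denied("/login") == ACTION_REDIRECT
                       ? "redirect to /login" : "401");
    }
    return 0;
}
```

The function separates the two concerns the thread is about: check_require() is the authz decision that mod_auth already makes correctly, and on_denied() is the one line that would have to differ in an auth_tkt_check that performs its own authorization, whichever of John's two approaches is chosen.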