
Mailing List Archive: Apache: Dev

Struggling with AuthMerging



mi+thun at aldan

Jul 30, 2013, 4:18 PM

Post #1 of 4 (54 views)
Struggling with AuthMerging

Hello!

I realize configuration questions aren't meant for this list, but I'm
beginning to suspect a bug...

Here is the configuration:

<Location />
    AuthType form
    AuthFormProvider tiv
    Session On
    SessionCookieName ti2f
    Include conf/sessionpw.conf
    AuthName TI
    <RequireAll>
        Require tiv ipaddress
        Require tiv expiration
    </RequireAll>
</Location>

<Location /tiv>
    AuthMerging Or
    Require all granted
    DirectoryIndex index.php
</Location>

The idea is, the entire site is protected by our special authn/authz
module we wrote (named "tiv"), except for a subdirectory /tiv, which
everybody is supposed to be able to access without questions.

Unfortunately, access to /tiv is denied as well. This is what
authz_core:debug lists for each hit:

authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require all granted: granted
authorization result of <RequireAny>: granted
authorization result of AuthMerging Any: granted
authorization result of Require tiv ipaddress: denied (no
authenticated user yet)
authorization result of Require tiv expiration: denied (no
authenticated user yet)
authorization result of <RequireAll>: denied (no authenticated user yet)
authorization result of <RequireAny>: denied (no authenticated user yet)

What makes me think there is a bug:

1. The "Require all granted: granted" and "AuthMerging Any: granted"
are mentioned multiple times -- instead of once per hit.
2. AuthMerging settings -- and I tried all legal values (Off, And, Or)
-- do not seem to have an effect; I'm denied access to /tiv no
matter what.
3. RequireAll -- from Location / -- is examined at all, despite
Location /tiv declaring "AuthMerging Or" (tried all values,
actually, just in case).
4. "Require tiv expiration" is tested, even though its AND-connected
sibling "Require tiv ipaddress" has already failed.

How can I grant open access to a subdirectory (sublocation), while
keeping the rest of the server locked-up? Thanks!

-mi


isoma at jellybaby

Jul 30, 2013, 4:27 PM

Post #2 of 4 (54 views)
Re: Struggling with AuthMerging [In reply to]

On 31 Jul 2013, at 00:18, "Mikhail T." wrote:

> Hello!
>
> I realize configuration questions aren't meant for this list, but I'm beginning to suspect a bug...

I'd try the users list first. The server might be working properly and it's just the documentation that has fallen short.

Tim

--
Tim Bannister – isoma [at] jellybaby


mi+thun at aldan

Jul 31, 2013, 8:02 AM

Post #3 of 4 (46 views)
Re: Struggling with AuthMerging [In reply to]

On 30.07.2013 19:27, Tim Bannister wrote:
> The server might be working properly and it's just the documentation that has fallen short.
>
As a minimum, testing the subsequent children of RequireAll after one of
them already responded with "denied" seems like a bug...

-mi


ben at reser

Aug 1, 2013, 6:05 PM

Post #4 of 4 (35 views)
Re: Struggling with AuthMerging [In reply to]

On Wed, Jul 31, 2013 at 8:02 AM, Mikhail T. <mi+thun [at] aldan> wrote:
> As a minimum, testing the subsequent children of RequireAll after one of
> them already responded with "denied" seems like a bug...

I'm not sure about the AuthMerging but I can say that trying the "tiv
expiration" is not a bug.

First of all you should understand that authz providers are called
TWICE. The general process for authz handling is as such:
1) authz providers are called before authentication is processed to
check for anonymous access (i.e. r->user == NULL). If the resulting
response is AUTHZ_GRANTED then access is provided and no other
authn/authz processing occurs. If the resulting response is
AUTHZ_DENIED or AUTHZ_NEUTRAL then the request is provided with
HTTP_FORBIDDEN. If the resulting response is AUTHZ_DENIED_NO_USER
then processing continues.
2) authentication is processed. r->user gets set. Errors out here if
the user can't authenticate.
3) authz providers are called this time with r->user set. If the
result is AUTHZ_GRANTED then access is granted and http starts the
work to serve the request. If AUTHZ_DENIED_USER, HTTP_UNAUTHORIZED is
returned. If AUTHZ_DENIED or AUTHZ_NEUTRAL then the response is
HTTP_FORBIDDEN.

Your log shows:
"authorization result of Require tiv ipaddress: denied (no
authenticated user yet)"

This only happens when your module returns AUTHZ_DENIED_NO_USER. If
you return this value httpd must call into each module since one of
your RequireAll directives might be able to return AUTHZ_DENIED and
then we would need to deny the request without going through the authn
processing or the second authz pass.

A good way of thinking of this is that with RequireAll and RequireNone
the priority of response codes is:
AUTHZ_GENERAL_ERROR (immediate return)
AUTHZ_DENIED (short-circuits other siblings and continues with processing)
AUTHZ_DENIED_NO_USER
AUTHZ_GRANTED
AUTHZ_NEUTRAL

RequireAny:
AUTHZ_GENERAL_ERROR (immediate return)
AUTHZ_GRANTED (short-circuits other siblings and continues with processing)
AUTHZ_DENIED_NO_USER
AUTHZ_DENIED
AUTHZ_NEUTRAL
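As an added illustration (not code from the post or from httpd), a small Python model of the two-pass flow and the RequireAll/RequireAny precedence described above. The "tiv" stand-in provider, the user name, and the reading of the post's "AUTHZ_DENIED_USER" as AUTHZ_DENIED_NO_USER are assumptions; demo() replays the first post's RequireAll, where both checks answer DENIED_NO_USER before authentication and so both get tested.

```python
# Added model of the authz rules in the post above (not httpd's own code):
# RequireAll/RequireAny precedence with short-circuiting, plus the two passes.
GENERAL_ERROR, DENIED, DENIED_NO_USER, GRANTED, NEUTRAL = (
    "AUTHZ_GENERAL_ERROR", "AUTHZ_DENIED", "AUTHZ_DENIED_NO_USER",
    "AUTHZ_GRANTED", "AUTHZ_NEUTRAL")
# Priority lists from the post: the earliest code seen wins, and the code at
# position 1 (DENIED for All, GRANTED for Any) short-circuits the siblings.
PRIORITY = {
    "RequireAll": [GENERAL_ERROR, DENIED, DENIED_NO_USER, GRANTED, NEUTRAL],
    "RequireAny": [GENERAL_ERROR, GRANTED, DENIED_NO_USER, DENIED, NEUTRAL],
}

def check_section(op, children, user, trace):
    # children: (label, provider_fn) or ("RequireAll"/"RequireAny", [...])
    order, result = PRIORITY[op], NEUTRAL
    for label, child in children:
        res = (check_section(label, child, user, trace) if label in PRIORITY
               else child(user))
        trace.append((label, res))            # what authz_core:debug would log
        if res == GENERAL_ERROR:
            return res                        # immediate return
        if order.index(res) < order.index(result):
            result = res
        if res == order[1]:
            break                             # remaining siblings are skipped
    return result

def handle_request(op, children, authenticate, trace):
    # Two-pass flow from the post; returns "SERVE" or an HTTP status code.
    first = check_section(op, children, None, trace)   # pass 1: r->user == NULL
    if first == GRANTED:
        return "SERVE"                                 # anonymous access
    if first != DENIED_NO_USER:
        return 403                                     # DENIED/NEUTRAL (error lumped in)
    user = authenticate()          # only reached on DENIED_NO_USER; sets r->user
    second = check_section(op, children, user, trace)  # pass 2: r->user set
    if second == GRANTED:
        return "SERVE"
    return 401 if second == DENIED_NO_USER else 403

# Constructed "tiv" stand-in: with no user yet it answers DENIED_NO_USER, so
# RequireAll must test both siblings before authentication is attempted.
def tiv_provider(user):
    return DENIED_NO_USER if user is None else GRANTED

def demo():
    trace = []
    root = [("Require tiv ipaddress", tiv_provider),
            ("Require tiv expiration", tiv_provider)]
    return handle_request("RequireAll", root, lambda: "alice", trace), trace
```

The trace returned by demo() reproduces the shape of the first post's log: two DENIED_NO_USER entries from pass 1, then two GRANTED entries once a user is set.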
