@@ -71,6 +71,7 @@ APR_HOOK_STRUCT(
7171 APR_HOOK_LINK (create_request )
7272 APR_HOOK_LINK (post_perdir_config )
7373 APR_HOOK_LINK (dirwalk_stat )
74+ APR_HOOK_LINK (force_authn )
7475)
7576
7677AP_IMPLEMENT_HOOK_RUN_FIRST (int ,translate_name ,
@@ -97,6 +98,8 @@ AP_IMPLEMENT_HOOK_RUN_ALL(int, post_perdir_config,
9798AP_IMPLEMENT_HOOK_RUN_FIRST (apr_status_t ,dirwalk_stat ,
9899 (apr_finfo_t * finfo , request_rec * r , apr_int32_t wanted ),
99100 (finfo , r , wanted ), AP_DECLINED )
101+ AP_IMPLEMENT_HOOK_RUN_FIRST (int ,force_authn ,
102+ (request_rec * r ), (r ), DECLINED )
100103
101104static int auth_internal_per_conf = 0 ;
102105static int auth_internal_per_conf_hooks = 0 ;
@@ -118,6 +121,39 @@ static int decl_die(int status, const char *phase, request_rec *r)
118121 }
119122}
120123
124+ AP_DECLARE (int ) ap_some_authn_required (request_rec * r )
125+ {
126+ int access_status ;
127+
128+ switch (ap_satisfies (r )) {
129+ case SATISFY_ALL :
130+ case SATISFY_NOSPEC :
131+ if ((access_status = ap_run_access_checker (r )) != OK ) {
132+ break ;
133+ }
134+
135+ access_status = ap_run_access_checker_ex (r );
136+ if (access_status == DECLINED ) {
137+ return TRUE;
138+ }
139+
140+ break ;
141+ case SATISFY_ANY :
142+ if ((access_status = ap_run_access_checker (r )) == OK ) {
143+ break ;
144+ }
145+
146+ access_status = ap_run_access_checker_ex (r );
147+ if (access_status == DECLINED ) {
148+ return TRUE;
149+ }
150+
151+ break ;
152+ }
153+
154+ return FALSE;
155+ }
156+
121157/* This is the master logic for processing requests. Do NOT duplicate
122158 * this logic elsewhere, or the security model will be broken by future
123159 * API changes. Each phase must be individually optimized to pick up
@@ -236,15 +272,8 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
236272 }
237273
238274 access_status = ap_run_access_checker_ex (r );
239- if (access_status == OK ) {
240- ap_log_rerror (APLOG_MARK , APLOG_TRACE3 , 0 , r ,
241- "request authorized without authentication by "
242- "access_checker_ex hook: %s" , r -> uri );
243- }
244- else if (access_status != DECLINED ) {
245- return decl_die (access_status , "check access" , r );
246- }
247- else {
275+ if (access_status == DECLINED
276+ || (access_status == OK && ap_run_force_authn (r ) == OK )) {
248277 if ((access_status = ap_run_check_user_id (r )) != OK ) {
249278 return decl_die (access_status , "check user" , r );
250279 }
@@ -262,6 +291,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
262291 return decl_die (access_status , "check authorization" , r );
263292 }
264293 }
294+ else if (access_status == OK ) {
295+ ap_log_rerror (APLOG_MARK , APLOG_TRACE3 , 0 , r ,
296+ "request authorized without authentication by "
297+ "access_checker_ex hook: %s" , r -> uri );
298+ }
299+ else {
300+ return decl_die (access_status , "check access" , r );
301+ }
265302 break ;
266303 case SATISFY_ANY :
267304 if ((access_status = ap_run_access_checker (r )) == OK ) {
@@ -273,15 +310,8 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
273310 }
274311
275312 access_status = ap_run_access_checker_ex (r );
276- if (access_status == OK ) {
277- ap_log_rerror (APLOG_MARK , APLOG_TRACE3 , 0 , r ,
278- "request authorized without authentication by "
279- "access_checker_ex hook: %s" , r -> uri );
280- }
281- else if (access_status != DECLINED ) {
282- return decl_die (access_status , "check access" , r );
283- }
284- else {
313+ if (access_status == DECLINED
314+ || (access_status == OK && ap_run_force_authn (r ) == OK )) {
285315 if ((access_status = ap_run_check_user_id (r )) != OK ) {
286316 return decl_die (access_status , "check user" , r );
287317 }
@@ -299,6 +329,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
299329 return decl_die (access_status , "check authorization" , r );
300330 }
301331 }
332+ else if (access_status == OK ) {
333+ ap_log_rerror (APLOG_MARK , APLOG_TRACE3 , 0 , r ,
334+ "request authorized without authentication by "
335+ "access_checker_ex hook: %s" , r -> uri );
336+ }
337+ else {
338+ return decl_die (access_status , "check access" , r );
339+ }
302340 break ;
303341 }
304342 }
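Review bot: In ap_process_request_internal the new test `access_status == OK && ap_run_force_authn(r) == OK` (new lines 275-276, repeated at 313-314 for SATISFY_ANY) discards every force_authn result other than OK. A hook that returns an error status is therefore handled like DECLINED, and the request drops into the `else if (access_status == OK)` branch, which logs it as authorized without authentication. For an authentication decision that is fail-open; I would capture the hook's return value and pass anything that is neither OK nor DECLINED to decl_die, as sketched below for the first switch case (the second needs the same change). Whether any force_authn provider actually returns such a status is not visible on this page, and the function body starts and ends outside these hunks.

```c
access_status = ap_run_access_checker_ex(r);
if (access_status == OK) {
    int force_status = ap_run_force_authn(r);

    if (force_status == OK) {
        /* a module insists on authentication: take the authn path */
        access_status = DECLINED;
    }
    else if (force_status != DECLINED) {
        /* hook failed: refuse rather than skip authentication */
        return decl_die(force_status, "force authn", r);
    }
}
if (access_status == DECLINED) {
    /* … unchanged: check_user_id and authorization checks … */
```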