  • 3 commits
  • 3 files changed
  • 0 commit comments
  • 2 contributors
Commits on May 14, 2012
John Wittkoski Add TKTAuthBadIPURL
Unique URL to redirect to if request IP doesn't match cookie IP.
Allows Login server to handle IP mismatch condition separately from
the default login URL behavior.
Defaults to TKTAuthLoginURL if not specified.
c69ae61
Commits on May 16, 2012
Manuel Kasper manuelkasper Merge pull request #3 from jwittkoski/badip_url_redirect
Add TKTAuthBadIPURL
612854b
Commits on May 18, 2012
Manuel Kasper manuelkasper Make module compile with Apache 2.4. b77379b
Showing with 28 additions and 4 deletions.
  1. +4 −1 configure
  2. +23 −3 src/mod_auth_pubtkt.c
  3. +1 −0  src/mod_auth_pubtkt.h
5 configure
@@ -72,7 +72,8 @@ test $VERSION = '1' && VERSION=1.3
test $VERSION = '2.0' && VERSION=2
test $VERSION = '20' && VERSION=2
test $VERSION = '22' && VERSION=2.2
-if [ $VERSION != '1.3' -a $VERSION != '2' -a $VERSION != '2.2' ]; then
+test $VERSION = '24' && VERSION=2.4
+if [ $VERSION != '1.3' -a $VERSION != '2' -a $VERSION != '2.2' -a $VERSION != '2.4' ]; then
die "Error: apache version '$VERSION' not supported"
fi
@@ -94,6 +95,8 @@ if [ "$VERSION" = "1.3" ]; then
else
if [ $VERSION = "2.2" ]; then
echo "CFLAGS += -DAPACHE22" >> Makedefs
+ elif [ $VERSION = "2.4" ]; then
+ echo "CFLAGS += -DAPACHE24" >> Makedefs
fi
echo "TARGET = mod_auth_pubtkt.la" >> Makedefs
fi
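Review bot: The new `elif` branch writes only `-DAPACHE24`, so a 2.4 build no longer gets `-DAPACHE22`; any code in the module guarded by `#ifdef APACHE22` (none is visible in this diff, so this is an assumption to check) would fall back to its 2.0 path on 2.4. Confirm that is intended and say so in a comment next to the branch, e.g. `# 2.4 deliberately does not define APACHE22`. Separately, `$VERSION` is unquoted in `elif [ $VERSION = "2.4" ]`, so an empty value gives a `test` syntax error rather than the "not supported" message; `"$VERSION"` would match the quoting already used in `if [ "$VERSION" = "1.3" ]`.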
26 src/mod_auth_pubtkt.c
@@ -67,6 +67,7 @@ static void* create_auth_pubtkt_config(apr_pool_t *p, char* path) {
conf->auth_cookie_name = NULL;
conf->back_arg_name = NULL;
conf->refresh_url = NULL;
+ conf->badip_url = NULL;
conf->require_ssl = -1;
conf->debug = -1;
conf->fake_basic_auth = -1;
@@ -89,6 +90,7 @@ static void* merge_auth_pubtkt_config(apr_pool_t *p, void* parent_dirv, void* su
conf->auth_cookie_name = (subdir->auth_cookie_name) ? subdir->auth_cookie_name : parent->auth_cookie_name;
conf->back_arg_name = (subdir->back_arg_name) ? subdir->back_arg_name : parent->back_arg_name;
conf->refresh_url = (subdir->refresh_url) ? subdir->refresh_url : parent->refresh_url;
+ conf->badip_url = (subdir->badip_url) ? subdir->badip_url : parent->badip_url;
conf->require_ssl = (subdir->require_ssl >= 0) ? subdir->require_ssl : parent->require_ssl;
conf->debug = (subdir->debug >= 0) ? subdir->debug : parent->debug;
conf->fake_basic_auth = (subdir->fake_basic_auth >= 0) ? subdir->fake_basic_auth : parent->fake_basic_auth;
@@ -287,6 +289,9 @@ static const command_rec auth_pubtkt_cmds[] =
AP_INIT_TAKE1("TKTAuthRefreshURL", ap_set_string_slot,
(void *)APR_OFFSETOF(auth_pubtkt_dir_conf, refresh_url),
OR_AUTHCFG, "URL to redirect to if cookie reach grace period"),
+ AP_INIT_TAKE1("TKTAuthBadIPURL", ap_set_string_slot,
+ (void *)APR_OFFSETOF(auth_pubtkt_dir_conf, badip_url),
+ OR_AUTHCFG, "URL to redirect to if request IP doesn't match cookie IP"),
AP_INIT_FLAG("TKTAuthRequireSSL", ap_set_flag_slot,
(void *)APR_OFFSETOF(auth_pubtkt_dir_conf, require_ssl),
OR_AUTHCFG, "whether to refuse non-HTTPS requests"),
@@ -401,7 +406,11 @@ static int cookie_match(void *result, const char *key, const char *cookie) {
}
/* URL-unescape cookie */
+#ifdef APACHE24
+ if (ap_unescape_url_keep2f(cookiebuf, 1) != 0) {
+#else
if (ap_unescape_url_keep2f(cookiebuf) != 0) {
+#endif
ap_log_rerror(APLOG_MARK, APLOG_WARNING, APR_SUCCESS, cr->r,
"TKT cookie_match: error while URL-unescaping cookie");
continue;
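Review bot: The two branches of this conditional are not equivalent in how they treat encoded slashes, and nothing in the code records that. As far as I know the 2.4 form with the second argument set to 1 also decodes `%2F`, while the one-argument form leaves encoded slashes in place, so the same cookie can unescape differently by server version before it reaches ticket parsing; a comment such as `/* 2.4: second argument 1 = also decode %2F */` plus the reason for choosing 1 should be added. The guard depends on `APACHE24` being supplied by `configure`, whereas `check_clientip` uses `AP_MODULE_MAGIC_AT_LEAST`; a module-magic-number test here as well (with the value matching this API change) would keep builds that bypass `configure` compiling. Splitting the `if (` line across `#ifdef` branches is fragile, and a small wrapper macro would leave a single `if`. The enclosing loop starts and ends outside the hunk.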
@@ -607,7 +616,11 @@ static int check_clientip(request_rec *r, auth_pubtkt *tkt) {
if (!tkt->clientip[0])
return 1; /* no clientip in ticket */
+#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
+ return (strcmp(tkt->clientip, r->connection->client_ip) == 0);
+#else
return (strcmp(tkt->clientip, r->connection->remote_ip) == 0);
+#endif
}
/* Check whether the given ticket has timed out
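Review bot: On 2.4 the ticket address is compared with `r->connection->client_ip`, which is the address of the TCP peer. Behind a reverse proxy or load balancer that is the proxy's address, so the IP binding either fails for every user or, if tickets are issued with the proxy address, no longer distinguishes one client from another. 2.4 also provides `r->useragent_ip`, which reflects mod_remoteip's trusted-proxy handling; consider `return (strcmp(tkt->clientip, r->useragent_ip) == 0);` and add a comment stating which address the login server is expected to place in the ticket. `check_clientip` begins above the hunk.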
@@ -735,6 +748,7 @@ void dump_config(request_rec *r) {
fprintf(stderr,"TKTAuthCookieName: %s\n", conf->auth_cookie_name);
fprintf(stderr,"TKTAuthBackArgName: %s\n", conf->back_arg_name);
fprintf(stderr,"TKTAuthRefreshURL: %s\n", conf->refresh_url);
+ fprintf(stderr,"TKTAuthBadIPURL: %s\n", conf->badip_url);
fprintf(stderr,"TKTAuthRequireSSL: %d\n", conf->require_ssl);
if (conf->auth_token->nelts > 0) {
char ** auth_token = (char **) conf->auth_token->elts;
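Review bot: `conf->badip_url` is NULL whenever the directive is not set (it is initialised to NULL in `create_auth_pubtkt_config` and the merge keeps NULL when neither level sets it), and passing NULL for `%s` is undefined behaviour. The neighbouring lines follow the same pattern, but the new line can avoid it with `conf->badip_url ? conf->badip_url : "(unset)"`. `dump_config` starts and ends outside the hunk.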
@@ -809,10 +823,16 @@ static int auth_pubtkt_check(request_rec *r) {
/* Check client IP address (if present in ticket) */
if (!check_clientip(r, parsed)) {
ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
- "TKT: client IP mismatch (ticket: %s, request: %s) - redirecting to login URL",
- parsed->clientip, r->connection->remote_ip);
+ "TKT: client IP mismatch (ticket: %s, request: %s) - redirecting to badip URL",
+ parsed->clientip,
+#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
+ r->connection->client_ip
+#else
+ r->connection->remote_ip
+#endif
+ );
- return redirect(r, conf->login_url);
+ return redirect(r, (conf->badip_url ? conf->badip_url : conf->login_url));
}
/* Valid ticket, check timeout - redirect/timed-out if so */
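Review bot: The log text now says "redirecting to badip URL" unconditionally, but the `redirect` call falls back to `conf->login_url` when `TKTAuthBadIPURL` is unset, so in the default configuration the log misreports where the user was sent. Compute the target first, `const char *target = conf->badip_url ? conf->badip_url : conf->login_url;`, log that value, then `return redirect(r, target);`. The `#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)` block inside the argument list duplicates the one in `check_clientip`; a single macro for the client address would keep the logged address and the compared address in step. `auth_pubtkt_check` extends beyond the hunk.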
1  src/mod_auth_pubtkt.h
@@ -63,6 +63,7 @@ typedef struct {
char *auth_cookie_name;
char *back_arg_name;
char *refresh_url;
+ char *badip_url;
apr_array_header_t *auth_token;
int require_ssl;
int debug;
