to authorize an authenticated user via a "require ldap-group X" directive
where the user is not in group X, but is in a subgroup contained in X.
PR 42891 [Paul J. Reder]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@560373 13f79535-47bb-0310-9956-ffa450edef68
* configure.in: Check for getpgid.
* include/mpm_common.h (ap_mpm_safe_kill): New prototype.
* server/mpm_common.c (reclaim_one_pid): Ensure pid validity before
calling apr_proc_wait().
(ap_mpm_safe_kill): New function.
* server/mpm/prefork/prefork.c, server/mpm/worker/worker.c,
server/mpm/experimental/event/event.c: Use ap_mpm_safe_kill() on pids
from the scoreboard, throughout.
* include/ap_mmn.h: Minor bump.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@551843 13f79535-47bb-0310-9956-ffa450edef68
locking method and the lockfile location, I never
liked how AcceptMutex was linked to LockFile. This
seemed unnecessary. Much better to have AcceptMutex
do both as well. Plus, now that we will likely see
other modules require a "standard" way of setting
mutexes, why not have Apache provide that as
an API of sorts.
Anyway, LockFile is now deprecated and AcceptMutex
is now SSLMutex-like. We also provide a short
function that "parses" out a mutex parameter
and strips out the mechanism and lockfile location.
AcceptMutex and SSLMutex is this capability.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@467326 13f79535-47bb-0310-9956-ffa450edef68
If a handler returns a value that is neither reserved nor a valid
HTTP response code, log an error and substitute HTTP_INTERNAL_SERVER_ERROR.
Allow a handler to override this explicitly by setting a note.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@448711 13f79535-47bb-0310-9956-ffa450edef68
ap_get_server_description().
High-level summary:
The full server version information is now included in the error log at
startup as well as server status reports, irrespective of the setting
of the ServerTokens directive.
Third-party modules must now use ap_get_server_banner() or
ap_get_server_description() in place of ap_get_server_version().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@440337 13f79535-47bb-0310-9956-ffa450edef68
to allow modules to review interdependent configuration directive
values and adjust them while messages can still be logged to the
console.
The open_logs phase is already used somewhat for this purpose by
certain MPMs (winnt, prefork, worker, and event) but only by forcing
their functions ahead of the core ap_open_logs() function, and
since this phase runs after the ap_signal_server function during startup,
it cannot be used to generate messages on the console when restarting.
Add the check_config phase to mod_info and mod_example.
Handle relevant MPM directives during this phase and format messages
for both the console and the error log, as appropriate. Bounds and sanity
checks on the values of the MPM directives are handled in sequence in
this phase instead of in the various directive handling functions, since
those functions (e.g., set_max_clients()) may not be called at all if their
directives do not appear in the configuration files, and even if they
are called, there is no guarantee that this will occur in any particular
order.
Remove from the worker and event MPMs the code in the pre_config phase
that alters the configuration node tree by re-ordering ThreadsPerChild
ahead of MaxClients. This code is effective but insufficient; for
example, if ServerLimit follows MaxClients, the test against server_limit
in set_max_clients() is invalid. (In practice, this only results in
incorrect or absent warnings on the console, because server_limit is
set to its configured value when the main loop re-runs the configuration
process.)
Prevent ap_threads_per_child from exceeding thread_limit in the
winnt, worker, and event MPMs. This situation could occur if
ThreadsPerChild was not specified in the configuration files and
ThreadLimit was set to a value smaller than DEFAULT_THREADS_PER_CHILD,
because set_threads_per_child() would never be called and therefore
its bounds check against thread_limit would not be performed.
Remove from the winnt, prefork, worker, and event MPMs the
changed_limit_at_restart flag. Set the first_server_limit and
first_thread_limit values during the first execution of the check_config
function, and use them to detect changes to ServerLimit and ThreadLimit
across restarts and issue appropriately formatted warnings. Remove the
comments about the error log being a "bit bucket"; this was true when
the code was originally committed in r92530 but that was due to a bug
fixed in r92769.
Be consistent about setting all MPM configuration directive values in the
pre_config phase.
Rephrase and reformat the console and log file messages relating to
MPM configuration directives to be consistent across all MPMs. Use
briefer messages when logging to the error log than to the console.
Update miscellaneous stale comments and messages (e.g., reference to
daemons_min_free in worker and event MPMs, "prefork open_logs" in
winnt MPM, and StartServers in netware MPM).
The winnt, netware, beos, and mpmt_os2 MPMs should be tested by developers
with access to those platforms, especially the winnt MPM, which has
unique logic with respect to distinguishing between parent and child
processes during the configuration phases.
Update the English documentation for the worker MPM's ThreadsPerChild
directive, which no longer needs to precede other MPM directives in the
configuration files if it has a non-default value. The German (.de) and
Japanese (.ja) translations should be updated by developers fluent in
those languages.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@431460 13f79535-47bb-0310-9956-ffa450edef68
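The ordering problem this commit message describes, as an added example in C; it is not httpd source. The struct names, `effective_tpc()`, the default values and the two sample configurations are assumptions made for illustration. It compares a bound checked inside the directive handler with the same bound checked once in a check_config-style pass.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DEFAULT_THREAD_LIMIT 64        /* constructed default values */
#define DEFAULT_THREADS_PER_CHILD 25
typedef struct { int thread_limit, threads_per_child; } mpm_conf;
typedef struct { const char *name, *arg; } directive;

/* Old placement: the bound is checked in the directive handler, so it runs only
 * if ThreadsPerChild appears, and only sees ThreadLimit as parsed so far. */
void set_threads_per_child(mpm_conf *c, int v, int check_in_handler)
{
    c->threads_per_child = v;
    if (check_in_handler && v > c->thread_limit)
        c->threads_per_child = c->thread_limit;
}

/* New placement: one pass after every directive has been stored. */
void check_config(mpm_conf *c)
{
    if (c->threads_per_child > c->thread_limit) {
        fputs("WARNING: ThreadsPerChild exceeds ThreadLimit, lowering\n", stderr);
        c->threads_per_child = c->thread_limit;
    }
}

/* Process n directives in file order; return the effective ThreadsPerChild. */
int effective_tpc(const directive *d, size_t n, int use_check_config)
{
    mpm_conf c = { DEFAULT_THREAD_LIMIT, DEFAULT_THREADS_PER_CHILD };
    for (size_t i = 0; i < n; i++) {
        if (strcmp(d[i].name, "ThreadLimit") == 0)
            c.thread_limit = atoi(d[i].arg);
        else if (strcmp(d[i].name, "ThreadsPerChild") == 0)
            set_threads_per_child(&c, atoi(d[i].arg), !use_check_config);
    }
    if (use_check_config)
        check_config(&c);
    return c.threads_per_child;
}

/* Constructed sample configurations (hypothetical). */
const directive only_limit[] = { { "ThreadLimit", "10" } };
const directive tpc_first[] = { { "ThreadsPerChild", "50" }, { "ThreadLimit", "10" } };
int main(void)
{
    printf("%d %d\n", effective_tpc(only_limit, 1, 0), effective_tpc(only_limit, 1, 1));
    return 0;
}
```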
'https', mod_http returns "https" for the ap_hook_http_scheme and
DEFAULT_HTTPS_PORT for ap_hook_default_port. This fixes Redirect
responses to requests for directories without a trailing slash
when httpd runs behind a proxy or offload device that processes
SSL. It also enables support for Subversion in that
configuration. This change is completely backwards compatible
and passes the perl-framework. Minor mmn bump because I add a
field to server_rec.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@399947 13f79535-47bb-0310-9956-ffa450edef68
nearly every .rc compilation (giving the output .res file a different
name for each component). Adds AP_SERVER_BASEPROJECT to ap_revision.h
so we can display the proper name of "Apache HTTP Server" as opposed
to AP_SERVER_BASEPRODUCT (which is, and should remain, simply "Apache"
for the server string tokens.)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@395418 13f79535-47bb-0310-9956-ffa450edef68
from the connection pool twice. This causes this connection to be present
in the connection pool twice. Thus it may be used by different threads
at the same time which causes many troubles (segfaults in this case).
Furthermore, implement logic to prevent double releases to the connection
pool if they are triggered by buggy code and log an error message in this
case.
- mod_proxy_http.c: remove double calls to ap_proxy_http_cleanup
- proxy_util.c: Add logic to prevent double releases of a
connection to the connection pool.
PR: 38793
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@394088 13f79535-47bb-0310-9956-ffa450edef68
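The double-release guard described in this commit message, as an added example in C; it is not the mod_proxy code. `conn_t`, `conn_pool_t`, the `in_pool` flag and all function names are hypothetical. It shows that an unguarded second release stores the same connection twice, so two callers receive it, while the guarded release refuses and logs.

```c
#include <stdio.h>
#include <stddef.h>
#define POOL_MAX 4
/* Hypothetical stand-ins for a backend connection and its pool. */
typedef struct { int id; int in_pool; } conn_t;   /* in_pool: 1 while pooled */
typedef struct { conn_t *free_list[POOL_MAX]; size_t nfree; } conn_pool_t;

/* Hand out a pooled connection, or NULL when none is free. */
conn_t *pool_acquire(conn_pool_t *p)
{
    if (p->nfree == 0)
        return NULL;
    conn_t *c = p->free_list[--p->nfree];
    c->in_pool = 0;
    return c;
}

/* Return c to the pool. With guard set, a connection that is already pooled
 * is refused and logged; without it, the same pointer is stored twice. */
int pool_release(conn_pool_t *p, conn_t *c, int guard)
{
    if (guard && c->in_pool) {
        fprintf(stderr, "error: connection %d released twice\n", c->id);
        return -1;
    }
    if (p->nfree == POOL_MAX)
        return -1;
    c->in_pool = 1;
    p->free_list[p->nfree++] = c;
    return 0;
}

/* Release one connection twice, then count how often it is handed out. */
int handouts_after_double_release(int guard)
{
    conn_pool_t pool = { {0}, 0 };
    conn_t c = { 1, 0 };
    int n = 0;
    pool_release(&pool, &c, guard);
    pool_release(&pool, &c, guard);   /* erroneous second release */
    while (pool_acquire(&pool) == &c)
        n++;
    return n;
}

int main(void)
{
    printf("handouts: unguarded=%d guarded=%d\n",
           handouts_after_double_release(0), handouts_after_double_release(1));
    return 0;
}
```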
so eliminate a substitute declaration.
Correct version and copyright generation, this involves 'long line'
flavor of the first ASF copyright line; next step will be no more
awk generation of .rc files, so there we will use the new macro
AP_SERVER_COPYRIGHT and defined tokens from this file for versions.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@368395 13f79535-47bb-0310-9956-ffa450edef68
Merge from branches/authz-dev
Basically here is a list of what has been done:
- Convert all of the authz modules from hook based to provider based
- Remove the ap_requires field from the core_dir_config structure
- Remove the function ap_requires() since its functionality is no
longer supported or necessary in the refactoring
- Remove the calls to ap_some_auth_required() in the core request
handling to allow the hooks to be called in all cases.
- Add the new module mod_authz_core which will act as the authorization
provider vector and contain common authz directives such as 'Require',
'Reject' and '<RequireAlias>'
- Add the new module mod_authn_core which will contain common
authentication directives such as 'AuthType', 'AuthName' and
'<AuthnProviderAlias>'
- Move the check for METHOD_MASK out of the authz providers and into
the authz_core provider vector
- Define the status codes that can be returned by the authz providers
as AUTHZ_DENIED, AUTHZ_GRANTED and AUTHZ_GENERAL_ERROR
- Remove the 'Satisfy' directive
- Implement the '<RequireAll>', '<RequireOne>' block directives to
handle the 'and' and 'or' logic for authorization.
- Remove the 'AuthzXXXAuthoritative' directives from all of the authz
providers
- Implement the 'Reject' directive that will deny authorization if the
argument is true
- Fold the 'Reject' directive into the '<RequireAll>', '<RequireOne>'
logic
- Reimplement the host based authorization functionality provided by
'allow', 'deny' and 'order' as authz providers
- Remove the 'allow', 'deny' and 'order' directives
- Merge mod_authn_alias into mod_authn_core
- Add '<RequireAlias>' functionality which is similar to
'<AuthnProviderAlias>' but specific to authorization aliasing
- Remove all of the references to the 'authzxxxAuthoritative'
directives from the documentation
- Remove the 'Satisfy' directive from the documentation
- Remove 'Allow', 'Deny', 'Order' directives from the documentation
- Document '<RequireAll>', '<RequireOne>', 'Reject' directives
- Reimplement the APIs ap_auth_type(), ap_auth_name() as optional
functions and move the actual implementation into mod_authn_core
- Reimplement the API ap_some_auth_required() as an optional function
and move the actual implementation into mod_authz_core
Major Changes:
- Added the directives <RequireAll>, <RequireOne>, <RequireAlias>,
Reject
- Expanded the functionality of the directive 'Require' to handle all
authorization and access control
- Added the new authz providers 'env', 'ip', 'host', 'all' to handle
host-based access control
- Removed the directives 'Allow', 'Deny', 'Order', 'Satisfy',
'AuthzXXXAuthoritative'
- Removed the ap_require() API
- Moved the directives 'AuthType', 'AuthName' out of mod_core and into
mod_authn_core
- Moved the directive 'Require' out of mod_core and into
mod_authz_core
- Merged mod_authn_alias into mod_authn_core
- Renamed mod_authz_dbm authz providers from 'group' and 'file-group'
to 'dbm-group' and 'dbm-file-group'
Benefits:
- All authorization and access control is now handled through two
directives, 'Require' and 'Reject'
- Authorization has been expanded to allow for complex 'AND/OR' control
logic through the directives '<RequireAll>' and '<RequireOne>'
- Configuration is now much simpler and consistent across the board
- Other modules like mod_ssl and mod_proxy should be able to plug into
and take advantage of the same provider based authorization mechanism
by implementing their own providers
Issues:
- Backwards compatibility between 2.2 and 2.3 configurations will be
broken in the area of authorization and access control due to the fact
that the directives 'allow', 'deny', 'order' and 'satisfy' have been
removed. When moving from 2.2 to 2.3 these directives will have to be
changed to 'Require all granted', 'Require all denied' or some variation
of the authz host-based providers.
- Existing third party authorization modules will have to adapt to the
new structure.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@368027 13f79535-47bb-0310-9956-ffa450edef68
in the request rec. The point of this is to allow asynchronous
MPMs to do nonblocking reads of requests. (Backported from the
async-read-dev branch)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@360461 13f79535-47bb-0310-9956-ffa450edef68
(but not G++) or any compiler which claims C99 support.
* configure.in: Don't define AP_HAVE_DESIGNATED_INITIALIZER here.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@356234 13f79535-47bb-0310-9956-ffa450edef68
basically allows Apache to configurably ( :) )
use the physical port when constructing the
canonical port. Also add the exact ordering to
the docs, so people can easily see how it works.
We now have compatibility with both 2.0 and 1.3.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@344369 13f79535-47bb-0310-9956-ffa450edef68