- add possibility to have expressions that evaluate to a string and not to
a boolean value
- modify ap_expr_parse_cmd() interface to support this and make it more
convenient to use in general
- rename AP_EXPR_FLAGS_* to AP_EXPR_FLAG_* for consistency
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1142164 13f79535-47bb-0310-9956-ffa450edef68
section->op == AUTHZ_LOGIC_AND
auth_result == AUTHZ_DENIED_NO_USER
child_result == AUTHZ_GRANTED
to return AUTHZ_GRANTED instead of AUTHZ_DENIED_NO_USER.
While there, refactor the if blocks to make them a bit more readable.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1056713 13f79535-47bb-0310-9956-ffa450edef68
- implement regex backreferences and make them available for setting
envvars in SetEnvIfExpr
- implement nested function calls in %-syntax: %{func1:%{func2:arg}}
- actually implement evaluation of concatenation operator (oops...)
- Fix <If ... > treating an internal error as success
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1037504 13f79535-47bb-0310-9956-ffa450edef68
the new parser. Rework ap_expr's public interface and provide hooks for modules
to add variables and functions.
The Netware and Windows build files still need to be adjusted
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1032073 13f79535-47bb-0310-9956-ffa450edef68
arbitrary expressions in Require lines.
The main issue I wanted to fix was that the env provider only allows to
check for the existance of an envvar but not the contents.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1002363 13f79535-47bb-0310-9956-ffa450edef68
etc. causes problems because the authentication module calls
note_*_auth_failure if authentication fails. This is inappropriate if access is
later allowed because of the IP.
So, instead of calling the auth_checker hook even if authentication failed, we
introduce a new access_checker_ex hook that runs between the access_checker and
the check_user_id hooks. If an access_checker_ex functions returns OK, the
request will be allowed without authentication.
To make use of this, change mod_authz_core to walk the require blocks in the
access_checker_ex phase and deny/allow the request if the authz result does not
depend on an authenticated user. To distinguish a real AUTHZ_DENIED from an
authz provider from an authz provider needing an authenticated user, the latter
must return the new AUTHZ_DENIED_NO_USER code.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@964156 13f79535-47bb-0310-9956-ffa450edef68
mod_authz_core.c: In function ‘authz_core_check_section’:
mod_authz_core.c:579: warning: format not a string literal and no format arguments
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@775460 13f79535-47bb-0310-9956-ffa450edef68
- remove Match directive, allow Require to be negated
- rename <Match*> directives to <Require*>
- rename <RequireNotAny> to <RequireNone>
- disable <RequireNotAll>
- rename MergeAuthz to AuthMerging and change its arguments to Off|And|Or
Also convert text formatting macros into functions, and revise
authz_core_check_section() so that check for non-negative directives
follows De Morgan optimization.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@726082 13f79535-47bb-0310-9956-ffa450edef68
2.2.x authz logic and support existing configurations (including .htaccess
files), and replace <Satisfy*>, Reject, and AuthzMergeRules directives
with Match, <Match*>, and AuthzMerge directives.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@709838 13f79535-47bb-0310-9956-ffa450edef68
which allows optional functions that just wrapped ap_list_provider_names()
to be removed from authn/z modules.
This change requires modules/aaa/mod_auth.h to be included into
server/request.c, which necessitates a minor change to configure.in for
Unix platforms.
I'm unable to tell whether a similar change is necessary for Windows and
NetWare builds or not. Could developers with access to those platforms
please test and make any needed configuration or build alterations? Thanks!
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@659160 13f79535-47bb-0310-9956-ffa450edef68
configurations which match those of the initial request. Revert to
the original behaviour (call access control hooks for internal requests
with URIs different from the initial request) if any access control hooks
or providers are not registered as permitting this optimization.
Introduce wrappers for access control hook and provider registration
which can accept additional mode and flag data.
The configuration walk optimizations were originally proposed a while
ago (see http://marc.info/?l=apache-httpd-dev&m=116536713506234&w=2);
they have been used since then in production systems and appear to be
stable and effective. They permit certain combinations of modules
and clients to function efficiently, especially when a deeply recursive
series of internal requests, such as those generated by certain WebDAV
requests, are all subject to the identical authentication and authorization
directives.
The major change from the original proposal is a cleaner mechanism for
detecting modules which may expect the old behaviour. This has been
tested successfully with Subversion's mod_authz_svn, which specifically
requires the old behaviour when performing path-based authorization based
against its own private access control configuration files.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@644525 13f79535-47bb-0310-9956-ffa450edef68
PR 38699, 39518, 42005, 42006, 42007, 42008, 42009
The patches are all his, and are sufficiently trivial to review
at a glance.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@557837 13f79535-47bb-0310-9956-ffa450edef68
