diff options
Diffstat (limited to 'sca-cpp/trunk/modules/http')
| -rwxr-xr-x | sca-cpp/trunk/modules/http/form-auth-conf | 12 | ||||
| -rw-r--r-- | sca-cpp/trunk/modules/http/htdocs/login/index.html | 2 | ||||
| -rw-r--r-- | sca-cpp/trunk/modules/http/htdocs/logout/index.html | 2 | ||||
| -rw-r--r-- | sca-cpp/trunk/modules/http/http.hpp | 1 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-conf | 10 | ||||
| -rw-r--r-- | sca-cpp/trunk/modules/http/httpd.hpp | 8 | ||||
| -rw-r--r-- | sca-cpp/trunk/modules/http/mod-openauth.cpp | 15 | ||||
| -rwxr-xr-x | sca-cpp/trunk/modules/http/open-auth-conf | 10 | ||||
| -rw-r--r-- | sca-cpp/trunk/modules/http/openauth.hpp | 26 |
9 files changed, 63 insertions, 23 deletions
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf index ba2f99dbf1..6a68da3972 100755 --- a/sca-cpp/trunk/modules/http/form-auth-conf +++ b/sca-cpp/trunk/modules/http/form-auth-conf @@ -44,6 +44,14 @@ else sslsuffix="-ssl" fi +# Configure session crypto +cat >>$root/conf/httpd.conf <<EOF +# Configure session crypto +SessionCryptoPassphrase $pw +SessionCryptoDriver openssl + +EOF + # Disallow public access to server resources cat >$root/conf/noauth$sslsuffix.conf <<EOF # Generated by: form-auth-conf $* @@ -64,8 +72,8 @@ AuthnCacheProvideFor $providers AuthnCacheContext / AuthFormLoginRequiredLocation /login/ Session On -SessionCookieName TuscanyFormAuth domain=.$host; path=/; secure; httponly -SessionCryptoPassphrase $pw +SessionCookieName TuscanyFormAuth domain=.$host; max-age=604800; path=/; secure; httponly +SessionMaxAge 0 Require valid-user </Location> diff --git a/sca-cpp/trunk/modules/http/htdocs/login/index.html b/sca-cpp/trunk/modules/http/htdocs/login/index.html index fd3bc21889..636a385f5c 100644 --- a/sca-cpp/trunk/modules/http/htdocs/login/index.html +++ b/sca-cpp/trunk/modules/http/htdocs/login/index.html @@ -32,7 +32,7 @@ <script type="text/javascript"> function submitFormSignin() { - clearauthcookie(); + clearAuthCookie(); document.formSignin.httpd_location.value = '/'; document.formSignin.submit(); } diff --git a/sca-cpp/trunk/modules/http/htdocs/logout/index.html b/sca-cpp/trunk/modules/http/htdocs/logout/index.html index 218dd5d52c..1dd09fd56c 100644 --- a/sca-cpp/trunk/modules/http/htdocs/logout/index.html +++ b/sca-cpp/trunk/modules/http/htdocs/logout/index.html @@ -33,7 +33,7 @@ <form name="signout" action="/login" method="GET"> <script type="text/javascript"> function submitSignout() { - clearauthcookie(); + clearAuthCookie(); document.signout.submit(); return true; } diff --git a/sca-cpp/trunk/modules/http/http.hpp b/sca-cpp/trunk/modules/http/http.hpp index 04b0d4e490..c5e3bdcb4b 100644 --- a/sca-cpp/trunk/modules/http/http.hpp +++ b/sca-cpp/trunk/modules/http/http.hpp @@ -423,6 +423,7 @@ template<typename R> const failable<list<R> > apply(const list<list<string> >& h // Set the request headers curl_slist* hl = headers(NULL, car(hdr)); hl = curl_slist_append(hl, "X-Accept: text/x-scheme; charset=utf-8"); + hl = curl_slist_append(hl, "X-Cache-Control: no-cache"); curl_easy_setopt(ch, CURLOPT_HTTPHEADER, hl); // Convert request body to a string diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf index 3f96304ae8..8a029eaec2 100755 --- a/sca-cpp/trunk/modules/http/httpd-conf +++ b/sca-cpp/trunk/modules/http/httpd-conf @@ -74,7 +74,7 @@ ServerSignature Off ServerTokens Prod Timeout 45 RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 -LimitRequestBody 1048576 +LimitRequestBody 8388608 HostNameLookups Off #MaxKeepAliveRequests 25 #MaxConnectionsPerChild 100 @@ -93,9 +93,9 @@ AddCharset utf-8 .html .js .css # Configure cache control <Directory /> -ExpiresActive On -ExpiresDefault A604800 -Header onsuccess merge Cache-Control public env=!private-cache +SetEnvIf X-Cache-Control no-cache x-no-cache +Header merge Cache-Control max-age=604800 env=!x-no-cache +Header merge Cache-Control public env=!x-no-cache </Directory> # Enable Linux Kernel sendfile @@ -262,8 +262,6 @@ cat >$root/conf/pubauth.conf <<EOF AuthType None Session Off Require all granted -# Mark login page with a header -Header set X-Login open-auth </Location> <Location /login/dologin> Session Off diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp index bf06ed5d91..8bd74f3403 100644 --- a/sca-cpp/trunk/modules/http/httpd.hpp +++ b/sca-cpp/trunk/modules/http/httpd.hpp @@ -418,9 +418,7 @@ const failable<int> writeResult(const failable<list<string> >& ls, const string& const string ob(str(os)); // Make sure browsers come back and check for updated dynamic content - apr_table_set(r->headers_out, "Cache-Control", "must-revalidate, max-age=0"); - apr_table_set(r->headers_out, "Expires", "Tue, 01 Jan 1980 00:00:00 GMT"); - apr_table_set(r->subprocess_env, "private-cache", "1"); + apr_table_setn(r->headers_out, "Cache-Control", "must-revalidate, max-age=0"); // Compute and return an Etag for the returned content const string etag(ap_md5_binary(r->pool, (const unsigned char*)c_str(ob), (int)length(ob))); @@ -698,8 +696,8 @@ const int externalRedirect(const string& uri, request_rec* const r) { debug(uri, "httpd::externalRedirect"); r->status = HTTP_MOVED_TEMPORARILY; apr_table_setn(r->headers_out, "Location", apr_pstrdup(r->pool, c_str(uri))); - apr_table_setn(r->headers_out, "Cache-Control", "no-store"); - apr_table_addn(r->err_headers_out, "Cache-Control", "no-store"); + apr_table_setn(r->headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0"); + apr_table_setn(r->err_headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0"); r->filename = apr_pstrdup(r->pool, c_str(string("/redirect:/") + uri)); return HTTP_MOVED_TEMPORARILY; } diff --git a/sca-cpp/trunk/modules/http/mod-openauth.cpp b/sca-cpp/trunk/modules/http/mod-openauth.cpp index 3adc488301..1a45473caf 100644 --- a/sca-cpp/trunk/modules/http/mod-openauth.cpp +++ b/sca-cpp/trunk/modules/http/mod-openauth.cpp @@ -28,6 +28,7 @@ * - OAuth2 using Tuscany's mod-tuscany-oauth2 * - OpenID using mod_auth_openid * - Form-based using HTTPD's mod_auth_form + * - HTTP basic auth using mod_auth_basic * - SSL certificate using SSLFakeBasicAuth and mod_auth_basic */ @@ -142,7 +143,7 @@ const failable<int> checkAuthnzProviders(const string& user, const string& pw, r } const failable<int> checkAuthnz(const string& user, const string& pw, request_rec* const r, const DirConf& dc) { - if(substr(user, 0, 1) == "/" && pw == "password") + if(substr(user, 0, 1) == "/") return mkfailure<int>(string("Encountered FakeBasicAuth spoof: ") + user, HTTP_UNAUTHORIZED); if(isNull((const list<AuthnProviderConf>)dc.apcs)) { @@ -224,9 +225,17 @@ const failable<int> authenticated(const list<value>& info, request_rec* const r) const list<value> id = assoc<value>("id", info); if(isNull(id) || isNull(cdr(id))) return mkfailure<int>("Couldn't retrieve user id", HTTP_UNAUTHORIZED); - r->user = apr_pstrdup(r->pool, c_str(cadr(id))); + const string sid = cadr(id); + if (find(sid, '@') != length(sid)) + apr_table_set(r->subprocess_env, apr_pstrdup(r->pool, "EMAIL"), apr_pstrdup(r->pool, c_str(sid))); + r->user = apr_pstrdup(r->pool, c_str(sid)); - apr_table_set(r->subprocess_env, apr_pstrdup(r->pool, "NICKNAME"), apr_pstrdup(r->pool, c_str(cadr(id)))); + // Update the request user field with the authorized user id returned by the authnz hooks + const char* auser = apr_table_get(r->subprocess_env, "AUTHZ_USER"); + if (auser != NULL) + r->user = apr_pstrdup(r->pool, auser); + + apr_table_set(r->subprocess_env, apr_pstrdup(r->pool, "NICKNAME"), apr_pstrdup(r->pool, r->user)); return OK; } diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf index 5a8db92972..a93eb98011 100755 --- a/sca-cpp/trunk/modules/http/open-auth-conf +++ b/sca-cpp/trunk/modules/http/open-auth-conf @@ -59,6 +59,14 @@ LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth$libsuffix EOF +# Configure session crypto +cat >>$root/conf/httpd.conf <<EOF +# Configure session crypto +SessionCryptoPassphrase $pw +SessionCryptoDriver openssl + +EOF + # Disallow public access to server resources cat >$root/conf/noauth$sslsuffix.conf <<EOF # Generated by: open-auth-conf $* @@ -78,7 +86,7 @@ AuthnCacheProvideFor $providers AuthnCacheContext / AuthOpenAuthLoginPage /login/ Session On -SessionCryptoPassphrase $pw +SessionMaxAge 0 AuthOpenAuth On Require valid-user </Location> diff --git a/sca-cpp/trunk/modules/http/openauth.hpp b/sca-cpp/trunk/modules/http/openauth.hpp index 70c6f658ad..d448311cca 100644 --- a/sca-cpp/trunk/modules/http/openauth.hpp +++ b/sca-cpp/trunk/modules/http/openauth.hpp @@ -72,6 +72,16 @@ const maybe<string> sessionID(const request_rec* const r, const string& key) { } /** + * Convert a number of seconds to an expiration date. + */ +const string expires(const int s) { + const time_t t = time(NULL) + s; + char exp[32]; + strftime(exp, 32, "%a, %d-%b-%Y %H:%M:%S GMT", gmtime(&t)); + return string(exp); +} + +/** * Convert a session id to a cookie string. */ const string cookie(const string& key, const string& sid, const string& domain) { @@ -80,10 +90,8 @@ const string cookie(const string& key, const string& sid, const string& domain) debug(c, "openauth::cookie"); return c; } - const time_t t = time(NULL) + 86400; - char exp[32]; - strftime(exp, 32, "%a, %d-%b-%Y %H:%M:%S GMT", gmtime(&t)); - const string c = key + string("=") + sid + "; expires=" + string(exp) + "; domain=." + httpd::realm(domain) + "; path=/; secure; httponly"; + const string exp = "604800"; + const string c = key + string("=") + sid + (length(exp) != 0? string("; max-age=") + exp : emptyString) + "; domain=." + httpd::realm(domain) + "; path=/; secure; httponly"; debug(c, "openauth::cookie"); return c; } @@ -92,6 +100,16 @@ const string cookie(const string& key, const string& sid, const string& domain) * Redirect to the configured login page. */ const failable<int> login(const string& page, const value& ref, const value& attempt, request_rec* const r) { + + // Don't redirect non-cacheable requests, just respond with an uncacheable 403 response + const char* cc = apr_table_get(r->headers_in, "X-Cache-Control"); + if(cc != NULL && !strcmp(cc, "no-cache")) { + apr_table_setn(r->headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0"); + apr_table_setn(r->err_headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0"); + return HTTP_FORBIDDEN; + } + + // Redirect to the login page const list<value> rarg = ref == string("/")? nilListValue : mklist<value>(mklist<value>("openauth_referrer", httpd::escape(httpd::url(isNull(ref)? r->uri : ref, r)))); const list<value> aarg = isNull(attempt)? nilListValue : mklist<value>(mklist<value>("openauth_attempt", attempt)); const list<value> largs = append(rarg, aarg); |