authorjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2013-08-26 03:04:28 +0000
committerjsdelfino <jsdelfino@13f79535-47bb-0310-9956-ffa450edef68>2013-08-26 03:04:28 +0000
commit18b3a48e842d1e13b5a8505f8fd18069836d8fa5 (patch)
tree2a95d38899ddddb20356903e163704d6753cf2fb /sca-cpp/trunk/modules/http
parent7905926c413e843d9497948cb824059f2c017f6a (diff)
Fix handling of login session expiration and incorrect caching of login redirect responses.
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1517413 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
-rwxr-xr-xsca-cpp/trunk/modules/http/form-auth-conf12
-rw-r--r--sca-cpp/trunk/modules/http/htdocs/login/index.html2
-rw-r--r--sca-cpp/trunk/modules/http/htdocs/logout/index.html2
-rw-r--r--sca-cpp/trunk/modules/http/http.hpp1
-rwxr-xr-xsca-cpp/trunk/modules/http/httpd-conf10
-rw-r--r--sca-cpp/trunk/modules/http/httpd.hpp8
-rw-r--r--sca-cpp/trunk/modules/http/mod-openauth.cpp15
-rwxr-xr-xsca-cpp/trunk/modules/http/open-auth-conf10
-rw-r--r--sca-cpp/trunk/modules/http/openauth.hpp26
9 files changed, 63 insertions, 23 deletions
diff --git a/sca-cpp/trunk/modules/http/form-auth-conf b/sca-cpp/trunk/modules/http/form-auth-conf
index ba2f99dbf1..6a68da3972 100755
--- a/sca-cpp/trunk/modules/http/form-auth-conf
+++ b/sca-cpp/trunk/modules/http/form-auth-conf
@@ -44,6 +44,14 @@ else
sslsuffix="-ssl"
fi
+# Configure session crypto
+cat >>$root/conf/httpd.conf <<EOF
+# Configure session crypto
+SessionCryptoPassphrase $pw
+SessionCryptoDriver openssl
+
+EOF
+
# Disallow public access to server resources
cat >$root/conf/noauth$sslsuffix.conf <<EOF
# Generated by: form-auth-conf $*
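Review bot: `SessionCryptoPassphrase $pw` is interpolated unquoted into httpd.conf, so a passphrase containing whitespace, `#` or a quote yields a truncated or invalid directive and, at worst, a shorter key than the operator believes was set; write it as `SessionCryptoPassphrase "$pw"` and escape any embedded `"` or `\` first. The passphrase also moves from the per-location noauth file into the server-wide httpd.conf, so it is worth confirming that file is not more widely readable than the one it used to live in.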
@@ -64,8 +72,8 @@ AuthnCacheProvideFor $providers
AuthnCacheContext /
AuthFormLoginRequiredLocation /login/
Session On
-SessionCookieName TuscanyFormAuth domain=.$host; path=/; secure; httponly
-SessionCryptoPassphrase $pw
+SessionCookieName TuscanyFormAuth domain=.$host; max-age=604800; path=/; secure; httponly
+SessionMaxAge 0
Require valid-user
</Location>
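Review bot: `SessionMaxAge 0` switches off the server-side expiry of the sealed session, while the cookie's new `max-age=604800` is honoured only by the browser, so a session cookie captured or copied from a client stays valid indefinitely regardless of the advertised seven days. If seven days is the intended lifetime, `SessionMaxAge 604800` places the expiry inside the encrypted session where the client cannot extend it; if 0 was chosen to sidestep the expiration bug the commit message mentions, a comment recording that trade-off belongs next to the directive. The retained `domain=.$host` attribute additionally sends the cookie to every subdomain of $host, which is only acceptable if all of them are trusted.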
diff --git a/sca-cpp/trunk/modules/http/htdocs/login/index.html b/sca-cpp/trunk/modules/http/htdocs/login/index.html
index fd3bc21889..636a385f5c 100644
--- a/sca-cpp/trunk/modules/http/htdocs/login/index.html
+++ b/sca-cpp/trunk/modules/http/htdocs/login/index.html
@@ -32,7 +32,7 @@
<script type="text/javascript">
function submitFormSignin() {
- clearauthcookie();
+ clearAuthCookie();
document.formSignin.httpd_location.value = '/';
document.formSignin.submit();
}
diff --git a/sca-cpp/trunk/modules/http/htdocs/logout/index.html b/sca-cpp/trunk/modules/http/htdocs/logout/index.html
index 218dd5d52c..1dd09fd56c 100644
--- a/sca-cpp/trunk/modules/http/htdocs/logout/index.html
+++ b/sca-cpp/trunk/modules/http/htdocs/logout/index.html
@@ -33,7 +33,7 @@
<form name="signout" action="/login" method="GET">
<script type="text/javascript">
function submitSignout() {
- clearauthcookie();
+ clearAuthCookie();
document.signout.submit();
return true;
}
diff --git a/sca-cpp/trunk/modules/http/http.hpp b/sca-cpp/trunk/modules/http/http.hpp
index 04b0d4e490..c5e3bdcb4b 100644
--- a/sca-cpp/trunk/modules/http/http.hpp
+++ b/sca-cpp/trunk/modules/http/http.hpp
@@ -423,6 +423,7 @@ template<typename R> const failable<list<R> > apply(const list<list<string> >& h
// Set the request headers
curl_slist* hl = headers(NULL, car(hdr));
hl = curl_slist_append(hl, "X-Accept: text/x-scheme; charset=utf-8");
+ hl = curl_slist_append(hl, "X-Cache-Control: no-cache");
curl_easy_setopt(ch, CURLOPT_HTTPHEADER, hl);
// Convert request body to a string
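Review bot: `X-Cache-Control: no-cache` is a private, non-standard marker and nothing here records what consumes it; in this commit it is read by openauth::login() to return a 403 instead of a login redirect, so a comment keeps the two ends in step: `// Private marker read by openauth::login(): answer this client with an uncacheable 403 instead of redirecting it to the login page`. As on the line above, the result of curl_slist_append is not checked; on allocation failure it returns NULL, so as far as I can see the list built so far is leaked and the request goes out without these headers. The enclosing apply() begins before the hunk.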
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 3f96304ae8..8a029eaec2 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -74,7 +74,7 @@ ServerSignature Off
ServerTokens Prod
Timeout 45
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
-LimitRequestBody 1048576
+LimitRequestBody 8388608
HostNameLookups Off
#MaxKeepAliveRequests 25
#MaxConnectionsPerChild 100
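Review bot: `LimitRequestBody 8388608` raises the server-wide request-body ceiling eightfold, which the commit message does not mention and which widens the resource-exhaustion surface for every location, including the public /login paths this script configures further down. If one handler needs the larger limit, scope it with a `<Location …>` block and leave the global value at 1048576; if the increase is deliberate for the whole server, a one-line comment (`# 8 MiB: required for …`) will stop the next reader from reverting it.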
@@ -93,9 +93,9 @@ AddCharset utf-8 .html .js .css
# Configure cache control
<Directory />
-ExpiresActive On
-ExpiresDefault A604800
-Header onsuccess merge Cache-Control public env=!private-cache
+SetEnvIf X-Cache-Control no-cache x-no-cache
+Header merge Cache-Control max-age=604800 env=!x-no-cache
+Header merge Cache-Control public env=!x-no-cache
</Directory>
# Enable Linux Kernel sendfile
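Review bot: `Header merge Cache-Control max-age=604800` appends to whatever Cache-Control the handler already set, so a response that carries `must-revalidate, max-age=0` (the dynamic-content path in httpd.hpp) ends up with two contradictory max-age directives, and the only opt-out left is the `x-no-cache` env derived from a request header that ordinary browsers never send. Consider applying the defaults only when the handler did not set the header itself, e.g. `Header setifempty Cache-Control "max-age=604800, public" env=!x-no-cache` (setifempty needs httpd 2.4.7+), and have handlers that emit private content set `x-no-cache` in subprocess_env. Marking per-user responses `public` is what lets a shared cache serve one user's content to another, so this is worth a comment either way.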
@@ -262,8 +262,6 @@ cat >$root/conf/pubauth.conf <<EOF
AuthType None
Session Off
Require all granted
-# Mark login page with a header
-Header set X-Login open-auth
</Location>
<Location /login/dologin>
Session Off
diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp
index bf06ed5d91..8bd74f3403 100644
--- a/sca-cpp/trunk/modules/http/httpd.hpp
+++ b/sca-cpp/trunk/modules/http/httpd.hpp
@@ -418,9 +418,7 @@ const failable<int> writeResult(const failable<list<string> >& ls, const string&
const string ob(str(os));
// Make sure browsers come back and check for updated dynamic content
- apr_table_set(r->headers_out, "Cache-Control", "must-revalidate, max-age=0");
- apr_table_set(r->headers_out, "Expires", "Tue, 01 Jan 1980 00:00:00 GMT");
- apr_table_set(r->subprocess_env, "private-cache", "1");
+ apr_table_setn(r->headers_out, "Cache-Control", "must-revalidate, max-age=0");
// Compute and return an Etag for the returned content
const string etag(ap_md5_binary(r->pool, (const unsigned char*)c_str(ob), (int)length(ob)));
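Review bot: Dropping the `private-cache` env marker leaves this handler with no way to opt out of the `<Directory />` `Header merge Cache-Control ... public` rule in httpd-conf, which in the new configuration is suppressed only by the `x-no-cache` env set from the request's X-Cache-Control header; browsers do not send that header, so dynamic and possibly per-user content written here appears to become eligible for shared caches, with `max-age=0` and `max-age=604800` both in the same Cache-Control. Setting the new marker restores the opt-out: `apr_table_setn(r->subprocess_env, "x-no-cache", "1");` next to the Cache-Control line. writeResult begins outside the hunk.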
@@ -698,8 +696,8 @@ const int externalRedirect(const string& uri, request_rec* const r) {
debug(uri, "httpd::externalRedirect");
r->status = HTTP_MOVED_TEMPORARILY;
apr_table_setn(r->headers_out, "Location", apr_pstrdup(r->pool, c_str(uri)));
- apr_table_setn(r->headers_out, "Cache-Control", "no-store");
- apr_table_addn(r->err_headers_out, "Cache-Control", "no-store");
+ apr_table_setn(r->headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
+ apr_table_setn(r->err_headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
r->filename = apr_pstrdup(r->pool, c_str(string("/redirect:/") + uri));
return HTTP_MOVED_TEMPORARILY;
}
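Review bot: The literal `no-cache, no-store, must-revalidate, max-age=0` is now written twice here and twice more in openauth::login(), so the next adjustment is likely to leave one copy behind; a single `static const char* const noCacheControl = "no-cache, no-store, must-revalidate, max-age=0";` shared by both keeps them aligned, and apr_table_setn is happy with a static literal. If HTTP/1.0 intermediaries matter for these redirects, `Pragma: no-cache` is the usual companion since they ignore Cache-Control. externalRedirect's signature sits just above the hunk; its body is complete here.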
diff --git a/sca-cpp/trunk/modules/http/mod-openauth.cpp b/sca-cpp/trunk/modules/http/mod-openauth.cpp
index 3adc488301..1a45473caf 100644
--- a/sca-cpp/trunk/modules/http/mod-openauth.cpp
+++ b/sca-cpp/trunk/modules/http/mod-openauth.cpp
@@ -28,6 +28,7 @@
* - OAuth2 using Tuscany's mod-tuscany-oauth2
* - OpenID using mod_auth_openid
* - Form-based using HTTPD's mod_auth_form
+ * - HTTP basic auth using mod_auth_basic
* - SSL certificate using SSLFakeBasicAuth and mod_auth_basic
*/
@@ -142,7 +143,7 @@ const failable<int> checkAuthnzProviders(const string& user, const string& pw, r
}
const failable<int> checkAuthnz(const string& user, const string& pw, request_rec* const r, const DirConf& dc) {
- if(substr(user, 0, 1) == "/" && pw == "password")
+ if(substr(user, 0, 1) == "/")
return mkfailure<int>(string("Encountered FakeBasicAuth spoof: ") + user, HTTP_UNAUTHORIZED);
if(isNull((const list<AuthnProviderConf>)dc.apcs)) {
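Review bot: Rejecting on the `/` prefix alone is the stricter and, as I understand SSLFakeBasicAuth, the correct choice, since a DN-shaped user name should only ever be produced by mod_ssl and never arrive through a form or token, but nothing records that reasoning and someone may re-add the password test; suggested comment: `// SSLFakeBasicAuth users are certificate DNs beginning with '/'; one reaching this path was supplied by the client, whatever password accompanies it`. The failure message embeds the client-chosen name verbatim, so if mkfailure's text reaches the error log unescaped a name containing newlines can forge log entries — worth confirming how that message is logged. checkAuthnz continues past the hunk.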
@@ -224,9 +225,17 @@ const failable<int> authenticated(const list<value>& info, request_rec* const r)
const list<value> id = assoc<value>("id", info);
if(isNull(id) || isNull(cdr(id)))
return mkfailure<int>("Couldn't retrieve user id", HTTP_UNAUTHORIZED);
- r->user = apr_pstrdup(r->pool, c_str(cadr(id)));
+ const string sid = cadr(id);
+ if (find(sid, '@') != length(sid))
+ apr_table_set(r->subprocess_env, apr_pstrdup(r->pool, "EMAIL"), apr_pstrdup(r->pool, c_str(sid)));
+ r->user = apr_pstrdup(r->pool, c_str(sid));
- apr_table_set(r->subprocess_env, apr_pstrdup(r->pool, "NICKNAME"), apr_pstrdup(r->pool, c_str(cadr(id))));
+ // Update the request user field with the authorized user id returned by the authnz hooks
+ const char* auser = apr_table_get(r->subprocess_env, "AUTHZ_USER");
+ if (auser != NULL)
+ r->user = apr_pstrdup(r->pool, auser);
+
+ apr_table_set(r->subprocess_env, apr_pstrdup(r->pool, "NICKNAME"), apr_pstrdup(r->pool, r->user));
return OK;
}
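Review bot: `r->user` is set from the provider id and then unconditionally replaced by whatever `AUTHZ_USER` is present in subprocess_env, but `EMAIL` was already stored from the original `sid`, so after the override EMAIL and NICKNAME/r->user can name two different principals; if the override is intended, set EMAIL after it (or from r->user) and add a comment saying where AUTHZ_USER is produced and why it must win, since that is not visible in this file. The `apr_pstrdup(r->pool, "EMAIL")` and `apr_pstrdup(r->pool, c_str(sid))` wrappers are redundant: apr_table_set copies both key and value, so `apr_table_set(r->subprocess_env, "EMAIL", c_str(sid));` is equivalent (only apr_table_setn needs pool-lifetime strings). authenticated() starts before the hunk.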
diff --git a/sca-cpp/trunk/modules/http/open-auth-conf b/sca-cpp/trunk/modules/http/open-auth-conf
index 5a8db92972..a93eb98011 100755
--- a/sca-cpp/trunk/modules/http/open-auth-conf
+++ b/sca-cpp/trunk/modules/http/open-auth-conf
@@ -59,6 +59,14 @@ LoadModule mod_tuscany_openauth $here/libmod_tuscany_openauth$libsuffix
EOF
+# Configure session crypto
+cat >>$root/conf/httpd.conf <<EOF
+# Configure session crypto
+SessionCryptoPassphrase $pw
+SessionCryptoDriver openssl
+
+EOF
+
# Disallow public access to server resources
cat >$root/conf/noauth$sslsuffix.conf <<EOF
# Generated by: open-auth-conf $*
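Review bot: This block is appended with `>>` while the noauth file just below is regenerated with `>`, so every re-run of open-auth-conf, or a run of form-auth-conf against the same root, leaves one more `SessionCryptoPassphrase` line in httpd.conf. As far as I recall mod_session_crypto accepts several passphrases, encrypting with the first and decrypting with any, so stale ones would silently keep old cookies valid after a rotation. Either write the block to its own file with `>` and Include it, or guard the append: `grep -q SessionCryptoPassphrase $root/conf/httpd.conf || cat >>$root/conf/httpd.conf <<EOF`.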
@@ -78,7 +86,7 @@ AuthnCacheProvideFor $providers
AuthnCacheContext /
AuthOpenAuthLoginPage /login/
Session On
-SessionCryptoPassphrase $pw
+SessionMaxAge 0
AuthOpenAuth On
Require valid-user
</Location>
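Review bot: `SessionMaxAge 0` turns off expiry of the sealed session, and for this module nothing else bounds it: the cookie's max-age is the 604800 compiled into openauth::cookie() and is enforced only by the browser, so a replayed cookie stays valid well past the advertised seven days. `SessionMaxAge 604800` would carry the expiry inside the encrypted session where the client cannot alter it; whichever value is chosen, a comment here noting that it must match the lifetime in openauth.hpp will keep the two from drifting.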
diff --git a/sca-cpp/trunk/modules/http/openauth.hpp b/sca-cpp/trunk/modules/http/openauth.hpp
index 70c6f658ad..d448311cca 100644
--- a/sca-cpp/trunk/modules/http/openauth.hpp
+++ b/sca-cpp/trunk/modules/http/openauth.hpp
@@ -72,6 +72,16 @@ const maybe<string> sessionID(const request_rec* const r, const string& key) {
}
/**
+ * Convert a number of seconds to an expiration date.
+ */
+const string expires(const int s) {
+ const time_t t = time(NULL) + s;
+ char exp[32];
+ strftime(exp, 32, "%a, %d-%b-%Y %H:%M:%S GMT", gmtime(&t));
+ return string(exp);
+}
+
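Review bot: `gmtime()` returns a pointer to static storage and is not thread-safe, which matters under the worker and event MPMs, and `%a`/`%b` are locale-dependent whereas cookie dates must use English names; also nothing in this commit calls expires() any more, since cookie() below switched to max-age. If the helper is kept, let APR build the date: `char exp[APR_RFC822_DATE_LEN];` `apr_rfc822_date(exp, apr_time_now() + apr_time_from_sec(s));` `return string(exp);` — that is the RFC 1123 form RFC 6265 recommends for Expires and it is locale-independent; otherwise drop the function rather than leave dead code.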
+/**
* Convert a session id to a cookie string.
*/
const string cookie(const string& key, const string& sid, const string& domain) {
@@ -80,10 +90,8 @@ const string cookie(const string& key, const string& sid, const string& domain)
debug(c, "openauth::cookie");
return c;
}
- const time_t t = time(NULL) + 86400;
- char exp[32];
- strftime(exp, 32, "%a, %d-%b-%Y %H:%M:%S GMT", gmtime(&t));
- const string c = key + string("=") + sid + "; expires=" + string(exp) + "; domain=." + httpd::realm(domain) + "; path=/; secure; httponly";
+ const string exp = "604800";
+ const string c = key + string("=") + sid + (length(exp) != 0? string("; max-age=") + exp : emptyString) + "; domain=." + httpd::realm(domain) + "; path=/; secure; httponly";
debug(c, "openauth::cookie");
return c;
}
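Review bot: `const string exp = "604800";` is a constant, so the `length(exp) != 0` test can never take the empty branch and reads as if max-age were optional; either make the lifetime a parameter with a default (`const string& maxAge = "604800"`) or a named file-level constant, and emit the attribute unconditionally. The seven-day figure is duplicated in form-auth-conf and httpd-conf, and because the generated config sets `SessionMaxAge 0` this browser-enforced max-age is the only expiry the session has, which deserves a comment here. cookie()'s signature sits just above the hunk.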
@@ -92,6 +100,16 @@ const string cookie(const string& key, const string& sid, const string& domain)
* Redirect to the configured login page.
*/
const failable<int> login(const string& page, const value& ref, const value& attempt, request_rec* const r) {
+
+ // Don't redirect non-cacheable requests, just respond with an uncacheable 403 response
+ const char* cc = apr_table_get(r->headers_in, "X-Cache-Control");
+ if(cc != NULL && !strcmp(cc, "no-cache")) {
+ apr_table_setn(r->headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
+ apr_table_setn(r->err_headers_out, "Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
+ return HTTP_FORBIDDEN;
+ }
+
+ // Redirect to the login page
const list<value> rarg = ref == string("/")? nilListValue : mklist<value>(mklist<value>("openauth_referrer", httpd::escape(httpd::url(isNull(ref)? r->uri : ref, r))));
const list<value> aarg = isNull(attempt)? nilListValue : mklist<value>(mklist<value>("openauth_attempt", attempt));
const list<value> largs = append(rarg, aarg);
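Review bot: The comment `Don't redirect non-cacheable requests` names the trigger rather than the purpose; the branch exists so the project's own HTTP client (http.hpp sends `X-Cache-Control: no-cache`) receives a definite, uncacheable failure instead of a 302 to an HTML login page, which is presumably the cached-redirect problem the commit message refers to, so say that: `// Our own HTTP client marks its requests with X-Cache-Control: no-cache; give it an uncacheable 403 rather than a login redirect it cannot use`. The exact `strcmp(cc, "no-cache")` also differs from the `SetEnvIf X-Cache-Control no-cache` substring match in httpd-conf, so a value such as `no-cache, max-age=0` suppresses the cache headers but is still redirected; `strstr(cc, "no-cache") != NULL`, or an exact match on both sides, keeps the two consistent. Setting headers_out as well as err_headers_out is harmless but only the latter is emitted with an error status. login() continues past the hunk.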