From cd4438a812041664a7d3f11993a902d98e8f8acf Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Thu, 30 Apr 2015 11:07:14 -0700
Subject: [PATCH] LP#1449283: fix auth when running under Apache 2.4
When running under Apache 2.4 using the stock configuration derived from apache_24/eg_vhost.conf.in, protected URLs such as https://eghost/reporter/ that are meant to require valid EG staff credentials were not in fact requiring authentication.
This patch does the following to fix this:
[1] Removes several uses of "Require all granted" that was causing authentication to be ignored.
[2] Changes OpenILS::WWW::Proxy::Authen so that it always sets the username in the Apache request object if authentication was successful; it appears that starting with Apache 2.4, authentication handlers must ensure that a user name is set for a "Require valid-user" directive to work.
Signed-off-by: Galen Charlton
Signed-off-by: Jason Stephenson
Signed-off-by: Bill Erickson
---
 Open-ILS/examples/apache_24/eg_vhost.conf.in | 26 ++++++++--------------
 .../src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm | 4 ++++
 2 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/Open-ILS/examples/apache_24/eg_vhost.conf.in b/Open-ILS/examples/apache_24/eg_vhost.conf.in
index 3d60fda7a5..d4bbd785cd 100644
--- a/Open-ILS/examples/apache_24/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache_24/eg_vhost.conf.in
@@ -441,11 +441,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
 PerlHandler OpenILS::WWW::Exporter
 Options +ExecCGI
 PerlSendHeader On
- Require all granted
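Review bot: Nothing in the hunk records why the `Require all granted` line had to go, and it is exactly the line an administrator following the 2.4 upgrade guide is likely to paste back in; in Apache 2.4 sibling `Require` directives in one section are combined as an implicit `<RequireAny>`, so `Require all granted` next to `Require valid-user` satisfies authorization without ever consulting the PerlAuthenHandler. I would add a comment above the new `Require valid-user` line: `# Do not add "Require all granted" here: Apache 2.4 ORs sibling Require directives, which would bypass the authentication handler.` The `require` to `Require` change is cosmetic, since directive names are case-insensitive. The enclosing container section starts and ends outside the hunk.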
@@ -455,11 +454,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
 PerlHandler OpenILS::WWW::TemplateBatchBibUpdate
 PerlSendHeader On
 Options +ExecCGI
- Require all granted
@@ -468,10 +466,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
 Options +ExecCGI
 PerlSendHeader On
- Require all granted
@@ -481,10 +478,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "money.collections_tracker.create"
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
 Options +ExecCGI
 PerlSendHeader On
- Require all granted
 # ----------------------------------------------------------------------------------
@@ -496,7 +492,7 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
 PerlSendHeader On
 allow from all
 SSLRequireSSL
@@ -511,10 +507,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "VIEW_REPORT_OUTPUT"
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
 Options +ExecCGI
 PerlSendHeader On
- Require all granted
 # ----------------------------------------------------------------------------------
@@ -526,10 +521,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
 Options +ExecCGI
 PerlSendHeader On
- Require all granted
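Review bot: The hunk at `@@ -496,7 +492,7 @@` keeps `allow from all` next to the new `Require valid-user`, while the PhoneList hunk in this same patch deletes its `allow from all`; that is a 2.2-style mod_access_compat directive, and as I read the 2.4 docs it stays harmless only while mod_access_compat is loaded with the default `Satisfy All` — a `Satisfy Any` inherited from an enclosing context would let host access alone satisfy the section without credentials, and without mod_access_compat the line is a startup error. I would drop it here as well for consistency, i.e. remove `allow from all` and leave `SSLRequireSSL` as the only extra restriction; if a host-based rule is genuinely wanted on 2.4 it belongs in a `<RequireAll>` together with `Require valid-user`. Whether `Satisfy` is set anywhere in this vhost is not visible in the hunk, and the enclosing section starts and ends outside it.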
@@ -600,10 +594,9 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
 Options +ExecCGI
 PerlSendHeader On
- Require all granted
 # ----------------------------------------------------------------------------------
@@ -613,14 +606,13 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
 SetHandler perl-script
 AuthType Basic
 AuthName "PhoneList Login"
- require valid-user
+ Require valid-user
 PerlOptions +GlobalRequest
 PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
 PerlHandler OpenILS::WWW::PhoneList
 PerlAuthenHandler OpenILS::WWW::Proxy::Authen
 Options +ExecCGI
 PerlSendHeader On
- allow from all
 Header onsuccess set Cache-Control no-cache
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
index 2e33aa159e..5b1c64b77d 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
@@ -102,6 +102,10 @@ sub handler {
 -expires=>'-1h'
 );
 } else {
+ # it appears that as of Apache 2.4, authentication
+ # handlers are expected to ensure that the request
+ # object has ->user set.
+ $apache->user($user->usrname);
 $bad_auth = 0;
 }
 }
-- 
2.11.0
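Review bot: The new comment above `$apache->user($user->usrname);` hedges with "it appears that", but the mechanism is documented: on Apache 2.4 the `valid-user` provider in mod_authz_user denies the request whenever `r->user` is still unset, which is why `Require valid-user` never passed before. I would replace the three comment lines with `# Apache 2.4's "Require valid-user" (mod_authz_user) denies the request unless r->user is set, so record the authenticated login name here.` Whatever is stored in `r->user` is trusted by every downstream authz provider and written to the access log as `%u`, so it must be the identity validated from the session and never a value taken from the request; `$user` is presumably the object fetched for the session token, but its origin is outside the hunk. `handler` starts and ends outside the hunk.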