no longer override Apache's default 401 page text #17

Open
wants to merge 1 commit into
base: master
5 changes: 5 additions & 0 deletions CHANGES
@@ -1,3 +1,8 @@

. Drop override of Apache's misleading default 401 page text, and
recommend to use "AuthzSendForbiddenOnFailure On" instead
(available since Apache 2.3.11).

2.0.4 - 2017-05-24 mgk25

. Fix handling of directive "ErrorDocument 401 ..." on Apache 2.4.13 or later
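Review bot: the new entry at the top of CHANGES has no version/date heading above it, so it reads as belonging to no release; every earlier entry sits under a line like `2.0.4 - 2017-05-24 mgk25`. Add a heading for the next release above the `. Drop override of Apache's misleading default 401 page text` line (version and date to be filled in at release time), and because the 2.0.4 entry directly below it was precisely about `ErrorDocument 401` handling on 2.4.13, say explicitly that this change supersedes that fix. Minor wording: "recommend to use" should read "recommend using".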
39 changes: 24 additions & 15 deletions README.Config
@@ -142,20 +142,21 @@ a particular directory to anybody with a Ucam-WebAuth login is, e.g.
AACookieKey "some random string"
<Directory "path to protected directory">
AuthType Ucam-WebAuth
AuthzSendForbiddenOnFailure On
Require valid-user
</Directory>

An alternative simple configuration will allow access to the resources
to users with a Ucam-WebAuth login or to client computers with
hostnames ending .cam.ac.uk, but not otherwise:
hostnames ending .cam.ac.uk or with a CUDN IPv6 address, but not otherwise:

AACookieKey "some random string"
<Directory "path to protected directory">
Order allow,deny
Allow from .cam.ac.uk
Require ip 2001:630:210::/44
Require host .cam.ac.uk
AuthType Ucam-WebAuth
AuthzSendForbiddenOnFailure On
Require valid-user
Satisfy any
</Directory>

In these examples the resources to be protected are selected by a
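Review bot: the second example replaces `Order allow,deny` / `Allow from .cam.ac.uk` / `Satisfy any` with `Require ip 2001:630:210::/44` and `Require host .cam.ac.uk`, which is correct Apache 2.4 syntax (several `Require` lines directly inside a `<Directory>` are combined as RequireAny, so `Satisfy any` is no longer needed), but the surrounding prose should now state that this example requires Apache 2.4 with mod_authz_host and will not load unchanged on 2.2. Two caveats deserve a sentence in the text: `Require host` is decided from a reverse DNS lookup of the client address (Apache confirms it with a forward lookup), so a CUDN IPv4 client whose address has no matching PTR record will be sent to Ucam-WebAuth instead of being let in by hostname; and since only the IPv6 prefix is listed by address, IPv4 CUDN clients depend entirely on that hostname check. Also note that in this block `Require valid-user` grants every authenticated user, so `AuthzSendForbiddenOnFailure On` only changes behaviour once a narrower `Require` is used; keeping it here for consistency with the recommendation is fine, but the README should not imply it is what makes this example work.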
@@ -164,8 +165,8 @@ directives can also be protected in the same way. 'AuthType' must be
set to 'Ucam-WebAuth'. A 'Require' directive must appear before
authentication will take place.

See standard Apache documentation for more details of the 'Order',
'Allow', 'Require', and 'Satisfy' directives.
See standard Apache 2.4 documentation for more details of the
'Require' directive.

The AACookieKey directive is required, though it can appear either
outside the <Directory> block, in which case it provides a default for
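Review bot: the replaced sentence now points only at the Apache 2.4 documentation for `Require`, yet neither this hunk nor the one above states the minimum Apache version the examples assume. One sentence here would close that gap, e.g. "The examples in this file assume Apache 2.4: `AuthzSendForbiddenOnFailure` needs 2.3.11 or later, and `Require ip` / `Require host` need mod_authz_host from 2.4." Without it, an administrator on an older release has no hint why the directives in the examples are rejected at startup.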
@@ -790,15 +791,23 @@ closely match the look and feel of the site.

Error pages for 'Bad Request', 'General server error', 'Forbidden',
and 'Authorization Required' can be established using the standard
ErrorDocument directive for status codes 400, 500, 403, and 401. A
modified 401 page will be provided if a custom one is not defined
since the Apache default is misleading. The default Apache 400 and 500
pages will be used (and may well be satisfactory) if a custom page is
not defined for these codes. Note that under Apache version 1 (though
not version 2), the default 400 page includes the text of messages
recently sent to the error log. While this does not revel any
sensitive information in the case of mod_ucam_webauth, it does make
the pages look somewhat 'messy'.
ErrorDocument directive for status codes 400, 500, 403, and 401.

By default, in case authorization has failed after successful
authentication, Apache shows a 401 page that misleadingly mentions bad
passwords. Therefore, for Apache 2.3.11 or newer, we recommend to set

AuthzSendForbiddenOnFailure On

whenever "AuthType Ucam-Webauth" is active, which results in a more
appropriate "Forbidden" message and 403 status.

The default Apache 400 and 500 pages will be used (and may well be
satisfactory) if a custom page is not defined for these codes. Note
that under Apache version 1 (though not version 2), the default 400
page includes the text of messages recently sent to the error log.
While this does not reveal any sensitive information in the case of
mod_ucam_webauth, it does make the pages look somewhat 'messy'.

Custom error pages for 'User declined to authenticate', 'Interaction
with user would be required', 'User lacking a required ptag', and
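Review bot: `AuthType Ucam-Webauth` in the new paragraph is spelt differently from `AuthType Ucam-WebAuth` in the configuration examples earlier in this file; use one spelling throughout. Grammar: "we recommend to set" should read "we recommend setting". More importantly, the paragraph should say what is lost by this change: the module no longer installs its own 401 page when none is configured, so on Apache older than 2.3.11, where `AuthzSendForbiddenOnFailure` does not exist, an authorization failure after a successful login now shows the stock Apache 401 page with its bad-password wording unless the administrator configures `ErrorDocument 401` themselves. A sentence recommending `ErrorDocument 401` as the fallback for those versions would make the new text complete.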
108 changes: 0 additions & 108 deletions mod_ucam_webauth.c
@@ -73,9 +73,6 @@ MODULE-DEFINITION-END

#if defined( AP_RELEASE_H ) && AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER >=4
#define APACHE2_4
#if AP_SERVER_MINORVERSION_NUMBER > 4 || AP_SERVER_PATCHLEVEL_NUMBER >= 13
#define APACHE2_4_13
#endif
#endif

/*Facilitate per-module log-level setting in Apache 2.4*/
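Review bot: dropping the `APACHE2_4_13` define is only safe if no `#ifdef APACHE2_4_13` survives elsewhere; the only uses visible in this diff are inside `wls_response_code_string`, which a later hunk removes, so a `grep -n APACHE2_4_13` over the tree before merging is all that is needed to confirm. `APACHE2_4` is rightly left in place, since the per-module log-level handling mentioned in the comment just below still depends on it.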
@@ -626,53 +623,6 @@ iso2_time_decode(request_rec *r,

}

/* --- */
/* Get current customised response definition, if any */
/* 'Borrowed' from the Apache source, informed by the mod_perl sources */

static char *
wls_response_code_string(request_rec *r,
int status)

{
core_dir_config *conf;
char *result;
int idx;
#ifdef APACHE2_4_13
ap_expr_info_t *expr;
#endif

APACHE_LOG1(APLOG_DEBUG, "wls_response_code_string: status = %d", status);

conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
&core_module);
/* conf = ap_get_core_module_config(r->per_dir_config); */
idx = ap_index_of_response(status);

if (conf->response_code_strings) {
/* Apache before 2.4.13 stored ErrorDocument in array of strings */
result = conf->response_code_strings[idx];
#ifdef APACHE2_4_13
} else if (conf->response_code_exprs) {
/* Apache 2.4.13 and later use a hash table instead */
expr = apr_hash_get(conf->response_code_exprs, &idx, sizeof(idx));
if (expr == NULL) {
result = NULL;
} else {
result = "[expression]";
}
#endif
} else {
result = NULL;
}

APACHE_LOG1(APLOG_DEBUG, "wls_response_code_string: result = %s",
(result == NULL ? "NULL" : result));

return result;

}

/* --- */
/* get CGI parameter */

@@ -1477,56 +1427,6 @@ interact_required(request_rec *r)

}

/* --- */

static char *
auth_required(request_rec *r)

{

const char *sig = ap_psignature("<hr>", r);
char *admin = ap_escape_html(r->pool, r->server->server_admin);
#ifdef APACHE1_3
char *user = ap_escape_html(r->pool, r->connection->user);
#else
char *user = ap_escape_html(r->pool, r->user);
#endif

/* Apache core seems to default ServerAdmin to the unhelpful "[no
address given]" */

if (admin != NULL && strcmp(admin,"[no address given]") != 0) {
admin = apr_pstrcat(r->pool, "(<tt><b>", admin, "</b></tt>)", NULL);
} else {
admin = apr_pstrdup(r->pool,"");
}
if (user != NULL) {
user = apr_pstrcat(r->pool, "(<tt><b>", user, "</b></tt>)", NULL);
} else {
user = apr_pstrdup(r->pool,"");
}

return apr_pstrcat
(r->pool,
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">"
"<html><head><title>Error - authorization required</title></head>"
"<body><h1>Error - authorization required</h1>"
"<p>Access to the web page or other resource you are trying to "
"obtain is restricted. The identity that you have established ", user,
" is not currently allowed access. Please contact the "
"administrator of the web server that provides the page ",
admin, " for further information.",
sig,
"\n\n"
"<!-- This is padding to convince STUPID INTERNET EXPLORER that"
" I do know what I'm doing and that this error message"
" contains useful information. Without the padding, IE"
" will by default 'helpfully' display a useless error page"
" in place of my carefully crafted words. Bah!"
"--></body></html>", NULL);

}

/* ---------------------------------------------------------------------- */

/* Config magic */
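Review bot: no objection to deleting `auth_required`; for the record it was the only place the module built HTML from request data, and it ran both `r->user` and `r->server->server_admin` through `ap_escape_html` before embedding them, so its removal moves no output-escaping responsibility onto other code. Check whether `ap_psignature` and `ap_escape_html` are still used elsewhere in the file and trim the corresponding includes if not. The `#ifdef APACHE1_3` branch here was also one of the remaining Apache 1.3 code paths; if 1.3 support is being abandoned, the README sentence about the Apache version 1 default 400 page, kept unchanged in the README.Config hunk above, could go in the same change.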
@@ -2503,14 +2403,6 @@ decode_cookie(request_rec *r,

}

/* set a custom HTTP_UNAUTHORIZED page if there isn't one already
because the default Apache one if misleading in a Ucam WebAuth
context but will be displayed if the authz phase of mod_auth (or
equivalent) returns HTTP_UNAUTHORIZED */

if (wls_response_code_string(r, HTTP_UNAUTHORIZED) == NULL)
ap_custom_response(r, HTTP_UNAUTHORIZED, auth_required(r));

APACHE_LOG2(APLOG_INFO, "Successfully decoded cookie for %s accessing %s",
apr_table_get(cookie, "principal"),r->uri);
