LP#1449283: fix auth when running under Apache 2.4
authorGalen Charlton <gmc@esilibrary.com>
Thu, 30 Apr 2015 18:07:14 +0000 (11:07 -0700)
committerBill Erickson <berickxx@gmail.com>
Fri, 1 May 2015 20:15:34 +0000 (16:15 -0400)
When running under Apache 2.4 using the stock configuration
derived from apache_24/eg_vhost.conf.in, protected
URLs such as https://eghost/reporter/ that are meant to
require valid EG staff credentials were not in fact
requiring authentication.

This patch does the following to fix this:

[1] Removes several uses of "Require all granted" that
    were causing authentication to be ignored.
[2] Changes OpenILS::WWW::Proxy::Authen so that it always
    sets the username in the Apache request object if
    authentication was successful; it appears that starting
    with Apache 2.4, authentication handlers must ensure
    that a user name is set for a "Require valid-user"
    directive to work.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Jason Stephenson <jstephenson@mvlc.org>
Signed-off-by: Bill Erickson <berickxx@gmail.com>
Open-ILS/examples/apache_24/eg_vhost.conf.in
Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm

index 3d60fda..d4bbd78 100644 (file)
@@ -441,11 +441,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlHandler OpenILS::WWW::Exporter
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 <Location /opac/extras/merge_template>
@@ -455,11 +454,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlHandler OpenILS::WWW::TemplateBatchBibUpdate
     PerlSendHeader On
     Options +ExecCGI
-    Require all granted 
 </Location>
 
 <Location /opac/extras/circ>
@@ -468,10 +466,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 <Location /collections>
@@ -481,10 +478,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "money.collections_tracker.create"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -496,7 +492,7 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlSendHeader On
     allow from all
     SSLRequireSSL
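Review bot: `allow from all` on line 87 is kept in this block while the PhoneList block later in the same patch removes the identical directive, so the config ends up inconsistent. On Apache 2.4 that line only parses when mod_access_compat is loaded, and the 2.4 documentation discourages mixing the legacy Allow/Deny directives with `Require`; with the default `Satisfy All` it should not bypass `Require valid-user`, but it is dead weight at best and a startup failure at worst. I would drop `allow from all` here too, leaving `Require valid-user` and `SSLRequireSSL` as the only access controls. The enclosing `<Location>` opens and closes outside this hunk.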
@@ -511,10 +507,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "VIEW_REPORT_OUTPUT"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -526,10 +521,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </LocationMatch>
 
 
@@ -600,10 +594,9 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -613,14 +606,13 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
     SetHandler perl-script
     AuthType Basic
     AuthName "PhoneList Login"
-    require valid-user
+    Require valid-user
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlHandler OpenILS::WWW::PhoneList
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
     Options +ExecCGI
     PerlSendHeader On
-    allow from all
     <IfModule mod_headers.c>
         Header onsuccess set Cache-Control no-cache
     </IfModule>
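Review bot: This is the only block in the patch where `AuthType Basic` is visible, and no `SSLRequireSSL` appears in the hunk, whereas the block at the earlier hunk that keeps `SSLRequireSSL` has one. The `<Location>` opens above this hunk, so the directive may well be there; it is worth confirming, since Basic credentials are only base64-encoded on the wire and this block now relies on them for STAFF_LOGIN access. Removing `allow from all` is the right call and is what I would also do in the earlier block that still carries it.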
index 2e33aa1..5b1c64b 100644 (file)
@@ -102,6 +102,10 @@ sub handler {
                         -expires=>'-1h'
                 );
             } else {
+                # it appears that as of Apache 2.4, authentication
+                # handlers are expected to ensure that the request
+                # object has ->user set.
+                $apache->user($user->usrname);
                 $bad_auth = 0;
             }
         }
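Review bot: The new comment hedges ("it appears that") on the one point that is security-relevant in this fix and worth stating firmly: as I read mod_authz_user in 2.4, the `valid-user` provider denies a request whose user is unset, which is exactly what makes the `Require valid-user` lines in eg_vhost.conf.in fail closed whenever this handler does not run or does not succeed. I would replace the three comment lines with `# Apache 2.4's valid-user authz check denies any request whose user is unset, so an authn handler that succeeds must also set it; use the authenticated EG username so "Require valid-user" passes.` Setting the user only on the success branch is correct, and an undef or empty usrname would still be denied by that check, which is the safe direction. The enclosing handler() starts and ends outside this hunk, so I cannot see whether the OILSProxyPermissions check runs before this point.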