[open-ils-commits] [GIT] Evergreen ILS branch master updated. cd4438a812041664a7d3f11993a902d98e8f8acf
Evergreen Git
git at git.evergreen-ils.org
Fri May 1 16:17:04 EDT 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, master has been updated
via cd4438a812041664a7d3f11993a902d98e8f8acf (commit)
from ab23f660bdd18d52e31367b66744410cdf321744 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit cd4438a812041664a7d3f11993a902d98e8f8acf
Author: Galen Charlton <gmc at esilibrary.com>
Date: Thu Apr 30 11:07:14 2015 -0700
LP#1449283: fix auth when running under Apache 2.4
When running under Apache 2.4 using the stock configuration
derived from apache_24/eg_vhost.conf.in, protected
URLs such as https://eghost/reporter/ that are meant to
require valid EG staff credentials were not in fact
requiring authentication.
This patch does the following to fix this:
[1] Removes several uses of "Require all granted" that
was causing authentication to be ignored.
[2] Changes OpenILS::WWW::Proxy::Authen so that it always
sets the username in the Apache request object if
authentication was successful; it appears that starting
with Apache 2.4, authentication handlers must ensure
that a user name is set for a "Require valid-user"
directive to work.
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Bill Erickson <berickxx at gmail.com>
diff --git a/Open-ILS/examples/apache_24/eg_vhost.conf.in b/Open-ILS/examples/apache_24/eg_vhost.conf.in
index 3d60fda..d4bbd78 100644
--- a/Open-ILS/examples/apache_24/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache_24/eg_vhost.conf.in
@@ -441,11 +441,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
PerlHandler OpenILS::WWW::Exporter
Options +ExecCGI
PerlSendHeader On
- Require all granted
</Location>
<Location /opac/extras/merge_template>
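Review bot: nothing in the template records why "Require all granted" had to go from this block, so the next editor could reintroduce it. In Apache 2.4, several Require directives in one section with no enclosing <RequireAll> are treated as alternatives, so "Require all granted" next to "Require valid-user" authorizes the request without any login. Suggest a short comment near the top of the protected <Location> blocks saying that they must carry "Require valid-user" alone. The change of "require" to "Require" is cosmetic, since directive names are case-insensitive.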
@@ -455,11 +454,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
PerlHandler OpenILS::WWW::TemplateBatchBibUpdate
PerlSendHeader On
Options +ExecCGI
- Require all granted
</Location>
<Location /opac/extras/circ>
@@ -468,10 +466,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
Options +ExecCGI
PerlSendHeader On
- Require all granted
</Location>
<Location /collections>
@@ -481,10 +478,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "money.collections_tracker.create"
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
Options +ExecCGI
PerlSendHeader On
- Require all granted
</Location>
# ----------------------------------------------------------------------------------
@@ -496,7 +492,7 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
PerlSendHeader On
allow from all
SSLRequireSSL
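Review bot: the context line "allow from all" is left in place in this block, directly after the new "Require valid-user", while the PhoneList hunk further down removes the same directive. Mixing the 2.2-style access directive with 2.4-style Require in one section is easy to misread. Please either drop it here as well or say in the commit message why this block still needs it, and confirm that an unauthenticated request to this location is refused with the line present.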
@@ -511,10 +507,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "VIEW_REPORT_OUTPUT"
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
Options +ExecCGI
PerlSendHeader On
- Require all granted
</Location>
# ----------------------------------------------------------------------------------
@@ -526,10 +521,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
Options +ExecCGI
PerlSendHeader On
- Require all granted
</LocationMatch>
@@ -600,10 +594,9 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
- require valid-user
+ Require valid-user
Options +ExecCGI
PerlSendHeader On
- Require all granted
</Location>
# ----------------------------------------------------------------------------------
@@ -613,14 +606,13 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
SetHandler perl-script
AuthType Basic
AuthName "PhoneList Login"
- require valid-user
+ Require valid-user
PerlOptions +GlobalRequest
PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
PerlHandler OpenILS::WWW::PhoneList
PerlAuthenHandler OpenILS::WWW::Proxy::Authen
Options +ExecCGI
PerlSendHeader On
- allow from all
<IfModule mod_headers.c>
Header onsuccess set Cache-Control no-cache
</IfModule>
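Review bot: this block drops "allow from all" rather than "Require all granted", which the commit message does not mention; item [1] only names "Require all granted". Suggest noting the removal in the message. Since every hunk in this file is the same class of fix, a check that requests each protected location without credentials and expects a refusal would catch a regression in any one block; none is included with the patch.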
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
index 2e33aa1..5b1c64b 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
@@ -102,6 +102,10 @@ sub handler {
-expires=>'-1h'
);
} else {
+ # it appears that as of Apache 2.4, authentication
+ # handlers are expected to ensure that the request
+ # object has ->user set.
+ $apache->user($user->usrname);
$bad_auth = 0;
}
}
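Review bot: "$apache->user($user->usrname)" is set only in this else branch, next to "$bad_auth = 0", while the commit message says the user name is always set on successful authentication. Please confirm this is the only path in handler() that clears $bad_auth, otherwise another success path would still fail "Require valid-user". The comment is hedged ("it appears that"); a reference to LP#1449283 or to the Apache 2.4 behaviour it relies on would make it easier to judge later whether the line is still needed.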
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/examples/apache_24/eg_vhost.conf.in | 26 +++++++-------------
.../src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm | 4 +++
2 files changed, 13 insertions(+), 17 deletions(-)
hooks/post-receive
--
Evergreen ILS