[open-ils-commits] [GIT] Evergreen ILS branch rel_2_6 updated. 2ac41553c0bddea43f015466995248cdbee30abe

Evergreen Git git at git.evergreen-ils.org
Fri May 1 16:17:57 EDT 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_6 has been updated
       via  2ac41553c0bddea43f015466995248cdbee30abe (commit)
      from  78c06b7d7975b8755c08dc9474128afa17029b19 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2ac41553c0bddea43f015466995248cdbee30abe
Author: Galen Charlton <gmc at esilibrary.com>
Date:   Thu Apr 30 11:07:14 2015 -0700

    LP#1449283: fix auth when running under Apache 2.4
    
    When running under Apache 2.4 using the stock configuration
    derived from apache_24/eg_vhost.conf.in, protected
    URLs such as https://eghost/reporter/ that are meant to
    require valid EG staff credentials were not in fact
    requiring authentication.
    
    This patch does the following to fix this:
    
    [1] Removes several uses of "Require all granted" that
        were causing authentication to be ignored.
    [2] Changes OpenILS::WWW::Proxy::Authen so that it always
        sets the username in the Apache request object if
        authentication was successful; it appears that starting
        with Apache 2.4, authentication handlers must ensure
        that a user name is set for a "Require valid-user"
        directive to work.
    
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
    Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
    Signed-off-by: Bill Erickson <berickxx at gmail.com>

diff --git a/Open-ILS/examples/apache_24/eg_vhost.conf.in b/Open-ILS/examples/apache_24/eg_vhost.conf.in
index 6bbe1e1..6aefa06 100644
--- a/Open-ILS/examples/apache_24/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache_24/eg_vhost.conf.in
@@ -441,11 +441,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlHandler OpenILS::WWW::Exporter
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 <Location /opac/extras/merge_template>
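Review bot: Nothing in the template explains why `Require all granted` must stay out of this `<Location>` block (its opening line is outside the hunk), nor out of the other blocks that later hunks in this file change the same way, so the line is easy to reintroduce. In Apache 2.4, sibling `Require` lines in one section are combined as an implicit RequireAny, so `Require all granted` next to `Require valid-user` lets unauthenticated requests through. I would add a comment above `Require valid-user`, for example `# Do not add "Require all granted" here: sibling Require lines are OR-ed, which would bypass authentication.` The commit also changes only the example template, so sites with an already-generated eg_vhost.conf need an upgrade note telling them to make the same edit to the live file.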
@@ -455,11 +454,10 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlHandler OpenILS::WWW::TemplateBatchBibUpdate
     PerlSendHeader On
     Options +ExecCGI
-    Require all granted 
 </Location>
 
 <Location /opac/extras/circ>
@@ -468,10 +466,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 <Location /collections>
@@ -481,10 +478,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "money.collections_tracker.create"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -496,7 +492,7 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     PerlSendHeader On
     allow from all
     SSLRequireSSL
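Review bot: The context line `allow from all` after `Require valid-user` is left in place here, while the last hunk of this file removes the same line from the PhoneList block. It is a 2.2-style directive that depends on mod_access_compat under Apache 2.4, and the Apache documentation discourages mixing it with `Require`. I would drop it so that access to this block is decided by `Require valid-user` alone. The enclosing block opens and closes outside the hunk, so first confirm that no `Order` or `Deny` lines there depend on it.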
@@ -511,10 +507,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "VIEW_REPORT_OUTPUT"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -526,10 +521,9 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </LocationMatch>
 
 
@@ -600,10 +594,9 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
-    require valid-user
+    Require valid-user
     Options +ExecCGI
     PerlSendHeader On
-    Require all granted 
 </Location>
 
 # ----------------------------------------------------------------------------------
@@ -613,14 +606,13 @@ RewriteRule ^/conify/([a-z]{2}-[A-Z]{2})/global/(.*)$ /conify/global/$2 [E=local
     SetHandler perl-script
     AuthType Basic
     AuthName "PhoneList Login"
-    require valid-user
+    Require valid-user
     PerlOptions +GlobalRequest
     PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
     PerlHandler OpenILS::WWW::PhoneList
     PerlAuthenHandler OpenILS::WWW::Proxy::Authen
     Options +ExecCGI
     PerlSendHeader On
-    allow from all
     <IfModule mod_headers.c>
         Header onsuccess set Cache-Control no-cache
     </IfModule>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
index 2e33aa1..5b1c64b 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
@@ -102,6 +102,10 @@ sub handler {
                         -expires=>'-1h'
                 );
             } else {
+                # it appears that as of Apache 2.4, authentication
+                # handlers are expected to ensure that the request
+                # object has ->user set.
+                $apache->user($user->usrname);
                 $bad_auth = 0;
             }
         }
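Review bot: The added comment is worded as a guess ("it appears that..."), which leaves the next maintainer unsure whether the `$apache->user(...)` call is load-bearing. As far as I know, `Require valid-user` under Apache 2.4 is not satisfied unless the request's user field is set, so I would state that directly, for example `# Apache 2.4: Require valid-user is checked against $r->user, so set it once authentication succeeds.` The value also becomes REMOTE_USER and the user name in access logs, which is worth a word in the comment. The enclosing `handler` sub starts and ends outside the hunk, so whether every successful path passes through this branch cannot be confirmed from here.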

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/examples/apache_24/eg_vhost.conf.in       |   26 +++++++-------------
 .../src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm   |    4 +++
 2 files changed, 13 insertions(+), 17 deletions(-)


hooks/post-receive
-- 
Evergreen ILS

