@@ -124,9 +124,6 @@ void *cas_create_server_config(apr_pool_t *pool, server_rec *svr)
124
124
c -> CASValidateSAML = CAS_DEFAULT_VALIDATE_SAML ;
125
125
c -> CASAttributeDelimiter = CAS_DEFAULT_ATTRIBUTE_DELIMITER ;
126
126
c -> CASAttributePrefix = CAS_DEFAULT_ATTRIBUTE_PREFIX ;
127
- #if MODULE_MAGIC_NUMBER_MAJOR < 20120211
128
- c -> CASAuthoritative = CAS_DEFAULT_AUTHORITATIVE ;
129
- #endif
130
127
c -> CASPreserveTicket = CAS_DEFAULT_PRESERVE_TICKET ;
131
128
cas_setURL (pool , & (c -> CASLoginURL ), CAS_DEFAULT_LOGIN_URL );
132
129
cas_setURL (pool , & (c -> CASValidateURL ), CAS_DEFAULT_VALIDATE_URL );
@@ -161,9 +158,6 @@ void *cas_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD)
161
158
c -> CASCookieSecure = (add -> CASCookieSecure != CAS_DEFAULT_COOKIE_SECURE ? add -> CASCookieSecure : base -> CASCookieSecure );
162
159
c -> CASSSOEnabled = (add -> CASSSOEnabled != CAS_DEFAULT_SSO_ENABLED ? add -> CASSSOEnabled : base -> CASSSOEnabled );
163
160
c -> CASValidateSAML = (add -> CASValidateSAML != CAS_DEFAULT_VALIDATE_SAML ? add -> CASValidateSAML : base -> CASValidateSAML );
164
- #if MODULE_MAGIC_NUMBER_MAJOR < 20120211
165
- c -> CASAuthoritative = (add -> CASAuthoritative != CAS_DEFAULT_AUTHORITATIVE ? add -> CASAuthoritative : base -> CASAuthoritative );
166
- #endif
167
161
c -> CASPreserveTicket = (add -> CASPreserveTicket != CAS_DEFAULT_PRESERVE_TICKET ? add -> CASPreserveTicket : base -> CASPreserveTicket );
168
162
c -> CASAttributeDelimiter = (apr_strnatcasecmp (add -> CASAttributeDelimiter , CAS_DEFAULT_ATTRIBUTE_DELIMITER ) != 0 ? add -> CASAttributeDelimiter : base -> CASAttributeDelimiter );
169
163
c -> CASAttributePrefix = (apr_strnatcasecmp (add -> CASAttributePrefix , CAS_DEFAULT_ATTRIBUTE_PREFIX ) != 0 ? add -> CASAttributePrefix : base -> CASAttributePrefix );
@@ -423,16 +417,6 @@ const char *cfg_readCASParameter(cmd_parms *cmd, void *cfg, const char *value)
423
417
else
424
418
return (apr_psprintf (cmd -> pool , "MOD_AUTH_CAS: Invalid argument to CASSSOEnabled - must be 'On' or 'Off'" ));
425
419
break ;
426
- #if MODULE_MAGIC_NUMBER_MAJOR < 20120211
427
- case cmd_authoritative :
428
- if (apr_strnatcasecmp (value , "On" ) == 0 )
429
- c -> CASAuthoritative = TRUE;
430
- else if (apr_strnatcasecmp (value , "Off" ) == 0 )
431
- c -> CASAuthoritative = FALSE;
432
- else
433
- return (apr_psprintf (cmd -> pool , "MOD_AUTH_CAS: Invalid argument to CASAuthoritative - must be 'On' or 'Off'" ));
434
- break ;
435
- #endif
436
420
case cmd_preserve_ticket :
437
421
if (apr_strnatcasecmp (value , "On" ) == 0 )
438
422
c -> CASPreserveTicket = TRUE;
@@ -473,11 +457,7 @@ apr_byte_t cas_setURL(apr_pool_t *pool, apr_uri_t *uri, const char *url)
473
457
apr_byte_t isSSL (const request_rec * r )
474
458
{
475
459
476
- #ifdef APACHE2_0
477
- if (apr_strnatcasecmp ("https" , ap_http_method (r )) == 0 )
478
- #else
479
460
if (apr_strnatcasecmp ("https" , ap_http_scheme (r )) == 0 )
480
- #endif
481
461
return TRUE;
482
462
483
463
return FALSE;
@@ -602,11 +582,7 @@ char *getCASService(const request_rec *r, const cas_cfg *c)
602
582
char * scheme , * port_str = "" , * service ;
603
583
apr_byte_t print_port = TRUE;
604
584
605
- #ifdef APACHE2_0
606
- scheme = (char * ) ap_http_method (r );
607
- #else
608
585
scheme = (char * ) ap_http_scheme (r );
609
- #endif
610
586
611
587
if (root_proxy -> is_initialized ) {
612
588
service = apr_psprintf (r -> pool , "%s%s%s%s" ,
@@ -2238,17 +2214,10 @@ int cas_authenticate(request_rec *r)
2238
2214
if (c -> CASRootProxiedAs .is_initialized ) {
2239
2215
newLocation = apr_psprintf (r -> pool , "%s%s%s%s" , apr_uri_unparse (r -> pool , & c -> CASRootProxiedAs , 0 ), r -> uri , ((r -> args != NULL ) ? "?" : "" ), ((r -> args != NULL ) ? r -> args : "" ));
2240
2216
} else {
2241
- #ifdef APACHE2_0
2242
- if (printPort == TRUE)
2243
- newLocation = apr_psprintf (r -> pool , "%s://%s:%u%s%s%s" , ap_http_method (r ), r -> server -> server_hostname , r -> connection -> local_addr -> port , r -> uri , ((r -> args != NULL ) ? "?" : "" ), ((r -> args != NULL ) ? r -> args : "" ));
2244
- else
2245
- newLocation = apr_psprintf (r -> pool , "%s://%s%s%s%s" , ap_http_method (r ), r -> server -> server_hostname , r -> uri , ((r -> args != NULL ) ? "?" : "" ), ((r -> args != NULL ) ? r -> args : "" ));
2246
- #else
2247
2217
if (printPort == TRUE)
2248
2218
newLocation = apr_psprintf (r -> pool , "%s://%s:%u%s%s%s" , ap_http_scheme (r ), r -> server -> server_hostname , r -> connection -> local_addr -> port , r -> uri , ((r -> args != NULL ) ? "?" : "" ), ((r -> args != NULL ) ? r -> args : "" ));
2249
2219
else
2250
2220
newLocation = apr_psprintf (r -> pool , "%s://%s%s%s%s" , ap_http_scheme (r ), r -> server -> server_hostname , r -> uri , ((r -> args != NULL ) ? "?" : "" ), ((r -> args != NULL ) ? r -> args : "" ));
2251
- #endif
2252
2221
}
2253
2222
apr_table_add (r -> headers_out , "Location" , newLocation );
2254
2223
return HTTP_MOVED_TEMPORARILY ;
@@ -2431,7 +2400,6 @@ int cas_match_attribute(const char *const attr_spec, const cas_saml_attr *const
2431
2400
}
2432
2401
return CAS_ATTR_NO_MATCH ;
2433
2402
}
2434
- #if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
2435
2403
2436
2404
authz_status cas_check_authorization (request_rec * r ,
2437
2405
const char * require_line ,
@@ -2478,157 +2446,6 @@ static const authz_provider authz_cas_provider =
2478
2446
NULL ,
2479
2447
};
2480
2448
2481
- #else
2482
-
2483
- /* CAS authorization module, code adopted from Nick Kew's Apache Modules Book, 2007, p. 190f */
2484
- int cas_authorize (request_rec * r )
2485
- {
2486
- const cas_saml_attr * const attrs = cas_get_attributes (r );
2487
-
2488
- const apr_array_header_t * const reqs_arr = ap_requires (r );
2489
- const require_line * const reqs =
2490
- reqs_arr ? (require_line * ) reqs_arr -> elts : NULL ;
2491
- const cas_cfg * const c =
2492
- ap_get_module_config (r -> server -> module_config ,
2493
- & auth_cas_module );
2494
-
2495
- if (c -> CASDebug )
2496
- ap_log_rerror (APLOG_MARK , APLOG_DEBUG , 0 , r ,
2497
- "Entering cas_authorize." );
2498
-
2499
- if (!reqs_arr ) {
2500
- if (c -> CASDebug )
2501
- ap_log_rerror (APLOG_MARK , APLOG_DEBUG , 0 , r ,
2502
- "No require statements found, "
2503
- "so declining to perform authorization." );
2504
- return DECLINED ;
2505
- }
2506
-
2507
- return (cas_authorize_worker (r , attrs , reqs , reqs_arr -> nelts , c ));
2508
- }
2509
-
2510
- /* Pulled out from cas_authorize to enable unit-testing */
2511
-
2512
- int cas_authorize_worker (request_rec * r , const cas_saml_attr * const attrs , const require_line * const reqs , int nelts , const cas_cfg * const c )
2513
- {
2514
- const int m = r -> method_number ;
2515
- const char * token ;
2516
- const char * requirement ;
2517
- int i ;
2518
- int have_casattr = 0 ;
2519
- int count_casattr = 0 ;
2520
-
2521
- // Q: why don't we use ap_some_auth_required here?? performance?
2522
-
2523
- /* Go through applicable Require directives */
2524
- for (i = 0 ; i < nelts ; ++ i ) {
2525
- /* Ignore this Require if it's in a <Limit> section
2526
- * that exclude this method
2527
- */
2528
-
2529
- if (!(reqs [i ].method_mask & (AP_METHOD_BIT << m ))) {
2530
- continue ;
2531
- }
2532
-
2533
- /* ignore if it's not a "Require cas-attribute ..." */
2534
- requirement = reqs [i ].requirement ;
2535
-
2536
- token = ap_getword_white (r -> pool , & requirement );
2537
-
2538
- if (apr_strnatcasecmp (token , "cas-attribute" ) != 0 ) {
2539
- continue ;
2540
- }
2541
-
2542
- /* OK, we have a "Require cas-attribute" to satisfy */
2543
- have_casattr = 1 ;
2544
-
2545
- /* If we have an applicable cas-attribute, but no
2546
- * attributes were sent in the request, then we can
2547
- * just stop looking here, because it's not
2548
- * satisfiable. The code after this loop will give the
2549
- * appropriate response. */
2550
- if (!attrs ) {
2551
- break ;
2552
- }
2553
-
2554
- /* Iterate over the attribute specification strings in this
2555
- * require directive searching for a specification that
2556
- * matches one of the attributes. */
2557
- while (* requirement ) {
2558
- token = ap_getword_conf (r -> pool , & requirement );
2559
- count_casattr ++ ;
2560
-
2561
- if (c -> CASDebug )
2562
- ap_log_rerror (APLOG_MARK , APLOG_DEBUG , 0 , r ,
2563
- "Evaluating attribute specification: %s" ,
2564
- token );
2565
-
2566
- if (cas_match_attribute (token , attrs , r ) ==
2567
- CAS_ATTR_MATCH ) {
2568
-
2569
- /* If *any* attribute matches, then
2570
- * authorization has succeeded and all
2571
- * of the others are ignored. */
2572
- if (c -> CASDebug )
2573
- ap_log_rerror (APLOG_MARK , APLOG_DEBUG , 0 , r ,
2574
- "Require cas-attribute "
2575
- "'%s' matched" , token );
2576
- return OK ;
2577
- }
2578
- }
2579
- }
2580
-
2581
- /* If there weren't any "Require cas-attribute" directives,
2582
- * we're irrelevant.
2583
- */
2584
- if (!have_casattr ) {
2585
- if (c -> CASDebug )
2586
- ap_log_rerror (APLOG_MARK , APLOG_DEBUG , 0 , r ,
2587
- "No cas-attribute statements found. "
2588
- "Not performing authZ." );
2589
- return DECLINED ;
2590
- }
2591
-
2592
- /* If we have no attributes to evaluate, it's worth reporting (may be attribute release upstream has yet to be approved)
2593
- */
2594
- if (have_casattr && !attrs ) {
2595
- ap_log_rerror (APLOG_MARK , APLOG_WARNING , 0 , r ,
2596
- "'Require cas-attribute' cannot be satisfied; no attributes were available for authorization." );
2597
- return DECLINED ;
2598
- }
2599
-
2600
- /* If there was a "Require cas-attribute", but no actual attributes,
2601
- * that's cause to warn the admin of an iffy configuration.
2602
- */
2603
- if (count_casattr == 0 ) {
2604
- if (c -> CASDebug )
2605
- ap_log_rerror (APLOG_MARK , APLOG_WARNING , 0 , r ,
2606
- "'Require cas-attribute' missing specification(s) in configuration. Declining." );
2607
- return DECLINED ;
2608
- }
2609
-
2610
- /* If we're not authoritative, hand over to other authz modules */
2611
- if (!c -> CASAuthoritative ) {
2612
- if (c -> CASDebug )
2613
- ap_log_rerror (APLOG_MARK , APLOG_DEBUG , 0 , r ,
2614
- "Authorization failed, but we are not "
2615
- "authoritative, thus handing over to other "
2616
- "module(s)." );
2617
- return DECLINED ;
2618
- }
2619
-
2620
- /* OK, our decision is final and binding */
2621
- if (c -> CASDebug )
2622
- ap_log_rerror (APLOG_MARK , APLOG_DEBUG , 0 , r ,
2623
- "Authorization denied for client session" );
2624
-
2625
- ap_note_auth_failure (r );
2626
-
2627
- return HTTP_UNAUTHORIZED ;
2628
- }
2629
-
2630
- #endif
2631
-
2632
2449
#if OPENSSL_VERSION_NUMBER < 0x10100000L && defined(OPENSSL_THREADS ) && APR_HAS_THREADS
2633
2450
2634
2451
/* shamelessly based on code from mod_ssl */
@@ -2849,34 +2666,15 @@ apr_status_t cas_in_filter(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode
2849
2666
2850
2667
void cas_register_hooks (apr_pool_t * p )
2851
2668
{
2852
- #if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
2853
2669
ap_register_auth_provider (p , AUTHZ_PROVIDER_GROUP , "cas-attribute" ,
2854
2670
AUTHZ_PROVIDER_VERSION ,
2855
2671
& authz_cas_provider , AP_AUTH_INTERNAL_PER_CONF );
2856
- #else
2857
- /* make sure we run before mod_authz_user so that a "require valid-user"
2858
- * directive doesn't just automatically pass us. */
2859
- static const char * const authzSucc [] = { "mod_authz_user.c" , NULL };
2860
- ap_hook_auth_checker (cas_authorize , NULL , authzSucc , APR_HOOK_MIDDLE );
2861
- #endif
2862
-
2863
- #if MODULE_MAGIC_NUMBER_MAJOR >= 20120211
2864
2672
ap_hook_check_authn (
2865
2673
cas_authenticate ,
2866
2674
NULL ,
2867
2675
NULL ,
2868
2676
APR_HOOK_MIDDLE ,
2869
2677
AP_AUTH_INTERNAL_PER_URI );
2870
- #elif MODULE_MAGIC_NUMBER_MAJOR >= 20100714
2871
- ap_hook_check_access_ex (
2872
- cas_authenticate ,
2873
- NULL ,
2874
- NULL ,
2875
- APR_HOOK_MIDDLE ,
2876
- AP_AUTH_INTERNAL_PER_URI );
2877
- #else
2878
- ap_hook_check_user_id (cas_authenticate , NULL , NULL , APR_HOOK_MIDDLE );
2879
- #endif
2880
2678
ap_hook_post_config (cas_post_config , NULL , NULL , APR_HOOK_LAST );
2881
2679
ap_register_input_filter ("CAS" , cas_in_filter , NULL , AP_FTYPE_RESOURCE );
2882
2680
}
@@ -2921,9 +2719,6 @@ const command_rec cas_cmds [] = {
2921
2719
AP_INIT_TAKE1 ("CASRootProxiedAs" , cfg_readCASParameter , (void * ) cmd_root_proxied_as , RSRC_CONF , "URL used to access the root of the virtual server (only needed when the server is proxied)" ),
2922
2720
AP_INIT_TAKE1 ("CASScrubRequestHeaders" , ap_set_string_slot , (void * ) APR_OFFSETOF (cas_dir_cfg , CASScrubRequestHeaders ), ACCESS_CONF , "Scrub CAS user name and SAML attribute headers from the user's request." ),
2923
2721
/* authorization options */
2924
- #if MODULE_MAGIC_NUMBER_MAJOR < 20120211
2925
- AP_INIT_TAKE1 ("CASAuthoritative" , cfg_readCASParameter , (void * ) cmd_authoritative , RSRC_CONF , "Set 'On' to reject if access isn't allowed based on our rules; 'Off' (default) to allow checking against other modules too." ),
2926
- #endif
2927
2722
AP_INIT_TAKE1 ("CASPreserveTicket" , cfg_readCASParameter , (void * ) cmd_preserve_ticket , RSRC_CONF , "Leave CAS ticket parameters intact when a valid session cookie exists. This helps prevent infinite redirect loops when CAS protection is being used at multiple levels." ),
2928
2723
AP_INIT_TAKE1 (0 , 0 , 0 , 0 , 0 )
2929
2724
};
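Review bot: In the cas_merge_server_config hunk, the merge lines that remain treat any value equal to the compiled-in default as "not set", e.g. `add->CASCookieSecure != CAS_DEFAULT_COOKIE_SECURE ? add->CASCookieSecure : base->CASCookieSecure`. A virtual host that explicitly sets the default value therefore still inherits the base server's setting. For security-relevant switches such as CASCookieSecure and CASValidateSAML, this means a vhost cannot restore the default once the base configuration has changed it. The behaviour predates this commit, but while the block is being edited it deserves at least a comment above it, `/* a value equal to its CAS_DEFAULT_* constant is treated as unset and inherits from base */`; a real fix would need an explicit "unset" sentinel set in cas_create_server_config and resolved after merging. The function body starts and ends outside the hunk, so other fields may follow the same pattern.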