Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:mdelves:apache
apache2-mod_auth_kerb
mod_auth_kerb-cache_auth.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File mod_auth_kerb-cache_auth.patch of Package apache2-mod_auth_kerb
--- src/mod_auth_kerb.c.orig 2008-12-04 11:14:03.000000000 +0100 +++ src/mod_auth_kerb.c 2009-07-17 23:10:15.000000000 +0200 @@ -157,6 +157,7 @@ const char *krb_service_name; int krb_authoritative; int krb_delegate_basic; + int krb_cache_auth; #if 0 int krb_ssl_preauthentication; #endif @@ -220,6 +221,9 @@ command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic, FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."), + command("KrbCacheAuthentication", ap_set_flag_slot, krb_cache_auth, + FLAG, "Cache authentication per connection, which provides a substantial performance boost."), + #if 0 command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication, FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."), @@ -325,6 +329,7 @@ ((kerb_auth_config *)rec)->krb_service_name = NULL; ((kerb_auth_config *)rec)->krb_authoritative = 1; ((kerb_auth_config *)rec)->krb_delegate_basic = 0; + ((kerb_auth_config *)rec)->krb_cache_auth = 0; #if 0 ((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0; #endif @@ -936,6 +941,7 @@ const char *sent_name = NULL; const char *realms = NULL; const char *realm = NULL; + const char *cached_auth_info = NULL; krb5_context kcontext = NULL; krb5_error_code code; krb5_principal client = NULL; @@ -954,6 +960,20 @@ return HTTP_INTERNAL_SERVER_ERROR; } + /* see if we already authenticated this connection */ + if (conf->krb_delegate_basic) { + cached_auth_info = apr_table_get(r->connection->notes, "KRBCACHEDAUTHINFO"); + if (cached_auth_info) { + if (!strcmp(auth_line, cached_auth_info)) { + MK_USER = apr_pstrdup(r->pool, apr_table_get(r->connection->notes, "KRBCACHEDUSER")); + ret = OK; + goto end; + } else { + apr_table_unset(r->connection->notes, "KRBCACHEDAUTHINFO"); + } + } + } + sent_pw = ap_pbase64decode(r->pool, auth_line); sent_name = ap_getword_nulls_nc (r->pool, (char **) &sent_pw, ':'); @@ -1067,6 +1087,12 @@ if (conf->krb_save_credentials) store_krb5_creds(kcontext, r, conf, ccache); + + if (conf->krb_delegate_basic) { + apr_table_set(r->connection->notes, "KRBCACHEDAUTHINFO", auth_line); + apr_table_set(r->connection->notes, "KRBCACHEDUSER", MK_USER); + } + ret = OK; end: --- README.orig 2009-07-17 23:10:29.000000000 +0200 +++ README 2009-07-17 23:12:16.000000000 +0200 @@ -93,6 +93,15 @@ authentication scheme in Apache (Apache 2.1 seems to provide better support for multiple various authentication mechanisms). +KrbCacheAuthentication on | off (set to off by default) + Enabling this option causes authentication information to be cached by + connection. Thus, if the principal has already been authenticated on + the same connection, the result of that authentication is re-used, + instead of authenticating against the KDC again. + This option provides a substantial performance boost, but is disabled by + default because it has not yet been merged upstream and is to be regarded + as experimental. + Note on server principals ------------------------- Now you have to create an service key for the module, which is needed to
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor