mod_auth_override

Installation

Ensure that apxs (Red Hat, from httpd-devel) or apxs2 (Debian, from apache2-dev) is installed, then compile, install and enable the module in one step:

apxs2 -c -i -a mod_auth_override.c

Configuration

Where needed, add the AuthOverride directive, naming the request header whose value should replace REMOTE_USER:

<Directory "/srv/www.example.com/htdocs">
    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/srv/www.example.com/etc/htpasswd"
    Require valid-user
    RequestHeaderPlus set SOME_HEADER bob
    AuthOverride SOME_HEADER
</Directory>

Suppose that the 'htpasswd' file contains an entry for a user 'alice'.

After successful authentication (based on the standard behaviour of mod_authn_file), REMOTE_USER is set to 'alice'.

This module, mod_auth_override, implements a fixup hook that updates REMOTE_USER to the value of the request header named by AuthOverride, SOME_HEADER (in this case, 'bob'). The fixup phase runs after authentication and authorization have completed, so the standard providers still decide whether the request is allowed; AuthOverride only changes the identity the application is told about.

It is critical, from a security perspective, that SOME_HEADER be set server-side by an AuthN or AuthZ provider such as mod_auth_cas and never be accepted from the client: a header the client can supply would let the client choose REMOTE_USER, bypassing whatever identity the authentication provider established.

A CAS example

RequestHeaderPlus, from mod_setenvifplus, is used in the example above solely to demonstrate the use of AuthOverride.

It is assumed that the request header used with AuthOverride will be set by mod_auth_cas.

For example, suppose that the original value of REMOTE_USER as set by mod_auth_cas is 'alice', but that the application wants the user's eduPersonPrincipalName instead (an email-address-style identifier), and that this value is available from the CAS_eduPersonPrincipalName header in the request; then the configuration could be:

<IfModule mod_auth_cas.c>
    # ... other CAS directives ...
    CASValidateSAML on
    CASAuthoritative on
    CASAttributePrefix CAS_
</IfModule>

<VirtualHost www.example.com:443>
    # ... other VirtualHost directives ...
    <IfModule mod_auth_cas.c>
        <Location "/secure">
            AuthType CAS
            CASScrubRequestHeaders on
            CASAuthNHeader CAS_user
            Require cas-attribute eduPersonPrincipalName~.+
            AuthOverride CAS_eduPersonPrincipalName
        </Location>
    </IfModule>
</VirtualHost>

Using 'CASScrubRequestHeaders' together with 'Require cas-attribute' ensures that the header consumed by AuthOverride was, in fact, set by mod_auth_cas: the former strips any CAS_-prefixed header the client sent before mod_auth_cas adds its own, and the latter refuses the request unless mod_auth_cas itself supplied a non-empty eduPersonPrincipalName. Either directive alone is insufficient; without scrubbing, a forged header would satisfy the 'Require' check and then be copied into REMOTE_USER.
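The risk described above, and the reason the CAS example pairs CASScrubRequestHeaders with Require cas-attribute, modelled as a small Python simulation of the request pipeline. This is an added illustration, not code from mod_auth_override or mod_auth_cas: the function names, the forged header and the account values are constructed for the example, and no real CAS exchange takes place.

```python
"""Why the AuthOverride header must be set server-side: a model of the
request pipeline.  Added illustration only; not code from mod_auth_override
or mod_auth_cas, and no real CAS exchange takes place."""

ATTR_PREFIX = "CAS_"
EPPN_HEADER = ATTR_PREFIX + "eduPersonPrincipalName"


def _get(headers, name):
    """Case-insensitive lookup, mirroring Apache's apr_table_get."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _set(headers, name, value):
    """Case-insensitive replace, mirroring apr_table_set."""
    for key in [k for k in headers if k.lower() == name.lower()]:
        del headers[key]
    headers[name] = value


def scrub_request_headers(headers, prefix=ATTR_PREFIX):
    """Models 'CASScrubRequestHeaders on': drop every header in the
    attribute namespace that arrived from the client."""
    return {k: v for k, v in headers.items()
            if not k.lower().startswith(prefix.lower())}


def cas_authenticate(headers, user, attributes, prefix=ATTR_PREFIX):
    """Models mod_auth_cas after ticket validation: REMOTE_USER becomes the
    CAS user and each asserted SAML attribute becomes a prefixed header."""
    headers = dict(headers)
    for name, value in attributes.items():
        _set(headers, prefix + name, value)
    return user, headers


def auth_override(remote_user, headers, header):
    """Models the mod_auth_override fixup hook: REMOTE_USER takes the value
    of the named request header whenever that header is present."""
    value = _get(headers, header)
    return value if value is not None else remote_user


def handle_request(client_headers, cas_user, cas_attributes, scrub, require_eppn):
    """Return the REMOTE_USER the application sees, or None for a 403.
    cas_user / cas_attributes stand in for what the CAS server asserted."""
    headers = dict(client_headers)
    if scrub:
        headers = scrub_request_headers(headers)
    remote_user, headers = cas_authenticate(headers, cas_user, cas_attributes)
    # 'Require cas-attribute eduPersonPrincipalName~.+': header must be non-empty
    if require_eppn and not _get(headers, EPPN_HEADER):
        return None
    return auth_override(remote_user, headers, EPPN_HEADER)


# Constructed scenario: 'alice' logs in at CAS but her SAML response carries
# no eduPersonPrincipalName, and her client also sends a forged header
# (hypothetical values; there is no real user or server behind them).
FORGED = {"cas_edupersonprincipalname": "root@example.org"}
ASSERTED = {"eduPersonPrincipalName": "alice@example.org"}


def demo():
    """Four configurations of the same forged request, weakest to hardened."""
    return {
        # No scrubbing, no Require: the client picked REMOTE_USER.
        "override_only": handle_request(FORGED, "alice", {}, False, False),
        # Require alone is not enough: the forged header satisfies the regex.
        "require_only": handle_request(FORGED, "alice", {}, False, True),
        # Scrub + Require: forged header gone, no attribute asserted, 403.
        "scrub_and_require": handle_request(FORGED, "alice", {}, True, True),
        # Same hardened config with a real attribute: the asserted value wins.
        "legitimate": handle_request(FORGED, "alice", ASSERTED, True, True),
    }


if __name__ == "__main__":
    for name, remote_user in demo().items():
        print(f"{name:18} REMOTE_USER={remote_user!r}")
```

The forged header is deliberately sent in lower case: Apache's header tables match names case-insensitively, so a scrubbing or lookup routine that compared exact strings would still be bypassable, which is why the model's helpers normalise case.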

PLEASE NOTE that 'Require cas-attribute' needs a recent version of mod_auth_cas: specifically, one that supports the 'CASAuthoritative' directive.

Patches providing rpm or deb packaging welcome.
