Description: Define authtype TKT
 This patch introduces a new authtype 'TKT', to allow usage of the module
 without redirect urls or guest access. In that case, it is only possible to
 get access if the user already has a cookie from a previous visit to the
 login page. Otherwise, access will be denied.
Author: Ivo De Decker <ivodd@debian.org>
Forwarded: no
Last-Update: 2012-05-17

Index: libapache2-mod-auth-tkt/src/mod_auth_tkt.c
===================================================================
--- libapache2-mod-auth-tkt.orig/src/mod_auth_tkt.c
+++ libapache2-mod-auth-tkt/src/mod_auth_tkt.c
@@ -1467,6 +1467,7 @@
   auth_tkt_serv_conf *sconf =
     ap_get_module_config(r->server->module_config, &auth_tkt_module);
   const char *scheme = ap_http_method(r);
+  const char *current_auth;
   int guest = 0;
   int timeout;
   int force_cookie_refresh = 0;
@@ -1486,9 +1487,13 @@
   if (conf->debug >= 2)
     dump_config(r, sconf, conf);
 
-  /* Module not configured unless login_url or guest_login is set */
+  /* Module not configured unless login_url or guest_login is set
+   * or AuthType is TKT*/
   if (! conf->login_url && conf->guest_login <= 0) {
-    return DECLINED;
+    current_auth = ap_auth_type(r);
+    if (!current_auth || strcasecmp(current_auth, "TKT")) {
+      return DECLINED;
+    }
   }
   /* Module misconfigured unless secret set */
   if (! sconf->secret) {
@@ -1526,11 +1531,16 @@
             "TKT: no valid ticket found - redirecting to login url");
           return redirect(r, conf->login_url);
         }
-        else {
+        else if (conf->guest_login > 0) {
           /* Fatal error: guest setup failed, but we have no login url defined */
           ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
             "TKT: guest login failed and no login url to fall back to - aborting");
           return HTTP_INTERNAL_SERVER_ERROR;
+        } else {
+          /* No access: no guest setup and we have no login url defined */
+          ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
+            "TKT: no guest login and no login url to fall back to - no access");
+          return HTTP_FORBIDDEN;
         }
       }
     }
@@ -1553,11 +1563,16 @@
       if (url) {
         return redirect(r, url);
       }
-      else {
+      else if (conf->guest_login > 0) {
         /* Fatal error: guest setup failed, but we have no url to redirect to */
         ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r,
           "TKT: ticket timeout, guest login failed, and no url to fall back to - aborting");
         return HTTP_INTERNAL_SERVER_ERROR;
+      } else {
+        /* No access: no guest setup and we have no url to redirect to */
+        ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r,
+          "TKT: ticket timeout, no guest login and no url to fall back to - no access");
+        return HTTP_UNAUTHORIZED;
       }
     }
   }