1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
|
<HEAD>
</HEAD>
<BODY>
<H1>Browser Side Access Authorization Module</H1>
This module is the browser side interface to Access Authorization (AA)
package. It contains code only for browser.<P>
<B>Important</B> to know about memory allocation:<P>
Routines in this module use dynamic allocation, but free
automatically all the memory reserved by them.
<P>
Therefore the caller never has to (and never should)
<CODE>free()</CODE> any object returned by these functions.
<P>
Therefore also all the strings returned by this package
are only valid until the next call to the same function
is made. This approach is selected, because of the nature
of access authorization: no string returned by the package
needs to be valid longer than until the next call.
<P>
This also makes it easy to plug the AA package in:
you don't have to ponder whether to <CODE>free()</CODE>
something here or is it done somewhere else (because it
is always done somewhere else).
<P>
The strings that the package needs to store are copied
so the original strings given as parameters to AA
functions may be freed or modified with no side effects.
<P>
<B>Also note:</B>
The AA package does not <CODE>free()</CODE> anything else
than what it has itself allocated.
<P>
<PRE>
#ifndef HTAABROW_H
#define HTAABROW_H
#include "HTUtils.h" /* BOOL, PARAMS, ARGS */
#include "HTAAUtil.h" /* Common parts of AA */
#include "HTList.h"
#include "HTAssoc.h"
#ifdef SHORT_NAMES
#define HTAAcoAu HTAA_composeAuth
#define HTAAsRWA HTAA_shouldRetryWithAuth
#endif /*SHORT_NAMES*/
/*
** Local datatype definitions
**
** HTAAServer contains all the information about one server.
*/
typedef struct {
char * hostname; /* Host's name */
int portnumber; /* Port number */
HTList * setups; /* List of protection setups */
/* on this server; i.e. valid */
/* authentication schemes and */
/* templates when to use them. */
/* This is actually a list of */
/* HTAASetup objects. */
HTList * realms; /* Information about passwords */
} HTAAServer;
/*
** HTAASetup contains information about one server's one
** protected tree of documents.
*/
typedef struct {
HTAAServer *server; /* Which server serves this tree */
char * template; /* Template for this tree */
HTList * valid_schemes; /* Valid authentic.schemes */
HTAssocList**scheme_specifics;/* Scheme specific params */
BOOL reprompt; /* Failed last time -- reprompt (or whatever)*/
} HTAASetup;
/*
** Information about usernames and passwords in
** Basic and Pubkey authentication schemes;
*/
typedef struct {
char * realmname; /* Password domain name */
char * username; /* Username in that domain */
char * password; /* Corresponding password */
} HTAARealm;
#include "HTAccess.h" /* HTRequest */
</PRE>
<H2>Routines for Browser Side Recording of AA Info</H2>
Most of the browser-side AA is done by the following two functions
(which are called from file <CODE>HTTP.c</CODE> so the browsers using
<CODE>libwww</CODE> only need to be linked with the new library and not
be changed at all):
<UL>
<LI><CODE>HTAA_composeAuth()</CODE> composes the
<CODE>Authorization:</CODE> line contents, if the AA package thinks
that the given document is protected. Otherwise this function returns
NULL. This function also calls the functions <CODE>HTPrompt(),</CODE>
<CODE>HTPromptPassword()</CODE> and <CODE>HTConfirm()</CODE> to get
the username, password and some confirmation from the user.
<LI><CODE>HTAA_shouldRetryWithAuth()</CODE> determines whether to
retry the request with AA or with a new AA (in case username or
password was misspelled).
</UL>
<PRE>
/* BROWSER PUBLIC HTAA_composeAuth()
**
** COMPOSE Authorization: HEADER LINE CONTENTS
** IF WE ALREADY KNOW THAT THE HOST REQUIRES AUTHENTICATION
**
** ON ENTRY:
** req request, which contains
** req->argument document, that we're trying to access.
** req->setup protection setup info on browser.
** req->scheme selected authentication scheme.
** req->realm for Basic scheme the username and password.
**
** ON EXIT:
** returns NO, if no authorization seems to be needed, and
** req->authorization is NULL.
** YES, if it has composed Authorization field,
** in which case the result is in req->authorization,
** e.g.
**
** "Basic AkRDIhEF8sdEgs72F73bfaS=="
*/
PUBLIC BOOL HTAA_composeAuth PARAMS((HTRequest * req));
/* BROWSER PUBLIC HTAA_retryWithAuth()
**
** RETRY THE SERVER WITH AUTHORIZATION (OR IF
** ALREADY RETRIED, WITH A DIFFERENT USERNAME
** AND/OR PASSWORD (IF MISSPELLED)) OR CANCEL
** ON ENTRY:
** req request.
** req->valid_schemes
** This function should only be called when
** server has replied with a 401 (Unauthorized)
** status code, and req structure has been filled
** up according to server reply, especially the
** req->valid_shemes list must have been set up
** according to WWW-Authenticate: headers.
** callback the function to call when username and
** password have been entered (HTLoadHTTP()).
** ON EXIT:
** On GUI clients pops up a username/password dialog box
** with "Ok" and "Cancel".
** "Ok" button press should do a callback
**
** HTLoadHTTP(req);
**
** This actually done by function HTPasswordDialog(),
** which GUI clients redefine.
**
** returns YES, if dialog box was popped up.
** NO, on failure.
*/
PUBLIC BOOL HTAA_retryWithAuth PARAMS((HTRequest * req,
HTRetryCallbackType callback));
/* PUPLIC HTAA_cleanup()
**
** Free the memory used by the entries concerning Access Authorization
** in the request structure and put all pointers to NULL
** Henrik 14/03-94.
**
** ON ENTRY:
** req the request structure
**
** ON EXIT:
** returns nothing.
*/
PUBLIC void HTAACleanup PARAMS((HTRequest *req));
</PRE>
<H2>Enabling Gateway httpds to Forward Authorization</H2>
These functions should only be called from daemon code, and
<CODE>HTAAForwardAuth_reset()</CODE> must be called before the next
request is handled to make sure that authorization string
isn't cached in daemon so that other people can access private
files using somebody elses previous authorization information.
<PRE>
PUBLIC void HTAAForwardAuth_set PARAMS((CONST char * scheme_name,
CONST char * scheme_specifics));
PUBLIC void HTAAForwardAuth_reset NOPARAMS;
</PRE>
<PRE>
#endif /* NOT HTAABROW_H */
</PRE>
End of file HTAABrow.h.
</BODY>
|
