




New Modular Authentication Architecture in Apache 2.2 and Beyond
Brad Nicholes, Sr. Software Engineer, Novell Inc.
Member, Apache Software Foundation

Slide 2: Agenda
- Introduction
- Differences between Apache 2.0 and 2.2
- Configuration
  - Authentication and authorization
  - Mix and match providers and methods
  - mod_authn_alias
- Coding for the new architecture
- New features already in Apache 2.3

Slide 3: Introduction
Terms / authentication elements:
- Authentication Type: the HTTP authentication scheme that carries the credentials to the server (Basic or Digest). Neither scheme encrypts anything: Basic sends the password base64-encoded, Digest sends an MD5 hash computed over it, so both need TLS underneath if the credentials are to stay private on the wire.
- Authentication Method / Provider: the process by which a user is verified to be who they claim to be.
- Authorization: the process by which an authenticated user is granted or denied access based on specific criteria.
Prior to Apache 2.2, every authentication module had to implement all three elements:
- Choosing an AuthType limited which authentication and authorization methods could be used.
- There was potential for inconsistencies across authentication modules.
Note: pay close attention to the words Authentication vs. Authorization throughout the presentation.

Slide 4: What Are the Advantages?
Flexibility:
- Ability to choose the Authentication Type, the Authentication Method and the Authorization Method independently of one another
- Ability to use multiple different authentication methods
- Mixing and matching is not a problem
Consistency:
- Authorization methods are guaranteed to work the same no matter which authentication method is chosen
- Ability to use the same authentication and authorization methods for all authentication types
Reuse:
- Implementing a new authentication provider module does not require reimplementing or duplicating existing authorization methods; the inverse is also true
- Ability to create your own custom authentication providers and reuse them throughout your configuration

Slide 5: New Modules - Introduction
- The functionality of each Apache 2.0 authentication module has been split into the three authentication elements for Apache 2.2
- Overlapping functionality among the modules was simply eliminated in favor of a base implementation
- The module name indicates which element of the authentication functionality it performs:
  - mod_auth_xxx implements an Authentication Type
  - mod_authn_xxx implements an Authentication Method or Provider
  - mod_authz_xxx implements an Authorization Method

Slide 6: New Modules - Authentication Type
- mod_auth_basic: Basic authentication. User credentials reach the server base64-encoded, which is effectively unencrypted. Directives: AuthBasicAuthoritative, AuthBasicProvider
- mod_auth_digest: MD5 Digest authentication. The server receives an MD5 digest of the credentials, realm and server nonce rather than the password itself. Directives: AuthDigestAlgorithm, AuthDigestDomain, AuthDigestNcCheck, AuthDigestNonceFormat, AuthDigestNonceLifetime, AuthDigestProvider, AuthDigestQop, AuthDigestShmemSize

Slide 7: New Modules - Authentication Providers
- mod_authn_anon: allows "anonymous" user access to authenticated areas. Directives: Anonymous, Anonymous_LogEmail, Anonymous_MustGiveEmail, Anonymous_NoUserID, Anonymous_VerifyEmail
- mod_authn_dbm: DBM user authentication. Directives: AuthDBMType, AuthDBMUserFile
- mod_authn_default: authentication fallback module. Directive: AuthDefaultAuthoritative

Slide 8: New Modules - Authentication Providers
- mod_authn_file: user authentication against a plain-text password file. Directive: AuthUserFile
- mod_authnz_ldap: LDAP directory based authentication. Directives: AuthLDAPBindDN, AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPDereferenceAliases, AuthLDAPRemoteUserIsDN, AuthLDAPUrl

Slide 9: New Modules - Authorization
- mod_authnz_ldap: LDAP directory based authorization. Require ldap-user, Require ldap-group, Require ldap-dn, Require ldap-attribute, Require ldap-filter. Directives: AuthLDAPCompareDNOnServer, AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN, AuthzLDAPAuthoritative
- mod_authz_default: authorization fallback module. Directive: AuthzDefaultAuthoritative

Slide 10: New Modules - Authorization
- mod_authz_dbm: DBM group authorization. Require *, Require group. Directives: AuthDBMGroupFile, AuthzDBMAuthoritative, AuthzDBMType
- mod_authz_groupfile: group authorization. Require *, Require group. Directives: AuthGroupFile, AuthzGroup
- mod_authz_host: authorization based on host (name or IP address). Directives: Allow, Deny, Order

Slide 11: New Modules - Authorization
- mod_authz_owner: authorization based on the ownership of the requested file (the Require type name is missing from this copy). Directive: AuthzOwnerAuthoritative
- mod_authz_user: user authorization. Require valid-user, Require user. Directive: AuthzUserAuthoritative

Slide 12: Differences Between Apache 2.0 and 2.2
New directives:
- AuthBasicProvider On|Off|provider-name [provider-name ...]
- AuthDigestProvider On|Off|provider-name [provider-name ...]
- AuthzXXXAuthoritative On|Off
Renamed directives:
- AuthBasicAuthoritative On|Off
Multiple modules must be loaded (auth, authn, authz) rather than a single mod_auth_xxx module.

Slide 13: Differences - More Authorization Types
Apache 2.0:
- Require valid-user
- Require user user-id [user-id ...]
- Require group group-name [group-name ...]
Apache 2.2:
- Same as Apache 2.0
- LDAP: ldap-user, ldap-group, ldap-dn, ldap-filter, ldap-attribute
- GroupFile *
- DBM *
- Owner
Since multiple authorization methods can be used, in most cases the type names should be unique.

Slide 14: The “ ” Authorization Type (owner-based; the type name is missing from this copy)
- Unique because it depends on mod_authz_owner for its base functionality but on other mod_authz_xxx modules to do the work
- Allows authorization based on group membership
- Implemented in Apache 1.3.20 but missing from Apache 2.0
- The authenticated user must be a member of the group that owns the requested file: the group name is derived from the group permission of the requested file
- Authorization is actually performed by secondary authz modules (mod_authz_groupfile, mod_authz_dbm, others?)

Slide 15: "ldap-xxx" Authorization Types
- The standard types ldap-user, ldap-group and ldap-dn were renamed to avoid conflicts (the bare user and group types belong to other authz modules) and for consistency
- New LDAP authorization types:
  - ldap-attribute allows the administrator to grant access based on attributes of the authenticated user in the LDAP directory. If multiple attributes are listed, the result is an OR operation. A value containing spaces has to be quoted, otherwise the configuration parser splits it into separate arguments:
    Require ldap-attribute city="San Jose" status=active
  - ldap-filter allows the administrator to grant access based on a complex LDAP search filter. If the DN returned by the filter search matches the authenticated user's DN, access is granted:
    Require ldap-filter &(cell=*)(department=marketing)

Slide 16: Configuring Simple Authentication
(The enclosing container and parts of some directives did not survive extraction; the lines are shown as they survive.)

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_ modules/mod_authn_
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so

Order deny,allow
Allow from all
AuthType Basic
AuthName Authentication_Test
AuthBasicProvider file
AuthUser
require valid-user
```

The authentication provider is the one named on AuthBasicProvider (file) and the authorization method is "any valid-user". The Order/Allow lines are mod_authz_host's host-based access control; with the default Satisfy All, both the host rules and the user authentication must pass.

Slide 17: Requiring Group Authorization

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_ modules/mod_authn_
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_group modules/mod_authz_group

Order deny,allow
Allow from all
AuthType Basic
AuthName Authentication_Test
AuthBasicProvider file
AuthUser
AuthGroup
require group my-valid-group
```

The authentication provider is still the file provider, but the authorization method is now group. mod_authz_user is commented out because no user or valid-user requirement is used.

Slide 18: Multiple Authentication Providers

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_ modules/mod_authn_
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

Order deny,allow
Allow from all
AuthType Basic
AuthName Authentication_Test
AuthBasicProvider
AuthUser
AuthLDAPURL ldap:/
AuthzLDAPAuthoritative off
require valid-user
```

Authentication now includes both providers, with the provider listed first on AuthBasicProvider taking precedence, followed by LDAP. Note how the chain works in mod_auth_basic: it moves on to the next provider only when the current one reports that the user is unknown (AUTH_USER_NOT_FOUND). A wrong password for a user the first provider does know is a final denial and is never retried against LDAP.

Slide 19: Multiple Authorization Methods

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_ modules/mod_authn_
#LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_group modules/mod_authz_group
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

Order deny,allow
Allow from all
AuthType Basic
AuthName Authentication_Test
AuthBasicProvider file
AuthUser
AuthzLDAPAuthoritative OFF
AuthGroup
AuthLDAPURL ldap:/
require ldap-group cn=public-users,o=my-context
require group my-valid-group
```

Set AuthzLDAPAuthoritative to "OFF" so that the LDAP authorization method can defer if necessary. In 2.2 every authz module inspects only the Require types it understands, and an authoritative module whose requirement is not met ends the request with 401 before any later module runs; a module that is meant to be one alternative among several therefore has to be non-authoritative, and something (another authoritative module or mod_authz_default) has to deliver the final denial.

Slide 20: “ ” Authorization (the owner-based type of slide 14)

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_ modules/mod_authn_
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_group modules/mod_authz_group
LoadModule authz_owner_module modules/mod_authz_owner.so

Order deny,allow
Allow from all
AuthType Basic
AuthName Authentication_Test
AuthBasicProvider file
AuthUser
AuthGroup
require
```

The group that the user belongs to, as defined by the AuthGroupFile, must match the actual group owner of the requested file.

Slide 21: Introduction - mod_authn_alias
- Ability to create extended providers
- Ability to reference the same base provider multiple times from a single AuthnxxxProvider directive
- Extended providers are assigned a new name, or alias
- Extended provider aliases are referenced by the directives AuthBasicProvider or AuthDigestProvider in the same manner as base providers
- Extended providers can be re-referenced by multiple configuration blocks

Slides 22 and 23: Creating Custom Providers
(The AuthnProviderAlias container tags around each group of three directives did not survive extraction.)

```apache
LoadModule authn_alias_module modules/mod_authn_alias.so

AuthLDAPBindDN cn=youruser,o=ctx
AuthLDAPBindPassword yourpassword
AuthLDAPURL ldap:/ldap.host/o=ctx

AuthLDAPBindDN cn=yourotheruser,o=dev
AuthLDAPBindPassword yourotherpassword
AuthLDAPURL ldap:/other.ldap.host/o=dev?cn
```

Use an AuthnProviderAlias block to combine authentication directives. Each block references the base provider and assigns a provider alias that is then referenced in the AuthXXXProvider directives.

Slides 24 and 25: Using Custom Providers

```apache
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

Order deny,allow
Allow from all
AuthBasicProvider ldap-other-alias ldap-alias1
AuthType Basic
AuthName LDAP_Protected_Place
AuthzLDAPAuthoritative off
require valid-user
```

Whenever an authn_alias provider is referenced, the entire set of directives from its AuthnProviderAlias block is added to the configuration. Creating authn_alias extended providers allows the "ldap" base provider to be referenced multiple times, under different conditions, from a single AuthBasicProvider directive.

Slides 26 and 27: Converting mod_simple_auth to Apache 2.2 - An Apache 2.0 Implementation
(Sketch as presented in the talk; good_credentials, authorized_user, user_is_member_of_authorized_group, authorized_simple_user, num_authorization_types and all_possible_authorization_types are placeholders for the module's own checks and configuration, not real httpd symbols.)

```c
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_protocol.h"

/* Authentication: one module is responsible for type, method and authorization */
static int authenticate_basic_user(request_rec *r)
{
    const char *sent_pw;
    int res;

    /* Locked into Basic authentication with this call */
    res = ap_get_basic_auth_pw(r, &sent_pw);
    if (res != OK) {
        /* No credentials (401, WWW-Authenticate already noted) or wrong AuthType */
        return res;
    }

    /* Determine if the credentials are good and then send the appropriate response */
    if (!good_credentials) {
        return HTTP_UNAUTHORIZED;
    }
    return OK;
}

/* Authorization: much of this code reimplements existing authorization types */
static int check_user_access(request_rec *r)
{
    int x;
    const char *authorization_type;

    for (x = 0; x < num_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];
        if (!strcmp(authorization_type, "valid-user")) {
            return OK;
        }
        if (!strcmp(authorization_type, "user") && authorized_user) {
            return OK;
        }
        if (!strcmp(authorization_type, "group") && user_is_member_of_authorized_group) {
            return OK;
        }
        if (!strcmp(authorization_type, "simple-user") && authorized_simple_user) {
            return OK;
        }
    }
    return HTTP_UNAUTHORIZED;
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_check_user_id(authenticate_basic_user, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA auth_module =
{
    STANDARD20_MODULE_STUFF,
    create_auth_dir_config,  /* per-directory config creator */
    NULL,                    /* per-directory config merger */
    NULL,                    /* per-server config creator */
    NULL,                    /* per-server config merger */
    auth_cmds,               /* directive table */
    register_hooks
};
```

Slide 28: mod_authn_simple for Apache 2.2
(The module no longer touches the auth hooks; it only registers itself as the "simple" authentication provider. determine_the_hash() is a placeholder.)

```c
#include "httpd.h"
#include "http_config.h"
#include "ap_provider.h"
#include "mod_auth.h"   /* authn_provider, authn_status, AUTHN_PROVIDER_GROUP */

/* Called by mod_auth_basic with the cleartext password */
static authn_status check_password(request_rec *r, const char *user,
                                   const char *password)
{
    /* Determine if the credentials are good and then send the appropriate response */
    if (!good_credentials) {
        return AUTH_DENIED;
    }
    return AUTH_GRANTED;
}

/* Called by mod_auth_digest: it never sees the password, only the stored
 * MD5(user:realm:password) that the provider returns here */
static authn_status get_realm_hash(request_rec *r, const char *user,
                                   const char *realm, char **rethash)
{
    /* Determine the hash and do the right thing */
    char *the_hash = determine_the_hash();
    if (!the_hash) {
        return AUTH_USER_NOT_FOUND;
    }
    *rethash = the_hash;
    return AUTH_USER_FOUND;
}

static const authn_provider authn_simple_provider =
{
    &check_password,   /* password validation function */
    &get_realm_hash,   /* digest hash function */
};

static void register_hooks(apr_pool_t *p)
{
    ap_register_provider(p, AUTHN_PROVIDER_GROUP, "simple", "0",
                         &authn_simple_provider);
}

module AP_MODULE_DECLARE_DATA authn_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authn_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authn_simple_cmds,
    register_hooks
};
```

Slide 29: mod_authz_simple for Apache 2.2
(Authorization in 2.2 is still hook-based; the module only evaluates its own Require type and declines the rest. authoritative stands for the module's AuthzSimpleAuthoritative-style directory setting.)

```c
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"

static int check_user_access(request_rec *r)
{
    int x;
    const char *authorization_type;

    for (x = 0; x < num_authorization_types; x++) {
        authorization_type = all_possible_authorization_types[x];
        if (!strcmp(authorization_type, "simple-user") && authorized_simple_user) {
            return OK;
        }
    }

    /* If we aren't authoritative then just DECLINE so the next authz module runs */
    if (!authoritative) {
        return DECLINED;
    }

    /* Return the appropriate response */
    ap_note_auth_failure(r);
    return HTTP_UNAUTHORIZED;
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_auth_checker(check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA authz_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authz_simple_cmds,
    register_hooks
};
```

Slide 30: New Features Already in Apache 2.3
- Moving from hook-based to provider-based authorization
- "AND/OR/NOT" logic in authorization
- Host access control as an authorization type: Require ip, Require host, Require env, Require all granted, Require all denied
- "Order Allow/Deny" and "Satisfy": where did they go? For backward compatibility with the 2.0/2.2 host access control, use mod_access_compat

Slide 31: mod_authz_simple Provider for Apache 2.3
(The authz provider mirrors the authn provider of slide 28: no hook, just a registered callback per Require type. The released 2.4 API differs slightly from this 2.3 sketch: the callback takes a third parameter with the parsed Require line, the struct has a second member parse_require_line, and a provider that needs an authenticated user returns AUTHZ_DENIED_NO_USER when r->user is NULL so that mod_authz_core triggers authentication first.)

```c
#include "httpd.h"
#include "http_config.h"
#include "ap_provider.h"
#include "mod_auth.h"   /* authz_provider, authz_status, AUTHZ_PROVIDER_GROUP */

static authz_status simple_user_authorization(request_rec *r,
                                              const char *require_args)
{
    if (authorized_simple_user) {
        return AUTHZ_GRANTED;
    }
    return AUTHZ_DENIED;
}

static const authz_provider authz_simpleuser_provider =
{
    &simple_user_authorization,
};

static void register_hooks(apr_pool_t *p)
{
    ap_register_provider(p, AUTHZ_PROVIDER_GROUP, "simple-user", "0",
                         &authz_simpleuser_provider);
}

module AP_MODULE_DECLARE_DATA authz_simple_module =
{
    STANDARD20_MODULE_STUFF,
    create_authz_simple_dir_config,
    NULL,
    NULL,
    NULL,
    authz_simple_cmds,
    register_hooks
};
```

Slide 32: Authorization Types

Slide 33: Adding "AND/OR/NOT" Logic to Authorization
- Allows authorization to be granted or denied based on a complex set of "Require" statements
- New directives (the container names did not survive extraction): one whose encapsulated statements must all be satisfied; one of which at least one encapsulated statement must be satisfied; one that defines a Require alias; and Reject, which rejects all matching elements

Slide 34: Authorization using AND/OR Logic
Authorization logic:
  if (user = John) | (group = admin) & (ldap-group) & (ldap-attribute dept=sales) | ( contains user)
  then authorization granted
  else authorization denied
Configuration (cut off in this copy):

```apache
AuthName .
AuthType .
AuthBasicProvider .
.
Require user John
Require Group admins
Require ldap-group cn=mygroup,o=foo
Require ldap-attrib
```