* Handle a login attempt. * * If the login session is either missing or form authnz is unsuccessful, a * 401 Not Authorized will be returned to the browser. The webmaster * is expected to insert a login form into the 401 Not Authorized * error screen. * * If the webmaster wishes, they can point the form submission at this * handler, which will redirect the user to the correct page on succe
| 1110 | * |
| 1111 | */ |
| 1112 | static int authenticate_form_login_handler(request_rec * r) |
| 1113 | { |
| 1114 | auth_form_config_rec *conf; |
| 1115 | const char *err; |
| 1116 | |
| 1117 | const char *sent_user = NULL, *sent_pw = NULL, *sent_loc = NULL; |
| 1118 | int rv; |
| 1119 | |
| 1120 | if (strcmp(r->handler, FORM_LOGIN_HANDLER)) { |
| 1121 | return DECLINED; |
| 1122 | } |
| 1123 | |
| 1124 | if (r->method_number != M_POST) { |
| 1125 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01811) |
| 1126 | "the " FORM_LOGIN_HANDLER " only supports the POST method for %s", |
| 1127 | r->uri); |
| 1128 | return HTTP_METHOD_NOT_ALLOWED; |
| 1129 | } |
| 1130 | |
| 1131 | conf = ap_get_module_config(r->per_dir_config, &auth_form_module); |
| 1132 | |
| 1133 | rv = get_form_auth(r, conf->username, conf->password, conf->location, |
| 1134 | NULL, NULL, NULL, |
| 1135 | &sent_user, &sent_pw, &sent_loc, |
| 1136 | NULL, NULL, NULL, conf); |
| 1137 | if (OK == rv) { |
| 1138 | rv = check_authn(r, sent_user, sent_pw); |
| 1139 | if (OK == rv) { |
| 1140 | set_session_auth(r, sent_user, sent_pw, conf->site); |
| 1141 | if (sent_loc) { |
| 1142 | apr_table_set(r->headers_out, "Location", sent_loc); |
| 1143 | return HTTP_MOVED_TEMPORARILY; |
| 1144 | } |
| 1145 | if (conf->loginsuccess) { |
| 1146 | const char *loginsuccess = ap_expr_str_exec(r, |
| 1147 | conf->loginsuccess, &err); |
| 1148 | if (!err) { |
| 1149 | apr_table_set(r->headers_out, "Location", loginsuccess); |
| 1150 | return HTTP_MOVED_TEMPORARILY; |
| 1151 | } |
| 1152 | else { |
| 1153 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02341) |
| 1154 | "Can't evaluate login success expression: %s", err); |
| 1155 | return HTTP_INTERNAL_SERVER_ERROR; |
| 1156 | } |
| 1157 | } |
| 1158 | return HTTP_OK; |
| 1159 | } |
| 1160 | } |
| 1161 | |
| 1162 | /* did we prefer to be redirected to the login page on failure instead? */ |
| 1163 | if (HTTP_UNAUTHORIZED == rv && conf->loginrequired) { |
| 1164 | const char *loginrequired = ap_expr_str_exec(r, |
| 1165 | conf->loginrequired, &err); |
| 1166 | if (!err) { |
| 1167 | apr_table_set(r->headers_out, "Location", loginrequired); |
| 1168 | return HTTP_MOVED_TEMPORARILY; |
| 1169 | } |
nothing calls this directly
no test coverage detected