28 May
2011
28 May
'11
4:54 p.m.
Juha Heinanen wrote:
Martin Hoffmann writes:
Right. I can live with that. But just to illustrate my point, here is
how my authentication part looks:
if (!proxy_authorize("$fd", "subcriber") {
proxy_challenge("$fd", "9");
drop;
}
I don't really see any reason why I would want the switch and cases when
proxy_challenge() magically does what I want.
My plan was to eventually start a branch of my
own in git. Haven't
gotten round to it yet.
why is that? i now have,
if (!radius_proxy_authorize("$var(uri_domain)",
"$var(uri_user)")) {
switch ($rc) {
...
case -4:
xlog("L_INFO", "$rm <$ru> by <$var(uri)> has stale
nonce\n");
www_challenge("$td", "1");
exit;
the only thing i would need to change is www_challenge flag parameter
value from "1" to "9". i would do it so that if www or proxy_authorize
function returns -4
(stale nonce) then i would call www or proxy_challenge with stale flag
on. it would then cause stale=true to be added to the header.
That would be an option, too, but IMHO it makes the whole authorization bit
in the config unnecessarily messy. so i propose adding this:
+ 8 - build challenge header with stale=true
it would be a simple, fully backwards compatible new feature.
Okay. That would be a completely different albeit much simpler patch
than mine.
Regards,
Martin