Apache 2.4 post_read hook isn't run on subrequests, breaks module

Description

The 2.4 module support relies on the post_read hook to initialize the module request_config structure and the ShibTargetApache shim object, which is then reused across all the various hooks.

When a request for a directory URL is sent, the server internally generates a subrequest to the default index.html page, and the request_config is no longer present, but the post_read hook never runs.

Testing suggests that check_user still runs, so we need to:

  • fix the 2.4 "base" authz hook to handle the uninitialized case less fatally

  • make sure the check_user hook can create the objects needed itself without relying on the post_read hook

Environment

None

Activity

Scott Cantor 
December 10, 2012 at 7:13 PM

Closing with release.

Scott Cantor 
October 17, 2012 at 4:17 PM

http://svn.shibboleth.net/view/cpp-sp?rev=3791&view=rev

Fix more session locking code to prevent cross-function lock hold.

Scott Cantor 
October 15, 2012 at 3:10 PM

http://svn.shibboleth.net/view/cpp-sp?rev=3786&view=rev

Simpler solution, just stop caching the locked session with the request wrapper. It rarely if ever gets accessed more than once per wrapper instance, so the caching adds little benefit, and not caching the lock prevents any re-entrant locking of the session that would be caused by the web server.

The handler logic never runs with the session locked now, so there's no chance of a regression there.

Scott Cantor 
October 10, 2012 at 3:55 PM

The use of a heap-based ShibTargetApache object for each request is creating a deadlock. With the original code, each instance of that object would lookup and lock the Session object but then be disposed of and free the lock every time a hook function exits.

Now the object stays alive and holds the session lock during the subrequest's execution, so the recursive attempt to lock the session in the subrequest's copy of ShibTargetApache's getSession method deadlocks.

I'm not sure if I can roll back to the original per-hook copy of ShibTargetApache or not, but it's possibly the only fix.

Scott Cantor 
October 9, 2012 at 8:49 PM

Still seeing issues in certain cases (see list thread on /secure URL access).

Fixed

Details

Assignee

Reporter

Original estimate

Fix versions

Affects versions

Created September 19, 2012 at 1:36 AM
Updated December 10, 2012 at 7:13 PM
Resolved October 15, 2012 at 3:10 PM