|
|
/*++
Copyright (c) 1995 Microsoft Corporation
Module Name:
httpfilt.h
Abstract:
This module contains the Microsoft HTTP filter extension info
Revision History:
--*/
#ifndef _HTTPFILT_H_
#define _HTTPFILT_H_
#ifdef __cplusplus
extern "C" {#endif
//
// Current version of the filter spec is 4.0
//
#define HTTP_FILTER_REVISION MAKELONG( 0, 4)
#define SF_MAX_USERNAME (256+1)
#define SF_MAX_PASSWORD (256+1)
#define SF_MAX_AUTH_TYPE (32+1)
#define SF_MAX_FILTER_DESC_LEN (256+1)
typedefVOID (WINAPI * PFN_SF_NOTIFY) ( DWORD dwNotifyType, LPVOID pInstance );
//
// These values can be used with the pfnSFCallback function supplied in
// the filter context structure
//
enum SF_REQ_TYPE{ //
// Sends a complete HTTP server response header including
// the status, server version, message time and MIME version.
//
// Server extensions should append other information at the end,
// such as Content-type, Content-length etc followed by an extra
// '\r\n'.
//
// pData - Zero terminated string pointing to optional
// status string (i.e., "401 Access Denied") or NULL for
// the default response of "200 OK".
//
// ul1 - Zero terminated string pointing to optional data to be
// appended and set with the header. If NULL, the header will
// be terminated with an empty line.
//
SF_REQ_SEND_RESPONSE_HEADER,
//
// If the server denies the HTTP request, add the specified headers
// to the server error response.
//
// This allows an authentication filter to advertise its services
// w/o filtering every request. Generally the headers will be
// WWW-Authenticate headers with custom authentication schemes but
// no restriction is placed on what headers may be specified.
//
// pData - Zero terminated string pointing to one or more header lines
// with terminating '\r\n'.
//
SF_REQ_ADD_HEADERS_ON_DENIAL,
//
// Only used by raw data filters that return SF_STATUS_READ_NEXT
//
// ul1 - size in bytes for the next read
//
SF_REQ_SET_NEXT_READ_SIZE,
//
// Used to indicate this request is a proxy request
//
// ul1 - The proxy flags to set
// 0x00000001 - This is a HTTP proxy request
//
//
SF_REQ_SET_PROXY_INFO,
//
// Returns the connection ID contained in the ConnID field of an
// ISAPI Application's Extension Control Block. This value can be used
// as a key to cooridinate shared data between Filters and Applications.
//
// pData - Pointer to DWORD that receives the connection ID.
//
SF_REQ_GET_CONNID,
//
// Used to set a SSPI security context + impersonation token
// derived from a client certificate.
//
// pData - certificate info ( PHTTP_FILTER_CERTIFICATE_INFO )
// ul1 - CtxtHandle*
// ul2 - impersonation handle
//
SF_REQ_SET_CERTIFICATE_INFO,
//
// Used to get an IIS property
// as defined in SF_PROPERTY_IIS
//
// ul1 - Property ID
//
SF_REQ_GET_PROPERTY,
//
// Used to normalize an URL
//
// pData - URL to normalize
//
SF_REQ_NORMALIZE_URL,
//
// Indicates end of renegotiation
//
// pData - LPBOOL : TRUE if renegotiation succeeded
//
SF_REQ_DONE_RENEGOTIATE,
//
// Set notify call-back
//
// ul1 - notification type ( SF_NOTIFY_TYPE )
// pData - ptr to notify function ( PFN_SF_NOTIFY )
//
SF_REQ_SET_NOTIFY,
//
// Disable Notifications
//
// ul1 - notifications to disable
//
SF_REQ_DISABLE_NOTIFICATIONS, };
enum SF_PROPERTY_IIS{ SF_PROPERTY_CLIENT_CERT_ENABLED, // return BOOL in pData as LPBOOL
SF_PROPERTY_MD5_ENABLED, // return BOOL in pData as LPBOOL
SF_PROPERTY_DIR_MAP_CERT, // return BOOL in pData as LPBOOL
SF_PROPERTY_GET_CERT11_MAPPER, // These 4 functions returns ptr
SF_PROPERTY_GET_RULE_MAPPER, // to RefBlob containing mapper
SF_PROPERTY_GET_MD5_MAPPER, SF_PROPERTY_GET_ITA_MAPPER, SF_PROPERTY_GET_INSTANCE_ID, SF_PROPERTY_MD_IF, SF_PROPERTY_SSL_CTXT, SF_PROPERTY_INSTANCE_NUM_ID,} ;
enum SF_NOTIFY_TYPE{ SF_NOTIFY_MAPPER_MD5_CHANGED, SF_NOTIFY_MAPPER_ITA_CHANGED, SF_NOTIFY_MAPPER_CERT11_CHANGED, SF_NOTIFY_MAPPER_CERTW_CHANGED, SF_NOTIFY_MAPPER_SSLKEYS_CHANGED, SF_NOTIFY_MAPPER_CERT11_TOUCHED,} ;
//
// These values are returned by the filter entry point when a new request is
// received indicating their interest in this particular request
//
enum SF_STATUS_TYPE{ //
// The filter has handled the HTTP request. The server should disconnect
// the session.
//
SF_STATUS_REQ_FINISHED = 0x8000000,
//
// Same as SF_STATUS_FINISHED except the server should keep the TCP
// session open if the option was negotiated
//
SF_STATUS_REQ_FINISHED_KEEP_CONN,
//
// The next filter in the notification chain should be called
//
SF_STATUS_REQ_NEXT_NOTIFICATION,
//
// This filter handled the notification. No other handles should be
// called for this particular notification type
//
SF_STATUS_REQ_HANDLED_NOTIFICATION,
//
// An error occurred. The server should use GetLastError() and indicate
// the error to the client
//
SF_STATUS_REQ_ERROR,
//
// The filter is an opaque stream filter and we're negotiating the
// session parameters. Only valid for raw read notification.
//
SF_STATUS_REQ_READ_NEXT};
//
// pvNotification points to this structure for all request notification types
//
typedef struct _HTTP_FILTER_CONTEXT{ DWORD cbSize;
//
// This is the structure revision level.
//
DWORD Revision;
//
// Private context information for the server.
//
PVOID ServerContext; DWORD ulReserved;
//
// TRUE if this request is coming over a secure port
//
BOOL fIsSecurePort;
//
// A context that can be used by the filter
//
PVOID pFilterContext;
//
// Server callbacks
//
BOOL (WINAPI * GetServerVariable) ( struct _HTTP_FILTER_CONTEXT * pfc, LPSTR lpszVariableName, LPVOID lpvBuffer, LPDWORD lpdwSize );
BOOL (WINAPI * AddResponseHeaders) ( struct _HTTP_FILTER_CONTEXT * pfc, LPSTR lpszHeaders, DWORD dwReserved );
BOOL (WINAPI * WriteClient) ( struct _HTTP_FILTER_CONTEXT * pfc, LPVOID Buffer, LPDWORD lpdwBytes, DWORD dwReserved );
VOID * (WINAPI * AllocMem) ( struct _HTTP_FILTER_CONTEXT * pfc, DWORD cbSize, DWORD dwReserved );
BOOL (WINAPI * ServerSupportFunction) ( struct _HTTP_FILTER_CONTEXT * pfc, enum SF_REQ_TYPE sfReq, PVOID pData, DWORD ul1, DWORD ul2 );
} HTTP_FILTER_CONTEXT, *PHTTP_FILTER_CONTEXT;
//
// This structure is the notification info for the read and send raw data
// notification types
//
typedef struct _HTTP_FILTER_RAW_DATA{ //
// This is a pointer to the data for the filter to process.
//
PVOID pvInData; DWORD cbInData; // Number of valid data bytes
DWORD cbInBuffer; // Total size of buffer
DWORD dwReserved;
} HTTP_FILTER_RAW_DATA, *PHTTP_FILTER_RAW_DATA;
//
// This structure is the notification info for when the server is about to
// process the client headers
//
typedef struct _HTTP_FILTER_PREPROC_HEADERS{ //
// For SF_NOTIFY_PREPROC_HEADERS, retrieves the specified header value.
// Header names should include the trailing ':'. The special values
// 'method', 'url' and 'version' can be used to retrieve the individual
// portions of the request line
//
BOOL (WINAPI * GetHeader) ( struct _HTTP_FILTER_CONTEXT * pfc, LPSTR lpszName, LPVOID lpvBuffer, LPDWORD lpdwSize );
//
// Replaces this header value to the specified value. To delete a header,
// specified a value of '\0'.
//
BOOL (WINAPI * SetHeader) ( struct _HTTP_FILTER_CONTEXT * pfc, LPSTR lpszName, LPSTR lpszValue );
//
// Adds the specified header and value
//
BOOL (WINAPI * AddHeader) ( struct _HTTP_FILTER_CONTEXT * pfc, LPSTR lpszName, LPSTR lpszValue );
DWORD HttpStatus; // New in 4.0, status for SEND_RESPONSE
DWORD SubStatus; // New in 4.0, status for SEND_RESPONSE
} HTTP_FILTER_PREPROC_HEADERS, *PHTTP_FILTER_PREPROC_HEADERS;
typedef HTTP_FILTER_PREPROC_HEADERS HTTP_FILTER_SEND_RESPONSE;typedef HTTP_FILTER_PREPROC_HEADERS *PHTTP_FILTER_SEND_RESPONSE;
//
// Authentication information for this request.
//
typedef struct _HTTP_FILTER_AUTHENT{ //
// Pointer to username and password, empty strings for the anonymous user
//
// Client's can overwrite these buffers which are guaranteed to be at
// least SF_MAX_USERNAME and SF_MAX_PASSWORD bytes large.
//
CHAR * pszUser; DWORD cbUserBuff;
CHAR * pszPassword; DWORD cbPasswordBuff;
} HTTP_FILTER_AUTHENT, *PHTTP_FILTER_AUTHENT;
//
// Authentication information for this request.
//
typedef struct _HTTP_FILTER_AUTHENTEX{ //
// Pointer to username and password, empty strings for the anonymous user
//
// Client can overwrite hAccessToken
//
CHAR * pszUser; DWORD cbUserBuff;
CHAR * pszLogonUser; DWORD cbLogonUserBuff;
CHAR * pszPassword; CHAR * pszRealm;
CHAR * pszAuthType; DWORD cbAuthTypeBuff;
HANDLE hAccessTokenPrimary; HANDLE hAccessTokenImpersonation;
} HTTP_FILTER_AUTHENTEX, *PHTTP_FILTER_AUTHENTEX;
//
// Indicates the server is going to use the specific physical mapping for
// the specified URL. Filters can modify the physical path in place.
//
typedef struct _HTTP_FILTER_URL_MAP{ const CHAR * pszURL;
CHAR * pszPhysicalPath; DWORD cbPathBuff;
} HTTP_FILTER_URL_MAP, *PHTTP_FILTER_URL_MAP;
//
// Indicates the server is going to delete the specified impersonation token
// Only called if the token was created by the filter
//
typedef struct _HTTP_FILTER_REQUEST_CLOSE_SECURITY_CONTEXT{ PVOID pCtxt;
} HTTP_FILTER_REQUEST_CLOSE_SECURITY_CONTEXT, *PHTTP_FILTER_REQUEST_CLOSE_SECURITY_CONTEXT;
//
// Bitfield indicating the requested resource has been denied by the server due
// to a logon failure, an ACL on a resource, an ISAPI Filter or an
// ISAPI Application/CGI Application.
//
// SF_DENIED_BY_CONFIG can appear with SF_DENIED_LOGON if the server
// configuration did not allow the user to logon.
//
#define SF_DENIED_LOGON 0x00000001
#define SF_DENIED_RESOURCE 0x00000002
#define SF_DENIED_FILTER 0x00000004
#define SF_DENIED_APPLICATION 0x00000008
#define SF_DENIED_BY_CONFIG 0x00010000
typedef struct _HTTP_FILTER_ACCESS_DENIED{ const CHAR * pszURL; // Requesting URL
const CHAR * pszPhysicalPath; // Physical path of resource
DWORD dwReason; // Bitfield of SF_DENIED flags
} HTTP_FILTER_ACCESS_DENIED, *PHTTP_FILTER_ACCESS_DENIED;
//
// The server request a SSL certificate renegotiation.
// If filter accepts, it must set fAccepted to TRUE
//
typedef struct _HTTP_FILTER_REQUEST_CERT{ BOOL fAccepted; // [out] request accepted
BOOL fMapCert; // [in] TRUE if cert to be mapped to
// NT account
DWORD dwReserved;
} HTTP_FILTER_REQUEST_CERT, *PHTTP_FILTER_REQUEST_CERT;
//
// The log information about to be written to the server log file. The
// string pointers can be replaced but the memory must remain valid until
// the next notification
//
typedef struct _HTTP_FILTER_LOG{ const CHAR * pszClientHostName; const CHAR * pszClientUserName; const CHAR * pszServerName; const CHAR * pszOperation; const CHAR * pszTarget; const CHAR * pszParameters;
DWORD dwHttpStatus; DWORD dwWin32Status;
DWORD dwBytesSent; // IIS 3.0 and later
DWORD dwBytesRecvd; // IIS 3.0 and later
DWORD msTimeForProcessing; // IIS 3.0 and later
} HTTP_FILTER_LOG, *PHTTP_FILTER_LOG;
//
// Notification Flags
//
// SF_NOTIFY_SECURE_PORT
// SF_NOTIFY_NONSECURE_PORT
//
// Indicates whether the application wants to be notified for transactions
// that are happenning on the server port(s) that support data encryption
// (such as PCT and SSL), on only the non-secure port(s) or both.
//
// SF_NOTIFY_READ_RAW_DATA
//
// Applications are notified after the server reads a block of memory
// from the client but before the server does any processing on the
// block. The data block may contain HTTP headers and entity data.
//
//
//
#define SF_NOTIFY_SECURE_PORT 0x00000001
#define SF_NOTIFY_NONSECURE_PORT 0x00000002
#define SF_NOTIFY_READ_RAW_DATA 0x00008000
#define SF_NOTIFY_PREPROC_HEADERS 0x00004000
#define SF_NOTIFY_AUTHENTICATION 0x00002000
#define SF_NOTIFY_URL_MAP 0x00001000
#define SF_NOTIFY_ACCESS_DENIED 0x00000800
#define SF_NOTIFY_SEND_RESPONSE 0x00000040
#define SF_NOTIFY_SEND_RAW_DATA 0x00000400
#define SF_NOTIFY_LOG 0x00000200
#define SF_NOTIFY_END_OF_REQUEST 0x00000080
#define SF_NOTIFY_END_OF_NET_SESSION 0x00000100
#define SF_NOTIFY_AUTHENTICATIONEX 0x20000000
#define SF_NOTIFY_REQUEST_SECURITY_CONTEXT_CLOSE \
0x10000000#define SF_NOTIFY_RENEGOTIATE_CERT 0x08000000
//
// Filter ordering flags
//
// Filters will tend to be notified by their specified
// ordering. For ties, notification order is determined by load order.
//
// SF_NOTIFY_ORDER_HIGH - Authentication or data transformation filters
// SF_NOTIFY_ORDER_MEDIUM
// SF_NOTIFY_ORDER_LOW - Logging filters that want the results of any other
// filters might specify this order.
//
#define SF_NOTIFY_ORDER_HIGH 0x00080000
#define SF_NOTIFY_ORDER_MEDIUM 0x00040000
#define SF_NOTIFY_ORDER_LOW 0x00020000
#define SF_NOTIFY_ORDER_DEFAULT SF_NOTIFY_ORDER_LOW
#define SF_NOTIFY_ORDER_MASK (SF_NOTIFY_ORDER_HIGH | \
SF_NOTIFY_ORDER_MEDIUM | \ SF_NOTIFY_ORDER_LOW)
//
// Filter version information, passed to GetFilterVersion
//
typedef struct _HTTP_FILTER_VERSION{ //
// Version of the spec the server is using
//
DWORD dwServerFilterVersion;
//
// Fields specified by the client
//
DWORD dwFilterVersion; CHAR lpszFilterDesc[SF_MAX_FILTER_DESC_LEN]; DWORD dwFlags;
} HTTP_FILTER_VERSION, *PHTTP_FILTER_VERSION;
typedef struct _HTTP_FILTER_CERTIFICATE_INFO{ PBYTE pbCert; DWORD cbCert;
} HTTP_FILTER_CERTIFICATE_INFO, *PHTTP_FILTER_CERTIFICATE_INFO;
//
// A filter DLL's entry point looks like this. The return code should be
// an SF_STATUS_TYPE
//
// NotificationType - Type of notification
// pvNotification - Pointer to notification specific data
//
DWORDWINAPIHttpFilterProc( HTTP_FILTER_CONTEXT * pfc, DWORD NotificationType, VOID * pvNotification );
BOOLWINAPIGetFilterVersion( HTTP_FILTER_VERSION * pVer );
BOOLWINAPITerminateFilter( DWORD dwFlags );
#ifdef __cplusplus
}#endif
#endif //_HTTPFILT_H_
|
