mp2: architectural question re authentication handlers

[Carl Brewer <ca...@bl.echidna.id.au>]

Forgive me for asking yet another fundamentally basic question.

I'm cutting a web app over from PHP to mod_perl 2, and
am wondering how 'best' (for which there are many flavours ...)
to handle authentication.

At present I've knocked up a site that does auth via a
form and state tracking with Session.pm.  The form checks
usernames & passwords against a MySQL database, and the state is
maintained by Session.  This seems quite logical to me, coming from
essentially a CGI background, but the discussion of handlers
around here makes me believe there's a better way?

I see threads here discussing the use of handlers, which I
don't really understand how they fit into the picture,
they seem to my poor understanding to be a hardcoded
chunk in httpd.conf, for handling authentation/state.  Is
there anywhere a dumb beginers guide to how this
works?  Do they set environment variables or something
that a script can then look for that the script can be sure
is legit?  Or am I completely missing the point?  Do I
need to buy a book?  It seems really bad to go
hacking into httpd.conf, but maybe that's just my
old-school conservatism?

for now I'm continuing with my form based authentication,
but is there a 'better' way? And if so, what makes it better?

Carl

Re: mp2: architectural question re authentication handlers

[Carl Brewer <ca...@bl.echidna.id.au>]

Cees Hek wrote:

	[chomp]

Thanks Cees, that's exactly what I needed :)  My stuff is all completely
generated by scripts where I need access control, but I certainly
see the use for controlling static entity access.

Carl

Re: mp2: architectural question re authentication handlers

[Cees Hek <ce...@sitesuite.com.au>]

Quoting Carl Brewer <ca...@bl.echidna.id.au>:

> Forgive me for asking yet another fundamentally basic question.
> 
> I'm cutting a web app over from PHP to mod_perl 2, and
> am wondering how 'best' (for which there are many flavours ...)
> to handle authentication.
> 
> At present I've knocked up a site that does auth via a
> form and state tracking with Session.pm.  The form checks
> usernames & passwords against a MySQL database, and the state is
> maintained by Session.  This seems quite logical to me, coming from
> essentially a CGI background, but the discussion of handlers
> around here makes me believe there's a better way?

I would highly recommend the Eagle book if you are looking to move beyond CGI
when using mod_perl.  I know that you are looking at mod_perl2, and the Eagle
book does not cover mod_perl2, but it will give you great insight into how
mod_perl and Apache works.

And lucky for you, since you are interested in Authentication and Authorization,
that chapter happens to be available online.

http://modperl.com:9000/book/chapters/ch6.html

Also checkout the great documentation available at http://perl.apache.org/

If you want a good example of how to implement Authentication and Authorization
in mod_perl, then look on CPAN for the man Apache::Auth* modules.  I have used
Apache::AuthCookie in many projects and it has relatively good documentation. 
You will also find tonnes of info on Authentication if you search the mailing
list archives.

> I see threads here discussing the use of handlers, which I
> don't really understand how they fit into the picture,
> they seem to my poor understanding to be a hardcoded
> chunk in httpd.conf, for handling authentation/state.  Is
> there anywhere a dumb beginers guide to how this
> works?

The easiest way to explain it is to just look at Apache's Basic Authentication
support at first.  The one where the browser pops up a window and you type in
your username and password, and Apache authenticates the user for you before it
will allow the CGI script to be executed or the html file to be downloaded.  You
configure that in httpd.conf or in .htaccess files, telling Apache who has
access to specific files and directories.  This is just your standard access
control stuff.

Now imagine that you can use that same core functionality in Apache, but write
the routines yourself in perl.  And instead of the ugly login popup you can
instead create an HTML login page.  

> Do they set environment variables or something
> that a script can then look for that the script can be sure
> is legit?

Yes, they set the HTTP_USER variable to the users login when a user is
authenticated.  But your script doesn't need to even worry about that, because
Apache won't execute the script unless the user is authorized.  So if the script
is executing, then the user is authenticated...

> for now I'm continuing with my form based authentication,
> but is there a 'better' way? And if so, what makes it better?

The biggest benefit I find is that you can separate your authentication code
from the rest of the code.  With an Authentication handler, your CGI script or
content handler will never even be executed unless the user has been authenticated.

Also, how would you use a CGI based authentication scheme to limit access to a
static HTML file, or an image?  It can't be done cleanly.  But with
Authentication handlers, you can hook them to a <Location> or <Directory>
directive or even a <Files> directive in the httpd.conf file.  So you can
protect an entire directory with ease.

Cheers,

Cees