Posted to embperl@perl.apache.org by Dirk Jagdmann <do...@cubic.org> on 2005/09/13 21:33:28 UTC

username and password with basic auth

Hello developers,

I'm currently developing software which receives requests via HTTP
where username and password are transmitted via HTTP (basic)
authentication (as a base64 encoded string in the HTTP request header).
The other parameters are transmitted as a GET request, thus encoded into
the URL of the request.

I have not (yet) found any way to retrieve the password in my perl
code. The username is set in the REQUEST_USER environment variable, but
I did not find out where I can access the password. Is this possible?

Or would it be possible if I code a custom Auth Handler (as shown in the
mod_perl manual) and then store the password somewhere where I can
access it from my (Emb)perl code?

-- 
---> doj / cubic
----> http://cubic.org/~doj
-----> http://llg.cubic.org


---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org


RE: username and password with basic auth

Posted by Gerald Richter <ri...@ecos.de>.
Hi,

> On Wed, Sep 14, 2005 at 05:41:35AM +0200, Gerald Richter wrote:
> > > Of course, Basic Authentication is evil, and should only be used for
> > > toy projects (since it doesn't scale) over HTTPS.
> > 
> > I see that, since password is transmitted in clear text, it is a 
> > security problem in http, but where is the problem with https?
> 
> The problem is that the password is still transmitted in the 
> clear on every request. If I can somehow sniff packets on 
> your host I get lots of opportunities to steal your 
> credentials; if I can get a hostile embperl page or cgi 
> within the same Auth Realm on your webserver I can do the 
> same. Authentication should be once only per-session and/or 
> it shouldn't use cleartext passwords.
> 

Ok, I agree

> The scalability thing is also significant, since every 
> request for every resource (which often means css, images, 
> etc., not just html pages) is authorised. And typically the 
> authorisation is non-trivial (e.g. a linear scan through an 
> htpasswd file, proportional to the number of users you have), 
> rather than something fast like a ticket checksum.
> 

This depends on your userbase and the way you store passwords.

Thanks for the feedback

Gerald





Re: username and password with basic auth

Posted by Gavin Carr <ga...@openfusion.com.au>.
On Wed, Sep 14, 2005 at 05:41:35AM +0200, Gerald Richter wrote:
> > Of course, Basic Authentication is evil, and should only be 
> > used for toy projects (since it doesn't scale) over HTTPS.
> 
> I see that, since password is transmitted in clear text, it is a security
> problem in http, but where is the problem with https?

The problem is that the password is still transmitted in the
clear on every request. If I can somehow sniff packets on your 
host I get lots of opportunities to steal your credentials; 
if I can get a hostile embperl page or cgi within the same
Auth Realm on your webserver I can do the same. Authentication
should be once only per-session and/or it shouldn't use cleartext
passwords.

The scalability thing is also significant, since every request
for every resource (which often means css, images, etc., not just 
html pages) is authorised. And typically the authorisation is 
non-trivial (e.g. a linear scan through an htpasswd file,
proportional to the number of users you have), rather than 
something fast like a ticket checksum.

Cheers,
Gavin

--
Open Fusion P/L - Open Source Business Solutions [ Linux - Perl - Apache ]
ph:  +612 9875 5032                                    fax: +612 9875 4317
web: http://www.openfusion.com.au                      mob: +61 403 171712
- Fashion is a variable, but style is a constant - Programming Perl




Re: username and password with basic auth

Posted by do...@roasted.cubic.org.
Hello all,

thank you for your suggestions to my problem. I have solved it this way:

use Apache ();
use MIME::Base64 qw(decode_base64);   # decode_base64 is not available without this import
my $r=Apache->request();
my $auth=$r->header_in("Authorization") || '';
$auth =~ s/^Basic\s+//i;              # strip the scheme token (case-insensitive) and the space after it
my ($user, $pass)=split(/:/, decode_base64($auth), 2);   # limit 2: the password itself may contain ':'

Apache is configured *without* any Authentication handlers. The deeper
reason for this solution lies in the fact that I am refactoring some
existing application which became too slow with an increasing number
of clients, because the user authentication and other data
processing was done in two steps between webserver and database. I
have now modified the database schema and queries in such a way that
all work is done with a single "select" into the database, which calls
some stored procedures in the SQL server which do all user auth
etc. Therefore I did not need Apache to do any authentication
anymore.

-- 
---> doj / cubic
----> http://www.cubic.org
-----> http://llg.cubic.org

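The snippet in the post above decodes the header by hand. What follows is an added example, not code from the thread or from Embperl, that does the same parsing with the edge cases handled (scheme matched case-insensitively and anchored at the start of the header, password containing colons, missing or non-Basic header) and then checks the result against an htpasswd-style "{SHA}" entry using a constant-time comparison. Two caveats matter for the "no Apache auth handler" approach: nothing sends the 401 / WWW-Authenticate challenge any more, so clients must send the header pre-emptively and the script itself has to reject missing or bad credentials (the example does); and while TLS encrypts the header on the wire, the reusable password still arrives with every request, which is what Gavin's remark about other pages in the same realm is about. The user name, password and hash below are constructed test data, and the script runs stand-alone without Apache.

```perl
#!/usr/bin/perl
# Added example (not from the thread): robust parsing of an HTTP Basic
# Authorization header, plus a check against an "htpasswd -s" ({SHA})
# entry that does not leak timing information.  No Apache required.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);
use Digest::SHA  qw(sha1);

# Returns (user, password), or an empty list when the header is absent,
# uses another scheme, or does not decode to "user:password".
sub basic_credentials {
    my ($header) = @_;
    return unless defined $header;
    # RFC 7617: the scheme token is case-insensitive and is followed by
    # whitespace and a base64 token.  Anchoring at the start means a
    # "Bearer ..." or "Digest ..." header is never mistaken for Basic.
    return unless $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/=]+)\s*\z}i;
    my $decoded = decode_base64($1);
    # The user-id may not contain a colon, but the password may, so split
    # on the first colon only.
    my ($user, $pass) = split /:/, $decoded, 2;
    return unless defined $user && defined $pass && length $user;
    return ($user, $pass);
}

# Constant-time string comparison: XOR every byte and accumulate, so the
# time taken does not depend on where the first mismatch is.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify against "{SHA}" . base64(sha1(password)), the format written by
# "htpasswd -s".  Unsalted SHA-1 is a weak password store by today's
# standards; it is used here only because it is the Apache format at hand.
sub check_htpasswd_sha {
    my ($stored, $pass) = @_;
    return 0 unless $stored =~ /\A\{SHA\}(.+)\z/;
    my $want = $1;
    my $have = encode_base64(sha1($pass), '');   # '' = no trailing newline
    return constant_time_eq($want, $have);
}

# Constructed test data: user "doj" with password "s3cret:with:colons".
my %htpasswd = (doj => '{SHA}' . encode_base64(sha1('s3cret:with:colons'), ''));

# Constructed headers covering the accept path and three reject paths.
my @headers = (
    'Basic ' . encode_base64('doj:s3cret:with:colons', ''),   # good
    'basic ' . encode_base64('doj:wrong', ''),                # bad password
    'Bearer abc.def.ghi',                                     # other scheme
    undef,                                                    # no header at all
);

for my $h (@headers) {
    my ($user, $pass) = basic_credentials($h);
    my $ok = defined $user
          && exists $htpasswd{$user}
          && check_htpasswd_sha($htpasswd{$user}, $pass);
    printf "%-45s -> %s\n",
        defined $h ? $h : '(no Authorization header)',
        $ok ? "accept $user" : 'reject (send 401 + WWW-Authenticate)';
}
```

Run it with plain perl; only the first constructed header is accepted. In an Embperl page you would feed `$req_rec->header_in("Authorization")` to basic_credentials and, on a reject, set the WWW-Authenticate header and return 401 yourself, since no auth handler is doing it for you.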


RE: username and password with basic auth

Posted by Gerald Richter <ri...@ecos.de>.
> 
> I haven't tried it, but you should just be able to get the 
> Authorization http header (via the apache request) and base64 
> decode it, giving you a 'username:password' string.
> 

That will work,

($ret, $pw) = $req_rec -> get_basic_auth_pw ;

Will do it for you (see perldoc Apache).

> Of course, Basic Authentication is evil, and should only be 
> used for toy projects (since it doesn't scale) over HTTPS.
> 

I see that, since password is transmitted in clear text, it is a security
problem in http, but where is the problem with https?

Gerald




Re: username and password with basic auth

Posted by Gavin Carr <ga...@openfusion.com.au>.
On Tue, Sep 13, 2005 at 09:33:28PM +0200, Dirk Jagdmann wrote:
> I'm currently developing software which receives requests via HTTP
> where username and password are transmitted via HTTP (basic)
> authentication (as a base64 encoded string in the HTTP request header).
> The other parameters are transmitted as a GET request, thus encoded into
> the URL of the request.
> 
> I have not (yet) found any way to retrieve the password in my perl
> code. The username is set in the REQUEST_USER environment variable, but
> I did not find out where I can access the password. Is this possible?

I haven't tried it, but you should just be able to get the Authorization
http header (via the apache request) and base64 decode it, giving you a
'username:password' string.

Of course, Basic Authentication is evil, and should only be used for toy
projects (since it doesn't scale) over HTTPS.

> Or would it be possible if I code a custom Auth Handler (as shown in the
> mod_perl manual) and then store the password somewhere where I can
> access it from my (Emb)perl code?

<plug>

Yep. There are lots of ways to do this - my mod_auth_tkt module:

  http://www.openfusion.com.au/labs/mod_auth_tkt/

is one, providing a drop-in replacement for Basic Authentication, 
apache single-signon, yada yada. You'd typically just store the
encrypted password in the auth ticket data section, which shows
up in the REMOTE_USER_DATA environment variable.

</plug>

Cheers,
Gavin




Re: username and password with basic auth

Posted by Angus Lees <gu...@inodes.org>.
At Tue, 13 Sep 2005 21:33:28 +0200, Dirk Jagdmann wrote:
> Or would it be possible if I code a custom Auth Handler (as shown in the
> mod_perl manual) and then store the password somewhere where I can
> access it from my (Emb)perl code?

Best would be to write a custom auth handler and do whatever
authentication it is you want there (and not in your embperl code).

Otherwise you'll need to stash the password somewhere during
Authentication for retrieval later on in the content stage - I'd
suggest using the apache request's "notes" ($req_rec->notes)

-- 
 - Gus

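Angus's suggestion, as an added example that is not code from the thread or from mod_perl: a mod_perl 1.x PerlAuthenHandler that lets Apache issue the challenge via get_basic_auth_pw (the call Gerald mentions), checks the password once, and stashes it in the request notes so the Embperl page can read it with $req_rec->notes('auth_password'). The package name, the note key and the in-memory user table are assumptions; the table uses the crypt(3) format that plain htpasswd writes, so the check is a crypt() round-trip. The caveat a practitioner wants here is in the comment next to the notes call: stashing the clear-text password makes it visible to everything that runs later in the request, so only do it when the content stage genuinely needs it.

```perl
# Added example (not from the thread): a mod_perl 1.x PerlAuthenHandler
# that authenticates once and hands the password to the content phase
# through $r->notes.  Package name, note key and user table are assumed.
package My::BasicAuth;
use strict;
use warnings;
use Apache::Constants qw(OK AUTH_REQUIRED);

# Constructed user table in htpasswd crypt(3) format (what "htpasswd"
# writes without -s or -m).  The password for "doj" is "s3cret".
# Generate an entry with:  perl -e 'print crypt("s3cret", "ab"), "\n"'
my %users = (
    doj => crypt('s3cret', 'ab'),
);

sub handler {
    my $r = shift;
    # get_basic_auth_pw parses the Authorization header; if it is missing
    # or malformed it sets WWW-Authenticate itself and returns a non-OK
    # status that we simply pass back to Apache.
    my ($ret, $pw) = $r->get_basic_auth_pw;
    return $ret unless $ret == OK;
    my $user = $r->connection->user;

    unless (password_ok($user, $pw)) {
        $r->note_basic_auth_failure;   # re-issue the challenge
        $r->log_reason("bad password for '$user'", $r->uri);
        return AUTH_REQUIRED;
    }
    # Stash for the content phase.  This re-exposes the clear-text password
    # to every handler and page that runs later in this request, so only
    # keep it if the content stage (e.g. a DB login) really needs it.
    $r->notes('auth_password' => $pw);
    return OK;
}

sub password_ok {
    my ($user, $pw) = @_;
    my $stored = $users{$user};
    return 0 unless defined $stored;
    # crypt() with the stored hash as the salt reproduces the stored hash
    # exactly when the password matches.
    return crypt($pw, $stored) eq $stored;
}

1;

# httpd.conf fragment (mod_perl 1.x), also an assumption about your setup:
#   PerlModule My::BasicAuth
#   <Location /app>
#       AuthType Basic
#       AuthName "app"
#       PerlAuthenHandler My::BasicAuth
#       require valid-user
#   </Location>
```

In the Embperl page, `$req_rec->notes('auth_password')` returns the value for the current request only; notes are per request and are not inherited by subrequests, so an internally redirected page will not see it.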