You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by Kim Goldov <kg...@gmail.com> on 2010/09/24 02:33:35 UTC

PerlFixupHandler doesn't run after authz phase returns HTTP_UNAUTHORIZED

I've written a module, "auth_any" that allows a user to be
authenticated by any mechanism including OpenID (Google), Basic auth,
LDAP, or Shibboleth (Protect Network). My PerlAuthenticationHandler
checks for a cookie, and if not found, redirects to a page containing
a list of links for each auth mechanism. These links go back to
mod_perl which adds the appropriate configuration directives for that
authentication mechanism. If authentication succeeds, the response
phase sets the cookie and writes it into our database. The browser is
then redirected back to the originally requested URL. The
authentication handler finds the cookie this time and returns "OK".

I've written a corresponding PerlAuthorizationHandler, however we
would like to be able to replace it with authorization through one of
the standard providers mentioned above (authorization provider
determined at server initialization time). The problem is that if the
user is not authorized, the module returns either a 401 with a
"WWW-Authenticate:" header field (LDAP or basic), or a 302 with a
"Location:" header field (Shibboleth) and displays a second window
requesting credentials. I thought that I might be able to remove these
header fields in a PerlFixupHandler and issue my own 302 or 200 return
code. However, it seems that the fixup phase does not run after an
authorization hook or handler returns HTTP_UNAUTHORIZED or REDIRECT.
Is there a way around this, or is there another handler phase that I
can use to manipulate the return code and HTTP header?

Kim

Re: PerlFixupHandler doesn't run after authz phase returns HTTP_UNAUTHORIZED

Posted by Torsten Förtsch <to...@gmx.net>.

On Friday, September 24, 2010 02:33:35 Kim Goldov wrote:
> However, it seems that the fixup phase does not run after an
> authorization hook or handler returns HTTP_UNAUTHORIZED or REDIRECT.

Any handler returning an error aborts the transaction.

> Is there a way around this, or is there another handler phase that I
> can use to manipulate the return code and HTTP header?

ErrorDocument, $r->custom_response

Torsten Förtsch

-- 
Need professional modperl support? Hire me! (http://foertsch.name)

Like fantasy? http://kabatinte.net