You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by tyju tiui <jc...@yahoo.com> on 2008/06/14 04:56:14 UTC
setting a server variable
Hi,
I'm new to mod_perl and I'm having some difficulty understanding a few things.
I'd like to write an Apache module which authenticates a request based on the URL.
I only want the module to deny invalid requests and allow valid requests to be processed as normal.
A more specific example would be like:
Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
Module logic: if REALLY-SECURE-TOKEN is valid, allow the request to continue - else, stop request with an error
External application logic: if request got here without error then
find the file2download and write it to the output stream - else, show
custom error
I think the best way to do this is something like:
1) Write a module which evaluates the URL and places a variable in the request's scope
2)
Use mod_rewrite to evaluate the newly set variable and pass execution
to the proper place with any error code that might have been placed in
the variable
I've been reading books, howto's, and on-line documentation for the past two days and I still have no idea where to begin.
Any advice would be greatly appreciated.
Thanks,
Ty
Re: setting a server variable
Posted by André Warnier <aw...@ice-sa.com>.
tyju tiui wrote:
> Hi,
>
> I'm new to mod_perl and I'm having some difficulty understanding a few things.
> I'd like to write an Apache module which authenticates a request based on the URL.
> I only want the module to deny invalid requests and allow valid requests to be processed as normal.
>
> A more specific example would be like:
>
> Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
> Module logic: if REALLY-SECURE-TOKEN is valid, allow the request to continue - else, stop request with an error
>
> External application logic: if request got here without error then
> find the file2download and write it to the output stream - else, show
> custom error
>
>
> I think the best way to do this is something like:
>
> 1) Write a module which evaluates the URL and places a variable in the request's scope
> 2)
> Use mod_rewrite to evaluate the newly set variable and pass execution
> to the proper place with any error code that might have been placed in
> the variable
>
With mod_perl, it might not be so complicated.
What you probably want is a PerlAccessHandler module.
This will check if the request URL is ok (valid token).
If it is, it returns Apache2::Const::OK, and Apache will continue
processing the request (e.g., sending the file).
If the token is not ok, it returns Apache2::Const::FORBIDDEN, and Apache
will (automatically) return an error page telling the user he is not
allowed to do that.
Look there for an explanation and an example :
http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlAccessHandler
In your case, forget the Apache2::Connection and the IP-linked stuff,
and replace it with your code to check the URL.
In the Apache configuration, you would have something like this :
<Location />
.. general rules for allowing things like html pages, gifs etc..
</Location>
<Location /downloads>
# where your files are
SetHandler mod_perl
PerlAccessHandler MyModule
...
</Location>
And that's basically it.
Now, if this is your first mod_perl Apache add-on module, you'll have to
figure out some more stuff, but it's fun.
André
Re: setting a server variable
Posted by Frank Wiles <fr...@wiles.org>.
On Fri, 13 Jun 2008 19:56:14 -0700 (PDT)
tyju tiui <jc...@yahoo.com> wrote:
>
> Hi,
>
> I'm new to mod_perl and I'm having some difficulty understanding a
> few things. I'd like to write an Apache module which authenticates a
> request based on the URL. I only want the module to deny invalid
> requests and allow valid requests to be processed as normal.
>
> A more specific example would be like:
>
> Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
> Module logic: if REALLY-SECURE-TOKEN is valid, allow the request
> to continue - else, stop request with an error
> External application logic: if request got here without error then
> find the file2download and write it to the output stream - else, show
> custom error
>
>
> I think the best way to do this is something like:
>
> 1) Write a module which evaluates the URL and places a variable in
> the request's scope
> 2)
> Use mod_rewrite to evaluate the newly set variable and pass execution
> to the proper place with any error code that might have been placed in
> the variable
>
> I've been reading books, howto's, and on-line documentation for the
> past two days and I still have no idea where to begin. Any advice
> would be greatly appreciated.
My advice would be to change your URLs to be:
http://myhost.com/securefiles/REALLY-SECURE-TOKEN/filename
Then write a handler that does something along these lines:
use Apache2::RequestRec;
use Apache2::RequestUtil;
use Apache2::RequestIO;
sub handler {
my $r = shift;
# Get the parts of the URI we are interested in
my $uri = $r->uri;
my $root = $r->location;
$uri =~ s!^$root!!; # Strip off http://myhose.com/securefiles
$uri =~ s!//!/!og; # Remove any double slashes
$uri =~ s!^/!!o; # Remove the first slash
# Now that we're left with just REALLY-SECURE-KEY/filename,
# split it up
my ( $secure_key, $filename ) = split( '/', $uri );
# Verify the secure key
if( verify( $secure_key ) ) {
$r->sendfile( $filename );
return( Apache2::Const::OK );
}
else {
return( Apache2::Const::FORBIDDEN );
}
}
}
It would be configured as:
<Location /securefiles>
SetHandler modperl
PerlResponseHandler YourHandlerNameHere
</Location>
You could also do this as an AuthHandler as was previously
mentioned, but for something this simple I don't see much
point in breaking it up unless you're going to use these
secure keys for many different things.
-------------------------------------------------------
Frank Wiles, Revolution Systems, LLC.
Personal : frank@wiles.org http://www.wiles.org
Work : frank@revsys.com http://www.revsys.com