Posted to modperl@perl.apache.org by Mark Holt <ma...@madmardy.com> on 2001/05/11 06:15:17 UTC

perl-based authentication

OK, let me be more specific.  Here is the problem I face:

Hosting of (potentially) millions of websites in a single framework.
Clients are not given their own VirtualHost tag in the config file
(there are too many), but instead their document root is derived from
their hostname.  Clients can fluctuate between free and paid users.  A
mod_perl filter script currently inserts a banner on each HTML page or
does nothing, for free and paid users, respectively.

Now we want to add Basic HTTP authentication to our paid service.  We
want to do this using .htaccess files, since this is the method
supported by Microsoft FrontPage and improved mod_frontpage on UNIX.
This is impossible to do for everyone, since we would take a serious
performance loss checking for .htaccess files in the entire directory
tree on every hit.  I have written some code that will interpret a
simple "require valid-user" statement, parse the indicated password
file, and grant or deny access.  I added this to the filter script and
it works fine, and is only executed when the website is a paid one.

The problem with this is I'm realizing how complex the .htaccess-based
authentication scheme is, and I don't feel like coding the rest of it
when it's already done.  I want a mod_perl solution to enable .htaccess
authentication in the case of a paid user.  There is no trivial (i.e.
standard apache) way to tell whether a user is paid, it takes a couple
of lines of perl code (let's say a file stat or DB lookup).

Now to my question:  Is it possible, using mod_perl, to activate
Apache's standard .htaccess-based authentication scheme on a per-hit
basis, based on the results of perl code to determine whether the user
is a paying one?  Will this solution avoid checking for the existence of
.htaccess files on every hit that is not a paid one?  If so, how is this
to be done?  (Please give code or at least pseudocode where possible.)
For those who have read this far, I appreciate your time and I thank you
for all of your contributions in advance.

Mark Holt


Re: perl-based authentication

Posted by will trillich <wi...@serensoft.com>.
On Thu, May 10, 2001 at 11:50:31PM -0600, Mark Holt wrote:
> parsing the .htaccess files is what I'm trying to avoid.  I want the standard apache
> module to do that.  I just want to control *when*.

have you considered breaking up the apache instances, maybe?
might be a bad idea, but i thought i'd suggest it...

if paid-vs-free hosts are reasonably well-known at server
startup, and there's not lots of changeover from one group to
another, maybe you can break the server up into two instances?
one for paid (looking at the .htaccess files) and another for
freebies (ignore .htaccess files)...

-- 
my other .signature is really witty.

will@serensoft.com
http://sourceforge.net/projects/newbiedoc -- we need your brain!
http://www.dontUthink.com/ -- your brain needs us!

Re: perl-based authentication

Posted by Mark Holt <ma...@madmardy.com>.
parsing the .htaccess files is what I'm trying to avoid.  I want the standard apache
module to do that.  I just want to control *when*.

Clayton Cottingham aka drfrog wrote:

> hello
>
> is this not something like what Apache::AuthCookie
> or some other Auth scheme does?
>  or am i just missing the boat?
>
> you could use something
> like AuthCookie in a dummy situation
> get $r->uri
> grab the .htaccess from that location and parse?


Re: perl-based authentication

Posted by Clayton Cottingham aka drfrog <dr...@smartt.com>.
hello

is this not something like what Apache::AuthCookie 
or some other Auth scheme does?
 or am i just missing the boat?

you could use something 
like AuthCookie in a dummy situation
get $r->uri
grab the .htaccess from that location and parse?


Time Co-Ordinate Thu, 10 May 2001 23:16:29 -0600, The Organism labeled Mark
Holt said:

> >
>  >
>  > Not really, the current Apache doesn't let you decide on the fly whether
>  > to challenge the client with basic auth or not unless you use .htaccess.
>  
>  If I wrote my own PerlAuthHandler, could it then choose whether to pass through
>  to the standard AuthHandler?
>  
>  > .htaccess is not used only for auth!!! it's used for adding per-directory
>  > extra configuration (usually to override the defaults).
>  
>  Yes I was envisioning something along these lines in the config file:
>  <Perl>
>  #code to determine paid status
>  if ($paid) { $AllowOverride = "AuthConfig" }
>  </Perl>
>  Or something like that.  Not being a mod_perl guru I don't know the syntax, but
>  I wondered if a construct like this would work on a per-hit basis, or if not, if
>  someone knew a better one.
>  
>  > So your second question has nothing to do with the first one :)
>  
>  You're right: one dealing with feasibility of checking for .htaccess files based
>  on perl code, and one with scalability--not checking for .htaccess files when
>  not necessary.
>  
>  >
>  > You can specify the Auth data in your httpd.conf and avoid creating
>  > .htaccess, saving processing time, but making it harder to maintain
>  > (requires server restart for each modification, whereas .htaccess allows
>  > to do 'hot' modifications without restarting the server).
>  
>  That is not feasible, because if we can't even afford to put a VirtualHost tag
>  in for every user, how much less could we afford auth data and server restarts?
>  But you may be on the right track.  Can we use perl code in the global config
>  file to control auth?  I just want a way to activate the standard auth handler
>  per-hit.  It has to be possible in mod_perl.  Someone out there has to be wizard
>  enough to know how.  Hopefully that person will be reading this soon.
>  
>  Thanks,
>  Mark
>  
>  
>  


Re: perl-based authentication

Posted by Mark Holt <ma...@madmardy.com>.
>
>
> Not really, the current Apache doesn't let you decide on the fly whether
> to challenge the client with basic auth or not unless you use .htaccess.

If I wrote my own PerlAuthHandler, could it then choose whether to pass through
to the standard AuthHandler?

> .htaccess is not used only for auth!!! it's used for adding per-directory
> extra configuration (usually to override the defaults).

Yes I was envisioning something along these lines in the config file:
<Perl>
#code to determine paid status
if ($paid) { $AllowOverride = "AuthConfig" }
</Perl>
Or something like that.  Not being a mod_perl guru I don't know the syntax, but
I wondered if a construct like this would work on a per-hit basis, or if not, if
someone knew a better one.

> So your second question has nothing to do with the first one :)

You're right: one dealing with feasibility of checking for .htaccess files based
on perl code, and one with scalability--not checking for .htaccess files when
not necessary.

>
> You can specify the Auth data in your httpd.conf and avoid creating
> .htaccess, saving processing time, but making it harder to maintain
> (requires server restart for each modification, whereas .htaccess allows
> to do 'hot' modifications without restarting the server).

That is not feasible, because if we can't even afford to put a VirtualHost tag
in for every user, how much less could we afford auth data and server restarts?
But you may be on the right track.  Can we use perl code in the global config
file to control auth?  I just want a way to activate the standard auth handler
per-hit.  It has to be possible in mod_perl.  Someone out there has to be wizard
enough to know how.  Hopefully that person will be reading this soon.

Thanks,
Mark


Re: perl-based authentication

Posted by Stas Bekman <st...@stason.org>.
On Thu, 10 May 2001, Mark Holt wrote:

[snipped the situation explanation]

> Now to my question:  Is it possible, using mod_perl, to activate
> Apache's standard .htaccess-based authentication scheme on a per-hit
> basis, based on the results of perl code to determine whether the user
> is a paying one?

Not really, the current Apache doesn't let you decide on the fly whether
to challenge the client with basic auth or not unless you use .htaccess.
You can hook different handlers to process the submitted log/password, but
not to decide whether to ask for log/passwd (for the first time).

But you can write your auth with HTML coded login-form screen. Make sure
to enforce running it over https, to make it more secure. Look at
http://www.modperl.com/book/chapters/ch6.html#Cookie_Based_Access_Control
for an example. Once you do it on your own you can do whatever you want.

> Will this solution avoid checking for the existence of
> .htaccess files on every hit that is not a paid one?  If so, how is this
> to be done?  (Please give code or at least pseudocode where possible.)
> For those who have read this far, I appreciate your time and I thank you
> for all of your contributions in advance.

.htaccess is not used only for auth!!! it's used for adding per-directory
extra configuration (usually to override the defaults). So if you don't
have AllowOverride None it'll be *always* looked up, see also:
http://perl.apache.org/guide/performance.html#Reducing_the_Number_of_stat_Ca

So your second question has nothing to do with the first one :)

You can specify the Auth data in your httpd.conf and avoid creating
.htaccess, saving processing time, but making it harder to maintain
(requires server restart for each modification, whereas .htaccess allows
to do 'hot' modifications without restarting the server).

_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide
mailto:stas@stason.org   http://apachetoday.com http://eXtropia.com/
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
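The following is an added example, not code from anyone in this thread. It shows the shape of the approach Stas's reply points to for Mark's question: keep `AllowOverride None` so Apache never stats `.htaccess` on any hit, put a single `require valid-user` in the global config, and let a mod_perl 1.x `PerlAuthenHandler` decide per hit whether the host is a paid one before it issues a Basic challenge. It does not switch Apache's own `mod_auth` on and off per hit (the thread says that is not possible); instead the Perl handler performs the Basic check itself for paid hosts and returns `OK` without a challenge for free ones. The package name `My::PaidAuth`, the `/etc/paid-hosts` list, the `.members-passwd` file location and the httpd.conf fragment in the comments are all assumptions made for this example, and the password check handles only traditional `crypt(3)` htpasswd entries; `$apr1$` and `{SHA}` entries are rejected rather than silently accepted.

```perl
# Added example (not from the thread): a mod_perl 1.x / Apache 1.3
# PerlAuthenHandler that challenges for HTTP Basic credentials only when
# the requested host is a paid site.
#
# Assumed httpd.conf fragment:
#
#   AllowOverride None                   # never look up .htaccess on any hit
#   <Location />
#       AuthType Basic
#       AuthName "Members only"
#       PerlAuthenHandler My::PaidAuth
#       PerlAuthzHandler  My::PaidAuth::authz
#       require valid-user
#   </Location>
package My::PaidAuth;
use strict;
use Apache::Constants qw(OK AUTH_REQUIRED);

# Assumption: one hostname per line in this file means "paid".  A DB lookup
# or file stat would go here in a real deployment; the point is that the
# decision is a couple of lines of Perl, as the original question says.
my $PAID_HOSTS_FILE = '/etc/paid-hosts';

sub is_paid {
    my ($host) = @_;
    open my $fh, '<', $PAID_HOSTS_FILE or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        return 1 if lc $line eq lc $host;      # exact match only
    }
    return 0;
}

# Compare two strings without stopping at the first mismatch, so the time
# taken does not reveal how many leading characters matched.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Look up $user in an htpasswd-style file (user:hash per line) and verify
# $pw against the stored hash.  Only traditional crypt(3) entries are
# supported here (an assumption for brevity); $apr1$ and {SHA} entries
# count as a failed login rather than being accepted unchecked.
sub check_password {
    my ($file, $user, $pw) = @_;
    open my $fh, '<', $file or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $hash) = split /:/, $line, 2;
        next unless defined $hash && $u eq $user;
        return 0 if $hash =~ /^\$apr1\$/ || $hash =~ /^\{SHA\}/;   # unsupported formats
        return const_eq(crypt($pw, $hash), $hash);
    }
    return 0;   # unknown user: same outcome as a wrong password
}

sub handler {
    my $r = shift;
    return OK unless $r->is_initial_req;          # do not re-run for subrequests

    # Free site: no challenge at all.  The auth phase still runs, but the
    # client never sees a 401 and no .htaccess is consulted.
    return OK unless is_paid($r->hostname);

    # Paid site: get_basic_auth_pw sends the 401 itself when no credentials
    # were supplied, so we just pass its status back.
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;

    my $user = $r->connection->user;
    # Assumption: each paid site keeps its password file next to, not
    # inside, its document root, so it can never be served as content.
    my $pwfile = $r->document_root . '/../.members-passwd';

    unless (defined $user && check_password($pwfile, $user, $sent_pw)) {
        $r->note_basic_auth_failure;               # re-issue WWW-Authenticate
        $r->log_reason('bad credentials for ' . (defined $user ? $user : '-'), $r->uri);
        return AUTH_REQUIRED;                      # password itself is never logged
    }
    return OK;
}

# Authorization phase: paid sites reached this point only after a successful
# check above, and free sites are allowed through unchallenged.
sub authz { return OK; }

1;
```

Because the authentication handler, not `.htaccess`, decides whether to challenge, the per-hit cost for a free site is the `is_paid` lookup and nothing else; the htpasswd file is only opened for paid hosts that actually supplied credentials. The trade-off Stas describes remains: paid customers cannot edit protection settings through FrontPage-style `.htaccess` files under this scheme, so the password file location has to be a convention the hosting framework manages.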