Posted to modperl@perl.apache.org by Fatih Gey <ma...@gey-netsolutions.de> on 2003/07/21 01:05:58 UTC

[QUESTION] Can't read out verified username (auth)

Hi,

I was writing my own AuthHandler with mod_perl v2 (v1.99_09).
Getting the username/password pair from an HTML form (submitted via POST) and finally
checking it against a MySQL table works fine so far.

Once the authentication has taken place.. the username should be remembered
in some way, so the user doesn't have to enter their password info on every request... and this is 
what doesn't work in my code: 

--- /usr/lib/perl5/site_perl/5.8.0/MyIntranet/AuthHandler
package MyIntranet::AuthHandler;   # package name must match the file path above (was "Myintranet")

use strict;
use Apache::Const qw(OK FORBIDDEN AUTH_REQUIRED SERVER_ERROR);
use Apache::RequestRec;
use Apache::Connection;
use Apache::compat;                 # provides $r->content() for reading the POSTed form
use Mysql;

sub handler {
   my $obj = shift;                 # the Apache::RequestRec object for this request

   # Already authenticated within this request? Nothing more to do.
   return OK if ($obj->user);

   # Read the user/pass pair from the POSTed HTML form.
   my %params = $obj->content();
   # [..]  (check of $params{'user'}/$params{'pass'} against the MySQL table, elided in the post)
   $obj->user($params{'user'});
   return OK;
}

1;   # a module file must return true so Apache can load it
--- EOF
After having entered user/pass via the HTML form, this authentication does its job well, but on the following request
(in the same browser) $obj->user doesn't seem to return any value.. so this handler tries to compare HTTP POST data (
which isn't present this time) with user data in the MySQL table.. resulting in an Auth_Required error.

Any logical mistake doing this way of "reauthorizing" .. or anything missing ? 
Available documentation - mod_perl cookbook included - does it that way ...
Thanks for help/any hints!

F. Gey

Re: [QUESTION] Can't read out verified username (auth)

Posted by Thomas Klausner <do...@zsi.at>.
Hi!

On Mon, Jul 21, 2003 at 12:36:55 +0200, Fatih Gey wrote:
> I supposed the browser to always resend a unique "browser session id", which
> is used by apache to save certain values, like $ENV{'REMOTE_USER'}
> (similar to a session-cookie with uid and server-based $vars) .. 
> Isn't this the way the Basic Authentication scheme works ? .. 

I do not know how much Auth stuff changed in Apache 2.0/mod_perl 2, but you
seem to mix up checking user credentials in the response phase (as done in
CGI or PHP) with writing your own Auth Handlers that replace the standard
Apache ones.

If you get the user credentials via a web form, you are usually NOT using
BASIC Auth but your own scheme (or something like Apache::AuthCookie). Thus,
$r->connection->user is not set.

Take a look at:
* Chapter 6 of the Eagle book, available online at:
  http://modperl.com:9000/book/chapters/ch6.html
  
* Chapter 13.7 of the mod_perl Cookbook

* Apache::AuthCookie

At least that's how it works with mod_perl 1.x ...

-- 
#!/usr/bin/perl                               http://domm.zsi.at
for(ref bless{},just'another'perl'hacker){s-:+-$"-g&&print$_.$/}

Re: [QUESTION] Can't read out verified username (auth)

Posted by Martin Wickman <ma...@wickman.com>.
On Wed, Jul 23, 2003 at 02:37:30PM +0200, Fatih Gey wrote:
> From: "Martin Wickman" <ma...@wickman.com>

[...]

> > Nope. When the browser gets a 401 response from the server, it
> > will (most likely) pop up a dialog asking the user for name and
> > password. These credentials get mangled into an Authorization
> > header which gets sent with the next request once the user clicks
> > OK in the dialog. Now, you can perform your authen-code as you
> > like.  Cookies and forms have got nothing to do with it, really.  Read
> > more here: http://www.faqs.org/rfcs/rfc2617.html
> > 
> 
> Oh OK.., now I get it: In the Basic Auth scheme, the user agent -after
> getting the required user and pass info from the client- resends its
> Authorization string in every request header submitted to the
> server. 

Correct.

> So the webserver does not have to recognize an already authorized user,
> as long as it is able to authorize the user on every request.

Correct. But you still have to do the authorization for each
request. The nice thing is that one can delegate the authorization to
the webserver, so that the application just has to check if
REMOTE_USER is set or not.

> So there's no way to use an HTML form instead of the browser's ugly
> authorization box and perform the Basic Authorization (without
> cookies or putting a session key in the URL)?

Correct, there is no official way.

Except... there is one possibility. Most browsers understand the URL
'http://userid:password@www.example.com/protected/', and will parse
that URL and submit the credentials as if they were collected in the
standard popup as usual. So, in fact, you _can_ do your authorization
using a normal HTML form and then, upon valid credentials, create
such a URL for the user to click/redirect. Messy, but it works.

My personal opinion is that the "ugly" popup may indeed be plain and
boring, but it is the only standard and reasonably secure way of doing
authentication. Btw, always use https or you will leak passwords all
over the network.
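An added example (not code from this thread or from the mod_perl project) of what Martin describes: a mod_perl 2 PerlAuthenHandler that verifies the Authorization header the browser resends on every request and leaves the verified name in $r->user, so the content handler only has to look at REMOTE_USER. It uses the 1.99-era API the original post already uses (Apache::Const, Apache::RequestRec) plus Apache::Access for get_basic_auth_pw/note_basic_auth_failure; the package name, the httpd.conf fragment and the in-memory user table are hypothetical/constructed stand-ins for the poster's MySQL table.

```perl
# Added example, not code from the thread. Package name and user table are
# hypothetical/constructed. Assumed httpd.conf fragment (AuthName is what
# note_basic_auth_failure puts into the WWW-Authenticate header):
#
#   <Location /protected>
#       SSLRequireSSL                      # Basic sends the password on every request
#       AuthType Basic
#       AuthName "MyIntranet"
#       PerlAuthenHandler MyIntranet::BasicAuthHandler
#       Require valid-user
#   </Location>
package MyIntranet::BasicAuthHandler;

use strict;
use warnings;
use Apache::RequestRec ();
use Apache::Access ();        # $r->get_basic_auth_pw, $r->note_basic_auth_failure
use Apache::Log ();           # $r->log_error
use Apache::Const qw(OK AUTH_REQUIRED);

# Constructed stand-in for the MySQL table: user => crypt() hash of the
# password. A real handler would SELECT this from the table; the point is
# that only a salted hash is stored, never the clear-text password.
my %USERS = (
    alice => crypt('s3cret', 'ab'),    # constructed sample account
);

# Returns 1 if the user exists and the password matches its stored hash.
sub check_credentials {
    my ($user, $password) = @_;
    return 0 unless defined $user && defined $password;
    my $stored = $USERS{$user} or return 0;
    # Re-hash the submitted password using the stored hash as the salt.
    return crypt($password, $stored) eq $stored ? 1 : 0;
}

sub handler {
    my $r = shift;

    # Parse the "Authorization: Basic ..." header of *this* request. If it
    # is missing, get_basic_auth_pw has already set up the 401 response
    # (WWW-Authenticate with the configured AuthName); just return its status.
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == OK;

    # get_basic_auth_pw stored the user name in $r->user, but it is not
    # trusted yet: nothing has been checked against our table.
    my $user = $r->user;

    if (check_credentials($user, $password)) {
        # Verified. $r->user / REMOTE_USER is set for the rest of this
        # request only; nothing is remembered server side. The browser will
        # send the same header on the next request and we verify it again.
        return OK;
    }

    # Wrong user or password: tell the browser to ask the user again.
    $r->note_basic_auth_failure;
    $r->log_error("Basic auth failed for user '"
                  . (defined $user ? $user : '') . "'");
    return AUTH_REQUIRED;
}

1;
```

With this in place the handler from the original post no longer needs to "remember" anything: every request either carries valid credentials and gets OK, or gets a 401 and the browser re-prompts. Logging the failed user name (but never the password) gives the server log something to alert on for repeated failures.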

Re: [QUESTION] Can't read out verified username (auth)

Posted by Fatih Gey <ma...@gey-netsolutions.de>.
----- Original Message ----- 
From: "Martin Wickman" <ma...@wickman.com>
To: <mo...@perl.apache.org>
Sent: Monday, July 21, 2003 4:41 PM
Subject: Re: [QUESTION] Can't read out verified username (auth)


> On Mon, Jul 21, 2003 at 12:36:55PM +0200, Fatih Gey wrote:
> > > On Mon, Jul 21, 2003 at 01:05:58AM +0200, Fatih Gey wrote:
> > > > 
> > > > I was writing my own AuthHandler with mod_perl v2 (v1.99_09).
> > > 
> > > [...]
> > > 
> > > > After having entered user/pass via the HTML form, this authentication
> > > > does its job well, but on the following request (in the same browser)
> > > > $obj->user doesn't seem to return any value.. so this handler tries
> > > > to compare HTTP POST data ( which isn't present this time) with
> > > > user data in the MySQL table.. resulting in an Auth_Required error.
> > > 
> > > Well, how do you suppose that the browser should know how and what
> > > credentials to send? 
> > > 
> > > Unless you (a) create a session cookie, (b) encode a session key into
> > > each URL or (c) use the simple but proper Basic Authentication scheme,
> > > there is no way to accomplish this. And from what I gather you are not
> > > doing any of that?
> > > 
> >
> > I supposed the browser to always resend a unique "browser session
> > id", which is used by apache to save certain values, like
> > $ENV{'REMOTE_USER'} (similar to a session-cookie with uid and
> > server-based $vars) ..  Isn't this the way the Basic Authentication
> > scheme works ? ..
> 
> Nope. When the browser gets a 401 response from the server, it will
> (most likely) pop up a dialog asking the user for name and
> password. These credentials get mangled into an Authorization header
> which gets sent with the next request once the user clicks OK in the
> dialog. Now, you can perform your authen-code as you like.
> 
> Cookies and forms have got nothing to do with it, really.
> 
> Read more here: http://www.faqs.org/rfcs/rfc2617.html
> 
> 
> 

Oh OK.., now I get it: In the Basic Auth scheme, the user agent -after getting the 
required user and pass info from the client- resends its Authorization string in every request header
submitted to the server. So the webserver does not have to recognize an already authorized user,
as long as it is able to authorize the user on every request.

So there's no way to use an HTML form instead of the browser's ugly authorization box and perform the 
Basic Authorization (without cookies or putting a session key in the URL)? 


Re: [QUESTION] Can't read out verified username (auth)

Posted by Martin Wickman <ma...@wickman.com>.
On Mon, Jul 21, 2003 at 12:36:55PM +0200, Fatih Gey wrote:
> > On Mon, Jul 21, 2003 at 01:05:58AM +0200, Fatih Gey wrote:
> > > 
> > > I was writing my own AuthHandler with mod_perl v2 (v1.99_09).
> > 
> > [...]
> > 
> > > After having entered user/pass via the HTML form, this authentication
> > > does its job well, but on the following request (in the same browser)
> > > $obj->user doesn't seem to return any value.. so this handler tries
> > > to compare HTTP POST data ( which isn't present this time) with
> > > user data in the MySQL table.. resulting in an Auth_Required error.
> > 
> > Well, how do you suppose that the browser should know how and what
> > credentials to send? 
> > 
> > Unless you (a) create a session cookie, (b) encode a session key into
> > each URL or (c) use the simple but proper Basic Authentication scheme,
> > there is no way to accomplish this. And from what I gather you are not
> > doing any of that?
> > 
>
> I supposed the browser to always resend a unique "browser session
> id", which is used by apache to save certain values, like
> $ENV{'REMOTE_USER'} (similar to a session-cookie with uid and
> server-based $vars) ..  Isn't this the way the Basic Authentication
> scheme works ? ..

Nope. When the browser gets a 401 response from the server, it will
(most likely) pop up a dialog asking the user for name and
password. These credentials get mangled into an Authorization header
which gets sent with the next request once the user clicks OK in the
dialog. Now, you can perform your authen-code as you like.

Cookies and forms have got nothing to do with it, really.

Read more here: http://www.faqs.org/rfcs/rfc2617.html


Re: [QUESTION] Can't read out verified username (auth)

Posted by Fatih Gey <ma...@gey-netsolutions.de>.
> On Mon, Jul 21, 2003 at 01:05:58AM +0200, Fatih Gey wrote:
> > 
> > I was writing my own AuthHandler with mod_perl v2 (v1.99_09).
> 
> [...]
> 
> > After having entered user/pass via the HTML form, this authentication
> > does its job well, but on the following request (in the same browser)
> > $obj->user doesn't seem to return any value.. so this handler tries
> > to compare HTTP POST data ( which isn't present this time) with
> > user data in the MySQL table.. resulting in an Auth_Required error.
> 
> Well, how do you suppose that the browser should know how and what
> credentials to send? 
> 
> Unless you (a) create a session cookie, (b) encode a session key into
> each URL or (c) use the simple but proper Basic Authentication scheme,
> there is no way to accomplish this. And from what I gather you are not
> doing any of that?
> 
I supposed the browser to always resend a unique "browser session id", which
is used by apache to save certain values, like $ENV{'REMOTE_USER'}
(similar to a session-cookie with uid and server-based $vars) .. 
Isn't this the way the Basic Authentication scheme works ? .. 

Re: [QUESTION] Can't read out verified username (auth)

Posted by Martin Wickman <ma...@wickman.com>.
On Mon, Jul 21, 2003 at 01:05:58AM +0200, Fatih Gey wrote:
> 
> I was writing my own AuthHandler with mod_perl v2 (v1.99_09).

[...]

> After having entered user/pass via the HTML form, this authentication
> does its job well, but on the following request (in the same browser)
> $obj->user doesn't seem to return any value.. so this handler tries
> to compare HTTP POST data ( which isn't present this time) with
> user data in the MySQL table.. resulting in an Auth_Required error.

Well, how do you suppose that the browser should know how and what
credentials to send? 

Unless you (a) create a session cookie, (b) encode a session key into
each URL or (c) use the simple but proper Basic Authentication scheme,
there is no way to accomplish this. And from what I gather you are not
doing any of that?