Posted to modperl@perl.apache.org by will trillich <wi...@pinncomp.net> on 2000/08/18 18:36:02 UTC

PerlAuthenHandler -- doesn't get there...?

i canna get the PerlAuthenHandler to do ANYTHING. first
line of code after $r = shift is $r->warn() but nothing
shows up in the log. aaugh!

i copied the sample code from 'illustrated security scenarios' 
at http://perl.apache.org/guide/security.html nearly verbatim,
(cut & paste + munge) changed '(*PASSED*)' to a simple test
(moot, at this point) and inserted a few $r->warn("") for tracing
and debugging purposes.

access_handler() works fine. all its $r->warn output shows up 
in the logfile as it should.

BUT i never see any incursion into the authen_handler() AT ALL!

[my main site is serensoft.com; the virtual site is dontUthink.com
and the url i'm trying to test is dontUthink.com/auth ... it lets
me in, every time, without asking for any userid:password.]

httpd.conf:
    PerlModule Serensoft::Auth

    <Location /auth>
        PerlAccessHandler Serensoft::Auth::access_handler
        PerlSetVar Intranet "this => that"
        PerlAuthenHandler Serensoft::Auth::authen_handler
        AuthName "dontUthink subscriber"
        AuthType Basic
        Require valid-user
    </Location>

Serensoft/Auth.pm:
	package Serensoft::Auth;
	use strict;
	use Apache::Constants qw(:common);

	[snip]

	sub authen_handler {
	    my $r = shift;
	$r->warn('authen_handler'); # <== NEVER gets here!!!

	    # get user's authentication credentials
	    my ($res, $sent_pw) = $r->get_basic_auth_pw;
	    return $res if $res != OK;
	    my $user = $r->connection->user;

	    # authenticate through DBI
	    my $reason = authen_dbi ($r, $user, $sent_pw); # $level? eh?

	    if ($reason) {
	        $r->note_basic_auth_failure;
	        $r->log_reason ($reason, $r->uri);
	        return AUTH_REQUIRED;
	    }
	    return OK;
	}

i even tried adding
	$r->set_handlers(PerlAuthenHandler => [\&authen_handler]);
right at the end of access_handler() (before returning OK)
but alas, to no avail.

what obvious dial have i forgotten to frob?

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.

Re: PerlModule in .htaccess (for auth) faults (possible patch for perl_config.c)

Posted by Doug MacEachern <do...@covalent.net>.
On 22 Aug 2000, Andrew Gideon wrote:
... 
> My .htaccess file contains:
> 
> 	PerlModule          Apache::TAGXSessionAuth 
> 	PerlAuthenHandler   Apache::TAGXSessionAuth->authen 
> 	PerlAuthzHandler    Apache::TAGXSessionAuth->authz 
> 
> After attaching to a child process and getting the segv, 
> the stack looks like:
> 
> 	(gdb) where 
> 	#0  0x107810 in ap_push_array ()

thanks for digging into this andrew.
i think the problem is related to the perl_merge_server_config routine:
#if 0
    /* We don't merge these because they're inlined */
    mrg->PerlModule = append_arrays(p, add->PerlModule, base->PerlModule);
    mrg->PerlRequire = append_arrays(p, add->PerlRequire, base->PerlRequire);
#endif

this means that VirtualHost configs have NULL for both arrays.  this is
fine at startup time, since mod_perl only uses the base_server config.
a simple fix is to not push if either is NULL:

Index: src/modules/perl/perl_config.c
===================================================================
RCS file: /home/cvs/modperl/src/modules/perl/perl_config.c,v
retrieving revision 1.103
diff -u -u -r1.103 perl_config.c
--- src/modules/perl/perl_config.c	2000/09/26 20:05:22	1.103
+++ src/modules/perl/perl_config.c	2000/09/26 20:59:48
@@ -587,8 +587,11 @@
 	    return NULL;
 	}
     }
-    *(char **)push_array(cls->PerlModule) = pstrdup(parms->pool, arg);
 
+    if (cld->PerlModule) {
+        *(char **)push_array(cls->PerlModule) = pstrdup(parms->pool, arg);
+    }
+
 #ifdef PERL_SECTIONS
     if(CAN_SELF_BOOT_SECTIONS)
 	perl_section_self_boot(parms, dummy, arg);
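
Review bot: the guard added in this hunk tests cld->PerlModule, but the push inside it still writes through cls->PerlModule, whereas the PerlRequire hunk below tests and pushes the same cls pointer. Unless cld is declared in this function and refers to the same config, this either does not compile or leaves a NULL cls->PerlModule unguarded. Suggest "if (cls->PerlModule) {" to match the second hunk.
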
@@ -618,7 +621,9 @@
 	}
     }
 
-    *(char **)push_array(cls->PerlRequire) = pstrdup(parms->pool, arg);
+    if (cls->PerlRequire) {
+        *(char **)push_array(cls->PerlRequire) = pstrdup(parms->pool, arg);
+    }
 
 #ifdef PERL_SECTIONS
     if(CAN_SELF_BOOT_SECTIONS)
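
Review bot: the "if (cls->PerlRequire)" guard silently skips recording the argument when the array is NULL, and nothing in the hunk says why dropping it is safe. A short comment above the guard would help, noting that per-VirtualHost configs are left unmerged by the "#if 0" block in perl_merge_server_config and that only the base server's array is read at startup. The same comment applies to the PerlModule guard in the first hunk.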


PerlModule in .htaccess (for auth) faults (possible patch for perl_config.c)

Posted by Andrew Gideon <ag...@gideon.org>.
In article <39...@pinncomp.net>,
	will@pinncomp.net (will trillich) writes:

> from http://perl.apache.org/current/htdocs/manual/mod/mod_perl.html
> 	PerlModule directive
> 
> 	Description: List of Perl modules
> 
> 	Syntax: PerlModule Arg1 x n (ITERATE) 
> 	PerlSyntax: push @PerlModule, $arg1 
> 	Context: Allowed in *.conf anywhere and in .htaccess 
> 	Override: Any other than None 
> 	Status: Extension 
> 	Module: mod_perl 
> 
> yet when i put 'PerlModule Serensoft::Auth' into
> the .htaccess file i consistently got
> 	[notice] child pid 30127 exit signal Segmentation fault (11)
> 
> moving it back into the /etc/apache/httpd.conf file,
> all is sparkly again.

I'm seeing the same thing (or something quite similar) here:

	Solaris 2.7/Sparc
	Apache 1.3.12 (Stronghold)
	mod_perl/1.24
	egcs-1.1.1

My .htaccess file contains:

	PerlModule          Apache::TAGXSessionAuth 
	PerlAuthenHandler   Apache::TAGXSessionAuth->authen 
	PerlAuthzHandler    Apache::TAGXSessionAuth->authz 

After attaching to a child process and getting the segv, 
the stack looks like:

	(gdb) where 
	#0  0x107810 in ap_push_array ()
	#1  0x66a68 in perl_cmd_module ()
	#2  0x10f840 in invoke_cmd ()
	#3  0x10ff74 in ap_handle_command ()
	#4  0x110054 in ap_srm_command_loop ()
	#5  0x110aa8 in ap_parse_htaccess ()
	#6  0x128ea0 in directory_walk ()
	#7  0x12a784 in process_request_internal ()
	#8  0x12ad3c in ap_process_request ()
	#9  0x11e918 in child_main ()
	#10 0x11ec90 in make_child ()
	#11 0x11eda8 in startup_children ()
	#12 0x11f694 in standalone_main ()
	#13 0x120288 in main ()

If PerlModule is placed into the httpd.conf file, 
all works well.

In further debugging, one thing I noted was that, 
at the point ap_push_array() in perl_cmd_module()
is called, the cls structure looks like:

	$3 = {PerlPassEnv = 0x522710, PerlRequire = 0x0, PerlModule = 0x0, PerlTaintCheck = 0, PerlWarn = 0, FreshRestart = 0, PerlInitHandler = 0x0, 
		PerlPostReadRequestHandler = 0x0, PerlTransHandler = 0x0, PerlChildInitHandler = 0x0, PerlChildExitHandler = 0x0, PerlRestartHandler = 0x0, 
		PerlOpmask = 0x0, vars = 0x522730}

I'm pretty sure that PerlModule=0 is wrong.  When I place a 
PerlModule directive into httpd.conf, it is not null (which
is why it works then).

I've a version 1.21 mod_perl also running, and this problem
doesn't occur there.  I noticed that it only pushes the module
onto the PerlModule vector if perl is not already running.  That
makes sense, as the vector is used in perl_startup() to determine
what to perl_require_module().  However, if perl was running, 
the perl_require_module() is already done!

So I tried a return immediately after perl_require_module()'s
successful return in perl_cmd_module().  That appears to have
solved the problem.

But I'm very unfamiliar with this code, so I don't know that 
this is the proper fix.  Anyone else?

	- Andrew
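
The two directive paths described in this message, modelled as an added example that is not mod_perl source and not part of the original post: queue the module name at config-parse time, load immediately and return at request time, and never push onto a NULL array. All types and names (name_array, server_cfg, cmd_module, the My::Auth sample name) are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins, not Apache's array_header or mod_perl's server config. */
typedef struct { char **elts; int nelts, nalloc; } name_array;
typedef struct { name_array *modules; } server_cfg; /* NULL if never merged */

static int interp_running = 0; /* models "perl is already running" */
static int loaded_now = 0;     /* counts immediate loads */

/* Append a copy of name; a NULL array is an error, not a crash. */
static int push_name(name_array *a, const char *name) {
    size_t len = strlen(name) + 1;
    char *copy;
    if (a == NULL) return -1;
    if (a->nelts == a->nalloc) {
        int n = a->nalloc ? a->nalloc * 2 : 4;
        char **p = realloc(a->elts, (size_t)n * sizeof *p);
        if (p == NULL) return -1;
        a->elts = p;
        a->nalloc = n;
    }
    if ((copy = malloc(len)) == NULL) return -1;
    memcpy(copy, name, len);
    a->elts[a->nelts++] = copy;
    return 0;
}

/* Directive handler. Config-file parse before the interpreter exists:
 * queue the name for startup. Request-time parse (.htaccess): load now
 * and return without touching the queue, which may be NULL. */
static int cmd_module(server_cfg *cfg, const char *name) {
    if (interp_running) {
        loaded_now++; /* stands in for requiring the module immediately */
        return 0;
    }
    return push_name(cfg->modules, name);
}

/* Constructed scenario: startup parse on the base server, then a
 * request-time parse on a virtual host whose array was never merged. */
static int run_scenario(void) {
    name_array base_list = { NULL, 0, 0 };
    server_cfg base = { &base_list }, vhost = { NULL };
    interp_running = 0;
    loaded_now = 0;
    if (cmd_module(&base, "My::Auth") != 0 || base_list.nelts != 1) return 1;
    if (cmd_module(&vhost, "My::Auth") != -1) return 2; /* guarded push */
    interp_running = 1;
    if (cmd_module(&vhost, "My::Auth") != 0 || loaded_now != 1) return 3;
    free(base_list.elts[0]);
    free(base_list.elts);
    return 0;
}

int main(void) { return run_scenario(); }
```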

Re: PerlAuthenHandler -- doesn't get there...? SOLVED

Posted by Stas Bekman <st...@stason.org>.
> SO -- Stas, here's a coupla extra tweaks i think you should
> make so that cut/paste newbies (unlike me, of course) will
> have an easier time with this particular example on the next
> iteration:

It's corrected in the guide's cvs version! Thanks Will!

_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:stas@stason.org   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org



Re: PerlAuthenHandler -- doesn't get there...? SOLVED

Posted by will trillich <wi...@pinncomp.net>.
Stas Bekman replied:
> Argh, I wish I could always test every addition I have in the guide, some
> code goes untested as it was posted to the mod_perl or contributed by
> someone else. Then people come and use it, if something is wrong they send
> me a patch I fix it. I guess this is a similar scenario -- I admit that
> this code wasn't tested by me. If you find the problem and solve it,
> please send me the patch, so everybody could benefit from it.
> 
> As for hints you want to read the Eagle book, I try hard not to duplicate
> information in the book, but sometimes I do. The book covers extensively
> the Authentication handler writing. You should start from the Basic one
> that works for you and then move on and add the extra, more complicated
> logic inside.
> 
> I'm looking forward to the patch :) Thanks a lot!

hmm!  "hey, i'm lost in the sears tower. can anybody tell me
how to turn the lights on?" "whoops. maybe if you build your
own skyscraper you can get back with us on that..."  :)

so here's what i've stumbled into, in the dark--

i'm using apache 1.3.9 on debian/gnu linux 2.2:

ONE--

from http://perl.apache.org/current/htdocs/manual/mod/mod_perl.html
	PerlModule directive

	Description: List of Perl modules

	Syntax: PerlModule Arg1 x n (ITERATE) 
	PerlSyntax: push @PerlModule, $arg1 
	Context: Allowed in *.conf anywhere and in .htaccess 
	Override: Any other than None 
	Status: Extension 
	Module: mod_perl 

yet when i put 'PerlModule Serensoft::Auth' into
the .htaccess file i consistently got
	[notice] child pid 30127 exit signal Segmentation fault (11)

moving it back into the /etc/apache/httpd.conf file,
all is sparkly again.

TWO--

if i modify the .htaccess file or the Auth.pm file, it's
USUALLY silently ignored until i do
	'apachectl graceful'
although sometimes .htaccess updates are activated.

i presume that even having five or ten child apaches running
around loose, it's the one that's dealing with the request that
checks for updates to required modules & settings files...
should i hafta 'graceful' just to update Auth.pm or .htaccess?

THREE--

according to /usr/doc/apache/manual/mod/core.html, the
AuthName and AuthType are allowed in .htaccess and
directory sections only, NOT location sections; this 
could be a documentation oversight, i reckon.

FOUR--

i'm now reasonably certain (90% or so) that the missing
ingredients were basically indicated by Eric Cholet when he said

> maybe you need "Order deny, allow" to trigger authentication

seems that i also needed the companion
	deny from all
as well (he probably thought i knew enough to presume that,
but alas, i only now begin to see...).

=======

SO -- Stas, here's a coupla extra tweaks i think you should
make so that cut/paste newbies (unlike me, of course) will
have an easier time with this particular example on the next
iteration:

My/Auth.pm--
	[snip]
	sub authen_handler {
	[snip]
		my $reason = authen_dbi ($r, $user, $sent_pw, $level);
	#############
	# '$level' looks like an artifact from the
	# original code that isn't part of this example.
	#############
	[snip]

	sub authen_dbi{
	  my ($r, $user, $sent_pw, $level) = @_;
	#############
	# $level, again. omit.
	#############

	  # validate username/passwd

	  return 0 if (*PASSED*)
	#############
	# i'd leave this as is; if you change it to a real perl
	# expression such as /PASSED/ some newbies will sail right
	# on by, wondering why they'll never authenticate properly
	# (i'd be one of them).
	#############

	  return "Failed for X reason";

	}

	1;
	#############
	# add the 'require'-friendly 'non-zero final statement'
	#############

httpd.conf or .htaccess (PerlModule hasta be in httpd.conf,
from my experience)--
	PerlAccessHandler My::Auth::access_handler
	PerlSetVar Intranet "10.10.10.1 => userA, 10.10.10.2 => userB"
	PerlAuthenHandler My::Auth::authen_handler
	AuthName realm
	AuthType Basic
	Require valid-user

	order deny,allow
	deny from all
	#############
	# add 'order/deny', and we're done (as far as i can tell)
	#############

and there you have it. i think.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.

Re: PerlAuthenHandler -- doesn't get there...?

Posted by Stas Bekman <st...@stason.org>.
On Fri, 18 Aug 2000, will trillich wrote:

> thanks for your posts, guys!
> 
> Eric Cholet replied:
> > > i copied the sample code from 'illustrated security scenarios'
> > > at http://perl.apache.org/guide/security.html nearly verbatim,
> > > (cut & paste + munge) changed '(*PASSED*)' to a simple test
> > > (moot, at this point) and inserted a few $r->warn("") for tracing
> > > and debugging purposes.
> > >
> > > access_handler() works fine. all its $r->warn output shows up
> > > in the logfile as it should.
> > >
> > > BUT i never see any incursion into the authen_handler() AT ALL!
> > 
> > maybe you need "Order deny, allow" to trigger authentication
> 
> Steve van der Burg replied:
> > After looking at my own configuration for 
> > Apache::AuthCookie, and snooping in the Apache source a
> > bit, I think that your "AuthType Basic" needs to be
> > changed to "AuthType Serensoft::Auth".
> 
> tried both... alas, still no entry into authen_handler.
> it's never executed at all.
> 
> (Steve--docs for most of the standard auth modules [see your
> local http://localhost/doc/apache/manual/mod/] which seem 
> to indicate 'AuthType Basic' not 'AuthType Mod::Path'...?)
> 
> if Stas can get it to work using the framework on the guide page,
> what've i got missing? (can anybody confirm that it can/does
> run as expected?)

Argh, I wish I could always test every addition I have in the guide, some
code goes untested as it was posted to the mod_perl or contributed by
someone else. Then people come and use it, if something is wrong they send
me a patch I fix it. I guess this is a similar scenario -- I admit that
this code wasn't tested by me. If you find the problem and solve it,
please send me the patch, so everybody could benefit from it.

As for hints you want to read the Eagle book, I try hard not to duplicate
information in the book, but sometimes I do. The book covers extensively
the Authentication handler writing. You should start from the Basic one
that works for you and then move on and add the extra, more complicated
logic inside.

I'm looking forward to the patch :) Thanks a lot!

_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:stas@stason.org   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org



Re: PerlAuthenHandler -- doesn't get there...?

Posted by will trillich <wi...@pinncomp.net>.
thanks for your posts, guys!

Eric Cholet replied:
> > i copied the sample code from 'illustrated security scenarios'
> > at http://perl.apache.org/guide/security.html nearly verbatim,
> > (cut & paste + munge) changed '(*PASSED*)' to a simple test
> > (moot, at this point) and inserted a few $r->warn("") for tracing
> > and debugging purposes.
> >
> > access_handler() works fine. all its $r->warn output shows up
> > in the logfile as it should.
> >
> > BUT i never see any incursion into the authen_handler() AT ALL!
> 
> maybe you need "Order deny, allow" to trigger authentication

Steve van der Burg replied:
> After looking at my own configuration for 
> Apache::AuthCookie, and snooping in the Apache source a
> bit, I think that your "AuthType Basic" needs to be
> changed to "AuthType Serensoft::Auth".

tried both... alas, still no entry into authen_handler.
it's never executed at all.

(Steve--docs for most of the standard auth modules [see your
local http://localhost/doc/apache/manual/mod/] which seem 
to indicate 'AuthType Basic' not 'AuthType Mod::Path'...?)

if Stas can get it to work using the framework on the guide page,
what've i got missing? (can anybody confirm that it can/does
run as expected?)

what modules are required for this simple authenticator to work?
there's gotta be something i'm missing. Doesn't look like
'AuthUserFile' or the like, would come into play, does it?

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.

Re: PerlAuthenHandler -- doesn't get there...?

Posted by Eric Cholet <ch...@logilune.com>.
> i canna get the PerlAuthenHandler to do ANYTHING. first
> line of code after $r = shift is $r->warn() but nothing
> shows up in the log. aaugh!
> 
> i copied the sample code from 'illustrated security scenarios' 
> at http://perl.apache.org/guide/security.html nearly verbatim,
> (cut & paste + munge) changed '(*PASSED*)' to a simple test
> (moot, at this point) and inserted a few $r->warn("") for tracing
> and debugging purposes.
> 
> access_handler() works fine. all its $r->warn output shows up 
> in the logfile as it should.
> 
> BUT i never see any incursion into the authen_handler() AT ALL!

maybe you need "Order deny, allow" to trigger authentication
 
> [my main site is serensoft.com; the virtual site is dontUthink.com
> and the url i'm trying to test is dontUthink.com/auth ... it lets
> me in, every time, without asking for any userid:password.]
> 
> httpd.conf:
>     PerlModule Serensoft::Auth
> 
>     <Location /auth>
>         PerlAccessHandler Serensoft::Auth::access_handler
>         PerlSetVar Intranet "this => that"
>         PerlAuthenHandler Serensoft::Auth::authen_handler
>         AuthName "dontUthink subscriber"
>         AuthType Basic
>         Require valid-user
>     </Location>
> 
> Serensoft/Auth.pm:
> package Serensoft::Auth;
> use strict;
> use Apache::Constants qw(:common);
> 
> [snip]
> 
> sub authen_handler {
>     my $r = shift;
> $r->warn('authen_handler'); # <== NEVER gets here!!!
> 
>     # get user's authentication credentials
>     my ($res, $sent_pw) = $r->get_basic_auth_pw;
>     return $res if $res != OK;
>     my $user = $r->connection->user;
> 
>     # authenticate through DBI
>     my $reason = authen_dbi ($r, $user, $sent_pw); # $level? eh?
> 
>     if ($reason) {
>         $r->note_basic_auth_failure;
>         $r->log_reason ($reason, $r->uri);
>         return AUTH_REQUIRED;
>     }
>     return OK;
> }
> 
> i even tried adding
> $r->set_handlers(PerlAuthenHandler => [\&authen_handler]);
> right at the end of access_handler() (before returning OK)
> but alas, to no avail.
> 
> what obvious dial have i forgotten to frob?
> 
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
> Their is five errers in this sentance.
>