Posted to modperl@perl.apache.org by titetluc titetluc <ti...@gmail.com> on 2008/06/19 14:53:17 UTC

[MP2]: setting group for a request (require group ...)

Hello all,

I am writing a mod_perl authentication module (My::Auth).

This module sets the user using the Apache2::RequestRec::user method.

package My::Auth;
sub handler {
 my $r = shift;
 ....
 $r->user('getting the user in my module internal structure');
 return OK;
}

In the Apache configuration file, I can use the configuration

<Location /test_user>
PerlAuthenHandler  My::Auth
Require user user1
....
</Location>

I would like to use my module in another configuration where group is
checked

<Location /test_group>
PerlAuthenHandler  My::Auth
Require group group1
....
</Location>

I cannot find any mod_perl API method (Apache2::RequestRec::group ?) to set
the group. I only found Apache2::RequestRec::require method, but this method
only reads the require configuration.

One way to solve the problem is to modify the My::Auth::handler method:

package My::Auth;
sub handler {
 my $r = shift;
 ....
 $r->user('getting the user in my module internal structure');
 my $requires = $r->requires;

 # here the code to verify authorization

 return OK;
}

but I think this is a workaround:
 . My::Auth::handler is an AUTHENTICATION handler
 . the code to verify the AUTHORIZATION should have to be executed by the
httpd core.

How can I manage authorization in this case ?

Thanks

Re: [MP2]: setting group for a request (require group ...)

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> I would like to use my module in another configuration where group is
> checked
> 
> <Location /test_group>
> PerlAuthenHandler  My::Auth
> Require group group1
> ....
> </Location>
> 
> I can not find any mod_perl API method (Apache2::RequestRec::group ?) to set
> the group. 

that's right.

you have control over the user via the httpd (and thus mod_perl) API, 
just as the user does via a dialogue box in their browser.  but 
mod_authz_owner maps that user to a group via standard unix gid methods.

I have no idea how this works on win32 ;)

> I only found Apache2::RequestRec::require method, but this method
> only reads the require configuration.
> 
> One way to solve the problem is to modify the My::Auth::handler method:
> 
> package My::Auth;
> sub handler {
>  my $r = shift;
>  ....
>  $r->user('getting the user in my module internal structure');
>  my $requires = $r->requires;
> 
>  # here the code to verify authorization
> 
>  return OK;
> }
> 
> but I think this is a workaround:
>  . My::Auth::handler is an AUTHENTICATION handler

yes - is the user who they say they are.

>  . the code to verify the AUTHORIZATION should have to be executed by the
> httpd core.

exactly :)

your wanting to do something with group is an authz function, not an 
authen function.

> 
> How can I manage authorization in this case ?

the 'Require group foo' directive explicitly means you want unix user -> 
unix group mapping done in the authz phase.  if you want something 
different from this, write your own PerlAuthzHandler.  see recipe 3.16 here

   http://www.modperlcookbook.org/chapters/ch13.pdf

it's mod_perl 1.0 based, but the ideas are the same, and the techniques 
and API nearly identical.

HTH

--Geoff

Re: [MP2]: setting group for a request (require group ...)

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

titetluc titetluc wrote:
> Geoffrey, André,
> Thank you for your answer.
> 
> Conclusion: I will have to:
>  . write my own PerlAuthzHandler

yes

>  . define a new directive to define my group

no - you can overload the Requires directive.  the example I pointed you 
to shows you how:

   http://www.modperlcookbook.org/code/ch13/Cookbook/AuthzRole.pm

if you return OK or AUTH_REQUIRED the configured httpd authz handler 
will not be run, leaving your PerlAuthzHandler in control of the authz 
phase.

HTH

--Geoff

Re: [MP2]: setting group for a request (require group ...)

Posted by titetluc titetluc <ti...@gmail.com>.
Geoffrey, André,
Thank you for your answer.

Conclusion: I will have to:
 . write my own PerlAuthzHandler
 . define a new directive to define my group

Thanks again


2008/6/19 André Warnier <aw...@ice-sa.com>:

> Hi.
>
> I believe that the issue below is more in the way of thinking about this,
> than a real technical issue.
>
> You don't need to involve Apache in the group part.
> I don't think that Apache, per se, even has a field "group" in his internal
> Request structure.
> That is probably why you do not find any API to set or read it.
>
> Let me explain how I understand it:
>
> Authentication consists of finding out who the user is.
> To simplify, we could say that this consists of getting and verifying his
> user-id.
> But, at the same time, we could collect some additional attributes about
> him, like his email address, or a list of groups of which he is a member.
> The application /may/ want to authenticate users in order to (later) also
> authorise them or not to do something.  But not necessarily; it could also
> be only for the purpose of logging who accessed the page.
>
> Anyway, now your Authentication module has done its job, it has
> authenticated the user and saved his user-id. It does not really care what
> this user-id will be used for, that is not its job.
>
> The module returns OK, and Apache continues.
>
> ----- end of authentication ----
>
> .... some time passes
>
> ----- start of authorization ---
>
> This consists of verifying if this resource that is requested can be
> returned, depending on some criteria.
> Usually, it will depend on the userid, or some characteristic of the user.
>  But not necessarily : it could also depend on a secret key that is included
> in a cookie, for example (if the key is there, the resource is granted, and
> otherwise not).
> If this check is successful, the authorization returns OK.  If it is not, it
> returns not-OK.
>
> ---- end of authorization ---
>
> Apache checks the return code.  If it is OK, Apache serves the page.  If it
> is not-OK, Apache returns a "forbidden" page.
>
> --- end of request ---
>
> Now, in your case, you want
> a) to authenticate the user
> b) later, to authorize access to a resource, in function of some
> characteristic of that user (is he member of one of the authorized groups)
>
> You have already done (a), with a PerlAuthenHandler, and you have stored
> the user-id in the request, so you can get at it later.
>
> If you add a PerlAuthzHandler for authorization, then what your handler has
> to do is :
>
> 1. find out which groups are authorized to access this resource.
> That could be by getting the contents of the "require" clause of the Apache
> configuration, or by getting the value of some "PerlSetVar" in the same
> section (e.g. PerlSetVar AuthorizedGroups "group1,group2")
> (in your module, you would get this value as
> $OKgroups = $r->dir_config("AuthorizedGroups");)
>
> 2. find out if this userid (stored in the request) is a member of one of
> these groups.
> For that, you need some additional information about the user, not just his
> user-id.  This you could do using a "group" file, like Apache does in its
> Basic authentication scheme (AuthGroupFile xxxx), and read it and parse it
> when you need to, and then compare the result to $OKgroups.
> But that would be inefficient.
>
> Since in (a) you are already accessing some information about the user (to
> verify his userid), I would at the same time collect information about which
> groups he belongs to, and save that somewhere in the Request object, for
> example with something like
> $r->pnotes('groups' => $groups);
>
> Then later, your module (b) can get it back, with
> $groups = $r->pnotes('groups');
> and compare this to the authorized groups.
>
> I hope this helps.
> André
>>
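
The approach discussed in this thread, as an added example (not code from any of the posters or from the mod_perl Cookbook): a PerlAuthzHandler that reads the "Require group" lines through $r->requires and compares them with the groups the authentication handler saved in pnotes. The package name My::Authz, the 'groups' pnotes key holding an array reference, and the configuration fragment in the comments are assumptions; $r->requires is the httpd 2.2-era API the thread uses.

```perl
package My::Authz;   # hypothetical name, companion to the thread's My::Auth
# Constructed httpd.conf fragment (httpd 2.2-era syntax, as in the thread):
#   <Location /test_group>
#     PerlAuthenHandler My::Auth
#     PerlAuthzHandler  My::Authz
#     Require group group1 group2
#   </Location>
use strict;
use warnings;
use Apache2::RequestRec  ();   # user, uri, method_number
use Apache2::RequestUtil ();   # pnotes
use Apache2::Access      ();   # requires
use Apache2::Log         ();   # log_error
use Apache2::Const -compile => qw(OK DECLINED FORBIDDEN);

sub handler {
    my $r = shift;

    my $requires = $r->requires
        or return Apache2::Const::DECLINED;   # no Require lines apply here

    # Assumption: My::Auth stored an array ref of group names, e.g.
    #   $r->pnotes(groups => ['group1', 'staff']);
    my $user   = $r->user;
    my %member = map { $_ => 1 } @{ $r->pnotes('groups') || [] };
    my $bit    = 1 << $r->method_number;

    my $saw_group = 0;
    for my $req (@$requires) {
        next unless $req->{method_mask} & $bit;   # Require placed inside <Limit>
        my ($type, @names) = split ' ', $req->{requirement};
        next unless defined $type && lc $type eq 'group';
        $saw_group = 1;
        return Apache2::Const::OK
            if defined $user && grep { $member{$_} } @names;
    }

    # Only "Require user" / "Require valid-user" lines: leave them to httpd.
    return Apache2::Const::DECLINED unless $saw_group;

    # A group was required and none matched: fail closed. Any return other
    # than DECLINED ends the authz phase, so a sibling "Require user" line
    # is not consulted after this point.
    $r->log_error("My::Authz: user not in a required group for " . $r->uri);
    return Apache2::Const::FORBIDDEN;
}

1;
```

Returning AUTH_REQUIRED instead of FORBIDDEN, as mentioned earlier in the thread, also keeps httpd's own authz handlers from running; it answers 401 rather than 403.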