Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4

[Michael Schout <ms...@gkg.net>]

On 12/6/18 9:25 AM, Andrew Green wrote:

> As far as I can tell, I have to pre-declare the new Authz provider in my
> server config:
> 
> PerlAddAuthzProvider myapp MyApp::Authz

Yes this is correct, authz providers must be declared globally under 2.4

I realize this thread is old by now, but for the record, there is a bit
of documentation about how things changed/work under 2.4 in my
Apache2::AuthCookie dist [1].  The way authentication and authorization
works under 2.4 is quite different.

> b. Wrapping the return value like this:
> 
> sub authz_granted {
> 
>    my $self = shift;
> 
>    # So this compiles under old Apache
>    no strict 'subs';
> 
>    if ($self->is_old_apache) {
>       return Apache2::Const::OK;
>    } else {
>       return Apache2::Const::AUTHZ_GRANTED;
>    }
> 
> }

Note that under 2.4, your authz handler gets called twice per request.
The first time, no user will be set, and this is so you can handle
authorization of anonymous requests.  You should return
AUTHZ_DENIED_NO_USER for these requests (unless of course you want to
authorize anonymous requests, in which case you can return AUTHZ_GRANTED
etc).  So something like:

  unless (defined $r->user) {
    return Apache2::Const::AUTHZ_DENIED_NO_USER;
  }

If $r->user *is* set, then you are expected to return one of:

AUTHZ_DENIED
AUTHZ_GRANTED
AUTHZ_GENERAL_ERROR
AUTHZ_NEUTRAL

Also of note, if all you are doing is "Require valid-user", or "Require
user foo" for example, Apache provides an authz provider that already
handles that (see mod_authz_user.c).  So you only need to do this if you
are writing custom authz requirements.

1:
https://metacpan.org/pod/release/MSCHOUT/Apache-AuthCookie-3.27/README.apache-2.4.pod

Regards,
Michael Schout