Apache 2.2 and Authorization Providers under mod_perl

[Skylos <sk...@gmail.com>]

Trying to migrate an application to mod_perl under apache 2.2 but my custom
auth handlers are blowing up on failure to understand '$r->requires'
method.  The best I can make of it is that apache 2.2 revamped the auth
system requiring the definition of providers (like 'group' allowing the
'Require group xxxx' directive in the config file.

It seems then that I need to define my own authentication provider...
perl-group?  mycustomauth-group, so i can say

Require mycustomauthgroup admin

Thus get the proper ->requires information during the authorization phase
for checking?

David

PS: I apologize for not being able to derive this answer from my search and
browsing of the mailing list archives if the answer is in there.  I found
some that seemed exactly related to this issue under topic mp 2.0.3 make
test fails against httpd trunk: Has authorisation changed since httpd 2.2 ? but
was unable to find anything about actually defining these authorization
providers...

-- 
Dog approved this message.

Re: Apache 2.2 and Authorization Providers under mod_perl

[Skylos <sk...@gmail.com>]

Thanks for your reply André.  As it happens the application's security
policy for authorization is defined in terms of the group assertions.
Dropping that would stop the functionality that protects the various users
from accessing functionality they should not be able to.

David
 On Apr 1, 2014 6:23 AM, "André Warnier" <aw...@ice-sa.com> wrote:

> Skylos wrote:
>
>> Trying to migrate an application to mod_perl under apache 2.2 but my
>> custom
>> auth handlers are blowing up on failure to understand '$r->requires'
>> method.  The best I can make of it is that apache 2.2 revamped the auth
>> system requiring the definition of providers (like 'group' allowing the
>> 'Require group xxxx' directive in the config file.
>>
>> It seems then that I need to define my own authentication provider...
>> perl-group?  mycustomauth-group, so i can say
>>
>> Require mycustomauthgroup admin
>>
>> Thus get the proper ->requires information during the authorization phase
>> for checking?
>>
>> David
>>
>> PS: I apologize for not being able to derive this answer from my search
>> and
>> browsing of the mailing list archives if the answer is in there.  I found
>> some that seemed exactly related to this issue under topic mp 2.0.3 make
>> test fails against httpd trunk: Has authorisation changed since httpd 2.2
>> ? but
>> was unable to find anything about actually defining these authorization
>> providers...
>>
>>
> Hi.
> This is not really an answer to your question, but I felt it might help
> anyway, only to allow you to sleep better..
> I also wrote my own authentication framework for Apache/mod_perl (using
> Apache2::AuthCookie as base, many thanks to the author and maintainers),
> and I do not recall having had to do any major surgery to it between 2.0
> and 2.2 (2.4 may be another matter though).
> In any case, I am sure that the "group" aspect is not needed, because I
> don't do that at all and my stuff still works fine.
>
> So, while I'm not the ultimate expert, I would think that whatever you may
> have to do is probably less major than what you are hinting at above.
> HTH.
>
> P.S. check the code for Apache2::AuthCookie for many tips (sub
> authorize{}).
> I am using its get_statisfy() and satisfy_is_valid() subs.
> And I only use "require user xxx" or "require valid user" in the Apache
> config.
>

Re: Apache 2.2 and Authorization Providers under mod_perl

[André Warnier <aw...@ice-sa.com>]

Skylos wrote:
> Trying to migrate an application to mod_perl under apache 2.2 but my custom
> auth handlers are blowing up on failure to understand '$r->requires'
> method.  The best I can make of it is that apache 2.2 revamped the auth
> system requiring the definition of providers (like 'group' allowing the
> 'Require group xxxx' directive in the config file.
> 
> It seems then that I need to define my own authentication provider...
> perl-group?  mycustomauth-group, so i can say
> 
> Require mycustomauthgroup admin
> 
> Thus get the proper ->requires information during the authorization phase
> for checking?
> 
> David
> 
> PS: I apologize for not being able to derive this answer from my search and
> browsing of the mailing list archives if the answer is in there.  I found
> some that seemed exactly related to this issue under topic mp 2.0.3 make
> test fails against httpd trunk: Has authorisation changed since httpd 2.2 ? but
> was unable to find anything about actually defining these authorization
> providers...
> 

Hi.
This is not really an answer to your question, but I felt it might help anyway, only to 
allow you to sleep better..
I also wrote my own authentication framework for Apache/mod_perl (using 
Apache2::AuthCookie as base, many thanks to the author and maintainers), and I do not 
recall having had to do any major surgery to it between 2.0 and 2.2 (2.4 may be another 
matter though).
In any case, I am sure that the "group" aspect is not needed, because I don't do that at 
all and my stuff still works fine.

So, while I'm not the ultimate expert, I would think that whatever you may have to do is 
probably less major than what you are hinting at above.
HTH.

P.S. check the code for Apache2::AuthCookie for many tips (sub authorize{}).
I am using its get_statisfy() and satisfy_is_valid() subs.
And I only use "require user xxx" or "require valid user" in the Apache config.