Posted to modperl@perl.apache.org by Jim Helm <jj...@att.net> on 2002/05/13 01:23:53 UTC

[RFC] Apache::AuthTicketPlus

I've subclassed Apache::AuthTicket with a 'Require group xxxx'
authorization handler, since neither AuthTicket nor AuthCookie included
it (though AuthCookie does have the hooks for it which I took advantage
of).
 
I also added a 'Require not yyyy xxxx' handler.  I wanted to be able to
exclude one or two authenticated users (like guest) from certain areas
while still being able to 'Require valid-user'.  Much easier than having
to remember to add every authenticated user to a group when I only want
to exclude one or two users.  If AuthCookie ever changes from requiring
all checks to pass to just a single check, this will break. (See
Apache::AuthCookie authorize() section for comments on ALL vs. ANY.)
 
Example:
Require not group xxxx
Require not user xxxx
 
Also, I had to implement my own 'user' authorization method since
Apache::AuthCookie embeds it directly into the main authorization
method.  My method only gets called by the 'not' method when applicable.
I could have just put the code directly in the not method, but then
anyone subclassing my module would have the same problem...
 
Feel free to do whatever you want with the code... Comment/criticism
welcome - especially on the init method.  I'll post to CPAN if anyone
thinks it's worth it.  I'd gladly accept integrating this directly into
AuthTicket if the maintainer wishes (Michael Schout?).  I'm not crazy
about the name, but it has to be called something - suggestions welcome.
 
Thanks,
 
Jim
 
---snip---
package Apache::AuthTicketPlus;
 
# Subclass of Apache::AuthTicket adding 'Require group ...' and
# 'Require not <requirement> ...' authorization handlers.  The methods
# below are reached through Apache::AuthCookie's authorize() dispatch,
# which calls $auth_type->$requirement($r, $args) for each Require line
# and only grants access when every line returns OK.
 
use strict;
 
use vars qw($VERSION @ISA %DEFAULTS);
 
use Apache::Constants qw(FORBIDDEN OK);
use Apache::AuthTicket qw();
 
@ISA = qw(Apache::AuthTicket);
 
$VERSION = '0.01';
 
# Group table description, 'table:group_column:user_column'.  Override
# per location with PerlSetVar TicketGroupTable the way the other
# AuthTicket settings are configured.
$DEFAULTS{TicketGroupTable} = 'groups:grpname:usrname';
 

sub init {
 
    my ($self, $r) = @_;
    $self->SUPER::init($r);
 
    # Pick up this module's own settings through the same lookup the
    # parent uses, then fall back to this package's %DEFAULTS in case the
    # parent's lookup only knows about its own defaults.
    for my $item (keys %DEFAULTS) {
        my $value = $self->_get_config_item($r, $item);
        $self->{$item} = defined $value ? $value : $DEFAULTS{$item};
    }
 
}
 

# Require not <requirement> <args>: invert another requirement.  This only
# excludes anyone because AuthCookie requires ALL Require lines to pass;
# under ANY semantics a 'Require valid-user' line would satisfy the
# request on its own.
sub not {
 
    my ($self, $r, $args) = @_;
    $self = $self->new($r) unless ref $self;
 
    my ($requirement, $sub_args) = split(/\s+/, $args, 2);
    $sub_args = '' unless defined $sub_args;
 
    # Only negate the requirement methods this module implements.  Without
    # this check 'Require not foo' would call whatever method 'foo' names
    # on the handler object.  A subclass adding requirement methods should
    # extend the list.  Misconfiguration fails closed.
    unless ($requirement =~ /^(?:user|group)$/) {
        $r->log_error("Require not: cannot negate '$requirement'");
        return FORBIDDEN;
    }
 
    my $rv = $self->$requirement($r, $sub_args);
 
    return ($rv == OK) ? FORBIDDEN : OK;
 
}
 

# Require user a b c: OK if the authenticated user is any of the listed
# names, matching Apache's own 'Require user' semantics.  AuthCookie
# handles 'Require user' itself inside authorize(), so this method is only
# reached via 'not'.
sub user {
 
    my ($self, $r, $args) = @_;
    $self = $self->new($r) unless ref $self;
 
    my $user = $r->connection->user;
    return FORBIDDEN unless defined $user and length $user;
 
    return (grep { $_ eq $user } split /\s+/, $args) ? OK : FORBIDDEN;
 
}
 

# Require group g1 g2: OK if the user belongs to any of the listed groups,
# according to the table named by TicketGroupTable.
sub group {
 
    my ($self, $r, $args) = @_;
    $self = $self->new($r) unless ref $self;
 
    my @groups = split /\s+/, $args;
    my $user   = $r->connection->user;
    return FORBIDDEN unless @groups and defined $user and length $user;
 
    my $dbh = $self->dbh;
    # Table and column names come from the server configuration, never
    # from the request, so interpolating them is safe; the user and group
    # values are passed as bind parameters.
    my ($_table,$_group,$_user) = split(/:/, $self->{TicketGroupTable});
    my $placeholders = join ',', ('?') x @groups;
    my $query = qq{
        SELECT COUNT(*) FROM $_table
        WHERE $_user = ? AND $_group IN ($placeholders)
    };
 
    my $rows = 0;
 
    eval {
        my $sth = $dbh->prepare($query);
        $sth->execute($user, @groups);
        ($rows) = $sth->fetchrow_array;
        $sth->finish;
    };
    if ($@) {
        # A database failure must never look like membership: roll back
        # and propagate the error (a 500), which denies the request.
        $dbh->rollback;
        die $@;
    }
 
    return $rows ? OK : FORBIDDEN ;
}
 
1;
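
The ALL-vs-ANY dependency of 'Require not' can be seen without mod_perl or a database. The script below is an added example, not Jim's module and not Apache::AuthCookie: it reproduces only the dispatch shape AuthCookie uses (one method per Require keyword, called as $self->$requirement($r, $args)) and evaluates the same Require lines under both ALL and ANY semantics. MockRequest, AuthzDemo, the %GROUPS table and the user names are constructed for the example.

```perl
#!/usr/bin/perl
# Stand-alone model of AuthCookie-style authorization dispatch (added
# example; not the post's module and not Apache::AuthCookie).
use strict;
use warnings;

package MockRequest;
# Hypothetical stand-in for the mod_perl request object; only user() is
# needed here, playing the part of $r->connection->user.
sub new  { my ($class, %a) = @_; return bless {%a}, $class }
sub user { return $_[0]{user} }

package AuthzDemo;
use constant OK        => 0;     # same values Apache::Constants exports
use constant FORBIDDEN => 403;

# Constructed in-memory group table: grpname => { usrname => 1 }.
my %GROUPS = (
    admins => { alice => 1 },
    staff  => { alice => 1, bob => 1 },
);

# Only these keywords may be negated, so 'Require not <anything>' cannot
# turn into a call of an arbitrary method on the handler object.
my %NEGATABLE = map { $_ => 1 } qw(user group);

sub valid_user {
    my ($self, $r) = @_;
    return defined $r->user ? OK : FORBIDDEN;
}

sub user {                                  # Require user a b c
    my ($self, $r, $args) = @_;
    my $u = $r->user;
    return FORBIDDEN unless defined $u;
    return (grep { $_ eq $u } split /\s+/, $args) ? OK : FORBIDDEN;
}

sub group {                                 # Require group g1 g2
    my ($self, $r, $args) = @_;
    my $u = $r->user;
    return FORBIDDEN unless defined $u;
    return (grep { $GROUPS{$_} && $GROUPS{$_}{$u} } split /\s+/, $args)
        ? OK : FORBIDDEN;
}

sub not {                                   # Require not user guest
    my ($self, $r, $args) = @_;
    my ($req, $sub_args) = split /\s+/, $args, 2;
    $sub_args = '' unless defined $sub_args;
    die "Require not: cannot negate '$req'\n" unless $NEGATABLE{$req};
    return $self->$req($r, $sub_args) == OK ? FORBIDDEN : OK;
}

# Evaluate every Require line; $mode is 'ALL' (every line must pass, which
# is what AuthCookie does) or 'ANY' (one passing line is enough).
sub authorize {
    my ($class, $r, $mode, @requires) = @_;
    my $self = bless {}, $class;
    my @rv;
    for my $line (@requires) {
        my ($req, $args) = split /\s+/, $line, 2;
        $req  =~ tr/-/_/;                   # 'valid-user' -> valid_user
        $args = '' unless defined $args;
        push @rv, $self->$req($r, $args);
    }
    my $passed = $mode eq 'ALL'
        ? !(grep { $_ != OK } @rv)
        : !!(grep { $_ == OK } @rv);
    return $passed ? OK : FORBIDDEN;
}

package main;

# The post's use case: everyone logged in except guest, and nobody from
# a 'contractors' group.
my @rules = ('valid-user', 'not user guest', 'not group contractors');
for my $name (qw(alice bob guest)) {
    my $r = MockRequest->new(user => $name);
    printf "%-6s ALL=%-9s ANY=%s\n", $name,
        map { AuthzDemo->authorize($r, $_, @rules) == AuthzDemo::OK
                  ? 'OK' : 'FORBIDDEN' } qw(ALL ANY);
}
```

Under ALL, guest is refused because the 'not user guest' line fails while alice and bob pass; under ANY the 'valid-user' line alone admits guest and the exclusion is silently lost, which is exactly the breakage the post warns about. The %NEGATABLE check is the extra guard a reviewer would ask for: without it, a 'Require not' line names any method on the object.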

Re: [RFC] Apache::AuthTicketPlus

Posted by Michael Schout <ms...@gkg.net>.
Jim Helm wrote:

> Feel free to do whatever you want with the code... Comment/criticism 
> welcome - especially on the init method.  I'll post to CPAN if anyone 
> thinks it's worth it.  I'd gladly accept integrating this directly into 
> AuthTicket if the maintainer wishes (Michael Schout?).  I'm not crazy 

Yes, I think this is useful enough to fold this into AuthTicket.  I'll 
take a closer look at it this weekend.

Mike