You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by Rob Bloodgood <ro...@empire2.com> on 2001/04/03 22:35:49 UTC

Apache::AuthCookieDBI forgets its config

So I finally decided to plunge into AuthCookie*, and settled on
AuthCookieDBI cuz it's pretty complete, and meets my environment, and I
don't have to subclass it to even try it.

DAMN what a *****!

Oh, mostly it's an EXCELLENT module.

Mostly.

For starters, as verbose as the docs are, they aren't as clear as one would
hope.  HOWEVER I finally got it to where everything LOOKS right, but I still
have no go.

As I delved into the problem, I found the following:

The module has a BEGIN {} block that reads the server config for parameters
of the form
PerlSetVar MyRealmSecretKeyFile "/etc/httpd/conf/secretkeyfile.txt"

into the module global hash %SECRET_KEYS

and the docs recommend it be
-rw------- root root

so that it's only readable on server startup.

HOWEVER, whenever the module is actually invoked, %SECRET_KEYS is empty!

Here's the BEGIN{} block:
BEGIN {
	my @keyfile_vars = grep {
		$_ =~ /DBI_SecretKeyFile$/
	} keys %{ Apache->server->dir_config() };
	foreach my $keyfile_var ( @keyfile_vars ) {
		my $keyfile = Apache->server->dir_config( $keyfile_var );
		my $auth_name = $keyfile_var;
		$auth_name =~ s/DBI_SecretKeyFile$//;
		unless ( open( KEY, "<$keyfile" ) ) {
		    Apache::log_error( "Could not open keyfile for $auth_name in file
$keyfile" );
		} else {
			$SECRET_KEYS{ $auth_name } = <KEY>;
			close KEY;
		}
	}
}

My temporary solution was to patch the handlers to understand a new
PerlSetVar:

	# Get the secret key.
	my $secret_key = $SECRET_KEYS{ $auth_name };
	unless ( defined $secret_key ) {
+	    if (not defined ($SECRET_KEYS{ $auth_name } =
+			_dir_config_var($r, 'DBI_SecretKeyFile'))) {
		$r->log_reason( "Apache::AuthCookieDBI: didn't the secret key from for
auth realm $auth_name", $r->uri );
		return undef;
+	    } else {
+		$secret_key = $SECRET_KEYS{ $auth_name };
	    }
	}

But this seems crufty.
What I'd prefer to do is fix the init section so that it works.  I can't
find anything in the mod_perl docs or the Guide that helps.

Suggestions??

TIA

L8r,
Rob

#!/usr/bin/perl -w
use Disclaimer qw/:standard/;

Re: Apache::AuthCookieDBI forgets its config

Posted by Vegard Vesterheim <Ve...@runit.no>.

"Rob Bloodgood" <ro...@empire2.com> writes:

> So I finally decided to plunge into AuthCookie*, and settled on
> AuthCookieDBI cuz it's pretty complete, and meets my environment, and I
> don't have to subclass it to even try it.
> 
> DAMN what a *****!
> 
> Oh, mostly it's an EXCELLENT module.
> 
> Mostly.
> 
> For starters, as verbose as the docs are, they aren't as clear as one would
> hope.  HOWEVER I finally got it to where everything LOOKS right, but I still
> have no go.
> 
> As I delved into the problem, I found the following:
> 
> The module has a BEGIN {} block that reads the server config for parameters
> of the form
> PerlSetVar MyRealmSecretKeyFile "/etc/httpd/conf/secretkeyfile.txt"
> 
> into the module global hash %SECRET_KEYS
> 
> and the docs recommend it be
> -rw------- root root
> 
> so that it's only readable on server startup.
> 
> HOWEVER, whenever the module is actually invoked, %SECRET_KEYS is empty!
> 

I discovered the same thing. I think the problem is that the BEGIN
block as written, only considers parameters defined in the *main
server*. So if you have any PerlSetVar in a Virtual Server, it will
not be found.

A kludgy workaround is to move the PerlSetVar out of any Virtual
Server sections. A better option is to reimplement the mechanism for
populating the SECRET_KEYS hash, so that Virtual Servers are handled
properly.

-- 
Vegard Vesterheim		: Phone: +47 73593002
Runit AS			: Fax:   +47 73591700
N-7465 Trondheim, NORWAY	: Email: Vegard.Vesterheim@runit.no

RE: Apache::AuthCookieDBI forgets its config [SOLVED]

Posted by Rob Bloodgood <ro...@empire2.com>.

> OK, more examination reveals that:
> At the time this BEGIN block is running, this call:
>       my @keyfile_vars = grep {
>  		$_ =~ /DBI_SecretKeyFile$/
>  	} keys %{ Apache->server->dir_config() };
>
> is returning EMPTY.
>
> Meaning it's evaling too early to see the dir_config???????  Or what?

- PerlModule Apache::AuthCookieDBI
> PerlSetVar AdminPath /admin
> PerlSetVar AdminLoginScript /scripts/adminlogin.pl
>
> # These must be set
> PerlSetVar AdminDBI_DSN "dbi:Oracle:STATS"
> PerlSetVar AdminDBI_SecretKeyFile /etc/httpd/conf/admin.secret.key
+ PerlModule Apache::AuthCookieDBI

My ealier message reveals the solution: move the line
PerlModule Apache::AuthCookieDBI
to *AFTER* the line(s)
PerlSetVar BlahBlahDBI_SecretKeyFile /path/to/keyfile

It now works perfectly!

Thx for putting up w/ me bouncing my problem-solving off the list...
hopefully somebody will save the day & a half I just spent on this.

L8r,
Rob

#/usr/bin/perl -w
use Disclaimer qw/:standard/;

RE: Apache::AuthCookieDBI forgets its config [UPDATE]

Posted by Rob Bloodgood <ro...@empire2.com>.

> HOWEVER, whenever the module is actually invoked, %SECRET_KEYS is empty!
> 
> Here's the BEGIN{} block:
> BEGIN {
> 	my @keyfile_vars = grep {
> 		$_ =~ /DBI_SecretKeyFile$/
> 	} keys %{ Apache->server->dir_config() };
> 	foreach my $keyfile_var ( @keyfile_vars ) {
> 		my $keyfile = Apache->server->dir_config( $keyfile_var );
> 		my $auth_name = $keyfile_var;
> 		$auth_name =~ s/DBI_SecretKeyFile$//;
> 		unless ( open( KEY, "<$keyfile" ) ) {
> 		    Apache::log_error( "Could not open keyfile for 
> $auth_name in file
> $keyfile" );
> 		} else {
> 			$SECRET_KEYS{ $auth_name } = <KEY>;
> 			close KEY;
> 		}
> 	}
> }

OK, more examination reveals that:
At the time this BEGIN block is running, this call: 
      my @keyfile_vars = grep {
 		$_ =~ /DBI_SecretKeyFile$/
 	} keys %{ Apache->server->dir_config() };

is returning EMPTY.

Meaning it's evaling too early to see the dir_config???????  Or what?

PerlModule Apache::AuthCookieDBI
PerlSetVar AdminPath /admin
PerlSetVar AdminLoginScript /scripts/adminlogin.pl
#PerlSetVar AdminLoginScript /error/adminlogin.html

# Optional, to share tickets between servers.
#PerlSetVar AdminDomain .domain.com


# These must be set
PerlSetVar AdminDBI_DSN "dbi:Oracle:STATS"
PerlSetVar AdminDBI_SecretKeyFile /etc/httpd/conf/admin.secret.key

# etc.



Ideas?

L8r,
Rob

#!/usr/bin/perl -w
use Disclaimer qw/:standard/;