Posted to modperl@perl.apache.org by Chris Hughes <ch...@fysh.org> on 2004/09/20 18:31:17 UTC
Apache-AuthenNTLM-2.07 and ModPerl 1.99_16
Fails as Apache-AuthenNTLM attempts to use Apache::Connection::remote_host
to alter the remote hostname so it can check to see if it is the same
connection when it is next called:
From AuthenNTLM.pm:
539 # we cannot attach our object to the connection record. Since in
540 # Apache 1.3 there is only one connection at a time per process
541 # we can cache our object and check if the connection has changed.
542 # The check is done by slightly changing the remote_host member, which
543 # persists as long as the connection does
544 # This has to be reworked to work with Apache 2.0
545 if (ref ($cache) ne $class || $$conn != $cache -> {connectionid} || $conn -> remote_host ne $cache->{remote_host})
546 {
547 $conn -> remote_host ($conn -> remote_host . ' ') ;
548 $self = {connectionid => $$conn, remote_host => $conn -> remote_host} ;
This breaks in 1.99_16, but AuthenNTLM suggests it has ModPerl 2 support
written in, so is this something that has changed recently?
I'm also not exactly sure why there are three checks (ie. that there is a
cache object, that the cache object connection id is the same as the
current, and then that the (altered) remote host name is the same in
both). I would have thought it would be enough to compare the
connectionid, but this seems to stay the same between connections..?
Any ideas?
ta,
Chris
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
Re: Apache-AuthenNTLM-2.07 and ModPerl 1.99_16
Posted by Chris Hughes <ch...@fysh.org>.
On Mon, 20 Sep 2004, Chris Hughes wrote:
> I'm also not exactly sure why there are three checks (ie. that there is a
> cache object, that the cache object connection id is the same as the
> current, and then that the (altered) remote host name is the same in
> both). I would have thought it would be enough to compare the
> connectionid, but this seems to stay the same between connections..?
Apols to following up to myself, but I seem to have deleted Fred's email.
That patch didn't work (for me) as notes() expects an APR::Table object.
I've appended a patch that changes the way this works a little. It seems
that all this trouble is just so that the AuthenNTLM module can tell if a
request comes from the same connection as the previous one (so it can
complete the NTLM 'hand-shake' or just Apache::OK if it has already been
successfully authenticated).
So the below patch just pops a value into connection->notes() and checks
if it is there. Would be interested in any comments.
My question is why isn't the connection->id() used for this purpose? It
looks like this value isn't unique between connections, so what does it do?
http://perl.apache.org/docs/2.0/api/Apache/Connection.html#C_id_
ta,
Chris
545,558c545,548
< my $table = $conn->notes();
< if (ref ($cache) ne $class || $$conn != $cache->{connectionid} ||
< (!MP2 && $conn->remote_host ne $cache->{remote_host}) ||
< (MP2 && $table->get('status') ne "AUTHSTARTED"))
< {
< if (!MP2) {
< $conn->remote_host ($conn->remote_host . ' ');
< $self = {connectionid => $$conn, remote_host => $conn -> remote_host} ;
< } elsif (MP2) {
< my $table = $conn->notes();
< $table->add('status','AUTHSTARTED');
< $conn->notes($table);
< $self = {connectionid => $$conn } ;
< }
---
> if (ref ($cache) ne $class || $$conn != $cache -> {connectionid} || $conn -> remote_host ne $cache->{remote_host})
> {
> $conn -> remote_host ($conn -> remote_host . ' ') ;
> $self = {connectionid => $$conn, remote_host => $conn -> remote_host} ;
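Review bot: the first `<` line, `my $table = $conn->notes();`, runs before any `MP2` check, so the notes lookup also happens on the non-MP2 path that the rest of the hunk keeps on `remote_host`; move it under the MP2 guard. The `elsif (MP2)` branch then declares a second `my $table`, shadowing the outer one, and `$table->get('status')` has no value on a fresh connection, so the `ne` comparison should be guarded with `defined`. Since the notes table belongs to the whole connection, a module-specific key rather than 'status', written with `set` instead of `add`, would avoid collisions and duplicate entries. The hunk is also generated in reverse (the new code is on the `<` side of `545,558c545,548`), so it needs regenerating before it can be applied as is.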
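Why the connection id alone is not enough, and what a marker stored on the connection adds, as an added example that is not part of this thread or of AuthenNTLM. It is a plain-Perl mock: `MockConn`, the note key and both lookup functions are hypothetical, and it assumes a second connection that reuses the id value of the first, as observed in the message above.

```perl
#!/usr/bin/perl
# Added illustration: plain-Perl mock, not mod_perl or AuthenNTLM code.
use strict;
use warnings;

# Hypothetical stand-in for a connection record: an id value that a later
# connection may reuse, plus a notes hash created fresh per connection.
package MockConn {
    sub new   { my ($class, $id) = @_; return bless { id => $id, notes => {} }, $class }
    sub id    { $_[0]{id} }
    sub notes { $_[0]{notes} }
}

package main;

my $NOTE_KEY = 'AuthenNTLM.demo.state';   # constructed key name
my $cache;                                # process-wide cache, as in the module

# Variant A: trust the cached state whenever the connection id matches.
sub state_by_id {
    my ($conn) = @_;
    if (!$cache || $cache->{connectionid} != $conn->id) {
        $cache = { connectionid => $conn->id, authed => 0 };
    }
    return $cache;
}

# Variant B: also require a marker that lives on the connection itself.
sub state_by_note {
    my ($conn) = @_;
    my $marked = ($conn->notes->{$NOTE_KEY} // '') eq 'AUTHSTARTED';
    if (!$cache || $cache->{connectionid} != $conn->id || !$marked) {
        $conn->notes->{$NOTE_KEY} = 'AUTHSTARTED';
        $cache = { connectionid => $conn->id, authed => 0 };
    }
    return $cache;
}

for my $lookup (\&state_by_id, \&state_by_note) {
    undef $cache;
    my $first = MockConn->new(42);        # first client completes the handshake
    $lookup->($first)->{authed} = 1;
    my $second = MockConn->new(42);       # new connection, same id value
    my $inherited = $lookup->($second)->{authed};
    print $inherited ? "second connection inherits auth state\n"
                     : "second connection starts a new handshake\n";
}
```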
Re: Apache-AuthenNTLM-2.07 and ModPerl 1.99_16
Posted by Chris Hughes <ch...@fysh.org>.
On Sun, 26 Sep 2004, Shannon Eric Peevey wrote:
> Now that I am looking at the code, why would we need to add a space to
> the end of $conn -> remote_host()?
>
> $conn -> remote_host ($conn -> remote_host . ' ') ;
It does this so it can tell if the authentication sequence has already
started on a new connection (where it does $conn->remote_host ne
$cache->{remote_host}). It seems a pretty hacky way of doing it, mind.
Note the comments by this code:
# we cannot attach our object to the connection record. Since in
# Apache 1.3 there is only one connection at a time per process
# we can cache our object and check if the connection has changed.
# The check is done by slightly changing the remote_host member, which
# persists as long as the connection does
# This has to be reworked to work with Apache 2.0
ta,
Chris
Re: Apache-AuthenNTLM-2.07 and ModPerl 1.99_16
Posted by Shannon Eric Peevey <sp...@erikin.com>.
>
> Actually, when I think more about this, it's a bad idea to have those
> values to be changed by any module. What if you have a keepalive
> connection, and some other, unrelated request comes in following the
> request that set some connection records values? Could that be a
> problem? I haven't looked at what this module does, so I can't tell,
> whether it's safe or not.
>
>> Here's a patch for AuthenNTLM.pm which uses $conn->notes, instead of
>> modifying $conn->remote_host, to compare the connections. I don't
>> have a
>> working NTLM setup but maybe give this a go and see how it works.
>
>
> That sounds like a much safer solution. Just because you could modify
> the connection record before, it doesn't mean that it's the right
> thing to do.
>
> I've turned quite a few fields to read-only exactly because of this,
> as there should be a good reason for having those writable, and once
> there is one we will open those up.
>
>
Now that I am looking at the code, why would we need to add a space to
the end of $conn -> remote_host()?
$conn -> remote_host ($conn -> remote_host . ' ') ;
speeves
cws
Re: Apache-AuthenNTLM-2.07 and ModPerl 1.99_16
Posted by Stas Bekman <st...@stason.org>.
Fred Moyer wrote:
>>I really have no idea about Apache-AuthenNTLM but to make it working
>>again you could apply the patch below and rebuild your mod-perl.
>
>
>>As far
>>as I can tell from the last mail from Stas it's going to be
>>read/writeable in future if one volunteers to write tests :-).
>
>
> I originally suggested that change as a result of reviewing the map
> structures after running into this same problem on a different method of a
> read only accessor breaking an existing module. So I am due some flak
> here for suggesting other methods be read-only, as it has broken something
> else. Maybe I can volunteer to write tests for those methods as a way of
> making amends.
Actually, when I think more about this, it's a bad idea to have those
values to be changed by any module. What if you have a keepalive
connection, and some other, unrelated request comes in following the
request that set some connection records values? Could that be a problem?
I haven't looked at what this module does, so I can't tell, whether it's
safe or not.
> Here's a patch for AuthenNTLM.pm which uses $conn->notes, instead of
> modifying $conn->remote_host, to compare the connections. I don't have a
> working NTLM setup but maybe give this a go and see how it works.
That sounds like a much safer solution. Just because you could modify the
connection record before, it doesn't mean that it's the right thing to do.
I've turned quite a few fields to read-only exactly because of this, as
there should be a good reason for having those writable, and once there is
one we will open those up.
--
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
Re: Apache-AuthenNTLM-2.07 and ModPerl 1.99_16
Posted by Fred Moyer <fr...@taperfriendlymusic.org>.
> I really have no idea about Apache-AuthenNTLM but to make it working
> again you could apply the patch below and rebuild your mod-perl.
> As far
> as I can tell from the last mail from Stas it's going to be
> read/writeable in future if one volunteers to write tests :-).
I originally suggested that change as a result of reviewing the map
structures after running into this same problem on a different method of a
read only accessor breaking an existing module. So I am due some flak
here for suggesting other methods be read-only, as it has broken something
else. Maybe I can volunteer to write tests for those methods as a way of
making amends.
Here's a patch for AuthenNTLM.pm which uses $conn->notes, instead of
modifying $conn->remote_host, to compare the connections. I don't have a
working NTLM setup but maybe give this a go and see how it works.
--- AuthenNTLM.pm 2004-09-20 12:44:03.028383768 -0400
+++ AuthenNTLM.pm 2004-09-20 12:58:02.975692368 -0400
@@ -542,14 +542,23 @@
# The check is done by slightly changing the remote_host member, which
# persists as long as the connection does
# This has to be reworked to work with Apache 2.0
- if (ref ($cache) ne $class || $$conn != $cache -> {connectionid} ||
$conn ->
remote_host ne $cache->{remote_host})
- {
- $conn -> remote_host ($conn -> remote_host . ' ') ;
- $self = {connectionid => $$conn, remote_host => $conn ->
remote_host} ;
- bless $self, $class ;
- $cache = $self ;
- print STDERR "[$$] AuthenNTLM: Setup new object\n" if ($debug) ;
+ if (ref ($cache) ne $class || $$conn != $cache->{connectionid} ||
+ (!MP2 && $conn->remote_host ne $cache->{remote_host}) ||
+ (MP2 && $conn->notes ne $cache->{notes}))
+ {
+ if (!MP2) {
+ $conn->remote_host ($conn -> remote_host . ' ') ;
+ $self = {connectionid => $$conn,
+ remote_host => $conn -> remote_host} ;
}
+ elsif (MP2) {
+ $conn->notes($$self);
+ $self = {connectionid => $$conn, notes => $conn->notes};
+ }
+ bless $self, $class ;
+ $cache = $self ;
+ print STDERR "[$$] AuthenNTLM: Setup new object\n" if ($debug) ;
+ }
else
{
$self = $cache ;
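Review bot: in the `elsif (MP2)` branch, `$conn->notes($$self);` runs one line before `$self = {connectionid => $$conn, notes => $conn->notes};` is assigned, so it dereferences whatever `$self` held previously (possibly nothing), and as a scalar dereference of what is about to become a hash reference. Assign `$self` first and store a plain marker value instead. The new condition `$conn->notes ne $cache->{notes}` also compares the stringified notes objects rather than a value stored in them, so the result depends on object identity; reading a named key from the notes table and comparing that would state the intent.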
Re: Apache-AuthenNTLM-2.07 and ModPerl 1.99_16
Posted by Tom Schindl <to...@gmx.at>.
Chris Hughes wrote:
> Fails as Apache-AuthenNTLM attempts to use Apache::Connection::remote_host
> to alter the remote hostname so it can check to see if it is the same
> connection when it is next called:
>
> From AuthenNTLM.pm:
> 539 # we cannot attach our object to the connection record. Since in
> 540 # Apache 1.3 there is only one connection at a time per process
> 541 # we can cache our object and check if the connection has changed.
> 542 # The check is done by slightly changing the remote_host member, which
> 543 # persists as long as the connection does
> 544 # This has to be reworked to work with Apache 2.0
> 545 if (ref ($cache) ne $class || $$conn != $cache -> {connectionid} || $conn -> remote_host ne $cache->{remote_host})
> 546 {
> 547 $conn -> remote_host ($conn -> remote_host . ' ') ;
> 548 $self = {connectionid => $$conn, remote_host => $conn -> remote_host} ;
>
See
http://gossamer-threads.com/lists/engine?list=modperl&do=search_results&search_forum=forum_4&search_string=%22Report+on+mp2+accessors+in+apache_structures.map%22&search_type=AND
This method is defined read-only. But it's suggested to make it
read/writeable again (see last message from stas).
The change has been introduced here:
http://cvs.apache.org/viewcvs.cgi/modperl-2.0/xs/maps/apache_structures.map?r1=text&tr1=1.41&r2=text&tr2=1.42&diff_format=h
And is also mentioned in the changelog
http://perl.apache.org/dist/mod_perl-2.0-current/Changes of 1.99_15.
I really have no idea about Apache-AuthenNTLM but to make it working
again you could apply the patch below and rebuild your mod-perl. As far
as I can tell from the last mail from Stas it's going to be
read/writeable in future if one volunteers to write tests :-).
Tom
> This breaks in 1.99_16, but AuthenNTLM suggests it has ModPerl 2 support
> written in, so is this something that has changed recently?
>
> I'm also not exactly sure why there are three checks (ie. that there is a
> cache object, that the cache object connection id is the same as the
> current, and then that the (altered) remote host name is the same in
> both). I would have thought it would be enough to compare the
> connectionid, but this seems to stay the same between connections..?
>
> Any ideas?
>
> ta,
>
> Chris
>
>