Posted to modperl@perl.apache.org by Marius Gavrilescu <ma...@ieval.ro> on 2013/11/16 23:35:06 UTC
Optional authentication / dynamic Require
I have a directory with subdirectories which are either:
- public, which means everybody (even unauthenticated users) should be
able to view them.
- private, which means only authenticated users who are also admins
should be able to view them.
What I've tried is:
<Directory /path/to/parent/directory/*/>
    AuthName MyApp
    PerlSetVar AuthenPassphraseRootdir /path/to/wherever
    PerlSetVar AuthzCapsRootdir /path/to/wherever
    PerlAuthenHandler Apache2::Authen::Passphrase
    PerlAuthzHandler Apache2::AuthzCaps
    PerlAuthzHandler MyApp::private
    Require admin-if-private
</Directory>
where MyApp::private looks like (simplified):
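use feature 'switch';                # enables given/when
use Apache2::Access ();              # provides $r->requires
use Apache2::RequestRec ();          # provides $r->user
use Apache2::Const qw(OK DECLINED);  # handler return codes

sub resource_is_private { ... }
sub is_admin { ... }

sub private {
    my $r = shift;
    # Walk every Require line that applies to this request
    for my $requirement (map { $_->{requirement} } @{$r->requires}) {
        my ($command, @args) = split ' ', $requirement;
        given ($command) {
            when ('admin-if-private') {
                # Public resources pass; private ones need an authenticated admin
                return OK if !resource_is_private || ($r->user && is_admin $r->user)
            }
        }
    }
    # No requirement matched or allowed the request: leave it to other handlers
    DECLINED
}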
However, apache2 asks for authentication for access to any subdirectory
(because of the Require directive), and denies access if the user
does not provide valid credentials.
One idea I had is to drop the require, and write a PerlInitHandler that
checks if the subdirectory is private and if yes it tells apache2 to
request authentication (but I don't know how to do this).
Another is to add a dummy PerlAuthenHandler that returns OK if the
subdirectory is public, and DECLINED otherwise. But it would have to run
before the other authentication handler, and I don't know how to order
handlers (Do the handlers run in the order of the Perl*Handler
directives? If yes, is this documented somewhere or may it change in a
future release?).
--
Marius Gavrilescu