Setting require in Authentication handler?

[Todd Chapman <to...@chaka.net>]

Can dir_config be used to set 'require' in an authentication handler?

I would then return DECLINED do that Apache's Basic auth handler would do
the heavy lifting of checking the password.

Thanks!

-Todd

Re: Setting require in Authentication handler?

[Peter Bi <mo...@att.net>]

A remark: in many cases, the authentication against the password file can be
replaced by verifying valid FTP/Telnet login to "localhost", not only
because the password (shadow) file is usually not avialble for Apache
account but also secure. In the ticketing system, the FTP/Telnet
authentication runs only at the first time of login and the follow-up access
can goes without re-FTP and so is pretty fast. Check this :
http://modperl.home.att.net


Peter Bi

----- Original Message -----
From: "Geoffrey Young" <ge...@modperlcookbook.org>
To: "Todd Chapman" <to...@chaka.net>
Cc: <mo...@perl.apache.org>
Sent: Monday, May 20, 2002 6:50 AM
Subject: Re: Setting require in Authentication handler?


>
>
> Todd Chapman wrote:
>
> > That makes sense. I can't use mod_auth because I can't set Require.
>
>
> well, if you're saying that you don't have the ability to set the Require
directive at all
> (as in you don't have access to edit httpd.conf), then you can't run any
authentication
> handler - mod_auth, mod_perl, or otherwise.  Apache core requires the
Require directive to
> be set to something before it will even try to run the authen/authz phases
of the request.
>
> so, you may be out of luck and need to resort to the CGI tricks of yore
where everything
> is clumped in the content-generation phase (and of which I'm not that
familiar).
>
> > I'm
> > using Basic authentication and text based password files. Unfortunately,
I
> > can't find an Apache::Auth* module that handles basic authentication
> > against text files. Did I miss it somewhere?
>
>
> I'm not sure, but it may not exist for the reason I stated eariler about
mod_perl not
> duplicating default Apache behavior.  IIRC, there is one that
authenticates against
> /etc/passwd, so maybe you can use that as an example of flat file based
processing.
>
> in general, though, the steps are pretty much the same no matter which
authentication
> method you choose.  see
>
>    http://www.modperlcookbook.org/code/ch13/Cookbook/Authenticate.pm
>
> for an example - all you need to do is replace the authenticate_user()
subroutine with
> calls that validate the user based on your own criteria.
>
> HTH
>
> --Geoff
>
>
>
>
>

Re: Setting require in Authentication handler?

[Todd Chapman <to...@chaka.net>]

On Mon, 20 May 2002, Geoffrey Young wrote:

> 
> 
> Todd Chapman wrote:
> 
> > That makes sense. I can't use mod_auth because I can't set Require. 
> 
> 
> well, if you're saying that you don't have the ability to set the Require directive at all 
> (as in you don't have access to edit httpd.conf), then you can't run any authentication 
> handler - mod_auth, mod_perl, or otherwise.  Apache core requires the Require directive to 
> be set to something before it will even try to run the authen/authz phases of the request.
> 
> so, you may be out of luck and need to resort to the CGI tricks of yore where everything 
> is clumped in the content-generation phase (and of which I'm not that familiar).

I can set Require, but I will have to ignore it's value since the realm, 
password file, and require are decided based on the URI.

> 
> > I'm
> > using Basic authentication and text based password files. Unfortunately, I
> > can't find an Apache::Auth* module that handles basic authentication
> > against text files. Did I miss it somewhere?
> 
> 
> I'm not sure, but it may not exist for the reason I stated eariler about mod_perl not 
> duplicating default Apache behavior.  IIRC, there is one that authenticates against 
> /etc/passwd, so maybe you can use that as an example of flat file based processing.
> 
> in general, though, the steps are pretty much the same no matter which authentication 
> method you choose.  see
> 
>    http://www.modperlcookbook.org/code/ch13/Cookbook/Authenticate.pm
> 
> for an example - all you need to do is replace the authenticate_user() subroutine with 
> calls that validate the user based on your own criteria.
> 

Thanks. Sounds like we need an Apache::AuthBasicFile since mod_auth
doesn't allow Require to be set dynamically.

-Todd

> HTH
> 
> --Geoff
> 
> 
> 
> 

Re: Setting require in Authentication handler?

[Geoffrey Young <ge...@modperlcookbook.org>]

Todd Chapman wrote:

> That makes sense. I can't use mod_auth because I can't set Require. 


well, if you're saying that you don't have the ability to set the Require directive at all 
(as in you don't have access to edit httpd.conf), then you can't run any authentication 
handler - mod_auth, mod_perl, or otherwise.  Apache core requires the Require directive to 
be set to something before it will even try to run the authen/authz phases of the request.

so, you may be out of luck and need to resort to the CGI tricks of yore where everything 
is clumped in the content-generation phase (and of which I'm not that familiar).

> I'm
> using Basic authentication and text based password files. Unfortunately, I
> can't find an Apache::Auth* module that handles basic authentication
> against text files. Did I miss it somewhere?


I'm not sure, but it may not exist for the reason I stated eariler about mod_perl not 
duplicating default Apache behavior.  IIRC, there is one that authenticates against 
/etc/passwd, so maybe you can use that as an example of flat file based processing.

in general, though, the steps are pretty much the same no matter which authentication 
method you choose.  see

   http://www.modperlcookbook.org/code/ch13/Cookbook/Authenticate.pm

for an example - all you need to do is replace the authenticate_user() subroutine with 
calls that validate the user based on your own criteria.

HTH

--Geoff

Re: Setting require in Authentication handler?

[Todd Chapman <to...@chaka.net>]

That makes sense. I can't use mod_auth because I can't set Require. I'm
using Basic authentication and text based password files. Unfortunately, I
can't find an Apache::Auth* module that handles basic authentication
against text files. Did I miss it somewhere?

Thanks.

-Todd

On Mon, 20 May 2002, Geoffrey Young wrote:

> 
> 
> > Does the cookbook have a code sample of checking the password for
> > basic authentication?
> 
> 
> well, not via .htpasswd files, no.  in general, it doesn't make much sense to use mod_perl 
> to duplicate the same things that Apache already does for you, since the Apache code is 
> faster, has had more eyeballs looking at it for longer, etc.  in that sense you wouldn't 
> want to write your own routine to just check a flat file.  where mod_perl really shines 
> wrt authentication is with all the other things Perl does well, such as using DBI to 
> authenticate against a database, or working with other schemes like SMB or Radius - see 
> the 25+ Apache::Auth* modules on CPAN for just about anything you could think of.
> 
> however, we do describe how to use the mod_perl API to interact with Apache the same way 
> mod_auth does using $r->get_basic_auth_pw() and $r->not_basic_auth_failure() in a few 
> different ways.  you will also find those two methods in the eagle book if you have it.
> 
> make sense?
> 
> --Geoff
> 
> 
> 

Re: Setting require in Authentication handler?

[Geoffrey Young <ge...@modperlcookbook.org>]

Todd Chapman wrote:

> I need to decide who has access based on the URI. I guess this means I
> can't use Apache's Basic auth module, since I can't dynamically set
> require. 


as I was saying, go ahead and set the Require directive on the <Location> (or whatever) 
that you want to protect.  if a URI comes in that you want to allow _without_ checking the 
password just call

$r->set_handlers(PerlAuthenHandler => [\&OK]);

which will essentially short-circuit Apache's default authentication mechanism before 
mod_auth gets the chance to step in.  you could do this from a PerlAccessHandler or (I 
suppose) a PerlTransHandler.  you could probably even just return OK from a 
PerlAuthenHandler if $r->uri =~ m/some_ok_uri/ and skip the previous code (though if you 
use something other than Require valid-user you'll have to skip the Authorization phase as 
well using a similar measure).

basically, mod_perl gives you a hook into authentication that lets you do whatever you 
want - returning OK says that you have validated the user using your own criteria, and 
mod_auth need not run.  returning DECLINED (as you mentioned earlier) allows mod_auth to run.

> Does the cookbook have a code sample of checking the password for
> basic authentication?


well, not via .htpasswd files, no.  in general, it doesn't make much sense to use mod_perl 
to duplicate the same things that Apache already does for you, since the Apache code is 
faster, has had more eyeballs looking at it for longer, etc.  in that sense you wouldn't 
want to write your own routine to just check a flat file.  where mod_perl really shines 
wrt authentication is with all the other things Perl does well, such as using DBI to 
authenticate against a database, or working with other schemes like SMB or Radius - see 
the 25+ Apache::Auth* modules on CPAN for just about anything you could think of.

however, we do describe how to use the mod_perl API to interact with Apache the same way 
mod_auth does using $r->get_basic_auth_pw() and $r->not_basic_auth_failure() in a few 
different ways.  you will also find those two methods in the eagle book if you have it.

make sense?

--Geoff

Re: Setting require in Authentication handler?

[Todd Chapman <to...@chaka.net>]

I need to decide who has access based on the URI. I guess this means I
can't use Apache's Basic auth module, since I can't dynamically set
require. Does the cookbook have a code sample of checking the password for
basic authentication?

-Todd

On Mon, 20 May 2002, Geoffrey Young wrote:

> 
> 
> Todd Chapman wrote:
> 
> > Can dir_config be used to set 'require' in an authentication handler?
> 
> 
> no.  dir_config() provides access to a mod_perl specific table of variables, not generic 
> Apache configuration directives.
> 
> there is no API for setting the Require directive - it needs to be in your httpd.conf.
> 
> 
> > I would then return DECLINED do that Apache's Basic auth handler would do
> > the heavy lifting of checking the password.
> 
> if you're looking to do conditional authentication what you really need to do is a bit 
> backward - turn on all authentication hooks using the Require directive then use your 
> handler to return OK when you don't want Apache to check the password.  See recipe 13.5 in 
> the cookbook for more information.
> 
> the "Satisfy any" Apache directive may be able to help as well if you're using host-based 
> criteria to determine whether you want to require a login.
> 
> HTH
> 
> --Geoff
> 

Re: Setting require in Authentication handler?

[Geoffrey Young <ge...@modperlcookbook.org>]

Todd Chapman wrote:

> Can dir_config be used to set 'require' in an authentication handler?


no.  dir_config() provides access to a mod_perl specific table of variables, not generic 
Apache configuration directives.

there is no API for setting the Require directive - it needs to be in your httpd.conf.


> I would then return DECLINED do that Apache's Basic auth handler would do
> the heavy lifting of checking the password.

if you're looking to do conditional authentication what you really need to do is a bit 
backward - turn on all authentication hooks using the Require directive then use your 
handler to return OK when you don't want Apache to check the password.  See recipe 13.5 in 
the cookbook for more information.

the "Satisfy any" Apache directive may be able to help as well if you're using host-based 
criteria to determine whether you want to require a login.

HTH

--Geoff