Posted to modperl@perl.apache.org by "Edward J. Sabol" <ed...@gmail.com> on 2019/10/20 23:35:28 UTC

Re: AuthCookieDBI and Apache 2.4

On Feb 12, 2019, at 2:25 PM, Edward J. Sabol <ed...@gmail.com> wrote:
> Hello! I have a project that has successfully used Apache2::AuthCookieDBI
> with mod_perl on Apache 2.2 and Apache 2.0 before that for many years. For
> various reasons, we are looking at moving this project to a new system that
> uses Apache 2.4 exclusively, and the custodians of this new system are
> disinclined to use Apache 2.2 even in a dual lightweight/heavyweight server
> configuration.
> 
> I know AuthCookie has been updated by the magnificent Michael Schout to
> support Apache 2.4, but AuthCookieDBI hasn't seen a release in many years.

> On Feb 21, 2019, at 3:52 PM, Edward J. Sabol <ed...@gmail.com> wrote:
> On Feb 21, 2019, at 5:22 AM, Vegard Vesterheim <ve...@uninett.no> wrote:
>> I registered a ticket against Apache2-AuthCookieDBI regarding this issue
>> a long time ago:
>> 
>> https://rt.cpan.org/Public/Bug/Display.html?id=106663
>> 
>> We do not use this any longer. But, given that the ticket is still open,
>> I wonder if this ticket could be closed, or at least commented upon.
> 
> I don't think it should be closed until the issue is resolved. I've
> personally also filed an issue on the author's GitHub for this:
> 
> https://github.com/matisse/Apache-AuthCookieDBI/issues/2
> 
> The author did respond recently to that issue, but doesn't seem to be
> terribly interested in fixing it. If anyone wants to help collaborate on a
> pull request, however, maybe we can actually help resolve this.

Eight months later (really it only took one day of coding--most of the
time/effort was getting our dev system upgraded to use Apache 2.4.41 and
mod_perl 2.0.11), I've successfully ported Apache2::AuthCookieDBI's group
authorization to work with Apache 2.4.x. It works on my system, and I am
now looking at submitting a pull request on GitHub for this issue. I
submitted a couple of PRs to
https://github.com/matisse/Apache-AuthCookieDBI over the summer, and the
maintainer released a new version. So I'm hopeful we can get a new release
out with Apache 2.4.x support baked in.

Before (or after) submitting the PR, would anyone be interested in
reviewing my code for correctness?

I also had several questions:

Currently, the group authz code is in a separate Apache2_4::AuthCookieDBI
module which inherits from Apache2::AuthCookieDBI. I was wondering if the
code could be moved to Apache2::AuthCookieDBI and the separate file could
be eliminated. Any suggestions or tips on doing that? The AUTHZ_*
Apache2::Const's needed for Apache 2.4.x authz are a problem, I think? Do
they exist on Apache versions less than 2.4.0?

Along those lines, what's the best way to determine the Apache version in
non-testsuite code? Should I use Apache::Test's have_min_apache_version()
regardless?

Apache2::AuthCookieDBI stashes the valid/authorized group in
$r->subprocess_env('AUTH_COOKIE_DBI_GROUP') so that higher-level interface
code can reference it. To eliminate multiple database queries for the same
request (at one point, I was seeing 4+ requests per request since the URL
was a directory and Apache was authz'ing the directory and then the
index.html in that directory), I was wondering if checking for the presence
of $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') and using that instead of
querying the database again was secure? It all seems to work in my testing
and it drastically cuts down on repeated database queries, but I'm worried I
might be doing something insecure.

Thanks,
Ed

Re: AuthCookieDBI and Apache 2.4

Posted by "Edward J. Sabol" <ed...@gmail.com>.
On Oct 20, 2019, at 7:35 PM, Edward J. Sabol <ed...@gmail.com> wrote:
> I've successfully ported Apache2::AuthCookieDBI's group
> authorization to work with Apache 2.4.x. It works on my system, and I am
> now looking at submitting a pull request on GitHub for this issue.

In case anyone is interested:
https://github.com/matisse/Apache-AuthCookieDBI/pull/6
https://github.com/esabol/Apache-AuthCookieDBI/blob/apache-2.4.x-support/lib/Apache2_4/AuthCookieDBI.pm

I could still use answers to the following questions:

> [...] what's the best way to determine the Apache version in
> non-testsuite code? Should I use Apache::Test's have_min_apache_version()
> regardless?
> 
> Apache2::AuthCookieDBI stashes the valid/authorized group in
> $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') so that higher-level interface
> code can reference it. To eliminate multiple database queries for the same
> request (at one point, I was seeing 4+ requests per request since the URL
> was a directory and Apache was authz'ing the directory and then the
> index.html in that directory), I was wondering if checking for the presence
> of $r->subprocess_env('AUTH_COOKIE_DBI_GROUP') and using that instead of
> querying the database again was secure? It all seems to work in my testing
> and it drastically cuts down on repeated database queries, but I'm worried I
> might be doing something insecure.

Thanks,
Ed
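Added example (not code from this thread or from Apache2::AuthCookieDBI) showing one way to keep the Apache 2.4 group verdict across the subrequests Apache issues for a directory without re-querying the database: a per-request cache in pnotes on the main request, keyed by user and group, instead of relying on subprocess_env. The package name, the `my-cookie-group` provider name, the `MyGroupDSN` variable and the groups table layout are assumptions.

```perl
package My::AuthzCookieGroupCached;   # hypothetical package, not part of AuthCookieDBI
use strict;
use warnings;
use DBI ();
use Apache2::RequestRec ();    # $r->user, $r->main, $r->subprocess_env
use Apache2::RequestUtil ();   # $r->pnotes, $r->dir_config
use Apache2::Const -compile => qw(AUTHZ_GRANTED AUTHZ_DENIED AUTHZ_DENIED_NO_USER);

# httpd.conf (assumed):
#   PerlAddAuthzProvider my-cookie-group My::AuthzCookieGroupCached->handler
#   PerlSetVar           MyGroupDSN      dbi:SQLite:dbname=/path/to/groups.db
#   Require              my-cookie-group admins editors

sub handler {
    my ($r, $requires) = @_;          # Apache 2.4 authz provider: request + Require arguments
    my $user = $r->user;
    return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $user && length $user;

    # Keep the cache on the main request object: the subrequests Apache issues
    # for a directory (DirectoryIndex lookup, negotiation) see the same entry
    # and skip the database. pnotes is per-request Perl memory that no Apache
    # directive writes to, whereas subprocess_env is shared with mod_env,
    # mod_setenvif and CGI-style variables.
    my $main  = $r->main || $r;
    my $cache = $main->pnotes('authz_group_cache');
    unless ($cache) {
        $cache = {};
        $main->pnotes('authz_group_cache', $cache);
    }

    for my $group (split /\s+/, $requires) {
        my $key = "$user\0$group";    # keyed by user too, so a cached verdict never applies to another user
        $cache->{$key} = user_in_group($r, $user, $group) unless exists $cache->{$key};
        next unless $cache->{$key};
        $r->subprocess_env('AUTH_COOKIE_DBI_GROUP', $group);  # still exported for downstream code
        return Apache2::Const::AUTHZ_GRANTED;
    }
    return Apache2::Const::AUTHZ_DENIED;
}

# Group membership lookup. Assumed schema: a groups table with columns grp and
# user; the real module reads table and column names from its configuration.
sub user_in_group {
    my ($r, $user, $group) = @_;
    my $dbh = DBI->connect($r->dir_config('MyGroupDSN'), undef, undef,
                           { RaiseError => 1, PrintError => 0 });
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM groups WHERE grp = ? AND user = ?', undef, $group, $user);
    return $n ? 1 : 0;
}
1;
```

Because the cache lives on the main request, an internal redirect or a new request starts with an empty cache, so a group change in the database is picked up on the next request rather than being served from stale state.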