Posted to modperl@perl.apache.org by "André Warnier (tomcat)" <aw...@ice-sa.com> on 2019/02/21 09:41:14 UTC

Re: [a bit OT] AuthCookieDBI and Apache 2.4

On 21.02.2019 00:01, Paul B. Henson wrote:
> On Wed, Feb 20, 2019 at 05:56:48PM -0500, Edward J. Sabol wrote:
>
>> Any pointers to a working AuthzProvider written in Perl (like for the
>> "species" one) in your examples? It's not perfectly clear to me how to
>> go about that.
>
> I wrote one for CAS auth a while back:
>
> https://github.com/pbhenson/Apache2-AuthCASpbh/blob/master/lib/Apache2/AuthCASpbh/Authz.pm
>

Nice example.

What I found a bit "jarring" when I ported my own auth/authz modules (*) to Apache 2.4 is 
this: with Apache 2.4,

1) the "authz" function is now called *first* (before any authentication module has been 
called - even non-perl add-on ones),
and
2) it *can* be called 2 or more times during the same request cycle
and
3) the "authz" function, in Apache 2.4, is much more "at the mercy" of whatever 
Authentication module is being called, and what it does precisely (e.g. /if/ and /when/ it 
sets $r->user)
and
4) the precise formulation (and imbrication) of the <Require> sections and directives is 
very important
and
5) there seems to be no real mod_perl-level (or even Apache-httpd-level) documentation 
available, which explains the above in a general context, rather than for any specific 
perl module.
A good explanation is provided by Michael Schout in 
https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod, and this 
should be "required reading" for anyone playing with AAA under Apache 2.4; but it is still 
somewhat oriented to the specific (and otherwise excellent, I never tire of repeating 
that) Apache2::AuthCookie module.
It would be good to integrate some version of this directly in the on-line mod_perl 
documentation, but it is a bit obscure how to go about that.

(*) sorry, not really in a shape or style where I would be willing to share them 
universally; but on a one-to-one basis, I would not mind if anyone is interested.


Re: [a bit OT] AuthCookieDBI and Apache 2.4

Posted by "Paul B. Henson" <he...@acm.org>.
On 2/21/2019 9:46 AM, Michael Schout wrote:
> 
> Another common thing I've seen people do is return an invalid
> Apache2::Const value from an Authz provider.  You must return one of a

Yup, been there done that :).

> I pieced this together, if my memory is correct, from apache mailing
> list posts, as well as reading the source code of apache itself.  I'm
> not sure I found any definitive guide on the changes when I did this,
> and it involved a good deal of research at the time.

Thanks much for putting that together, I found it an invaluable (and 
unique) resource in figuring out how that black box worked 8-/.

Re: [a bit OT] AuthCookieDBI and Apache 2.4

Posted by Michael Schout <ms...@gkg.net>.
On 2/21/19 3:41 AM, André Warnier (tomcat) wrote:

> 1) the "authz" function is now called *first* (before any authentication
> module has been called - even non-perl add-on ones),
> and
> 2) it *can* be called 2 or more times during the same request cycle
> and

Yes, and this allows you to do "Anonymous" authorization.  If you don't
want to do that, you simply do

  return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $r->user

at the top of your Authz provider.  The second time the handler is
called, $r->user will be set so that you can authorize "authenticated"
users.

But this is indeed one of the major things that confuses people when
moving to 2.4.

Another common thing I've seen people do is return an invalid
Apache2::Const value from an Authz provider.  You must return one of a
very specific list of values from the provider (See the
README.apache-2.4 in AuthCookie which discusses this).

> 5) there seems to be no real mod_perl-level (or even Apache-httpd-level)
> documentation available, which explains the above in a general context,
> rather than for any specific perl module.
> A good explanation is provided by Michael Schout in
> https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod,

I pieced this together, if my memory is correct, from apache mailing
list posts, as well as reading the source code of apache itself.  I'm
not sure I found any definitive guide on the changes when I did this,
and it involved a good deal of research at the time.

I had hoped to see all of this codified into some kind of general
mod_perl migration guide for Apache 2.4, similar to what happened when
we all had to migrate from Apache 1.3 to Apache 2.  Something similar to
what is on perl.apache.org [1].  But I am unsure if that site is even
maintained any longer.

Anyway, another example of an authz provider is in AuthCookie [2], where
I re-implemented apache's core authz provider, before realizing it was
not needed.

1: https://perl.apache.org/docs/2.0/user/porting/compat.html
2:
https://github.com/mschout/apache-authcookie/blob/master/lib/Apache2_4/AuthCookie.pm#L18

Regards,
Michael Schout
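The two-pass behaviour described in the thread (the authz provider is called once before any authentication handler has run, with $r->user undefined, and again after authentication succeeded), put into a minimal provider as an added example. This is not code from the thread, from Apache2::AuthCookie or from Apache2-AuthCASpbh. It assumes mod_perl 2.0.9 or later (where the AUTHZ_* constants exist), that the provider is registered with `PerlAddAuthzProvider species My::Authz::Species->authz_handler` and used with `Require species lemur gibbon`, and that the method receives the class name, the request and the Require argument string in that order; the `%SPECIES_OF` table is constructed sample data standing in for a real lookup.

```perl
package My::Authz::Species;

# Added example, not from the thread: an Apache 2.4 authz provider for mod_perl.
# Assumed registration (httpd.conf):
#   PerlAddAuthzProvider species My::Authz::Species->authz_handler
#   <Location /zoo>
#       AuthType ...          # any authn module that sets $r->user
#       Require species lemur gibbon
#   </Location>

use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Log ();
use Apache2::Const -compile => qw(
    AUTHZ_GRANTED AUTHZ_DENIED AUTHZ_DENIED_NO_USER AUTHZ_GENERAL_ERROR
);

# Constructed sample data; a real provider would query a directory or database.
my %SPECIES_OF = (
    alice => 'lemur',
    bob   => 'gibbon',
    carol => 'tarsier',
);

sub authz_handler {
    # Assumed calling convention: class, request object, text after "Require species".
    my ($class, $r, $requires) = @_;

    # Pass 1: httpd runs authz providers before any authn handler, so $r->user
    # is still undef. AUTHZ_DENIED_NO_USER tells httpd to authenticate and call
    # us again; returning AUTHZ_GRANTED here would permit anonymous access.
    return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $r->user;

    # Pass 2: authentication succeeded and $r->user is set.
    my @allowed = split ' ', ($requires // '');
    unless (@allowed) {
        # A misconfigured Require line is a server error, not a user denial.
        $r->log_error('Require species: no species listed');
        return Apache2::Const::AUTHZ_GENERAL_ERROR;
    }

    my $user    = $r->user;
    my $species = $SPECIES_OF{$user};
    if (defined $species && grep { $_ eq $species } @allowed) {
        return Apache2::Const::AUTHZ_GRANTED;
    }

    # Deny explicitly. Providers must return only AUTHZ_* values; OK, DECLINED
    # or FORBIDDEN here is the invalid-return mistake mentioned in the thread.
    $r->log_error(sprintf 'authz species: user %s (species %s) not in [%s]',
        $user, $species // 'unknown', join(', ', @allowed));
    return Apache2::Const::AUTHZ_DENIED;
}

1;
```

Because the provider may run more than once per request, it keeps no per-request state and does all its work from `$r->user` and the Require arguments on each call; a user who authenticates but is not in `%SPECIES_OF` ends up in the AUTHZ_DENIED branch with a log line naming the user and the allowed list, which is what an operator wants to see when debugging a denial.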