You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Kean Johnston <ke...@gmail.com> on 2014/01/17 05:02:20 UTC

Question about mod_authnz_fcgi.c

This module registers itself as an authentication provider with 
ap_register_auth_provider(). However, it *also* registers as a hook with 
ap_hook_check_authn(). The two cases are similar, but subtly different (the 
latter sets r->user, the former does not). My question is, why would you 
need both? What functionality is gained by the hook? Also, I see code that 
prevents authz from running if its a combined authn/authz, but nothing to 
prevent the FastCGI backend being called twice for authn. Both 
fcgi_check_authn() and fcgi_check_password() call the FastCGI application 
with the same role. I don't understand enough about the authn pipeline to 
know if this is prevented in some other way. Any clarification greatly 
welcomed.

Kean

Re: Question about mod_authnz_fcgi.c

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Jan 16, 2014 at 11:02 PM, Kean Johnston <ke...@gmail.com>wrote:

> This module registers itself as an authentication provider with
> ap_register_auth_provider(). However, it *also* registers as a hook with
> ap_hook_check_authn(). The two cases are similar, but subtly different (the
> latter sets r->user, the former does not). My question is, why would you
> need both? What functionality is gained by the hook?


Provider is nice and simple and fits nicely with most bundled authn
implementations.

The lower-level API is required to provide some additional features:

1. allowing the FastCGI app to control the response body on failure
2. allowing the user id to be determined by different mechanisms
3. (possibly something else I forgot)

FastCGI authorizers running under Zeus had these capabilities, and they
were implemented here to support migration of an authorizer from Zeus.
 (The first item listed is a feature of the FastCGI spec that had not been
implemented before for Apache httpd AFAICT.)



> Also, I see code that prevents authz from running if its a combined
> authn/authz, but nothing to prevent the FastCGI backend being called twice
> for authn. Both fcgi_check_authn() and fcgi_check_password() call the
> FastCGI application with the same role. I don't understand enough about the
> authn pipeline to know if this is prevented in some other way. Any
> clarification greatly welcomed.


mod_authnz_fcgi runs before mod_auth_basic; the authoritative flag controls
whether or not it can allow basic "providers" (potentially including a
FastCGI-based provider) to try to authenticate.


>
>
> Kean
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/