Posted to modperl@perl.apache.org by Jonathan Vanasco <jv...@mastersofbranding.com> on 2005/02/11 19:46:20 UTC

Question: Integrating session user authentication/cgi interaction with static served items

This is a bad subject, so let me elaborate on what is going on:

I have a mod_perl webapp that handles content permissions for 
'authenticated' and non-authenticated users.
'Authenticated' users are ones with a valid session-id from a login 
subroutine.  This is not Apache-style dialog box authentication.

This works fine for cgi content, but I would like to 'protect' certain 
directories of images/templates/etc from being accessed by people who 
are not logged in.

After glancing around the mod_perl cookbook and practical mod_perl 
books, I think I can simply call a mod_perl hook to set the user as 
authenticated and (I imagine) use some sort of apache auth system.

Can anyone confirm this, and/or suggest some good approaches?

Also, shooting myself in the foot on this: in the future I would like 
to split the server into 2 processes, an httpd and an httpd_perl, so 
mod_perl overhead is only used when necessary.  I can't even imagine 
any way to handle passing the user authentication from one server to 
the other for that.  Perhaps there is some method and it's not too hard? 
Or maybe there's a known hack, like embedding a 1px transparent gif 
with the right auth info so it can auth if needed?

help?! 


Re: Question: Integrating session user authentication/cgi interaction with static served items

Posted by Perrin Harkins <pe...@elem.com>.
On Fri, 2005-02-11 at 15:17 -0500, Jonathan Vanasco wrote:
> But I don't see why I can't run mod_auth_tkt as an apache1 server 
> looking for validation for ht_docs, then recreate a compatible 
> authticket generator using mod_perl (which I'd imagine is just an md5 
> of a shared secret + configurable session vars)

Right, that's what we do.  We compile mod_auth_tkt into the proxy
server.

> I could probably even use some other server that just handles static 
> serving and can handle cookies.

Not with mod_auth_tkt, unless it can run apache modules.

> I thought about thttpd, and was looking at the performance chart here: 
> http://www.acme.com/software/thttpd/serverperf.gif - which kinda makes 
> apache look abysmal and zeus godlike.

That graph is 7 years old and many things have changed since then.
thttpd is good for spitting out graphics, as long as you don't need
auth, or SSL, or fancy logging, or URL manipulation, or any of the other
things that make apache useful.  A stripped down apache server does just
fine for serving images on all but the most demanding sites, and it's
simpler than messing with multiple kinds of servers, so it's my first
choice for a proxy/image server.

- Perrin
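
Added example (not from the original posts, and not mod_auth_tkt's code or cookie format): the shared-secret ticket idea discussed in this thread, where the mod_perl server issues a signed cookie value and the static/proxy server validates it using only the shared secret. The field layout, the names make_ticket/check_ticket, the secret, and the use of HMAC-SHA256 in place of a bare MD5 are assumptions for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed setup: both servers read the same secret from their local config.
my $SECRET  = 'constructed-demo-secret';
my $MAX_AGE = 3600;    # seconds a ticket stays valid

# App server (mod_perl) side: build the cookie value after a successful login.
sub make_ticket {
    my ($uid, $tokens, $now) = @_;
    $now //= time;
    die "uid/tokens must not contain '!'\n" if "$uid$tokens" =~ /!/;
    my $payload = join '!', $uid, $tokens, $now;
    return $payload . '!' . hmac_sha256_hex($payload, $SECRET);
}

# Constant-time comparison so the check does not leak how many characters matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Static/proxy server side: validate the cookie without contacting the app server.
# Returns the uid on success, nothing (undef in scalar context) on any failure.
sub check_ticket {
    my ($ticket, $required_token, $now) = @_;
    $now //= time;
    my ($uid, $tokens, $ts, $mac) =
        ($ticket // '') =~ /\A([^!]+)!([^!]*)!(\d+)!([0-9a-f]{64})\z/
        or return;                                    # malformed cookie
    return unless ct_eq($mac, hmac_sha256_hex("$uid!$tokens!$ts", $SECRET));
    return if $ts > $now || $now - $ts > $MAX_AGE;    # future-dated or expired
    return unless grep { $_ eq $required_token } split /,/, $tokens;
    return $uid;
}

# Constructed sample data: one ticket checked under four conditions.
my $t = make_ticket('alice', 'member,images', 1108150000);
(my $forged = $t) =~ s/\Aalice/admin/;    # uid changed, original MAC kept
printf "%-9s %s\n", $_->[0], check_ticket(@$_[1..3]) // 'REJECTED' for
    [valid   => $t,      'images', 1108150600],
    [expired => $t,      'images', 1108160000],
    [no_token => $t,     'admin',  1108150600],
    [forged  => $forged, 'images', 1108150600];
```

The secret never leaves the two servers; the cookie carries only the signed fields, so it should still be sent over TLS to keep it from being replayed within its lifetime.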


Re: Question: Integrating session user authentication/cgi interaction with static served items

Posted by Jonathan Vanasco <jv...@mastersofbranding.com>.
On Feb 11, 2005, at 2:19 PM, Perrin Harkins wrote:

> We use mod_auth_tkt, but it only supports apache 1.x.  I'd like to find
> something equivalent for 2.x.
>
> It is cookie-based and allows for different levels of auth.  A pretty
> useful mod, especially since you can share auth with web apps written
> in PHP or Java.

I'm assuming that the mod_auth_tkt is this one:
	http://www.openfusion.com.au/labs/mod_auth_tkt/

I think that I could use that, or something similar.

Right now, I'm running mod_perl as Apache2/MP2

But I don't see why I can't run mod_auth_tkt as an apache1 server 
looking for validation for ht_docs, then recreate a compatible 
authticket generator using mod_perl (which I'd imagine is just an md5 
of a shared secret + configurable session vars)

I could probably even use some other server that just handles static 
serving and can handle cookies.
I thought about thttpd, and was looking at the performance chart here: 
http://www.acme.com/software/thttpd/serverperf.gif - which kinda makes 
apache look abysmal and zeus godlike.


Re: Question: Integrating session user authentication/cgi interaction with static served items

Posted by Perrin Harkins <pe...@elem.com>.
On Fri, 2005-02-11 at 13:46 -0500, Jonathan Vanasco wrote:
> After glancing around the mod_perl cookbook and practical mod_perl 
> books, I think I can simply call a mod_perl hook to set the user as 
> authenticated and (I imagine) use some sort of apache auth system.

You would need to use something like a cookie.

> Also, shooting myself in the foot on this: in the future I would like 
> to split the server into 2 processes, an httpd and an httpd_perl, so 
> mod_perl overhead is only used when necessary.  I can't even imagine 
> any way to handle passing the user authentication from one server to 
> the other for that.  Perhaps there is some method and it's not too hard? 

We use mod_auth_tkt, but it only supports apache 1.x.  I'd like to find
something equivalent for 2.x.

It is cookie-based and allows for different levels of auth.  A pretty
useful mod, especially since you can share auth with web apps written in
PHP or Java.

- Perrin