You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Torsten Krah <kr...@gmail.com> on 2017/09/25 11:23:36 UTC
[users@httpd] httpd 2.4 - mod_lua question: LuaHookAuthChecker hook is not called
Hi,
i am using httpd 2.4.10 (trusty-backports) one and configured my default
virtual host like this:
<Location />
# translation works
#LuaHookTranslateName /etc/apache2/auth.lua silly_mapper
LuaHookAuthChecker /etc/apache2/auth.lua authcheck_hook
AllowOverride All
#Require foo valid-user
</Location>
The silly_mapper gets called.
But no matter what i try, i can't get the LuaHookAuthChecker working.
Loglevel is debug - but my script is not called (from observing and
according to the debug logs) - it's a 1:1 copy of the example from:
https://httpd.apache.org/docs/2.4/mod/mod_lua.html#luahookauthchecker
Looking at:
https://httpd.apache.org/docs/2.4/mod/mod_lua.html#writinghooks
it should be called in the "Check Authorization" phase.
Anyone an idea what's wrong or what i need to do or can try, to get this
working?
thanks and kind regards
Torsten
Re: [users@httpd] httpd 2.4 - mod_lua question: LuaHookAuthChecker
hook is not called
Posted by Torsten Krah <kr...@gmail.com>.
Am Dienstag, den 26.09.2017, 09:42 +0200 schrieb Torsten Krah:
> Hm ... so at least the docs should be changed?
FYI: Made a pull request https://github.com/apache/httpd/pull/38
Torsten
Re: [users@httpd] httpd 2.4 - mod_lua question: LuaHookAuthChecker
hook is not called
Posted by Torsten Krah <kr...@gmail.com>.
Am Dienstag, den 26.09.2017, 09:28 +0200 schrieb Torsten Krah:
> I thought and wanted to use what the docs are suggesting to use the
> LuaHookAuthChecker to customize user authentication.
> Implementation seems todo something else.
To answer myself, changing:
LuaHookAuthChecker /etc/apache2/auth.lua authcheck_hook
to
LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook
does solve that problem :D
Hm ... so at least the docs should be changed? But what about those
other new 2.4 hooks? Ideas?
kind regards
Torsten
Re: [users@httpd] httpd 2.4 - mod_lua question: LuaHookAuthChecker
hook is not called
Posted by Torsten Krah <kr...@gmail.com>.
Am Montag, den 25.09.2017, 10:29 -0400 schrieb Eric Covener:
> Sorry, a bit swamped today, but AFAICT that is not what an
> auth_checker is underlying httpd API, so I tentatively think that lua
> dev doc is incorrect.
>
> Please have a look at include/http_request.h and server/request.c
> where the hooks are called.
Hi Eric,
btw thanks for answering ;). Continuing this topic:
Reading include/http_request.h (line number 505+):
/**
* Register a hook function that will analyze the request
headers,
* authenticate the user, and set the user information in the request
record.
* @param pf A check_user_id hook function
* @param aszPre A NULL-terminated array of strings that name modules
whose
* hooks should precede this one
* @param aszSucc A NULL-terminated array of strings that name modules
whose
* hooks should succeed this one
* @param nOrder An integer determining order before honouring aszPre
and
* aszSucc (for example, HOOK_MIDDLE)
* @param type Internal request processing mode, either
* AP_AUTH_INTERNAL_PER_URI or AP_AUTH_INTERNAL_PER_CONF
*/
AP_DECLARE(void) ap_hook_check_authn(ap_HOOK_check_user_id_t
*pf,
const char * const
*aszPre,
const char * const
*aszSucc,
int nOrder, int type);
Imho this one reads like the hook which mod_lua should / can use to make
those examples correct, right?
But you're right - reading mod_lua.c:
LuaHookAuthChecker -> register_auth_checker_hook is used which does
that:
return register_named_file_function_hook("auth_checker", cmd, _cfg,
file, function,apr_hook_when);
which just uses auth_checker callback which reads:
/**
* This hook is used to check to see if the resource being requested
* is available for the authenticated user (r->user and
r->ap_auth_type).
* It runs after the access_checker and check_user_id hooks. Note that
* it will *only* be called if Apache determines that access control has
* been applied to this resource (through a 'Require' directive). This
* hook should be registered with ap_hook_check_authz().
*
* @param r the current request
* @return OK, DECLINED, or HTTP_...
* @ingroup hooks
* @see ap_hook_check_authz
*/
AP_DECLARE_HOOK(int,auth_checker,(request_rec *r))
So this is a little pita ;-).
I thought and wanted to use what the docs are suggesting to use the
LuaHookAuthChecker to customize user authentication.
Implementation seems todo something else.
BUT there is the "ap_hook_check_authn" hook which reads like the
function i want to register with mod_lua.
Unfortunately it seems (via grep) that lua does not implement that hook.
Question: Who is in charge here? Are the docs correct and that is what
was planned to be implemented? In that case those other function should
be used (ap_hook_check_authn).
Or is there a need to support both usecases?
Can we extend mod_lua to support both or change the current code to use
the ap_hook_check_authn function?
kind regards
Torsten
Re: [users@httpd] httpd 2.4 - mod_lua question: LuaHookAuthChecker
hook is not called
Posted by Eric Covener <co...@gmail.com>.
Sorry, a bit swamped today, but AFAICT that is not what an
auth_checker is underlying httpd API, so I tentatively think that lua
dev doc is incorrect.
Please have a look at include/http_request.h and server/request.c
where the hooks are called.
On Mon, Sep 25, 2017 at 9:47 AM, Torsten Krah <kr...@gmail.com> wrote:
> Am Montag, den 25.09.2017, 09:30 -0400 schrieb Eric Covener:
>> auth_checker is authorization that depends on authentication. You have
>> no authentication configured.
>>
>> The access_checker related ones are user-agnositc and run
>> before/without authentication.
>
> Reading:
>
> http://httpd.apache.org/docs/trunk/developer/lua.html#basic_auth
>
> there is the first example in Example 3:
>
> --[[
> A simple authentication hook that checks a table containing
> usernames and
> passwords of two accounts.
> ]]--
>
> and there is the second example which states:
>
> --[[
> An advanced authentication checker with a database backend,
> caching account entries for 1 minute
> ]]--
>
> So i was under the impression, that this auth_checker is responsible for
> authentication - in fact e.g. example 1 does authentication and tells
> the request processing which user is there and if it is a authenticated
> one (correct password).
>
> Imho:
>
> http://httpd.apache.org/docs/trunk/developer/lua.html#authz
>
> This one seems to be the one which does the authorization, e.g. checks
> if the authenticated user from Example 3 does have the correct group
> membership.
>
> If this is wrong like you're suggesting, how is this supposed to work?
> Opinions about that?
>
> kind regards
>
> Torsten
>
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] httpd 2.4 - mod_lua question: LuaHookAuthChecker
hook is not called
Posted by Torsten Krah <kr...@gmail.com>.
Am Montag, den 25.09.2017, 09:30 -0400 schrieb Eric Covener:
> auth_checker is authorization that depends on authentication. You have
> no authentication configured.
>
> The access_checker related ones are user-agnositc and run
> before/without authentication.
Reading:
http://httpd.apache.org/docs/trunk/developer/lua.html#basic_auth
there is the first example in Example 3:
--[[
A simple authentication hook that checks a table containing
usernames and
passwords of two accounts.
]]--
and there is the second example which states:
--[[
An advanced authentication checker with a database backend,
caching account entries for 1 minute
]]--
So i was under the impression, that this auth_checker is responsible for
authentication - in fact e.g. example 1 does authentication and tells
the request processing which user is there and if it is a authenticated
one (correct password).
Imho:
http://httpd.apache.org/docs/trunk/developer/lua.html#authz
This one seems to be the one which does the authorization, e.g. checks
if the authenticated user from Example 3 does have the correct group
membership.
If this is wrong like you're suggesting, how is this supposed to work?
Opinions about that?
kind regards
Torsten
Re: [users@httpd] httpd 2.4 - mod_lua question: LuaHookAuthChecker
hook is not called
Posted by Eric Covener <co...@gmail.com>.
On Mon, Sep 25, 2017 at 7:23 AM, Torsten Krah <kr...@gmail.com> wrote:
> Hi,
>
> i am using httpd 2.4.10 (trusty-backports) one and configured my default
> virtual host like this:
>
> <Location />
> # translation works
> #LuaHookTranslateName /etc/apache2/auth.lua silly_mapper
> LuaHookAuthChecker /etc/apache2/auth.lua authcheck_hook
> AllowOverride All
> #Require foo valid-user
> </Location>
>
> The silly_mapper gets called.
>
> But no matter what i try, i can't get the LuaHookAuthChecker working.
> Loglevel is debug - but my script is not called (from observing and
> according to the debug logs) - it's a 1:1 copy of the example from:
>
> https://httpd.apache.org/docs/2.4/mod/mod_lua.html#luahookauthchecker
>
> Looking at:
>
> https://httpd.apache.org/docs/2.4/mod/mod_lua.html#writinghooks
>
> it should be called in the "Check Authorization" phase.
>
> Anyone an idea what's wrong or what i need to do or can try, to get this
> working?
>
auth_checker is authorization that depends on authentication. You have
no authentication configured.
The access_checker related ones are user-agnositc and run
before/without authentication.
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org