Posted to modperl@perl.apache.org by Steffers <st...@chronozon.dyndns.org> on 2000/06/08 01:24:29 UTC

Apache, Mod_Perl and Custom Access/Authentication

hello,
	first let me apologise for just jumping straight into asking
questions on the mailing list, but this is really puzzling me. First
some background.

	I have been using perl for the past 3 years. I think (note
+think+) that I understand perl quite well, so when the job came up
at work here to tie the programs into Apache using mod_perl I 
figured it wouldn't be that hard. (Apache 1.3.12 and latest mod_perl)

	I am still trying to get out of my 'cgi' ways (exit and $| and
such forth), so the code attached may look a tad strange. apologies
again for that.

	The problem is, that I want to first have the access working
so that if someone doesn't have a cookie with 'sessionID' set in it,
then we know that they are a 'new user'.  In this case, no other checks
are needed (we require valid-user). 

	IF the sessionid is valid, then we move onto authentication
which in this case is simply firing off the username and password to
PostgreSQL. The way that PostgreSQL is setup, it uses encrypted 
passwords for connection, so simply getting a valid connection is
'good enough' to prove the user (in my eyes for the moment).

	So once they have connected up successfully, I cache the
DBI connection (by using Apache::DBI) and then create a sessionID
cookie for the user.

	This then means that the user will only have to 're-authenticate'
when the cookie times out. I don't know if I need to use the 'ping function'
to keep PostgreSQL alive, but that's a 'todo' for sure.

	So what am I doing wrong? There are probably a hundred things
here, and I +have+ read the FAQs and even the O'Reilly book, I don't see
anything glaring, but then this is why it's a learning process. (oh and
for what it's worth the database and Apache are working fine. it's my code
that has the 'features' (okay okay, bugs ;))

	Feel free to criticise my code/offer guidance/nudge improvements
	or just hit me with a large pointed stick ;)
	many thanks
	Stefs.


.htaccess
-------
PerlAccessHandler Apache::ResAcc
PerlAuthenHandler Apache::ResAuth
require valid-user



ResAcc.pm
--------
package Apache::ResAcc;
use strict;
use Apache::Constants qw(:common);
use Safe();

my $Safe=Safe->new;

use vars qw(@EXPORT $USE_THREAD $USE_SFIO $PERL_DIR);
use Exporter ();
use Config;
use FileHandle ();
*import = \&Exporter::import;

@EXPORT = qw(handler); 

use subs @EXPORT;


# This module will check for the presence of a sessionid and if found will
# allow access, otherwise it will print out the login screen with two inputs
# one for username and the other for password
sub handler 
{	my $r = shift;
    my $login = "<HTML>\n<HEAD></HEAD>\n<BODY>\n<BODY>#Imagine a password form here</BODY>\n</HTML>\n";


	my $header_ID=$r->header_in('sessionID');
	if ($header_ID ne "")
	{ # check the value in the database
	  # return declined if bad
	  # else return ok
	  return OK;
	}
    else
	{ $r->custom_response(FORBIDDEN, $login);
	  return FORBIDDEN; 
	}
}
1;



ResAuth.pm
--------
package Apache::ResAuth;

use strict;
use Apache::Constants qw(:common);
use Apache::Registry;
use CGI qw(:standard);
use DBI;

use vars qw(@EXPORT $USE_THREAD $USE_SFIO $PERL_DIR);
use Exporter ();
use Config;
use FileHandle ();
*import = \&Exporter::import;

@EXPORT = qw(handler); 

use subs @EXPORT;

sub handler {
    my $r = shift;
    
    # get user's authentication credentials
	my ($username,$password) = map { param($_) } qw(user pass);
    
    my $reason = authenticate($r, $username, $password);
 
    if($reason) {
   	$r->note_basic_auth_failure;
   	$r->log_reason($reason, $r->filename);
   	return AUTH_REQUIRED;
                    }
	 my $query=CGI::new(); 
	 my $my_cookie=$query->cookie(-name=>'sessionID',
				  -value=>'1',
				  -path=>'/',
				  -expires=>'+30m');
	 $r->header_out->add("Set-cookie"=>$my_cookie);
    return OK;
}

sub authenticate {
    my($r, $username, $password) = @_;

    $username && $password or return 'empty user names and passwords disallowed';
    my $db_dsn=$r->dir_config('ResAuth') || 'dbi:Pg:host=legion dbname=mms_post';
    my $databh = DBI->connect($db_dsn,$username,$password) || return "couldn't open database";

    # if we get here, all is well
    return "";
}

1;


Re: Apache, Mod_Perl and Custom Access/Authentication

Posted by Drew Taylor <dt...@vialogix.com>.
Steffers wrote:
> 
> hello,
>         first let me apologise for just jumping straight into asking
> questions on the mailing list, but this is really puzzling me. First
> some background.
> 
>         I have been using perl for the past 3 years. I think (note
> +think+) that I understand perl quite well, so when the job came up
> at work here to tie the programs into Apache using mod_perl I
> figured it wouldn't be that hard. (Apache 1.3.12 and latest mod_perl)
> 
>         I am still trying to get out of my 'cgi' ways (exit and $| and
> such forth), so the code attached may look a tad strange. apologies
> again for that.
> 
>         The problem is, that I want to first have the access working
> so that if someone doesn't have a cookie with 'sessionID' set in it,
> then we know that they are a 'new user'.  In this case, no other checks
> are needed (we require valid-user).
> 
>         IF the sessionid is valid, then we move onto authentication
> which in this case is simply firing off the username and password to
> PostgreSQL. The way that PostgreSQL is setup, it uses encrypted
> passwords for connection, so simply getting a valid connection is
> 'good enough' to prove the user (in my eyes for the moment).
> 
>         So once they have connected up successfully, I cache the
> DBI connection (by using Apache::DBI) and then create a sessionID
> cookie for the user.
> 
>         This then means that the user will only have to 're-authenticate'
> when the cookie times out. I don't know if I need to use the 'ping function'
> to keep PostgreSQL alive, but that's a 'todo' for sure.
> 
>         So what am I doing wrong? There are probably a hundred things
> here, and I +have+ read the FAQs and even the O'Reilly book, I don't see
> anything glaring, but then this is why it's a learning process. (oh and
> for what it's worth the database and Apache are working fine. it's my code
> that has the 'features' (okay okay, bugs ;))
> 
>         Feel free to criticise my code/offer guidance/nudge improvements
>         or just hit me with a large pointed stick ;)
>         many thanks
>         Stefs.
> 
> .htaccess
> -------
> PerlAccessHandler Apache::ResAcc
> PerlAuthenHandler Apache::ResAuth
> require valid-user
> 
> ResAcc.pm
> --------
> package Apache::ResAcc;
> use strict;
> use Apache::Constants qw(:common);
> use Safe();
> 
> my $Safe=Safe->new;
> 
> use vars qw(@EXPORT $USE_THREAD $USE_SFIO $PERL_DIR);
> use Exporter ();
> use Config;
> use FileHandle ();
> *import = \&Exporter::import;
> 
> @EXPORT = qw(handler);
> 
> use subs @EXPORT;
> 
> # This module will check for the presence of a sessionid and if found will
> # allow access, otherwise it will print out the login screen with two inputs
> # one for username and the other for password
> sub handler
> {       my $r = shift;
>     my $login = "<HTML>\n<HEAD></HEAD>\n<BODY>\n<BODY>#Imagine a password form here</BODY>\n</HTML>\n";
> 
>         my $header_ID=$r->header_in('sessionID');
If you're trying to get at the cookie, this is not the way. Either use
Apache::Cookie or CGI.pm to get the cookie contents.


>          my $query=CGI::new();
>          my $my_cookie=$query->cookie(-name=>'sessionID',
>                                   -value=>'1',
>                                   -path=>'/',
>                                   -expires=>'+30m');
>          $r->header_out->add("Set-cookie"=>$my_cookie);
>     return OK;
> }
This code is good. But it doesn't jive with what you have above. Try
making the first handler() actually get the cookie. Or am I missing
something?

-- 
Drew Taylor
Vialogix Communications, Inc.
501 N. College Street
Charlotte, NC 28202
704 370 0550
http://www.vialogix.com/
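
Added example (not part of either poster's message): reading the sessionID cookie with CGI.pm's CGI::Cookie, as suggested in the reply, combined with the "check the value in the database" step that ResAcc.pm leaves as a comment. The %SESSIONS table, the 32-hex-digit ID format and both helper names are assumptions made for the illustration.

```perl
use strict;
use warnings;
use CGI::Cookie ();

# Constructed session store: session ID => expiry time (epoch seconds).
# Assumption: a real handler would look the ID up in the database instead.
my %SESSIONS = (
    '3f9c0a5e7b1d4c2288a6e0f4d9b7c1a3' => time() + 1800,    # live
    '0b7e4d2a9c6f4e118d3a5c7f1e9b2d40' => time() - 60,      # expired
);

# Return the sessionID cookie value from a raw Cookie request header.
sub session_id_from_header {
    my ($cookie_header) = @_;
    return unless defined $cookie_header && length $cookie_header;
    my %cookies = CGI::Cookie->parse($cookie_header);
    my $cookie  = $cookies{sessionID} or return;
    return scalar $cookie->value;
}

# True only for a well-formed, known and unexpired session ID, so the
# mere presence of a cookie (for example the fixed value '1') is not enough.
sub session_is_valid {
    my ($sid) = @_;
    return 0 unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;
    my $expires = $SESSIONS{$sid} or return 0;
    return $expires > time() ? 1 : 0;
}

# Constructed Cookie headers. In a mod_perl 1 access handler the header
# would come from $r->header_in('Cookie') and the result would decide
# between returning OK and FORBIDDEN.
my @headers = (
    'theme=dark; sessionID=3f9c0a5e7b1d4c2288a6e0f4d9b7c1a3',
    'sessionID=0b7e4d2a9c6f4e118d3a5c7f1e9b2d40',
    'sessionID=1',
    'theme=dark',
    '',
);

for my $header (@headers) {
    my $sid = session_id_from_header($header);
    printf "%-56s => %s\n", "'$header'",
        session_is_valid($sid) ? 'OK' : 'FORBIDDEN';
}
```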