Posted to users@httpd.apache.org by Jesse Norell <je...@kci.net> on 2018/10/02 00:10:37 UTC

Re: [users@httpd] use cookie value as auth username

I'm still interested in any ideas to try to set REMOTE_USER from a
cookie value.


AuthBasicFake sounds like it would work, but when I use it authz_dbd
still complains:

   AH00027: No authentication done but request not allowed without
   authentication for /whatever/file.txt. Authentication not
   configured?

Does that sound like a bug/deficiency in AuthBasicFake?  Ie. it appears
it didn't 'fake' authentication enough for an authorization module to
think that it had been configured.


mod_auth_env looks like it would work, but isn't packaged for debian so
doesn't work well for my needs (creating a tutorial for users to follow
after they've installed apache & modules from debian packages).

This patch looks like just the ticket, but isn't included upstream so
of course the same source/packaging issue as with mod_auth_env:
https://github.com/jkbzh/apache2_mod_authz_dbd

If I can't find any other way I might have to just use mod_auth_env
(assuming it will work) and provide instructions for how to build and
install the .deb file, but I'd sure rather use stock modules.

Thanks!
Jesse


On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote:
> Hello,
> 
>   I'm trying to use an authz_dbd query to authorize based on the value
> of a cookie (ie. if PHPSESSID cookie is set, a db query can test if it
> should be authorized).  It seems the only parameter AUTHzDBDQuery will
> supply to the sql query is the username in place of %s; this could work
> if I could set what REMOTE_USER should be prior to the query running,
> but I haven't found a way to do so.  Eg. here the username for the
> query is from the auth provider (anon), the SetEnv doesn't the query:
> 
> <Directory "/whatever/">
>   AuthName "Name"
>   AuthType Basic
>   AuthBasicProvider anon
> 
>   Anonymous_NoUserID on
>   Anonymous_MustGiveEmail off
>   Anonymous anonymous "*"
> 
>   SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1
> 
>   Require dbd-group foo
> 
>   # this will work, for any username entered in the browser:
>   #AuthzDBDQuery "SELECT 'foo' FROM sys_session"
> 
>   # this does not work to obtain %s from PHPSESSID:
>   AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s"
> 
> </Directory>
> 
>   I'm pretty sure I must convince apache to set a new REMOTE_USER (or
> httpd_username?) internal variable, not an environment variable, but I
> don't see how.  If I don't specify any AuthType, or set it to None, the
> AuthzDBDQuery never runs and the error.log says it requires
> authentication but authentication is not set up.  Any ideas are
> appreciated - thanks!
> 
>   I'm running 2.4.25-3+deb9u5 from debian stretch.
> 
> Thanks,
> Jesse Norell 
> 
-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] use cookie value as auth username

Posted by Jesse Norell <je...@kci.net.INVALID>.
For the archives, should someone come across this, the solution I
found was to use mod_auth_env, which worked to set REMOTE_USER from a
cookie value so AuthzDBDQuery could use that in the query.  From my
previous contrived example, it would look like:

<IfModule mod_setenvif.c>
  SetEnvIf Cookie "PHPSESSID=([^ ;]+)" phpsessid=$1
</IfModule>

<Directory "/whatever/">
  <IfModule mod_auth_env.c>
    AuthType Env
    AuthEnvUser phpsessid
  </IfModule>

  <RequireAll>
    Require env phpsessid
    Require dbd-group foo
  </RequireAll>

  # this now works, to set %s from PHPSESSID cookie:
  AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s"

</Directory>



On Mon, 2018-10-01 at 18:10 -0600, Jesse Norell wrote:
> I'm still interested in any ideas to try to set REMOTE_USER from a
> cookie value.
> 
> 
> AuthBasicFake sounds like it would work, but when I use it authz_dbd
> still complains:
> 
>    AH00027: No authentication done but request not allowed without
>    authentication for /whatever/file.txt. Authentication not
>    configured?
> 
> Does that sound like a bug/deficiency in AuthBasicFake?  Ie. it
> appears it didn't 'fake' authentication enough for an authorization
> module to think that it had been configured.
> 
> 
> mod_auth_env looks like it would work, but isn't packaged for debian
> so doesn't work well for my needs (creating a tutorial for users to
> follow after they've installed apache & modules from debian
> packages).
> 
> This patch looks like just the ticket, but isn't included upstream so
> of course the same source/packaging issue as with mod_auth_env:  
>   https://github.com/jkbzh/apache2_mod_authz_dbd
> 
> If I can't find any other way I might have to just use mod_auth_env
> (assuming it will work) and provide instructions for how to build and
> install the .deb file, but I'd sure rather use stock modules.
> 
> Thanks!
> Jesse
> 
> 
> On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote:
> > Hello,
> > 
> >   I'm trying to use an authz_dbd query to authorize based on the
> > value of a cookie (ie. if PHPSESSID cookie is set, a db query can
> > test if it should be authorized).  It seems the only parameter
> > AUTHzDBDQuery will supply to the sql query is the username in place
> > of %s; this could work if I could set what REMOTE_USER should be
> > prior to the query running, but I haven't found a way to do so.  Eg.
> > here the username for the query is from the auth provider (anon),
> > the SetEnv doesn't the query:
> > 
> > <Directory "/whatever/">
> >   AuthName "Name"
> >   AuthType Basic
> >   AuthBasicProvider anon
> > 
> >   Anonymous_NoUserID on
> >   Anonymous_MustGiveEmail off
> >   Anonymous anonymous "*"
> > 
> >   SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1
> > 
> >   Require dbd-group foo
> > 
> >   # this will work, for any username entered in the browser:
> >   #AuthzDBDQuery "SELECT 'foo' FROM sys_session"
> > 
> >   # this does not work to obtain %s from PHPSESSID:
> >   AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s"
> > 
> > </Directory>
> > 
> >   I'm pretty sure I must convince apache to set a new REMOTE_USER
> > (or httpd_username?) internal variable, not an environment variable,
> > but I don't see how.  If I don't specify any AuthType, or set it to
> > None, the AuthzDBDQuery never runs and the error.log says it
> > requires authentication but authentication is not set up.  Any ideas
> > are appreciated - thanks!
> > 
> >   I'm running 2.4.25-3+deb9u5 from debian stretch.
> > 
> > Thanks,
> > Jesse Norell 
> > 

-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net
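
Added example, not part of the original posts and not code from httpd or mod_auth_env: a Python simulation of why the cookie pattern changed from `[^ ]+` in the first config to `[^ ;]+` in the working one, followed through to the `sys_session` lookup. The in-memory table, the sample Cookie headers and the `ANCHORED` pattern are assumptions constructed here; the thread only shows the first two patterns.

```python
import re
import sqlite3

# Patterns as posted in the thread (SetEnvIf matches anywhere in the header).
ORIGINAL = re.compile(r"PHPSESSID=([^ ]+)")
REVISED = re.compile(r"PHPSESSID=([^ ;]+)")
# Assumption (not from the thread): also require a cookie-name boundary.
ANCHORED = re.compile(r"(?:^|;\s*)PHPSESSID=([^ ;]+)")


def extract(pattern, cookie_header):
    """Return the value SetEnvIf would capture as $1, or None if no match."""
    m = pattern.search(cookie_header)
    return m.group(1) if m else None


def make_db():
    """Constructed stand-in for the sys_session table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sys_session (session_id TEXT PRIMARY KEY)")
    db.execute("INSERT INTO sys_session VALUES ('abc123')")
    return db


def authorized(db, user, group="foo"):
    """Mimic Require dbd-group foo: the user is bound as the single parameter."""
    if user is None:  # corresponds to Require env phpsessid failing
        return False
    rows = db.execute("SELECT 'foo' FROM sys_session WHERE session_id = ?", (user,))
    return any(r[0] == group for r in rows)


def check(pattern, cookie_header):
    return authorized(make_db(), extract(pattern, cookie_header))


# Constructed Cookie headers.
ONLY = "PHPSESSID=abc123"
FIRST = "PHPSESSID=abc123; theme=dark"   # another cookie follows
LOOKALIKE = "XPHPSESSID=abc123"          # name merely ends in PHPSESSID

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("revised", REVISED), ("anchored", ANCHORED)):
        for hdr in (ONLY, FIRST, LOOKALIKE):
            print(f"{name:9} {hdr!r:32} -> {extract(pat, hdr)!r:10} {check(pat, hdr)}")
```

With this setup the session ID is the request's REMOTE_USER, which is the value the `%u` field of the common and combined log formats records.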

