You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Jesse Norell <je...@kci.net> on 2018/10/02 00:10:37 UTC
Re: [users@httpd] use cookie value as auth username
I'm still interested in any ideas to try to set REMOTE_USER from a
cookie value.
AuthBasicFake sounds like it would work, but when I use it authz_dbd
still complains:
AH00027: No authentication done but request not allowed without
authentication for /whatever/file.txt. Authentication not
configured?
Does that sound like a bug/deficiency in AuthBasicFake? Ie. it appears
it didn't 'fake' authentication enough for an authorization module to
think that it had been configured.
mod_auth_env looks like it would work, but isn't packaged for debian so
doesn't work well for my needs (creating a tutorial for users to follow
after they've installed apache & modules from debian packages).
This patch looks like just the ticket, but isn't included upstream so
of course the same source/packaging issue as with mod_auth_env:
https://github.com/jkbzh/apache2_mod_authz_dbd
If I can't find any other way I might have to just use mod_auth_env
(assuming it will work) and provide instructions for how to build and
install the .deb file, but I'd sure rather use stock modules.
Thanks!
Jesse
On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote:
> Hello,
>
> I'm trying to use an authz_dbd query to authorize based on the
> value
> of a cookie (ie. if PHPSESSID cookie is set, a db query can test if
> it
> should be authorized). It seems the only parameter AUTHzDBDQuery
> will
> supply to the sql query is the username in place of %s; this could
> work
> if I could set what REMOTE_USER should be prior to the query running,
> but I haven't found a way to do so. Eg. here the username for the
> query is from the auth provider (anon), the SetEnv doesn't the query:
>
> <Directory "/whatever/">
> AuthName "Name"
> AuthType Basic
> AuthBasicProvider anon
>
> Anonymous_NoUserID on
> Anonymous_MustGiveEmail off
> Anonymous anonymous "*"
>
> SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1
>
> Require dbd-group foo
>
> # this will work, for any username entered in the browser:
> #AuthzDBDQuery "SELECT 'foo' FROM sys_session"
>
> # this does not work to obtain %s from PHPSESSID:
> AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s"
>
> </Directory>
>
> I'm pretty sure I must convince apache to set a new REMOTE_USER (or
> httpd_username?) internal variable, not an environment variable, but
> I
> don't see how. If I don't specify any AuthType, or set it to None,
> the
> AuthzDBDQuery never runs and the error.log says it requires
> authentication but authentication is not set up. Any ideas are
> appreciated - thanks!
>
> I'm running 2.4.25-3+deb9u5 from debian stretch.
>
> Thanks,
> Jesse Norell
>
--
Jesse Norell
Kentec Communications, Inc.
970-522-8107 - www.kci.net
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] use cookie value as auth username
Posted by Jesse Norell <je...@kci.net.INVALID>.
For the archives, should someone comes across this, the solution I
found was to use mod_auth_env, which worked to set REMOTE_USER from a
cookie value so AuthzDBDQuery could use that in the query. From my
previous contrived example, it would look like:
<IfModule mod_setenvif.c>
SetEnvIf Cookie "PHPSESSID=([^ ;]+)" phpsessid=$1
</IfModule>
<Directory "/whatever/">
<IfModule mod_auth_env.c>
AuthType Env
AuthEnvUser phpsessid
<
/IfModule>
<RequireAll>
Require env phpsessid
Require dbd-group foo
</RequireAll>
# this now works, to set %s from PHPSESSID cookie:
AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s"
</Directory>
On Mon, 2018-10-01 at 18:10 -0600, Jesse Norell wrote:
> I'm still interested in any ideas to try to set REMOTE_USER from a
> cookie value.
>
>
> AuthBasicFake sounds like it would work, but when I use it authz_dbd
> still complains:
>
> AH00027: No authentication done but request not allowed without
> authentication for /whatever/file.txt. Authentication not
> configured?
>
> Does that sound like a bug/deficiency in AuthBasicFake? Ie. it
> appears it didn't 'fake' authentication enough for an authorization
> module to think that it had been configured.
>
>
> mod_auth_env looks like it would work, but isn't packaged for debian
> so doesn't work well for my needs (creating a tutorial for users to
> follow after they've installed apache & modules from debian
> packages).
>
> This patch looks like just the ticket, but isn't included upstream so
> of course the same source/packaging issue as with mod_auth_env:
> https://github.com/jkbzh/apache2_mod_authz_dbd
>
> If I can't find any other way I might have to just use mod_auth_env
> (assuming it will work) and provide instructions for how to build and
> install the .deb file, but I'd sure rather use stock modules.
>
> Thanks!
> Jesse
>
>
> On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote:
> > Hello,
> >
> > I'm trying to use an authz_dbd query to authorize based on the
> > value
> > of a cookie (ie. if PHPSESSID cookie is set, a db query can test if
> > it
> > should be authorized). It seems the only parameter AUTHzDBDQuery
> > will
> > supply to the sql query is the username in place of %s; this could
> > work
> > if I could set what REMOTE_USER should be prior to the query
> > running,
> > but I haven't found a way to do so. Eg. here the username for the
> > query is from the auth provider (anon), the SetEnv doesn't the
> > query:
> >
> > <Directory "/whatever/">
> > AuthName "Name"
> > AuthType Basic
> > AuthBasicProvider anon
> >
> > Anonymous_NoUserID on
> > Anonymous_MustGiveEmail off
> > Anonymous anonymous "*"
> >
> > SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1
> >
> > Require dbd-group foo
> >
> > # this will work, for any username entered in the browser:
> > #AuthzDBDQuery "SELECT 'foo' FROM sys_session"
> >
> > # this does not work to obtain %s from PHPSESSID:
> > AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id =
> > %s"
> >
> > </Directory>
> >
> > I'm pretty sure I must convince apache to set a new REMOTE_USER
> > (or
> > httpd_username?) internal variable, not an environment variable,
> > but
> > I
> > don't see how. If I don't specify any AuthType, or set it to None,
> > the
> > AuthzDBDQuery never runs and the error.log says it requires
> > authentication but authentication is not set up. Any ideas are
> > appreciated - thanks!
> >
> > I'm running 2.4.25-3+deb9u5 from debian stretch.
> >
> > Thanks,
> > Jesse Norell
> >
--
Jesse Norell
Kentec Communications, Inc.
970-522-8107 - www.kci.net
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org