Posted to modperl@perl.apache.org by Charlie Garrison <ga...@zeta.org.au> on 2003/08/26 13:06:05 UTC

Ticket/cookie based authentication for mod_perl and static frontend

Good evening,

I have done a bit of research and found some possible solutions, but none of
them seem to be exactly what I want. First, the problem I need to solve...

I need to protect resources in both the static (proxy) front-end and the
mod_perl back-end. I have been using standard http authentication which works
pretty well except for not allowing a proper logout function and some caching
issues which result in occasional false FORBIDDEN responses. Since a proper
logout has become an important requirement, I am looking for other solutions.

Since I need the user credentials in the mod_perl app, I'm not happy to leave
all authentication to the front-end proxy server unless it sets the user
credentials (or some other values) before passing along the request.

I have looked at the following apache modules (for v1.3):

    Cookie Authentication   Version 1.9
    Fake Basic Authentication using Cookies
    Module homepage at ftp://ftp.kciLink.com/pub/mod_auth_cookie.c.gz
    
    Cookie Authentication with MySQL    Version 1.0
    Authentication against a MySQL database with a
    cryptographically secure cookie.
    Module homepage at http://www.qwk.net/opensource/mod_auth_cookie_mysql/
    
    mod_auth_mda    Version 2.1
    Realms for document tree and fast login for user using MD5 signed cookies.
    Module homepage at http://www.frogdot.org/mod_auth_mda/


The first one, Cookie Authentication, looks nice and simple and should do what
I want. It sets the user credentials from a cookie to be processed by another
module in the request chain. But I'd prefer to have the authentication handled
by the same module. There are some caching issues with the current auth module
which I'd like to avoid (by not using the current module any longer).

The second one, Cookie Authentication with MySQL, looks like a very good
option, except for two issues. First, it doesn't support the 'require group...'
directive. And second, it doesn't appear to cache mysql connections so I am
concerned about the increased load from lots of quick connections.

The third one, mod_auth_mda, is probably my favourite choice (for a variety of
reasons). But it doesn't have any sample code for creating the MD5 signed
cookies with perl, and I'm not sure I feel confident about creating the needed
functions myself. All the sample code is written in Java.

Additionally, all of the above solutions require the use of cookies. It would
be nice if I could also use a URI (eg. path info) rather than just a cookie
solution.


I feel that someone must have already solved this issue so any suggestions or
advice would be appreciated. Are there any modules which I have missed? Are
the perceived problems with the above modules really an issue, or should I be
able to use one of them without any problems?

Thanks,
Charlie

-- 
   Charlie Garrison    garrison@zeta.org.au
   PO Box 141, Windsor, NSW 2756, Australia 


-- 
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html


Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Charlie Garrison <ga...@zeta.org.au>.
Good morning,

On 26/8/03 at 8:26 PM +0200, Thomas Klausner <do...@zsi.at> wrote:

>Hi!
>
>On Die, Aug 26, 2003 at 09:06:05 +1000, Charlie Garrison wrote:
>
>>I need to protect resources in both the static (proxy) front-end and
>>the mod_perl back-end. I have been using standard http authentication
>>which works pretty well except for not allowing a proper logout
>>function and some caching issues which result in occasional false
>>FORBIDDEN responses. Since a proper logout has become an important
>>requirement, I am looking for other solutions.
>
>Did you take a look at Apache::AuthCookie?
>http://search.cpan.org/author/MSCHOUT/Apache-AuthCookie-3.04/

Yes, I've looked at Auth::Cookie, and if I needed a mod_perl only solution, it
would be perfect.

>>Since I need the user credentials in the mod_perl app, I'm not happy
>>to leave all authentication to the front-end proxy server unless it
>>sets the user credentials (or some other values) before passing along
>>the request.
>
>As AuthCookie is a mod_perl handler, you would have to put the
>Authentication into the backend. Depending on how you generate the session
>key (i.e. the value of the Auth Cookie), you should be able to use the
>cookie in the frontend using one of the modules you mentioned (although I
>don't know any of them..)

Which sort of brings me back full circle. I'm happy to write the backend
(modperl) support myself for whatever the frontend module requires. But the
module that I would choose (mod_auth_mda) doesn't have perl examples for
creating the MD5 cookie, and I'm only borderline confident that I can take
their java examples along with the documentation to figure out perl routines
for the cookie creation.

I'm still hoping someone has already solved this issue of shared
authentication scheme between static frontend and modperl backend servers.

Thanks,
Charlie
-- 
   Charlie Garrison    garrison@zeta.org.au
   PO Box 141, Windsor, NSW 2756, Australia 



Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Thomas Klausner <do...@zsi.at>.
Hi!

On Die, Aug 26, 2003 at 09:06:05 +1000, Charlie Garrison wrote:

> I need to protect resources in both the static (proxy) front-end and the
> mod_perl back-end. I have been using standard http authentication which works
> pretty well except for not allowing a proper logout function and some caching
> issues which result in occasional false FORBIDDEN responses. Since a proper
> logout has become an important requirement, I am looking for other solutions.

Did you take a look at Apache::AuthCookie?
  http://search.cpan.org/author/MSCHOUT/Apache-AuthCookie-3.04/

> Since I need the user credentials in the mod_perl app, I'm not happy to leave
> all authentication to the front-end proxy server unless it sets the user
> credentials (or some other values) before passing along the request.

As AuthCookie is a mod_perl handler, you would have to put the
Authentication into the backend. Depending on how you generate the session
key (i.e. the value of the Auth Cookie), you should be able to use the
cookie in the frontend using one of the modules you mentioned (although I
don't know any of them..)


-- 
#!/usr/bin/perl                               http://domm.zsi.at
for(ref bless{},just'another'perl'hacker){s-:+-$"-g&&print$_.$/}



Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Charlie Garrison <ga...@zeta.org.au>.
Good afternoon,

On 27/8/03 at 9:45 AM -0400, Michael <ka...@thismetalsky.org> wrote:

>> Any other suggestions? 
>
>I'd think you'd want to have the same authentication process for both, and a
>shared database (or something) to store the session data.  Have the front-end
>do the login part, pass the client to the backend, which discovers that the
>client is already authenticated.

Using tickets for authentication will work with both the front and backend
servers. I was having problems finding a solution which had an apache module
(written in C) plus support/examples for perl to use in the backend. With
thanks to Cees Hek <ce...@sitesuite.com.au> I found mod_auth_tkt which does
just what I need.


Charlie
-- 
   Charlie Garrison    garrison@zeta.org.au
   PO Box 141, Windsor, NSW 2756, Australia 



Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Michael <ka...@thismetalsky.org>.
On Wed, Aug 27, 2003 at 15:45:11, Charlie Garrison said...

> >I haven't been 100% happy with any of the systems written by other
> >people so I've always just written my own.  It's a rather simple
> 
> Do you also write the apache module for the frontend server? I'm very
> competent at perl, but not competent enough to write an apache module.
> 
> Any other suggestions? 

I'd think you'd want to have the same authentication process for both, and a
shared database (or something) to store the session data.  Have the front-end
do the login part, pass the client to the backend, which discovers that the
client is already authenticated.

Are you looking for something that's just a drop-in solution, transparent to
the backend completely, not part of the backend software?  I'd think in that
case, you'd want something like PerlAuthenHandler and PerlAuthzHandler, let
them manage the logins and just pass the client down to the backend software.

I could still be way off here though.

-- 
Michael Stella  | Sr. Unix Engineer / Developer | http://www.thismetalsky.org



Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Charlie Garrison <ga...@zeta.org.au>.
Good afternoon,

On 27/8/03 at 9:37 AM -0400, Michael <ka...@thismetalsky.org> wrote:

>>The reason this question is mod_perl related is that he is doing the
>>initial authentication using mod_perl, and is creating a cookie based
>>ticket.  But he wants that ticket to also be accepted by a
>>non-mod_perl enabled server (ie a front end proxy).
>
>So the database connection has to persist from the mod_perl
>authentication scheme to the backend software?  Interesting...  Does
>that work?

This isn't really an issue with database connections. It's just the
authentication data/method that needs to persist for both. And that is handled
by a cookie/ticket authentication.

Thanks to Cees Hek <ce...@sitesuite.com.au> for helping me find a module I had
lost track of. The module is mod_auth_tkt and can be found here:

http://www.openfusion.com.au/labs/mod_auth_tkt/

I'm on my way to having an elegant solution now.

Thanks to all who responded.


Charlie
-- 
   Charlie Garrison    garrison@zeta.org.au
   PO Box 141, Windsor, NSW 2756, Australia 
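
An added example, not part of the thread and not the cookie format of mod_auth_tkt or any other module named here: a ticket the mod_perl back end can issue at login and that any server holding the same secret can verify. The field layout, the secret, the lifetime and the function names are assumptions, and HMAC-SHA-256 from the core Digest::SHA module is used in place of the MD5 signing mentioned for mod_auth_mda.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Constructed values for this example; both servers must share the secret.
my $SECRET  = 'constructed-example-secret';
my $MAX_AGE = 2 * 60 * 60;             # ticket lifetime in seconds

# Back end, after a successful login: build "uid!groups!hex-time!mac".
sub make_ticket {
    my ($uid, $groups, $now) = @_;
    die "bad uid\n" unless $uid =~ /\A[A-Za-z0-9_.\@-]+\z/;
    for my $g (@$groups) { die "bad group\n" unless $g =~ /\A[A-Za-z0-9_]+\z/ }
    my $payload = join '!', $uid, join(',', @$groups), sprintf('%08x', $now);
    return $payload . '!' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two hex strings without stopping at the first mismatch.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Either server, on every request: returns { uid, groups } or nothing.
sub check_ticket {
    my ($ticket, $now) = @_;
    my ($uid, $groups, $ts, $mac) = $ticket =~
        /\A([A-Za-z0-9_.\@-]+)!([A-Za-z0-9_,]*)!([0-9a-f]{8})!([0-9a-f]{64})\z/
        or return;
    return unless ct_eq($mac, hmac_sha256_hex("$uid!$groups!$ts", $SECRET));
    my $age = $now - hex($ts);
    return if $age < 0 || $age > $MAX_AGE;     # future-dated or expired
    return { uid => $uid, groups => [ split /,/, $groups ] };
}

# Constructed sample run: a fresh ticket, an edited group list, an old ticket.
my $now    = time;
my $ticket = make_ticket('charlie', [qw(staff editors)], $now);
(my $tampered = $ticket) =~ s/!staff,editors!/!staff,admin!/;

printf "%-9s %s\n", 'fresh:',    check_ticket($ticket,   $now + 60)           ? 'accepted' : 'rejected';
printf "%-9s %s\n", 'tampered:', check_ticket($tampered, $now + 60)           ? 'accepted' : 'rejected';
printf "%-9s %s\n", 'expired:',  check_ticket($ticket,   $now + $MAX_AGE + 1) ? 'accepted' : 'rejected';
```

Logging out clears the cookie in the browser, but a copy of the ticket still verifies until its lifetime runs out, so the lifetime should be short.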


-- 
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html


Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Michael <ka...@thismetalsky.org>.
On Wed, Aug 27, 2003 at 14:49:05, Cees Hek said...

> It was easy to miss in the email if you skimmed it, but he is looking for a C
> based module, so any perl based solutions are out.
 
Whoops, you're right, I did just skim it.

> The reason this question is mod_perl related is that he is doing the initial
> authentication using mod_perl, and is creating a cookie based ticket.  But he
> wants that ticket to also be accepted by a non-mod_perl enabled server (ie a
> front end proxy).

So the database connection has to persist from the mod_perl authentication
scheme to the backend software?  Interesting...  Does that work?

-- 
Michael Stella  | Sr. Unix Engineer / Developer | http://www.thismetalsky.org
If Bill Gates had a nickel for every time Windows crashed... 
..oh wait, he does.



Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Charlie Garrison <ga...@zeta.org.au>.
Good afternoon,

On 27/8/03 at 2:49 PM +1000, Cees Hek <ce...@sitesuite.com.au> wrote:

>> Umm, use Apache::DBI, that's what it's for.
>
>It was easy to miss in the email if you skimmed it, but he is looking for a C
>based module, so any perl based solutions are out.
>
>The reason this question is mod_perl related is that he is doing the initial
>authentication using mod_perl, and is creating a cookie based ticket.  But he
>wants that ticket to also be accepted by a non-mod_perl enabled server (ie a
>front end proxy).

Thanks for the clarification. And the requirement for something that works in
both modperl and non-modperl servers is also part of the subject line.

But I'll try to make the problem/requirements more clear in future emails.

Thanks,
Charlie
-- 
   Charlie Garrison    garrison@zeta.org.au
   PO Box 141, Windsor, NSW 2756, Australia 



Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Cees Hek <ce...@sitesuite.com.au>.
Quoting Michael <ka...@thismetalsky.org>:

> On Tue, Aug 26, 2003 at 21:06:05, Charlie Garrison said...
> 
> > The second one, Cookie Authentication with MySQL, looks like a very good
> > option, except for two issues. First, it doesn't support the 'require
> > group...' directive. And second, it doesn't appear to cache mysql
> > connections so I am concerned about the increased load from lots of quick
> > connections.
>  
> Umm, use Apache::DBI, that's what it's for.

It was easy to miss in the email if you skimmed it, but he is looking for a C
based module, so any perl based solutions are out.

The reason this question is mod_perl related is that he is doing the initial
authentication using mod_perl, and is creating a cookie based ticket.  But he
wants that ticket to also be accepted by a non-mod_perl enabled server (ie a
front end proxy).

Cheers,

Cees



Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Ged Haywood <ge...@www2.jubileegroup.co.uk>.
Hi there,

On Wed, 27 Aug 2003, Charlie Garrison wrote:

> Do you also write the apache module for the frontend server? I'm very
> competent at perl, but not competent enough to write an apache module.

It's not so hard.  There's a skeleton module in the Apache sources for
you to start with, take a look at it.

73,
Ged.




Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Charlie Garrison <ga...@zeta.org.au>.
Good afternoon,

On 27/8/03 at 12:05 AM -0400, Michael <ka...@thismetalsky.org> wrote:

>>The second one, Cookie Authentication with MySQL, looks like a very
>>good option, except for two issues. First, it doesn't support the
>>'require group...' directive. And second, it doesn't appear to cache
>>mysql connections so I am concerned about the increased load from
>>lots of quick connections.
>
>Umm, use Apache::DBI, that's what it's for.

Except that I'm looking for a solution which will also work in the static
(proxy) front-end. I'm currently using Apache::DBI for the backend and it
works well. I also want a solution which doesn't rely on browser based http
authentication since logging out is a requirement.


>>I feel that someone must have already solved this issue so any
>>suggestions or advice would be appreciated. Are there any modules
>>which I have missed? Are the perceived problems with the above
>>modules really an issue, or should I be able to use one of them
>>without any problems?
>
>I haven't been 100% happy with any of the systems written by other
>people so I've always just written my own.  It's a rather simple
>process.  Right now I have one method that uses cookies in one module,
>another that uses cookies but splits things up into separate modules,
>and a third that adds a (md5 hash) parameter to the URI.  All work
>very well, though I prefer the cookie method myself.

Do you also write the apache module for the frontend server? I'm very
competent at perl, but not competent enough to write an apache module.

Any other suggestions? 

Thanks,
Charlie
-- 
   Charlie Garrison    garrison@zeta.org.au
   PO Box 141, Windsor, NSW 2756, Australia 



Re: Ticket/cookie based authentication for mod_perl and static frontend

Posted by Michael <ka...@thismetalsky.org>.
On Tue, Aug 26, 2003 at 21:06:05, Charlie Garrison said...

> The second one, Cookie Authentication with MySQL, looks like a very good
> option, except for two issues. First, it doesn't support the 'require group...'
> directive. And second, it doesn't appear to cache mysql connections so I am
> concerned about the increased load from lots of quick connections.
 
Umm, use Apache::DBI, that's what it's for.

> I feel that someone must have already solved this issue so any suggestions or
> advice would be appreciated. Are there any modules which I have missed? Are
> the perceived problems with the above modules really an issue, or should I be
> able to use one of them without any problems?
 
I haven't been 100% happy with any of the systems written by other people so
I've always just written my own.  It's a rather simple process.  Right now I
have one method that uses cookies in one module, another that uses cookies but
splits things up into separate modules, and a third that adds a (md5 hash)
parameter to the URI.  All work very well, though I prefer the cookie method
myself.

If there's really nothing out there to add a hash to the URI, I could probably
be convinced to package up the code I have, simple as it may be.



-- 
Michael Stella  | Sr. Unix Engineer / Developer | http://www.thismetalsky.org
Knowledge is power. Power corrupts. Study hard. Be Evil. - Thyra

