On Tue, Sep 29, 2009 at 12:51 PM, Barry Scott <barry.sc...@onelan.co.uk>wrote:

> Barry Scott wrote:
>
>> Jeff Trawick wrote:
>>
>>> On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott
>>> <barry.sc...@onelan.co.uk> wrote:
>>>
>>>    Jeff Trawick wrote:
>>>
>>>        On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
>>>        <barry.sc...@onelan.co.uk> wrote:
>>>
>>>           The mod_fcgid page says to ask on dev; I assume that this is the
>>>           right place to ask.
>>>
>>>           I'm using mod_fcgid from svn with HTTPD 2.2.
>>>
>>>           I want to use a FastCGI authorizer to allow me to control
>>>           access based on my rules.
>>>           The authorizer needs to be a long-running process that never
>>>           exits.
>>>
>>>           I know that the fcgid code is noticing the directive because I
>>>           can change the filename and see the error message from the
>>>           sources.
>>>
>>>           But I'm at a loss as to what is required to get this
>>>           configuration to actually call my code.
>>>           mod_fcgid is not starting up the authorizer process.
>>>
>>>           I have the following fcgid-specific lines in my httpd.conf
>>>           file:
>>>
>>>           ---- httpd.conf ----
>>>           ...
>>>           LoadModule fcgid_module modules/mod_fcgid.so
>>>           ...
>>>
>>>           Listen *:9000
>>>           <VirtualHost *:9000>
>>>            <Location />
>>>                Order allow,deny
>>>                Allow from all
>>>                AuthType Digest
>>>
>>>
>>>        Did you really mean Digest authentication instead of Basic
>>>        authentication?
>>>
>>>        mod_fcgid only supports Basic, AFAICT.
>>>
>>>           /* Get the user password */
>>>           if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>>>               return res;
>>>
>>>
>>>    I don't want to be an authenticator, I want to be an authorizer.
>>>    An authorizer has no need of passwords, right?
>>>
>>>
>>> whoops :(
>>>
>>> yes
>>>
>>> your "require valid-user" implies that you don't need authorization; try
>>> "require valid-group" instead
>>>
>>
>> I want the user's password checked and to only proceed if it is valid.
>> I also want to run the fcgi Authorizer to check that the URL being
>> accessed is allowed according to the logic in my Authorizer code.
>>
>
"require valid-user" means that all it takes to access this resource is a
properly authenticated user.

If mod_authz_user sees "valid-user" during the authorization stage, it
returns OK and mod_fcgid's authorization hook is not called.  You want to
take it further and also run the authorizer, since a properly authenticated
user is not good enough.  So "require valid-user" or "require user xxx" or
other checks that can be made since the user is already known can't be used.

"require valid-group" is a hack to bypass checks that the AAA modules know
how to make (require user foo, require group bar, require ldap-group ...,
etc.).  There's no provision to allow a FastCGI authorizer app to implement
a particular authorization requirement. "require group foo" can also get
you to your authorizer (subject to what the group file module would do).  I
haven't checked if that required group name is available to your authorizer.

>
>> To that end I have the following:
>>
>>   <Location />
>>       Order allow,deny
>>       Allow from all
>>
>>       # Use digest auth to check the username/password pair
>>       AuthType Digest
>>       AuthName "Manager System"
>>       # no one gets in without a valid username/password pair
>>       Require valid-user
>>
>
mod_authz_user always returns OK from its authorization hook with this require

>
>>       # Use these files to find the passwd and group information
>>       AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
>>
>
not needed and maybe harmful depending on your require directive

>>       AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
>>
>>       # Run the Authorizer.sh to veto URL based on the username
>>       FastCgiAuthorizer
>> /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
>>
>>   </Location>
>>
>> What triggers HTTPD to call the Authorizer.sh code?
>> Surely not the commands that control authentication checks?
>>
>
yes, the require directive; furthermore, if authorization hooks called
before mod_fcgid's think they have answered the question authoritatively,
mod_fcgid won't be called

>
>> I cannot find Require valid-group defined in the 2.2 docs.
>>
>> Do you mean I need to add:
>>
>>             Require group nosuchgroup
>>
>
> This does not work...

because mod_authz_groupfile sees your AuthGroupFile and tries to answer
based on its contents (as well as whether or not that check is authoritative
(see
http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html#authzgroupfileauthoritative))?

>
>
>> And that will cause mod_authn_user (or whatever module) to try
>> and match nosuchgroup. When it fails, my Authenticator will be run
>> to see if it can handle that directive?
>>
>> Isn't this module crying out for a directive like:
>>
>>           Require fcgid-authenticater-user-is-valid
>>
>
I think so, but something appropriate for authorization, since the
mod_fcgid-driven authorization app shouldn't care how the user was
authenticated.
