On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott <barry.sc...@onelan.co.uk>wrote:
> At this point let me ask this:
>
> Is it possible with the current code to ever have the fcgid Authorizer
> called?
>
yes
This works for me, though it uses the unfortunate valid-group hack with
httpd 2.2 so that no authorizers running before fcgid think they should
evaluate:
<Location /docs>
<IfVersion >= 2.2>
AuthBasicAuthoritative Off
# AuthBasicProvider foo
</IfVersion>
# work around problem with AAA in mod_fcgid (it can't track more than
# one AAA script per URL, and even then the URL can't be handled by a
# FastCGI app)
#
# FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
# FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
# FastCgiAuthorizer %%MYHG%%/apache/fastcgi/apps/authorize.pl
FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
FastCgiAuthorizer %%MYHG%%/apache/fcgid/apps/aaa.pl
FastCgiAccessCheckerAuthoritative On
FastCgiAuthenticatorAuthoritative On
FastCgiAuthorizerAuthoritative On
AuthType Basic
AuthName "foo"
<IfVersion < 2.3>
<IfVersion < 2.2>
Require group foo
</IfVersion>
<IfVersion >= 2.2>
Require valid-group
</IfVersion>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
Require group foo
</IfVersion>
</Location>
>
> If it is not possible I'm willing to try and code the missing pieces, with
> a little
> help being pointed in the right direction.
>
I hope some "require" experts could jump in ;)
A good solution might be to associate a script with a particular
require-ment so that mod_fcgid can check the Require for any require-ments
implemented by a FastCGI script.
[too] simple example:
FCGIDRequire mydb-user /path/to/my/authorizer.sh
<Location /foo>
Require mydb-user
SetEnv whatever-needed-by-authorizer.sh
</Location>
