On Wed, Sep 30, 2009 at 12:11 PM, Jeff Trawick <traw...@gmail.com> wrote:

> On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott <barry.sc...@onelan.co.uk> wrote:
>
>> At this point let me ask this:
>>
>> Is it possible with the current code to ever have the fcgid Authorizer
>> called?
>>
>
> yes
>
> This works for me, though it uses the unfortunate valid-group hack with
> httpd 2.2 so that no authorizers running before fcgid think they should
> evaluate:
>
> <Location /docs>
>   <IfVersion >= 2.2>
>   AuthBasicAuthoritative Off
> # AuthBasicProvider foo
>   </IfVersion>
>
>   # work around problem with AAA in mod_fcgid (it can't track more than
>   # one AAA script per URL, and even then the URL can't be handled by a
>   # FastCGI app)
>   #
>   # FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
>   # FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
>   # FastCgiAuthorizer    %%MYHG%%/apache/fastcgi/apps/authorize.pl
>
>   FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
>   FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
>   FastCgiAuthorizer    %%MYHG%%/apache/fcgid/apps/aaa.pl
>
>   FastCgiAccessCheckerAuthoritative On
>   FastCgiAuthenticatorAuthoritative On
>   FastCgiAuthorizerAuthoritative    On
>
>   AuthType Basic
>   AuthName "foo"
>
>   <IfVersion < 2.3>
>
>   <IfVersion < 2.2>
>     Require group foo
>   </IfVersion>
>
>   <IfVersion >= 2.2>
>     Require valid-group
>   </IfVersion>
>
>     Order allow,deny
>     Allow from all
>   </IfVersion>
>
>   <IfVersion >= 2.3>
>     Require group foo
>   </IfVersion>
>
> </Location>
>
>
>
>>
>> If it is not possible I'm willing to try and code the missing pieces,
>> with a little help being pointed in the right direction.
>>
>
> I hope some "require" experts could jump in ;)
>
> A good solution might be to associate a script with a particular
> require-ment so that mod_fcgid can check the Require for any require-ments
> implemented by a FastCGI script.
>
> [too] simple example:
>
> FCGIDRequire mydb-user /path/to/my/authorizer.sh
>
> <Location /foo>
>   Require mydb-user
>   SetEnv whatever-needed-by-authorizer.sh
> </Location>
>
>
BTW, authentication is another area where mod_fcgid could better fit in with
httpd (in this case, 2.2+).  Bundled authn modules implement a "provider,"
and the admin can specify which provider(s) handles authn.  That's better
than just calling all the authn hooks in a somewhat mysterious order and
having them look at other config to decide if they should try to
authenticate.  It would be nice to configure a FastCGI authenticator as a
provider, and then specify that the provider should be used within a
particular container.
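
The configuration quoted above points all three AAA phases at one script, so that script has to work out which phase it is being asked about. The sketch below is an added example, not part of the original message and not the contents of aaa.pl; it is written in Python for illustration and covers only the decision logic, not the FastCGI request loop. The variable names FCGI_APACHE_ROLE, REMOTE_USER and REMOTE_PASSWD follow mod_fcgid's documentation; USERS, GROUP_FOO, BLOCKED_ADDRS, decide() and response() are hypothetical names with constructed data.

```python
import hmac

# Constructed sample data (assumption): a real deployment would query a
# credential store holding salted password hashes, not plaintext.
USERS = {"alice": "correct horse", "bob": "hunter2"}
GROUP_FOO = {"alice"}            # members of the "foo" group from the config
BLOCKED_ADDRS = {"203.0.113.9"}  # documentation-range address, constructed


def decide(env):
    """Return the HTTP status the script reports for one AAA phase.

    200 lets the request continue; any other status refuses it.
    """
    role = env.get("FCGI_APACHE_ROLE", "")
    user = env.get("REMOTE_USER", "")

    if role == "ACCESS_CHECKER":
        # No credentials exist yet at this phase; decide on the client only.
        addr = env.get("REMOTE_ADDR")
        return 200 if addr and addr not in BLOCKED_ADDRS else 403

    if role == "AUTHENTICATOR":
        expected = USERS.get(user)
        supplied = env.get("REMOTE_PASSWD", "")
        # compare_digest keeps the comparison time independent of where the
        # strings differ; an unknown user is compared against "" so both
        # paths do the same work before being rejected.
        same = hmac.compare_digest((expected or "").encode(), supplied.encode())
        return 200 if expected is not None and same else 401

    if role == "AUTHORIZER":
        # REMOTE_USER was already authenticated; only membership is checked.
        return 200 if user in GROUP_FOO else 403

    # Missing or unrecognised role: fail closed rather than allow by default,
    # which matters because the script is configured as authoritative.
    return 403


def response(env):
    """Format the header block written back to the server for this phase."""
    return "Status: %d\r\n\r\n" % decide(env)
```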
