Quoting Carl Brewer <[EMAIL PROTECTED]>:

> Forgive me for asking yet another fundamentally basic question.
>
> I'm cutting a web app over from PHP to mod_perl 2, and
> am wondering how 'best' (for which there are many flavours ...)
> to handle authentication.
>
> At present I've knocked up a site that does auth via a
> form and state tracking with Session.pm. The form checks
> usernames & passwords against a MySQL database, and the state is
> maintained by Session. This seems quite logical to me, coming from
> essentially a CGI background, but the discussion of handlers
> around here makes me believe there's a better way?
I would highly recommend the Eagle book if you are looking to move beyond
CGI when using mod_perl. I know that you are looking at mod_perl2, and the
Eagle book does not cover mod_perl2, but it will give you great insight into
how mod_perl and Apache work. And lucky for you, since you are interested in
Authentication and Authorization, that chapter happens to be available
online.

http://modperl.com:9000/book/chapters/ch6.html

Also check out the great documentation available at http://perl.apache.org/

If you want a good example of how to implement Authentication and
Authorization in mod_perl, then look on CPAN for the many Apache::Auth*
modules. I have used Apache::AuthCookie in many projects and it has
relatively good documentation. You will also find tonnes of info on
Authentication if you search the mailing list archives.

> I see threads here discussing the use of handlers, which I
> don't really understand how they fit into the picture,
> they seem to my poor understanding to be a hardcoded
> chunk in httpd.conf, for handling authentication/state. Is
> there anywhere a dumb beginner's guide to how this
> works?

The easiest way to explain it is to just look at Apache's Basic
Authentication support at first. The one where the browser pops up a window
and you type in your username and password, and Apache authenticates the
user for you before it will allow the CGI script to be executed or the html
file to be downloaded. You configure that in httpd.conf or in .htaccess
files, telling Apache who has access to specific files and directories.
This is just your standard access control stuff.

Now imagine that you can use that same core functionality in Apache, but
write the routines yourself in perl. And instead of the ugly login popup
you can instead create an HTML login page.

> Do they set environment variables or something
> that a script can then look for that the script can be sure
> is legit?
Yes, they set the HTTP_USER variable to the user's login when a user is
authenticated. But your script doesn't need to even worry about that,
because Apache won't execute the script unless the user is authorized. So
if the script is executing, then the user is authenticated...

> for now I'm continuing with my form based authentication,
> but is there a 'better' way? And if so, what makes it better?

The biggest benefit I find is that you can separate your authentication
code from the rest of the code. With an Authentication handler, your CGI
script or content handler will never even be executed unless the user has
been authenticated.

Also, how would you use a CGI based authentication scheme to limit access
to a static HTML file, or an image? It can't be done cleanly. But with
Authentication handlers, you can hook them to a <Location> or <Directory>
directive or even a <Files> directive in the httpd.conf file. So you can
protect an entire directory with ease.

Cheers,

Cees
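As an added illustration of what Cees describes (this is example code written for this page, not code from the thread or from any of the Apache::Auth* modules), here is the "Basic auth, but with the check written in Perl" case: a mod_perl 2 PerlAuthenHandler that looks the username up in a database and verifies the password against a stored bcrypt hash. The module name My::DbAuth, the users/username/password_hash table layout, the PerlSetVar names and the <Location> block are all assumptions; the stored hashes are assumed to be Crypt::Eksblowfish::Bcrypt `$2a$` strings at cost 08. Apache runs this handler before the content phase, so the script or static file under /members is only served after it returns OK, and the name it leaves in `$r->user` is what Apache hands to a CGI script as REMOTE_USER.

```perl
package My::DbAuth;
# Added example (not code from the thread): a mod_perl 2 PerlAuthenHandler
# that checks HTTP Basic credentials against a users table.  Module name,
# table/column names and the PerlSetVar names are assumptions.
#
# httpd.conf (also assumed):
#   PerlModule My::DbAuth
#   <Location /members>
#       AuthType Basic
#       AuthName "Members area"
#       PerlSetVar AuthDSN    dbi:mysql:database=webapp
#       PerlSetVar AuthDbUser webauth
#       PerlSetVar AuthDbPass changeme
#       PerlAuthenHandler My::DbAuth
#       Require valid-user
#   </Location>
use strict;
use warnings;

use Apache2::Access      ();   # get_basic_auth_pw, note_basic_auth_failure
use Apache2::RequestRec  ();   # $r->user
use Apache2::RequestUtil ();   # $r->dir_config
use Apache2::Log         ();   # $r->log->warn / ->error
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED SERVER_ERROR);
use DBI ();
use Crypt::Eksblowfish::Bcrypt qw(bcrypt);

# Hash checked when the username does not exist, so an unknown user costs
# the same time as a wrong password (assumed cost 08, matching the table).
my $DUMMY_HASH = bcrypt('no-such-user', '$2a$08$' . ('.' x 22));

sub handler {
    my $r = shift;

    # Parse the Authorization header.  With no credentials this returns
    # HTTP_UNAUTHORIZED and Apache sends the WWW-Authenticate challenge
    # using the AuthName from the config.
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == Apache2::Const::OK;

    my $user   = $r->user;          # filled in by get_basic_auth_pw
    my $stored = eval { lookup_hash($r, $user) };
    if ($@) {
        $r->log->error("auth database error: $@");
        return Apache2::Const::SERVER_ERROR;   # fail closed, not open
    }

    my $ok = 0;
    if (defined $stored) {
        # bcrypt() re-hashes with the salt/cost in $stored and returns the
        # full string, so a match means the password is right.
        $ok = bcrypt($password, $stored) eq $stored;
    } else {
        bcrypt($password, $DUMMY_HASH);  # burn the same time, then fail
    }

    unless ($ok) {
        $r->log->warn("authentication failed for user '$user'");
        $r->note_basic_auth_failure;     # re-issue the Basic challenge
        return Apache2::Const::HTTP_UNAUTHORIZED;
    }

    # $r->user stays set: Apache exposes it to CGI scripts as REMOTE_USER,
    # and "Require valid-user" is checked in the following authz phase.
    return Apache2::Const::OK;
}

# Fetch the stored bcrypt hash for a username, or undef if unknown.
sub lookup_hash {
    my ($r, $user) = @_;
    my $dbh = DBI->connect(
        $r->dir_config('AuthDSN'),
        $r->dir_config('AuthDbUser'),
        $r->dir_config('AuthDbPass'),
        { RaiseError => 1, PrintError => 0 },
    );
    # Bind the username as a placeholder; never interpolate it into SQL.
    my ($hash) = $dbh->selectrow_array(
        'SELECT password_hash FROM users WHERE username = ?', undef, $user);
    return $hash;
}

1;
```

Two things worth noting about the shape of this. The handler never touches the content it protects: everything under /members, CGI or static image alike, is covered by the <Location> block, which is the point Cees makes about protecting whole directories. And a database error returns SERVER_ERROR rather than letting the request through, so an outage fails closed. Under mod_perl a `DBI->connect` per request is wasteful; loading Apache::DBI makes DBI reuse the connection across requests without changing this code. The form-plus-cookie variant Cees mentions (an HTML login page instead of the browser popup) is what Apache::AuthCookie implements on top of the same handler phases: the authen handler checks a session cookie instead of the Authorization header, and redirects to a login form when it is missing.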