On Mon, 14 Jul 2003 23:26:06 -0500 (CDT), "Geoffrey Young" wrote:

> > Instead of trying to cram multiple perl-script into the same Authen
> > phase, which btw could not be done without patching Apache and/or
> > mod_perl,
> 
> if by perl-script you mean mod_perl handlers, that's not really true.
> currently, mod_perl will run all configured PerlAuthenHandlers until one
> returns an Apache error (401, 500, etc).  when I get back from vacation in a
> few weeks, the first item on my list is changing this so that mod_perl
> behaves exactly like Apache: namely, that the first OK passes control to the
> next phase and terminates the current phase.

Sorry, I was not clear enough. The problem is that I need to run mp2-handlers
before _and_ after the actual mod_auth (compiled apache binary) module. But
apparently mp2 runs _all_ its Authen-handlers at the same time, ie it is not
possible to split handling in the same phase between mp2 and apache --
something that I must do (afaik?) because of the ledger-counting.

> > By keeping count like this (and assuming it works in a real
> > situation), one can devise lots of cool ways to add login and password
> > policies. Just change relevant part in the Bouncer/Ledger.
> 
> I'll take a closer look at this in a few weeks when I'm back full time, but
> right now I think I would have coded it all in the PerlAuthenHandler - I
> think that basic housekeeping like last-auth, etc all are ok things to put
> into that phase, so it makes a certain amount of sense to add your denial
> rules to that phase as well.

Ok. But when I tested it in practice it failed because I need perl-Authen-code
to run just before, and just after mod_auth has finished. The only way I could
figure out how to do that was to put Bouncer in the Access phase and Ledger in
the FixUp phase. In other words "abusing" the phases somewhat.

[stuff added :-) ]

      # Find userinfo in cache. If user is banned, return
      # HTTP_UNAUTHORIZED else let him through to next handler
      PerlAccessHandler MyApache::Bouncer

      # The actual auth module. Patched so it creates an apache
      # request note if user is unauthorized + let request through
      # to next handler (DECLINED) _even tho_ user failed!
      AuthExternal wicauth

      # If apache note contains current user, update cache (nfailures
      # count) and return HTTP_UNAUTHORIZED or return OK
      PerlFixUpHandler MyApache::Ledger

> anyway, I'm essentially offline for the next two weeks, but if you ping me
> after that we can talk more.
> good luck

Thanks!

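The Bouncer/Ledger flow described in the message above, as an added stand-alone Perl model (not the poster's code, and it makes no Apache or mod_perl calls): the three subs stand in for the Access handler, the patched auth module and the Fixup handler. The in-memory cache, the note name `auth_failed_user`, the three-failure threshold, the 300-second ban and the reset on success are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example: model of the Bouncer -> auth module -> Ledger sequence.
use strict;
use warnings;

use constant { OK => 0, HTTP_UNAUTHORIZED => 401 };
use constant MAX_FAILURES => 3;      # assumed policy value
use constant BAN_SECONDS  => 300;    # assumed policy value

my %cache;    # user => { nfailures => N, banned_until => epoch }

# Access phase: refuse banned users before the auth module runs.
sub bouncer {
    my ($user, $now) = @_;
    my $e = $cache{$user} or return OK;
    return HTTP_UNAUTHORIZED if $e->{banned_until} > $now;
    return OK;
}

# Stand-in for the patched auth module: on failure it leaves a note
# naming the user (hypothetical note name) and lets the request continue.
sub auth_module {
    my ($user, $password_ok, $notes) = @_;
    $notes->{auth_failed_user} = $user unless $password_ok;
}

# Fixup phase: update the failure count from the note, then decide.
sub ledger {
    my ($user, $now, $notes) = @_;
    my $failed = $notes->{auth_failed_user};
    if (defined $failed && $failed eq $user) {
        my $e = $cache{$user} ||= { nfailures => 0, banned_until => 0 };
        $e->{banned_until} = $now + BAN_SECONDS
            if ++$e->{nfailures} >= MAX_FAILURES;
        return HTTP_UNAUTHORIZED;
    }
    delete $cache{$user};            # assumed: success clears the count
    return OK;
}

# One request through all three steps; returns the final status.
sub request {
    my ($user, $password_ok, $now) = @_;
    my %notes;
    return HTTP_UNAUTHORIZED if bouncer($user, $now) != OK;
    auth_module($user, $password_ok, \%notes);
    return ledger($user, $now, \%notes);
}

# Constructed sequence: three bad passwords, then correct ones.
printf "t=%d ok=%d -> %d\n", @$_, request('alice', $_->[1], $_->[0])
    for ([1000, 0], [1001, 0], [1002, 0], [1003, 1], [1400, 1]);
```

The fourth request carries a correct password but is still refused by `bouncer`, because the ban set on the third failure has not expired; the last one arrives after the ban window and is let through.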