On Mon, 14 Jul 2003 23:26:06 -0500 (CDT), "Geoffrey Young" wrote:
> > Instead of trying to cram multiple perl-script into the same Authen
> > phase, which btw could not be done without patching Apache and/or
> > mod_perl,
>
> if by perl-script you mean mod_perl handlers, that's not really true.
> currently, mod_perl will run all configured PerlAuthenHandlers until one
> returns an Apache error (401, 500, etc). when I get back from vacation in a
> few weeks, the first item on my list is changing this so that mod_perl
> behaves exactly like Apache: namely, that the first OK passes control to the
> next phase and terminates the current phase.

Sorry, I was not clear enough. The problem is that I need to run
mp2-handlers before _and_ after the actual mod_auth (compiled apache binary)
module. But apparently mp2 runs _all_ its Authen-handlers at the same time,
ie it is not possible to split handling in the same phase between mp2 and
apache -- something that I must do (afaik?) because of the ledger-counting.

> > By keeping count like this (and assuming it works in a real
> > situation), one can devise lots of cool ways to add login and password
> > policies. Just change relevant part in the Bouncer/Ledger.
>
> I'll take a closer look at this in a few weeks when I'm back full time, but
> right now I think I would have coded it all in the PerlAuthenHandler - I
> think that basic housekeeping like last-auth, etc all are ok things to put
> into that phase, so it makes a certain amount of sense to add your denial
> rules to that phase as well.

Ok. But when I tested it in practice it failed because I need
perl-Authen-code to run just before, and just after mod_auth has finished.
The only way I could figure out how to do that was to put Bouncer in the
Access phase and Ledger in the FixUp phase. In other words "abusing" the
phases somewhat.

[stuff added :-) ]

# Find userinfo in cache. If user is banned, return
# HTTP_UNAUTHORIZED else let him through to next handler
PerlAccessHandler MyApache::Bouncer

# The actual auth module. Patched so it creates an apache
# request note if user is unauthorized + let request through
# to next handler (DECLINED) _even tho_ user failed!
AuthExternal wicauth

# If apache note contains current user, update cache (nfailures
# count) and return HTTP_UNAUTHORIZED or return OK
PerlFixUpHandler MyApache::Ledger

> anyway, I'm essentially offline for the next two weeks, but if you ping me
> after that we can talk more.
> good luck

Thanks!
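
A plain-Python model of the three-handler arrangement in the configuration above (Bouncer in the access phase, the patched auth module declining with a note, Ledger in the fixup phase), added here as an illustration and not code from the thread. The `MAX_FAILURES` threshold, the note name, the credential table and the reset-on-success rule are assumptions; a request is a dict with `headers` and `notes`.

```python
import base64
import hmac

OK, DECLINED, HTTP_UNAUTHORIZED = 0, -1, 401
MAX_FAILURES = 3                 # assumed ban threshold
PASSWORDS = {"alice": "s3cret"}  # constructed sample credentials
NOTE = "failed_user"             # assumed request-note name

def credentials(req):
    """Return (user, password) from a Basic Authorization header, else (None, None)."""
    scheme, _, blob = req["headers"].get("Authorization", "").partition(" ")
    try:
        user, sep, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:           # malformed base64 or invalid UTF-8
        return None, None
    return (user, pw) if scheme.lower() == "basic" and sep else (None, None)

def bouncer(req, cache):
    """Access phase: turn away users already at the failure limit."""
    user, _ = credentials(req)
    return HTTP_UNAUTHORIZED if cache.get(user, 0) >= MAX_FAILURES else OK

def patched_auth(req, cache):
    """Authen phase: on failure, record a note and decline instead of answering 401."""
    user, password = credentials(req)
    expected = PASSWORDS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        req["notes"][NOTE] = user or ""
        return DECLINED
    return OK

def ledger(req, cache):
    """Fixup phase: count the noted failure and send the 401 the auth module withheld."""
    failed = req["notes"].get(NOTE)
    if failed is None:
        cache.pop(credentials(req)[0], None)  # assumed policy: success resets the count
        return OK
    if failed:                                # count only when a user name was supplied
        cache[failed] = cache.get(failed, 0) + 1
    return HTTP_UNAUTHORIZED

def handle(req, cache):
    """Run the phases in order; a status other than OK/DECLINED ends the request."""
    for phase in (bouncer, patched_auth, ledger):
        status = phase(req, cache)
        if status not in (OK, DECLINED):
            return status
    return 200
```

Once the count for a user reaches the threshold, the Bouncer answers 401 before the auth module runs, so even a correct password is refused until the cache entry is cleared.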