Geoffrey, André,

Thank you for your answer.

Conclusion: I will have to:
. write my own PerlAuthzHandler
. define a new directive to define my group

Thanks again

2008/6/19 André Warnier <[EMAIL PROTECTED]>:
> Hi.
>
> I believe that the issue below is more in the way of thinking about this,
> than a real technical issue.
>
> You don't need to involve Apache in the group part.
> I don't think that Apache, per se, even has a field "group" in its internal
> Request structure.
> That is probably why you do not find any API to set or read it.
>
> Let me explain how I understand it:
>
> Authentication consists of finding out who the user is.
> To simplify, we could say that this consists of getting and verifying his
> user-id.
> But, at the same time, we could collect some additional attributes about
> him, like his email address, or a list of groups of which he is a member.
> The application /may/ want to authenticate users in order to (later) also
> authorise them or not to do something. But not necessarily; it could also
> be only for the purpose of logging who accessed the page.
>
> Anyway, now your Authentication module has done its job, it has
> authenticated the user and saved his user-id. It does not really care what
> this user-id will be used for, that is not its job.
>
> The module returns OK, and Apache continues.
>
> ----- end of authentication ----
>
> .... some time passes
>
> ----- start of authorization ---
>
> This consists of verifying if this resource that is requested can be
> returned, depending on some criteria.
> Usually, it will depend on the userid, or some characteristic of the user.
> But not necessarily: it could also depend on a secret key that is included
> in a cookie, for example (if the key is there, the resource is granted, and
> otherwise not).
> If this check is successful, the authorization returns OK. If it is not, it
> returns not-OK.
>
> ---- end of authorization ---
>
> Apache checks the return code. If it is OK, Apache serves the page. If it
> is not-OK, Apache returns a "forbidden" page.
>
> --- end of request ---
>
> Now, in your case, you want
> a) to authenticate the user
> b) later, to authorize access to a resource, in function of some
> characteristic of that user (is he member of one of the authorized groups)
>
> You have already done (a), with a PerlAuthenHandler, and you have stored
> the user-id in the request, so you can get at it later.
>
> If you add a PerlAuthzHandler for authorization, then what your handler has
> to do is:
>
> 1. find out which groups are authorized to access this resource.
> That could be by getting the contents of the "require" clause of the Apache
> configuration, or by getting the value of some "PerlSetVar" in the same
> section (e.g. PerlSetVar AuthorizedGroups "group1,group2")
> (in your module, you would get this value as
>     $OKgroups = $r->dir_config("AuthorizedGroups");
>
> 2. find out if this userid (stored in the request) is a member of one of
> these groups.
> For that, you need some additional information about the user, not just his
> user-id. This you could do using a "group" file, like Apache does in its
> Basic authentication scheme (AuthGroupFile xxxx), and read it and parse it
> when you need to, and then compare the result to $OKgroups.
> But that would be inefficient.
>
> Since in (a) you are already accessing some information about the user (to
> verify his userid), I would at the same time collect information about which
> groups he belongs to, and save that somewhere in the Request object, for
> example with something like
>     $r->pnotes('groups' => $groups);
>
> Then later, your module (b) can get it back, with
>     $groups = $r->pnotes('groups');
> and compare this to the authorized groups.
>
> I hope this helps.
> André
>
>
> titetluc titetluc wrote:
>
>> Hello all,
>>
>> I am writing a mod_perl authentication module (My::Auth).
>>
>> This module sets the user using the Apache2::RequestRec::user method.
>>
>> package My::Auth;
>> sub handler {
>>     ....
>>     $r->user('getting the user in my module internal structure');
>>     return OK;
>> }
>>
>> In the Apache configuration file, I can use the configuration
>>
>> <Location /test_user>
>>     PerlAuthenHandler My::Auth
>>     Require user user1
>>     ....
>> </Location>
>>
>> I would like to use my module in another configuration where group is
>> checked
>>
>> <Location /test_group>
>>     PerlAuthenHandler My::Auth
>>     Require group group1
>>     ....
>> </Location>
>>
>> I can not find any mod_perl API method (Apache2::RequestRec::group ?) to
>> set the group. I only found Apache2::RequestRec::require method, but this
>> method only reads the require configuration.
>>
>> One way to solve the problem is to modify the My::Auth::handler method:
>>
>> package My::Auth;
>> sub handler {
>>     ....
>>     $r->user('getting the user in my module internal structure');
>>     my $requires = $r->requires;
>>
>>     # here the code to verify authorization
>>
>>     return OK;
>> }
>>
>> but I think this is a workaround:
>> . My::Auth::handler is an AUTHENTICATION handler
>> . the code to verify the AUTHORIZATION should have to be executed by the
>> httpd core.
>>
>> How can I manage authorization in this case?
>>
>> Thanks
>>
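
The two-step check André describes (groups saved in pnotes during authentication, then compared against a PerlSetVar list by a PerlAuthzHandler), written out as an added example that is not part of the original thread. The module name My::Authz, the array-reference format of pnotes('groups') and the configuration in the comment are assumptions.

```perl
package My::Authz;    # hypothetical name, companion to the thread's My::Auth

use strict;
use warnings;

use Apache2::RequestRec  ();    # $r->user, $r->uri
use Apache2::RequestUtil ();    # $r->dir_config, $r->pnotes
use Apache2::Log         ();    # $r->log_error
use Apache2::Const -compile => qw(OK HTTP_FORBIDDEN);

# Assumed contract: after verifying the user, My::Auth stored the user's
# groups as an array reference, e.g.
#     $r->pnotes('groups' => [ 'group1', 'staff' ]);
#
# Assumed configuration (a Require line keeps the auth phases active):
#     <Location /test_group>
#         PerlAuthenHandler My::Auth
#         PerlAuthzHandler  My::Authz
#         PerlSetVar AuthorizedGroups "group1,group2"
#         Require valid-user
#     </Location>

sub handler {
    my $r = shift;

    my $user    = $r->user;
    my $allowed = $r->dir_config('AuthorizedGroups');
    my $groups  = $r->pnotes('groups');

    # Fail closed: an unauthenticated request, a missing AuthorizedGroups
    # setting or a missing group list must never fall through to OK.
    unless (defined $user && defined $allowed && ref($groups) eq 'ARRAY') {
        $r->log_error("My::Authz: incomplete authorization data for " . $r->uri);
        return Apache2::Const::HTTP_FORBIDDEN;
    }

    # Exact, case-sensitive match; empty entries from stray commas are dropped.
    my %ok = map { $_ => 1 } grep { length } split /[\s,]+/, $allowed;
    for my $group (@$groups) {
        return Apache2::Const::OK if $ok{$group};
    }

    $r->log_error("My::Authz: user '$user' is in no authorized group for " . $r->uri);
    return Apache2::Const::HTTP_FORBIDDEN;
}

1;
```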