Thank you, it works.

------------------------------------------------------------------------------
# http://perl.apache.org/docs/2.0/api/Apache2/RequestRec.html
use CGI;
#use Apache ();
#use APR::Base64;
use Apache2::Access ();
use Apache2::RequestRec ();
use Apache2::RequestUtil ();

my $q = CGI->new;
#print $ENV{MOD_PERL_API_VERSION} . "\n";
#my $r = Apache->request();
# get the global request object (requires PerlOptions +GlobalRequest in httpd.conf)
my $r = Apache2::RequestUtil->request();
$pw = $r->headers_in->{Authorization};
#$pw =~ s/^Basic //;
#$pw = APR::Base64::decode($pw);

print $q->header();
#print "Apache->request: ". $pw . "<br>\n";

(my $rc, $pw)=$r->get_basic_auth_pw;
print "Apache2 Access get_basic_auth_pw: " . $pw . "<br>\n";
----------------------------------------------------------------------------------


--
Deutsche Telekom AG
Seamless ICT Security Infrastructure & Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elg...@gmx.de

________________________________________
From: Torsten Förtsch [torsten.foert...@gmx.net]
Sent: Wednesday, 16 May 2012 12:37
To: modperl@perl.apache.org
Cc: Elgert, Alexander
Subject: Re: AW: AW: AUTH password

On Wednesday, 16 May 2012 11:25:56 alexander.elg...@t-systems.com wrote:
> sure I am interested in the mod_perl answer to retrieve the AUTH password.

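($pw = $r->headers_in->{Authorization}) =~ s/^Basic\s+//i;   # drop the scheme before decoding
($pw = APR::Base64::decode($pw)) =~ s/^[^:]*://;             # keep what follows the first colon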

or

use Apache2::Access ();
($rc, $pw)=$r->get_basic_auth_pw;

> I am using mod_perl on a x86 sparc with oracle 10, 32 bit client.
>
> If the payload is stored to a hard disk, then it makes sense to encrypt the
> payload. But as said, I do not want to talk about all the reasons, why I
> prefer this solution.

With pure modperl nothing is stored/cached on disk. CGI.pm may store file
uploads. HTTP headers are not stored in any way. The operating system,
however, may decide to store this information on disk by means of virtual
memory management. To prevent that you can turn off swapping completely or
forbid swapping by locking your process into RAM (see mlockall(2)).

As for the 2 mod_rewrite based solutions, both reveal the password at least on
standard Linux to a possibly unauthorized audience even with SSL if a
traditional CGI script is involved. Both rely on passing the information via
the process environment which is readable via /proc. This is perhaps the
reason why the header was not passed on in the first place.

Torsten Förtsch

--
Need professional modperl support? Hire me! (http://foertsch.name)

Like fantasy? http://kabatinte.net
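
The header decoding suggested in the reply above assumes a well-formed Basic header. As an added example, not part of the original messages: a stand-alone parser for a Basic Authorization header value that checks the scheme, validates the base64 token and splits on the first colon only. It uses the core MIME::Base64 module in place of APR::Base64 so it runs outside Apache; the helper name parse_basic_auth and the sample headers are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the thread: parse a Basic Authorization header value.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# parse_basic_auth() is a hypothetical helper name.
# Returns (user, password), or an empty list if the header is not usable.
sub parse_basic_auth {
    my ($header) = @_;
    return unless defined $header;

    # The scheme name is case-insensitive and is followed by one base64 token.
    my ($token) = $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*\z}i
        or return;
    return if length($token) % 4;    # reject truncated base64

    my $decoded = decode_base64($token);

    # Split on the FIRST colon only: the user id cannot contain ':',
    # but the password can.
    my ($user, $pw) = split /:/, $decoded, 2;
    return unless defined $pw;       # no colon at all -> malformed
    return ($user, $pw);
}

# Constructed sample headers (not real credentials).
my @samples = (
    'Basic ' . encode_base64('alice:s3cret', ''),
    'basic ' . encode_base64('bob:pa:ss:word', ''),   # colons in the password
    'Basic ' . encode_base64('nocolon', ''),          # malformed: no separator
    'Bearer abc.def.ghi',                             # different scheme
    'Basic !!!not-base64!!!',                         # invalid token
);

for my $h (@samples) {
    my ($user, $pw) = parse_basic_auth($h);
    if (defined $user) {
        # Print only the length so the secret does not end up in logs.
        printf "%-28s user=%s password_length=%d\n", $h, $user, length $pw;
    } else {
        printf "%-28s rejected\n", $h;
    }
}
```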
