Thank you, it works.

------------------------------------------------------------------------------
# http://perl.apache.org/docs/2.0/api/Apache2/RequestRec.html
use CGI;
#use Apache ();
#use APR::Base64;
use Apache2::Access ();
use Apache2::RequestRec ();
use Apache2::RequestUtil ();

my $q = CGI->new;
#print $ENV{MOD_PERL_API_VERSION} . "\n";
#my $r = Apache->request();
my $r = Apache2::RequestUtil->request(); #httpd.conf
# get the global request object (requires PerlOptions +GlobalRequest)
$pw = $r->headers_in->{Authorization};
#$pw =~ s/^Basic //;
#$pw = APR::Base64::decode($pw);
print $q->header();
#print "Apache->request: ". $pw . "<br>\n";
(my $rc, $pw)=$r->get_basic_auth_pw;
print "Apache2 Access get_basic_auth_pw: " . $pw . "<br>\n";
----------------------------------------------------------------------------------

--
Deutsche Telekom AG
Seamless ICT Security Infrastructure & Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elg...@gmx.de

________________________________________
From: Torsten Förtsch [torsten.foert...@gmx.net]
Sent: Wednesday, 16 May 2012 12:37
To: modperl@perl.apache.org
Cc: Elgert, Alexander
Subject: Re: AW: AW: AUTH password

On Wednesday, 16 May 2012 11:25:56 alexander.elg...@t-systems.com wrote:
> sure I am interested in the mod_perl answer to retrieve the AUTH password.

($pw=APR::Base64::decode $r->headers_in->{Authorization})=~s/.*://;

or

use Apache2::Access ();
($rc, $pw)=$r->get_basic_auth_pw;

> I am using mod_perl on a x86 sparc with oracle 10, 32 bit client.
>
> If the payload is stored to a harddisk, then it makes sense to encrypt the
> payload. But as said, I do not want to talk about all the reasons, why I
> prefer this solution.

With pure modperl nothing is stored/cached on disk. CGI.pm may store file
uploads. HTTP headers are not stored in any way.

The operating system, however, may decide to store this information on disk by
means of virtual memory management. To prevent that you can turn off swapping
completely or forbid swapping by locking your process into RAM (see
mlockall(2)).

As for the 2 mod_rewrite based solutions, both reveal the password at least on
standard Linux to a possibly unauthorized audience even with SSL if a
traditional CGI script is involved. Both rely on passing the information via
the process environment which is readable via /proc. This is perhaps the reason
why the header was not passed on in the first place.

Torsten Förtsch

--
Need professional modperl support? Hire me! (http://foertsch.name)

Like fantasy? http://kabatinte.net
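
An added example, not code from either poster in this thread: parsing the Basic Authorization header by hand, stripping the scheme before decoding and splitting on the first colon so that a password containing ':' survives intact. It assumes the core MIME::Base64 module as a stand-in for APR::Base64 so it runs outside Apache; parse_basic_auth and the sample credentials are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);  # stand-in for APR::Base64 (assumption)

# Hypothetical helper: turn an Authorization header value into (user, password).
# Returns an empty list for a missing, non-Basic or malformed header.
sub parse_basic_auth {
    my ($header) = @_;
    return unless defined $header;

    # Strip the scheme first; it is case-insensitive and is not base64 data.
    my ($b64) = $header =~ /\A\s*Basic\s+([A-Za-z0-9+\/]+={0,2})\s*\z/i
        or return;

    # Split on the FIRST colon: a user-id cannot contain ':', a password can.
    my ($user, $pw) = decode_base64($b64) =~ /\A([^:]*):(.*)\z/s
        or return;
    return ($user, $pw);
}

# Constructed sample headers, not taken from any real request.
my @samples = (
    'Basic ' . encode_base64('alice:s3cret', ''),
    'basic ' . encode_base64('bob:pa:ss:word', ''),   # colons in the password
    'Basic ' . encode_base64('carol:', ''),           # empty password
    'Bearer abc.def.ghi',                             # different scheme
    'Basic !!!not-base64!!!',                         # malformed credentials
);

for my $header (@samples) {
    if (my ($user, $pw) = parse_basic_auth($header)) {
        # Report the length only; echoing a password into output or logs
        # copies the secret to one more place.
        printf "%-28s user=%s password_length=%d\n", $header, $user, length $pw;
    }
    else {
        printf "%-28s rejected\n", $header;
    }
}
```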