On 2/21/19 3:41 AM, André Warnier (tomcat) wrote: > 1) the "authz" function is now called *first* (before any authentication > module has been called - even non-perl add-on ones), > and > 2) it *can* be called 2 or more times during the same request cycle > and
Yes, and this allows you to do "Anonymous" authorization. If you don't want to do that, you simply do return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $r->user at the top of your Authz provider. The second time the handler is called, $r->user will be set so that you can authorize "authenticated" users. But this is indeed one of the major things that confuses people when moving to 2.4. Another common thing I've seen people do is return an invalid Apache2::Const value from an Authz provider. You must return one of a very specific list of values from the provider (See the README.apache-2.4 in AuthCookie which discusses this). > 5) there seems to be no real mod_perl-level (or even Apache-httpd-level) > documentation available, which explains the above in a general context, > rather than for any specific perl module. > A good explanation is provided by Michael Schout in > https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod, I pieced this together, if my memory is correct, from apache mailing list posts, as well as reading the source code of apache itself. I'm not sure I found any definitive guide on the changes when I did this, and it involved a good deal of research at the time. I had hoped to see all of this codified into some kind of general mod_perl migration guide for Apache 2.4, similar to what happened when we all had to migrate from Apache 1.3 to Apache 2. Something similar to what is on perl.apache.org [1]. But I am unsure if that site is even maintained any longer. Anyway, another example of an authz provider is in AuthCookie [2], where I re-implemented apache's core authz provider, before realizing it was not needed. 1: https://perl.apache.org/docs/2.0/user/porting/compat.html 2: https://github.com/mschout/apache-authcookie/blob/master/lib/Apache2_4/AuthCookie.pm#L18 Regards, Michael Schout
