On Feb 12, 2019, at 2:25 PM, Edward J. Sabol <edwardjsa...@gmail.com> wrote:
> Hello! I have a project that has successfully used Apache2::AuthCookieDBI
> with mod_perl on Apache 2.2 and Apache 2.0 before that for many years. For
> various reasons, we are looking at moving this project to a new system that
> uses Apache 2.4 exclusively, and the custodians of this new system are
> disinclined to use Apache 2.2 even in a dual lightweight/heavyweight server
> configuration.
>
> I know AuthCookie has been updated by the magnificent Michael Schout to
> support Apache 2.4, but AuthCookieDBI hasn't seen a release in many years.

> On Feb 21, 2019, at 3:52 PM, Edward J. Sabol <edwardjsa...@gmail.com> wrote:
> On Feb 21, 2019, at 5:22 AM, Vegard Vesterheim <vegard.vesterh...@uninett.no>
> wrote:
>> I registered a ticket against Apache2-AuthCookieDBI regarding this issue
>> a long time ago:
>>
>> https://rt.cpan.org/Public/Bug/Display.html?id=106663
>>
>> We do not use this any longer. But, given that the ticket is still open,
>> I wonder if this ticket could be closed, or at least commented upon.
>
> I don't think it should be closed until the issue is resolved. I've
> personally also filed an issue on the author's GitHub for this:
>
> https://github.com/matisse/Apache-AuthCookieDBI/issues/2
>
> The author did respond recently to that issue, but doesn't seem to be
> terribly interested in fixing it. If anyone wants to help collaborate on a
> pull request, however, maybe we can actually help resolve this.

Eight months later (really it only took one day of coding--most of the
time/effort was getting our dev system upgraded to use Apache 2.4.41 and
mod_perl 2.0.11), I've successfully ported Apache2::AuthCookieDBI's group
authorization to work with Apache 2.4.x. It works on my system, and I am now
looking at submitting a pull request on GitHub for this issue. I submitted a
couple of PRs to https://github.com/matisse/Apache-AuthCookieDBI over the
summer, and the maintainer released a new version. So I'm hopeful we can get a
new release out with Apache 2.4.x support baked in.

Before (or after) submitting the PR, would anyone be interested in reviewing
my code for correctness?

I also had several questions:

Currently, the group authz code is in a separate Apache2_4::AuthCookieDBI
module which inherits from Apache2::AuthCookieDBI. I was wondering if the code
could be moved to Apache2::AuthCookieDBI and the separate file could be
eliminated. Any suggestions or tips on doing that? The AUTHZ_* Apache2::Const's
needed for Apache 2.4.x authz are a problem, I think? Do they exist on Apache
versions less than 2.4.0? Along those lines, what's the best way to determine
the Apache version in non-testsuite code? Should I use Apache::Test's
have_min_apache_version() regardless?

Apache2::AuthCookieDBI stashes the valid/authorized group in
$r->subprocess_env('AUTH_COOKIE_DBI_GROUP') so that higher-level interface
code can reference it. To eliminate multiple database queries for the same
request (at one point, I was seeing 4+ requests per request since the URL was
a directory and Apache was authz'ing the directory and then the index.html in
that directory), I was wondering if checking for the presence of
$r->subprocess_env('AUTH_COOKIE_DBI_GROUP') and using that instead of querying
the database again was secure? It all seems to work in my testing and it
drastically cuts down on repeated database queries, but I'm worried I might be
doing something insecure.

Thanks,
Ed
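The per-request caching question in Ed's last paragraph is the security-relevant one. Below is an added example, not code from Apache2::AuthCookieDBI, its maintainer, or anyone on this list, showing one way to avoid the repeated database query without reading the decision back out of `$r->subprocess_env`. It assumes a mod_perl 2 request object with the `user`, `main`, `pnotes` and `subprocess_env` methods (all standard on `Apache2::RequestRec`); the helper name `cached_group_for`, the pnotes key, the user `alice`, the group names and the `Mock::Request` package are all constructed for the demonstration so the file runs under plain `perl` with no Apache present.

```perl
#!/usr/bin/perl
# Added example (not Apache2::AuthCookieDBI code). Caches the group lookup on
# the *main* request's pnotes so that the subrequests Apache issues for a
# directory (the directory itself, then index.html) reuse the single database
# query. The environment variable stays an output for higher-level code, never
# an input to the access decision.
use strict;
use warnings;

# Hypothetical helper. $r is an Apache2::RequestRec-like object, $required_group
# is the group this <Location> demands, and $fetch is a coderef doing the real
# database query: it takes a username and returns the list of groups the user
# belongs to. Returns the granted group name, or undef when access is denied.
sub cached_group_for {
    my ($r, $required_group, $fetch) = @_;

    my $user = $r->user;
    return unless defined $user && length $user;

    # Subrequests get their own pnotes, so anchor the cache on the main request
    # ($r->main is undef for the initial request). pnotes are private to this
    # request inside the server: nothing the client sends, and no SetEnv /
    # SetEnvIf / RewriteRule [E=...] directive, can populate them.
    my $main  = $r->main || $r;
    my $cache = $main->pnotes('auth_cookie_dbi_groups');

    if (!$cache || $cache->{user} ne $user) {
        # Cache miss, or a different user than the one we cached for:
        # hit the database exactly once for this request.
        my %groups = map { $_ => 1 } $fetch->($user);
        $cache = { user => $user, groups => \%groups };
        $main->pnotes('auth_cookie_dbi_groups' => $cache);
    }

    # Always compare against the group *this* location requires. A hit for
    # one directory must not satisfy a later check for a stricter one.
    return unless $cache->{groups}{$required_group};

    # Export for higher-level code, as AuthCookieDBI already does. Written,
    # never read back, by the authorization logic.
    $r->subprocess_env(AUTH_COOKIE_DBI_GROUP => $required_group);
    return $required_group;
}

# ---- stand-alone demonstration with a constructed mock request --------------
package Mock::Request;
sub new    { my ($class, %args) = @_; bless { pnotes => {}, env => {}, %args }, $class }
sub user   { $_[0]{user} }
sub main   { $_[0]{main} }   # undef for the initial request, as in mod_perl
sub pnotes { my ($s, $k) = (shift, shift); $s->{pnotes}{$k} = shift if @_; $s->{pnotes}{$k} }
sub subprocess_env { my ($s, $k) = (shift, shift); $s->{env}{$k} = shift if @_; $s->{env}{$k} }

package main;

my $db_queries = 0;
my $fetch = sub { $db_queries++; return ('staff') };   # constructed group data

my $main_req = Mock::Request->new(user => 'alice');
my $sub_req  = Mock::Request->new(user => 'alice', main => $main_req);

# Directory request, then the index.html subrequest, then a subrequest under a
# location that requires a group alice is not in.
for my $case ([$main_req, 'staff'], [$sub_req, 'staff'], [$sub_req, 'admin']) {
    my ($req, $group) = @$case;
    my $got = cached_group_for($req, $group, $fetch);
    printf "%-6s needs %-5s -> %s\n", ($req->main ? 'subreq' : 'main'), $group,
        defined $got ? "granted ($got)" : 'denied';
}
print "database queries issued: $db_queries\n";
```

In the Apache 2.4 authz provider the handler would simply return `Apache2::Const::AUTHZ_GRANTED` when this helper returns a group and `Apache2::Const::AUTHZ_DENIED` otherwise (assuming a mod_perl built against httpd 2.4, where those constants exist). The reason Ed's `subprocess_env` shortcut appears to work is that Apache copies the parent's `subprocess_env` table into each subrequest; the reason to prefer pnotes anyway is that `subprocess_env` is a general-purpose table that server configuration (`SetEnv`, `SetEnvIf`, mod_rewrite's `E=` flag) can also write to, so a presence check on `AUTH_COOKIE_DBI_GROUP` would turn any such directive, including one driven by a client-supplied header, into an authorization decision. Keying the cache on the user and comparing against the group required by the current location keeps a cache hit from one `<Location>` from satisfying another.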