WAS: A better way to handle multiple client authentication? AND ALSO: Dynamically setting PerlVars in Apache per-request
Sorry for the long subject but I solved the questions I posted about and
thought I would share my $solution.
The initial problem was:
Right now I have an application set up for multiple clients: clientA,
clientB, clientC.
Each client has their own users.
The way I have it setup is clientA goes to http://www.site.com/clientA
and is presented with a login screen which is triggered by an .htaccess
file in a directory called /clientA. The .htaccess file directs Apache
to perform DBI-based authentication using Apache2::AuthCookieDBI.
PerlSetVar AuthDBI_DSN DBI:mysql:clientA
This works great, but I am aware of the limitations and I would like to
set up some rules in the Apache config that accomplish this all without
.htaccess files in every directory for every client (gonna get tricky
around 100,000 clients for sure!)
William T. had an interesting suggestion to use the 'pwd_whereclause'
but that wasn't exactly what I needed. So my first go at it resulted in
my second question, about setting PerlSetVar on the fly, per-request and
do authentication that way.
Adam Prime (a Great Canadian) replied with a big hint that lead to my
solution, he suggested just subclassing Apache2::AuthCookieDBI
And voila! So in case anyone else ever needs to do this hopefully they
can save some time, here is my $solution;
myAUTH.pm:
package myAUTH;
use base qw(Apache2::AuthCookieDBI);
#$CONFIG_DEFAULT is initialized in the parent (use base ...)
$CONFIG_DEFAULT{myAuthDBI_DSN} = DBI:mysql:database=client;
sub client {
... do stuff to determine your client ID...
}
1;
Anything else you need to change WRT the DBI can be done with the
$CONFIG_DEFAULT variable. Use your new myAUTH module in the AuthType
myAUTH section. If you want to get more fancy you can explore into
dir_config.
Anyway, I hope that helps somebody.
Tosh
--
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/
Dynamically setting PerlVars in Apache per-request
WAS: A better way to handle multiple client authentication? Yeah I use something similar in another application, but in this application I actually need to change the Auth_DBI_data_source variable since the FROM pwd_table would actually need to be FROM clientA.pwd_table and I can't see how to set this on the fly. I could probably also set the: Auth_DBI_pwd_table variable as well, but again the per-request setting is what's throwing me off. PerlSetVar Auth_DBI_data_source DBI:mysql:clientA or PerlSetVar Auth_DBI_pwd_table clientA.pwd_table Which is why I thought: RewriteRule ^/(.+)/$ PerlSetVar Auth_DBI_data_source DBI:mysql:$1 I was hoping a SetEnvIf or IfDefine would work but after reading more about Apache configuration I see it won't. Anyway, this is straying too far into Apache territory so I guess I will just set those variables within a modified Apache::AuthDBI I guess if anyone already knows an auth module that does that above that would be awesome, or if anyone knows how to easily change PerlVars on the fly within the Apache config/htaccess space that's be great, otherwise it's a small change to the above module. Thanks again! Tosh William T wrote: The documentation alludes to the variable 'pwd_whereclause'. If this variable is set it will be used in the passwd query. I would try and set it per client so that the query gets an additional where clause: SELECT pwd_field FROM pwd_table WHERE uid_field = user AND client = clientA I havn't actually tried this so I don't know if there are any caveats, but from the docs at least it seems possible. The only trick is making sure you can reset the pwd_whereclause with each different client url, and make client an additional column in your pwd_table. -- -wjt -- McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/
Re: Dynamically setting PerlVars in Apache per-request
My suggestion would be to subclass AuthDBI to make the constructor fiddle with the dir_config entries that AuthDBI uses. See the docs for dir_config (the perl interface to PerlSetVar variables: http://perl.apache.org/docs/2.0/api/Apache2/ServerUtil.html#C_dir_config_ I have no idea how subclass friendly AuthDBI is or isn't. Adam Tosh Cooey wrote: WAS: A better way to handle multiple client authentication? Yeah I use something similar in another application, but in this application I actually need to change the Auth_DBI_data_source variable since the FROM pwd_table would actually need to be FROM clientA.pwd_table and I can't see how to set this on the fly. I could probably also set the: Auth_DBI_pwd_table variable as well, but again the per-request setting is what's throwing me off. PerlSetVar Auth_DBI_data_source DBI:mysql:clientA or PerlSetVar Auth_DBI_pwd_table clientA.pwd_table Which is why I thought: RewriteRule ^/(.+)/$ PerlSetVar Auth_DBI_data_source DBI:mysql:$1 I was hoping a SetEnvIf or IfDefine would work but after reading more about Apache configuration I see it won't. Anyway, this is straying too far into Apache territory so I guess I will just set those variables within a modified Apache::AuthDBI I guess if anyone already knows an auth module that does that above that would be awesome, or if anyone knows how to easily change PerlVars on the fly within the Apache config/htaccess space that's be great, otherwise it's a small change to the above module. Thanks again! Tosh William T wrote: The documentation alludes to the variable 'pwd_whereclause'. If this variable is set it will be used in the passwd query. I would try and set it per client so that the query gets an additional where clause: SELECT pwd_field FROM pwd_table WHERE uid_field = user AND client = clientA I havn't actually tried this so I don't know if there are any caveats, but from the docs at least it seems possible. The only trick is making sure you can reset the pwd_whereclause with each different client url, and make client an additional column in your pwd_table. -- -wjt
