Re: separating C from V in MVC

2002-06-13 Thread Jon Robison

I just wanted to comment on Number 3, here. Scroll down ;-)


kyle dawkins wrote:
 
 Fran (et al)
 
 I've stayed out of the MVC chitchat for a long time (very interesting
 thread) because it's such a deep topic.  But seeing as how Fran has
 some concrete questions...
 
  3.  How do you prevent a Controller from just becoming another big if
  statement, or is this their purpose in life?
 
 See Jeff's previous mail.  Your structure is crying out for a dispatch
 table; Jeff suggests building this out of a hash that defines what
 actions to perform based on what your query values are.  That's a great
 place to start.   GET RID OF YOUR BIG IF STATEMENT ASAP.
 

If I read this right, then it's something I am already doing and I'll
throw it in here to show:

## My idea of a dispatch table!
use Apache::Request ();
use Apache::Constants qw(:common);

my %actions = (
    'view'     => 'FES::Control::View',
    'logout'   => 'FES::Control::Logout',
    'edit'     => 'FES::Control::Edit',
    'notes'    => 'FES::Control::Notes',
    'save'     => 'FES::Control::Save',
    'calendar' => 'FES::Util::Calendar',
);

sub handler {
    my $r = Apache::Request->new(shift);

    ## BEGIN ignore (DECLINE) image requests and allow regular apache to
    ## handle them.
    return DECLINED if $r->content_type =~ /image/;
    ## END ignore image requests

    my $act = $r->param('act') || 'view';

    if (my $h = $actions{$act}) {
        $r->push_handlers(PerlHandler => $h);
        $r->handler('perl-script');
        return DECLINED;
    } else {
        my $stmt = "There is no such action as \'" . $act . "\'\n";
        $r->pnotes('error', $stmt);
        $r->push_handlers(PerlHandler => 'FES::Error::Error');
        $r->handler('perl-script');
        return DONE;
    } ## end else [ if (my $h = $actions{$act...
}
1;

That's how I implement at least _part_ of my controller without
resorting to huge IF statements.

Is this what was meant guys?

--Jon R.

If this is overly simplistic, or not what you meant, feel free to smack
me around.



Re: Idiot question: headers at the base of the page.

2002-06-13 Thread Jon Robison

Don't recall offhand, but I know there is an httpd.conf mod_perl config
command that will set 'auto-header' for you. Perhaps that is already on?

--Jon Robison

Issac Goldstand wrote:
 
 umm... If you send them twice.  Aside from happening by doing
 $r->send_http_header twice (it's happened), it could be something else is
 automatically sending headers for you...
 
 Just an idea...
   Issac
 
 - Original Message -
 From: Rafiq Ismail (ADMIN) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, June 13, 2002 12:19 AM
 Subject: Idiot question: headers at the base of the page.
 
  I'm doing squinty eyed coding and need someone to knock common sense into
  me.  In the right order - as far as I can see - I have my content_type
  ;send_http_headers; $r->print'ed.  With loads of poo in between.  Under
  what circumstances would my page render, dumping the HTTP headers at the
  base?  Other than their being sequentially out of order, that is.
 
  It's probably one of those look at it again in the morning questions.
 
  Someone hit me over the head with a hammer please.
 
 
 
 



Sending Mail

2002-06-13 Thread Jon Robison

Can anyone give me recommendations on a good Mail handler that
integrates well with mod_perl?

I have a system whereby I want to give people the ability to mail the
currently viewed page to someone. Once they select a To: address, the
system will look up some data, re-construct the viewed page in a textual
format, and send the mail.

I'm just looking for recommendations on a good perl mailing module for
this kind of use.

--Jon Robison



Re: Sending Mail

2002-06-13 Thread Jon Robison

Can MIME::Lite do attachments?

--Jon

Joe Breeden wrote:
 
 We use MIME::Lite; it seems to work well for us.
 
  -Original Message-
  From: Jon Robison [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, June 13, 2002 8:57 AM
  To: [EMAIL PROTECTED]
  Subject: Sending Mail
 
 
  Can anyone give me recommendations on a good Mail handler that
  integrates well with mod_perl?
 
  I have a system whereby I want to give people the ability to
  mail the
  currently viewed page to someone. Once they select a To: address, the
  system will look up some data, re-construct the viewed page
  in a textual
  format, and send the mail.
 
  I'm just looking for recommendations on a good perl mailing module for
  this kind of use.
 
  --Jon Robison
 



Re: Sending Mail

2002-06-13 Thread Jon Robison

Geesh, it's nice having the book's author(s) on the mailing list here!

--Jon R.

Geoffrey Young wrote:
 
 Jon Robison wrote:
 
  Can MIME::Lite do attachments?
 
 
 yes.  there is an example in the cookbook that uses MIME::Lite:
 
 http://www.modperlcookbook.org/code/ch15/Cookbook/Mail.pm
 http://www.modperlcookbook.org/code/ch15/Cookbook/EmailUploads.pm
 
 HTH
 
 --Geoff



MVC Topic Joy

2002-06-10 Thread Jon Robison

I can make no claims to being any kind of exceptional programmer. Heck,
I don't even claim to be half bad. But this topic has really revealed to
me that the concept of MVC means many things to many people.

In the end, I think what I have concluded, at least for my purposes, is
simply this:

1. Modules that deal with core data (i.e. that read/write to the
database) shall never output HTML/XML/Whatever. Just hashed (complex)
data, or simple arrays.

2. Modules that DO create HTML/XML/Whatever should take the core level
data and make the html.

3. Modules that present the data should take the html produced by #2
above, wrap as needed in start and end tags, and spit out the resulting
page. The data output by #2 shouldn't matter to this module.

Whereas I know this is overly simplistic, I think that as a rule, it
should work. If I catch myself sticking HTML into the output from my DBI
call before I return the final result, I know I have broken my rule and
should re-think whatever I am doing. I should never really have to edit
#3 (the Viewer), because the HTML construction should be done in #2. If
I find myself editing my viewer to accommodate some function I am adding
to the overall system, I know I need to re-think what I am doing.

Simplistic, yes. Workable, yes. It meets the KISS principle, at least.
;-)

Comments, disagreements, smacks across the virtual face willingly
accepted.

--Jon Robison



Re: MVC Topic Joy

2002-06-10 Thread Jon Robison

Essentially a Dispatch.pm module, which simply looks at the url string
params and sets a Handler based upon the value of the action param.
(After handling security, etc.).

In most cases the Handler is set to view, in which case View.pm
instantiates other modules' objects, (and those instantiations use other
url string data to determine what to construct into the object). View
then just spits out the default head, body (created with the other
objects) and footer.

All of the real work is done by the other modules. View.pm could care
less what comes back from $html_obj->view_data. It just adds the result
to $body. It's the html module's job to fill the return from view_data
with the correct information.

Hope this explanation serves. Like I said, I can't lay claim to being a
guru ;-)

--Jon

Perrin Harkins wrote:
 
 Jon Robison wrote:
   I should never really have to edit
  #3 (the Viewer), because the HTML construction should be done in #2. If
  I find myself editing my viewer to accommodate some function I am adding
  to the overall system, I know I need to re-think what I am doing.
 
 In an MVC system, you would definitely need to edit the controller any
 time you change the input side of the user interface.  You may or may
 not need to change the model and view as well.
 
 Which part handles taking the user input, figuring out which methods to
 call on the model objects, and choosing a view (usually a template) to
 show?  This is all stuff that the controller would do in an MVC system,
 and you don't seem to have one in your description.  If you don't have a
 controller, you will end up wedging that stuff into the model objects
 which makes them a lot less reusable.
 
 Don't get me wrong: a basic script + a template is still better than a
 basic script + a bunch of print statements, but there is value in the
 separation of the controller and the model too.
 
 - Perrin



Re: RPM for apache/mod_perl/mod_ssl

2002-06-05 Thread Jon Robison

fliptop, I'll take a copy of that spec file, if you don't mind!!!

--Jon Robison


fliptop wrote:
 
 Fran Fabrizio wrote:
 
 
  We're currently struggling for an easy way to distribute our
  apache/mod_perl/mod_ssl-based application to our data center folks who
  are in a different state and whom we must presume know nothing about
  apache, mod_perl or mod_ssl and are capable of nothing more complicated
  than using RPM to install/update a package.
  As such, does there exist such a thing as an RPM that installs apache
  with mod_perl AND mod_ssl enabled?  I presume this would also have to
  include openssl.  I can only imagine what a pain it would be to create
  this beast, but if it's been done, I'd like to give it a try.
 
 what o/s and version are you running?
 
 i have an rpm for apache 1.3.22, mod_perl 1.26, and mod_ssl 2.8.5 that i
 run on redhat 6.2.  i'd be glad to give you the .src (or the .rpm if you
 also run redhat 6.2) if you would like it.
 
 or, i could just give you the .spec if you'd like to build a new rpm
 with the latest versions.



Re: Apache::TicketAccess

2002-05-31 Thread Jon Robison

You might want to consider Apache::AuthTicket, which IS in CPAN.  It's
an expanded version of the Eagle book's modules, and very capable, yet
also relatively simple.

--Jon Robison

Per Einar Ellefsen wrote:
 
 At 21:50 31.05.2002, Arnold van Kampen wrote:
 
 Hi
 
 Where did it go?
 
 The modules written for the Eagle book haven't been released to CPAN. They
 are available online. See
 http://modperl.com:9000/book/source/apachemod-code-1.02/lib/Apache/
 
 --
 Per Einar Ellefsen
 [EMAIL PROTECTED]



Re: [OT] Refs don't work, like I want

2002-05-17 Thread Jon Robison

In support of F. Xavier Noria, and in simpler terms - your $vars = { ... }
overwrote your previous assignment of $vars->{'key2'}.

Perhaps you could have done:

my $vars = {};
$vars->{'key2'} = "some value";
my @args = qw/ XXX YYY ZZZ /;
my @vals = qw/ AAA BBB CCC /;
my $i;
for ($i = 0; $i < scalar(@args); $i++) {
  $vars->{$args[$i]} = $vals[$i];
}
$vars->{'key1'} = "some other value";

This would not have overwritten the $vars->{'key2'} assignment.

--Jon Robison


F.Xavier Noria wrote:
 
 On Fri, 17 May 2002 17:10:53 +0300 (EEST)
 Viljo Marrandi [EMAIL PROTECTED] wrote:
 
 : $vars->{'key2'} = "value of second key";
 
 The hash $vars points to has a key named key2.
 
 : $vars = {
 : xxx => "AAA",
 : yyy => "BBB",
 : zzz => "CCC",
 : };
 
 Now you change the reference stored in $var. It points to an entirely
 new hash, whose keys are xxx, yyy and zzz.
 
 : $vars->{'key1'} = "value of first key";
 
 Here you add the key key1 to the hash $vars points to.
 
 : Problem is, that value of key2 is lost after I set values to xxx, yyy and
 : zzz, but key1 is ok.
 
 $vars contains a reference to a hash that has nothing to do with the
 first one, you didn't create a key named key2 in that hash.
 
 -- fxn



Re: the cookbook review on perl.com

2002-04-26 Thread Jon Robison


Not sure I would want this person evaluating my books . . .

  not so great if you need your hands holded.

Somebody get this reviewer a grammer checker!

--Jon Robison

Stas Bekman wrote:
 
 For a nice review of the latest and the greatest mod_perl cookbook head
 to perl.com: http://www.perl.com/pub/a/2002/04/25/review.html
 (by Simon Cozens)
 
 __
 Stas BekmanJAm_pH -- Just Another mod_perl Hacker
 http://stason.org/ mod_perl Guide --- http://perl.apache.org
 mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
 http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: the cookbook review on perl.com

2002-04-26 Thread Jon Robison

No it is not. It should read not so great if you need your hands held.

--Jon R

Wiswell, Virginia wrote:
 
  Somebody get this reviewer a grammer checker!
 
 this is a joke, right?
 
 -Original Message-
 From: Jon Robison [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 26, 2002 9:14 AM
 To: Stas Bekman
 Cc: [EMAIL PROTECTED]
 Subject: Re: the cookbook review on perl.com
 
 Not sure I would want this person evaluating my books . . .
 
   not so great if you need your hands holded.
 
 Somebody get this reviewer a grammer checker!
 
 --Jon Robison
 
 Stas Bekman wrote:
 
  For a nice review of the latest and the greatest mod_perl cookbook head
  to perl.com: http://www.perl.com/pub/a/2002/04/25/review.html
  (by Simon Cozens)
 
  __
  Stas BekmanJAm_pH -- Just Another mod_perl Hacker
  http://stason.org/ mod_perl Guide --- http://perl.apache.org
  mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
  http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: the cookbook review on perl.com

2002-04-26 Thread Jon Robison

Oye!

Hmm... at least I have the excuse that I'm not a writer ;-)

--Jon

Fran Fabrizio wrote:
 
  Wiswell, Virginia wrote:
 
 Somebody get this reviewer a grammer checker!
 
 this is a joke, right?
 
 Uh, Jon, she was pointing out that you misspelled 'grammar'.  :-)
 
 -Fran



Re: the cookbook review on perl.com

2002-04-26 Thread Jon Robison

Crud!

Well, at least I hadn't said spell checker!

--Jon

fliptop wrote:
 
 Jon Robison wrote:
 
  No it is not. It should read not so great if you need your hands held.
 
 i think he was referring to the fact that you spelled grammar incorrectly.



Re: Apache::OK error

2002-04-25 Thread Jon Robison


maybe a use Apache::Constants qw/ :common /;  

--Jon Robison

Lihn, Steve wrote:
 
 Hi,
 I am testing the Apache::Echo connection handler for Apache2 and mod_perl 2.
 But encounter the following error:
 
 [Thu Apr 25 15:32:15 2002] [error] failed to resolve handler `Apache::Echo'
 [Thu Apr 25 15:32:15 2002] [error] Bareword Apache::OK not allowed while
 strict subs in use at C:\Apache2/blib/lib/Apache2/Apache/Echo.pm line 25.
 Compilation failed in require at (eval 2) line 3.
 
 What do I miss?
 
 --Steve
 
 --
 package Apache::Echo;
 
  use strict;
  use Apache::Connection ();
  use APR::Socket ();
 
  use constant BUFF_LEN => 1024;
 
  sub handler {
      my Apache::Connection $c = shift;
      my APR::Socket $socket = $c->client_socket;
 
      my $buff;
 
      for (;;) {
          my($rlen, $wlen);
          $rlen = BUFF_LEN;            # $rlen is already declared above
          $socket->recv($buff, $rlen);
          last if $rlen <= 0;
          $wlen = $rlen;
          $socket->send($buff, $wlen);
          last if $wlen != $rlen;
      }
 
      return Apache::OK;
  }
 
  1;
  __END__
 
   Steve Lihn
   FIS Database Support, Merck & Co., Inc.
   Tel: (908) 423 - 4441
 



Re: full-featured online database apps

2002-04-24 Thread Jon Robison

It was my understanding that there are numerous tools for converting
tables like this at the mysql.com site.  Some will even access the
Access tables via ODBC and create a set of tables directly for you, or
just make dumps that can be read into MySQL.

Once made, Webmin does a good job of administering mysql databases.
www.webmin.com

--Jon Robison

Adi Fairbank wrote:
 
 Does anyone know of a good customizable, user-friendly, online database
 application, preferably mod_perl-based?  I want to migrate a small Access
 database to MySQL with a web interface, for added features and room for
 growth.  Has anyone come across a good open source project or toolkit that
 would make this job really easy?
 
 TIA,
 -Adi



Re: Apache::Session

2002-02-26 Thread Jon Robison

As an add-on to this, does anyone know if one could use MySQL HEAP
(memory resident) tables for the session table?

--Jon Robison

Rob Bloodgood wrote:
 
  I am using Apache::Session with Postgresql. Unfortunately I had
  never worked with a huge amount of data before I started to program
  something like a (little) web application. I happily packed
  everything in the session(s-table) that might be of any use. It
  hit me hard that it takes a veeey long time to get all the stuff
  out of the session(s-table) each time the client sends another
  request.
 
 Sorry if this is obvious, but
 do you have an index on your sessions table, on the sessionid column?
 Because, without an index, PG will have to do a full table read for each
 request.  Which means the more sessions you get, the slower each lookup is
 going to be.  Whereas, if you index SESSIONID (or SESSION_ID or whatever it
 is), it can go right to the row in question and return it immediately.
 
 L8r,
 Rob
 
 #!/usr/bin/perl -w
 use Disclaimer qw/:standard/;



Re: how to pass data in internal redirects?

2002-02-26 Thread Jon Robison

$r->pnotes persist across internal_redirects, I believe.

--Jon Robison

Igor Sysoev wrote:
 
 On Tue, 26 Feb 2002, F. Xavier Noria wrote:
 
  I suppose that controllers would use internal redirects to call the
  views, is there a way to pass Perl data this way?  For example, in the
  hangman game in O'Reilly's book a controller would load a session from
  the cookie, process user's guess, modify the state and redirect the
  request internally to the view.  Ideally the view shouldn't read the
  data to display from the database again... could it be passed somehow by
  the first content handler?
 
 As far as I know r->notes() do not persist across internal redirections.
 You can try r->err_header_out() but clean up it in second handler
 before content output.
 
 Igor Sysoev



Re: Question...

2002-02-13 Thread Jon Robison

On page leave?  Well I think you can of course use javascript on all the
links on the page, but I don't believe you can do much about the user
typing in a new url in the browser. . .
but that's just IMHO.

--Jon


Ryan Parr wrote:
 
 I think I'm missing something...
 
 If you set a session cookie (i.e. one with no expiry time) then the cookie
 will be deleted immediately upon browser close, forcing the user to login
 again if they've closed their browser instance.
 
 If you don't use cookies and allow basic auth then the exact same behavior
 is called, forcing the user to re-login only if they've closed that browser
 instance.
 
 Is there someway to expire cookies on page leave, or is this the smartass
 thing you were referring to? :)
 
 -- Ryan Parr
 
 - Original Message -
 From: Jon Robison [EMAIL PROTECTED]
 To: Ron Beck [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Tuesday, February 12, 2002 12:28 PM
 Subject: Re: Question...
 
  Cookies!
 
  /me is in smartass mode today.
 
  --Jon
 
  Ron Beck wrote:
  
   Hello all,
   I need to know how to clear the $ENV variables.  For example, I use a
   .htaccess file for specific directories which requires the user to enter
   userID and password.  When they exit the page, I want them to have to
   re-enter userID and passwd if they enter the page again.  Does anyone
   know how this is accomplished?
  
   TIA,
   Ron



Re: Question...

2002-02-12 Thread Jon Robison

Cookies!

/me is in smartass mode today.

--Jon

Ron Beck wrote:
 
 Hello all,
 I need to know how to clear the $ENV variables.  For example, I use a
 .htaccess file for specific directories which requires the user to enter
 userID and password.  When they exit the page, I want them to have to
 re-enter userID and passwd if they enter the page again.  Does anyone
 know how this is accomplished?
 
 TIA,
 Ron



Re: [OT] callisto software graphics

2002-02-07 Thread Jon Robison

Obviously one of those "Use our program to build your web site in just 1
hour!" things.

Maybe NOFusion? It used to come with a bunch of those Fast Templates

--Jon R.

Aaron Ross wrote:
 
 http://callistocms.com v http://w.moreover.com/
 
 hmmm
 
 --
 aaron ross . alias i, inc
  email . [EMAIL PROTECTED]
  phone . 215 545 6428



Re: DECLINED unless 'text/html' but images never make it

2002-01-14 Thread Jon Robison

How about trying:

return DECLINED unless $r->is_initial_req;

Image calls are not initial requests, they are sub requests.

--Jon Robison


R.Munden wrote:
 
 I've a script (controlled by a Location directive) that wraps a standard
 header and footer around an HTML page
 
 I've this at the top of my script:
 
 my $r = shift;
  return DECLINED unless ($r->content_type() eq 'text/html');
 
 but any images that may be inline never make it to the browser (also, if I
 explicitly call the image in question it never makes it to the browser).
 
 Apache gives a 200 status code for these requests in the access log but
 Netscape 6.2 just sits there and IE returns a 'Cannot find server...' error.
 
 Any ideas, where to start looking, etc.?
 
 --rjm--

-- 
Disclaimer: Any resemblance between the above views and
those of my employer, my terminal, or the view out my
window are purely coincidental.  Any resemblance between
the above and my own views is non-deterministic.  The
question of the existence of views in the absence of anyone
to hold them is left as an exercise for the reader. The
question of the existence of the reader is left as an
exercise for the second god coefficient.  (A discussion
of non-orthogonal, non-integral polytheism is beyond the
scope of this article.)



Re: Suggestions on an XML-RPC Service using modperl?

2002-01-02 Thread Jon Robison

As far as the caching goes, we have had extremely good luck with
IPC::ShareLite used to share info across mod_perl processes.

--Jon R.

Chip Turner wrote:
 
 Bruce W. Hoylman [EMAIL PROTECTED] writes:
 
  Ciao!
 
  I would like some input on an intranet web service I am currently in the
  process of designing, the core of which will be modperl on UN*X.
 
 Excellent choice.  This works quite well.  Of course, like others on
 this list, I might be a bit biased.
 
  The service itself is to access a couple of back end data stores given
  parameters received in an XML-RPC request, then return the results in an
  XML-RPC formatted response.  The data from the back end sources will be
  loaded into memory at service initialization, for fast access.  The data
  is small enough and memory plentiful enough to allow this.
 
 How often does the data change?  How is it stored on the back end?
 You may not need to cache anything if, say, you have a decent SQL
 database on the backend.  Caching never hurts, but it isn't always
 necessary.  The Cache::* modules may be of use for this, though,
 should you still need it.  You also might want to consider not sharing
 the data in each process; the complexity gained vs the memory lost by
 storing it in each process may be a workable tradeoff.  I probably
 would try it first with no cache, then a per-process on-demand cache,
 then finally a shared cache, in that order.
 
  That's pretty much it in terms of the high level data flow.  It has to
  be relatively fast, OTO 5+ requests/sec. as a relative volumetric.
 
 This should be quite easy.  I don't have the necessary setup handy to
 benchmark it, but I imagine you can easily achieve performance at that
 level using Frontier::RPC inside a mod_perl handler.  We typically use
 custom code for interfacing the handler, but IIRC the Frontier module
 comes with a mod_perl handler that, if not entirely suitable, is
 easily modified to your needs.
 
  I'm going to use modperl due to the embedded perl interpreter
  characteristics it provides, allowing initialization overhead to be
  incurred at startup.  I also wish to use an in-memory, read-only hash
  structure shared across all modperl processes for access to the cached
  back end data, rather than making expensive calls to these stores for
  each request.  Again, throughput is critical.
 
 Five hits/second should be absolutely no problem.  If you expect slow
 clients, a mod_proxy in front of things (http://perl.apache.org/guide)
 can help.
 
  I would like your thoughts on the cache management concept of the
  service.  I'm looking at MLDBM::Sync as the mechanism for managing the
  filesystem representation of the in-memory hash content.  What to manage
  the in-memory structure itself in terms of accessing its content?  Is a
  Tie structure too expensive?  I want to end up with a single structure
  accessible to all of the modperl processes, loaded at service 
 
 Chip
 
 --
 Chip Turner   [EMAIL PROTECTED]
   Red Hat Network



PushHandler and Cookies

2002-01-01 Thread Jon Robison

I'm having some troubles with a system I am writing.  The system uses
the Ticket system from the Eagle book, with some minor modifications.

I have also created a logout module, which SHOULD delete the person's
cookie and redirect them to the main page (where they should be
re-directed by the Ticket system to a login screen as the cookie is
gone).

Currently, it isn't working.  I had it working (click Log Out and
you got sent to the login screen), but I noticed that the cookie wasn't
deleted, and that I could type the correct URL (non Ticket redir url)
into the browser and I was back in! This is obviously not a good thing!

I placed a bunch of print STDERR statements in it and what I see now
in the log (after editing to try and make it correctly delete the
cookie) is the logout module processes correctly, the action does get
re-set to view. . . and then it re-runs the logout module!  Maybe I'm
not using the correct Apache return name (DONE, OK, DECLINED, etc.)? or
maybe I'm just totally screwing up the cookie re-make.

Can anyone take a moment and review this code to see what this beginner
has fouled up?

Modified TicketAccess.pm:

###
package FES::Apache::TicketAccess;
use strict;
use Apache::Constants qw(:common);
use FES::Apache::TicketTool ();

sub handler {
  my $r = shift;
  my %input = $r->args;    # for checking input items
  my $ticketTool = FES::Apache::TicketTool->new($r);
  my($result, $msg) = $ticketTool->verify_ticket($r);
  unless ($result) {
    $r->log_reason($msg, $r->filename);
    my $cookie = $ticketTool->make_return_address($r);
    $r->err_headers_out->add('Set-Cookie' => $cookie);
    return FORBIDDEN;
  }
  ## Here is where I added a push_handler insert.

  my $action = defined $input{'act'} ? $input{'act'} : 'view';

  if ($action eq 'logout')  {
    $r->push_handlers('PerlHandler' => 'FES::Control::Logout');
    return OK;
  } elsif ($action eq 'view') {
    $r->push_handlers('PerlHandler' => 'FES::Control::View');
    return OK;
  } else {
    $r->push_handlers('PerlHandler' => 'FES::Control::View');
    return OK;
  }
}

1;
##

And the Logout module hit by clicking a link built as
<a href="/fes?act=logout">Log Out</a>


package FES::Control::Logout;
use strict;
use Apache;
use Apache::Constants qw(:common);
use CGI::Cookie;

sub handler {
  my $r = shift;
  my $q = new CGI;
  my $ticket = _get_ticket('r' => $r);
## These next two lines are to re-make the two cookies set
## by the Ticket system from the Eagle book to expiration dates
## from before today, thus deleting them (I wish!)
  my $cookie1 = new CGI::Cookie(-name=>'Ticket', -value=>undef,
                                -expires=>'-100m');
  my $cookie2 = new CGI::Cookie(-name=>'request_uri', -value=>undef,
                                -expires=>'-100m');
  $r->header_out('Set-Cookie',[$cookie1,$cookie2]);
  $r->internal_redirect("/fes");
  return OK;
}

sub _get_ticket {
  my $args = {
    'r' => undef,
    @_
  };
  my $r = $args->{'r'};
  my %cookies = fetch CGI::Cookie;
  my %ticket = $cookies{'Ticket'}->value;
  return \%ticket;
}

1;
##3

I have tried switching from CGI::Cookie to Apache::Cookie (and modifying
the commands to suit) - no luck.  Same thing.

Can anyone see something obvious that I am doing wrong?  I realized that
this is probably a newbie question, but I could use the help.  I have
re-written the Logout.pm a dozen times, to no avail.

--Jon Robison



Re: Doing Authorization using mod_perl from a programmers perspective

2001-12-10 Thread Jon Robison

To insert a new comment on this old item:

What about sockets?  I am in the middle of trying to use $c =
$r->connection and $c->remote_addr as part of the cookie name.  (So far
I am having trouble with the fact that remote_addr returns packed info,
and I am still searching for how to unpack it - if you know, tell me!).

It's not 'foolproof', but how many casual cookie stealers can force
their browser to use a particular socket?

This little method would even allow me to open multiple windows into a
secured area, each with a different username, etc. (Very useful during
user interface development, etc. where menus differ based on some
criteria for users)

--Jon Robison


David Young wrote:
 
 fliptop wrote:
  Joe Breeden wrote:
 
  How does this work in an environment with two (or more) computers with the
  exact same configuration, and probably the same HTTP_USER_AGENT behind the
  same proxy? How do you know that one user isn't using another user's session?
 
  you don't.  the session hijacker still would need to know the real
  user's username, password, and HTTP_USER_AGENT configuration.
 
 The session hijacker would not need to know the username and password. They
 would only need to sniff the cookie from the network, and then send it from
 a client identifying itself as the same User Agent.
 
  my point
  was that this solves the problem of using the ip address in the md5 hash
  when the client is behind a proxy server.
 
 This does not solve the problem: IP address of users behind Proxy is not
 unique. The User Agent is not unique either. Using User Agent solves
 nothing, and is in fact far less secure, since the client can set the User
 Agent header to be just about anything. At least the IP address has to be
 correct (but not unique) if the client wants to get a response.



Deleting a cookie

2001-11-27 Thread Jon Robison

I have created a login system using the wonderful Ticket system from the
Eagle book.  I have modified TicketAccess so that after authentication,
it reviews the arguments in the query string and does push_handler, the
handler being chosen based on the args.

My only problem is that I want to provide the users with a logout button
which will delete the cookie from their browser, yet I cannot find how!
I have reviewed every module on my system with 'Cookie' in the name
(Apache::Cookie, CGI::Cookie, etc.) and nowhere does it tell how to do
this. There is a small mention of changing the expiration to  0, but
apparently I am doing it wrong (possible confusing point is the use of
an 'expires' value in the cookie itself, separate, I think, from the
'expires' attribute on the cookie?)

I know it is a lot to ask, but I am relatively new to this part of
mod_perl (pushing handlers, etc.), so if anyone can look at this and
replace my BLOCKED comments with a couple of helpful lines, I would
greatly appreciate it! 

Thanks in advance - 

Jonathon Robison


Below is my modified TicketAccess, as well as the Logout module I am
re-directing to for logout action:
=
package FES::Apache::TicketAccess;

use strict;
use Apache::Constants qw(:common);
use FES::Apache::TicketTool ();

sub handler {
    my $r = shift;
    my %input = $r->args;    # for checking input items
    my $ticketTool = FES::Apache::TicketTool->new($r);
    my($result, $msg) = $ticketTool->verify_ticket($r);
    unless ($result) {
        $r->log_reason($msg, $r->filename);
        my $cookie = $ticketTool->make_return_address($r);
        $r->err_headers_out->add('Set-Cookie' => $cookie);
        return FORBIDDEN;
    }
    ## Here is where we need to insert a push_handler insert. I won't need
    ## the requested uri from the $r, since the $r goes along for the ride
    ## in push_handler

    my $action = defined $input{'act'} ? $input{'act'} : 'view';

    print STDERR "action is defined as $action\n";  ## DEBUGGING

    if ($action eq 'logout')  {
        $r->push_handlers('PerlHandler' => 'FES::Control::Logout');
        return OK;
    } elsif ($action eq 'view') {
        $r->push_handlers('PerlHandler' => 'FES::Control::View');
        return OK;
    } else {
        $r->push_handlers('PerlHandler' => 'FES::Control::View');
        return OK;
    }
    ## ARE THOSE THE CORRECT THINGS TO 'RETURN' FOR THESE CASES?

}

1;
==

And the Logout.pm:

=
package FES::Control::Logout;

use strict;
use Apache;
use Apache::Constants qw(:common);
use FES::Common::Common qw( header footer);
use CGI qw/:standard/;
use CGI::Cookie;

sub handler {
    my $r = shift;
    my $q = new CGI;
    my $ticket = _get_ticket('r' => $r);

    ## HERE IS WHERE I NEED TO 1.) DELETE USER'S TICKET COOKIE AND
    ## 2.) REDIRECT THEM TO /FES (w/o bringing old $r),(WHERE THEY SHOULD GET
    ## A NEW LOGIN SCREEN BECAUSE COOKIE IS GONE.)

}

sub _get_ticket {
    my $args = {
        'r' => undef,
        @_
    };
    my $r = $args->{'r'};
    my %cookies = CGI::Cookie->parse($r->header_in('Cookie'));  # TESTING
    my %ticket = $cookies{'Ticket'}->value;  # TESTING
    return \%ticket;
}

1;
=
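
An added example, not part of the original message or of the Eagle book's code: a browser discards a cookie when it receives a Set-Cookie with the same name, path and domain and an `expires` attribute in the past, while any 'expires' value stored inside the cookie value is application data the browser never interprets. The helper names `expire_cookie` and `logout_headers` and the path '/' are assumptions; the cookie name 'Ticket' and the /FES target come from the message above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI::Cookie ();

# Build the Set-Cookie value that makes a browser discard a cookie.
# Name, path and domain must match the values used when the cookie was set;
# a mismatch creates a second cookie and leaves the original in place.
sub expire_cookie {
    my (%opt) = @_;
    my %attr = (
        -name    => $opt{name},
        -value   => '',       # overwrite the ticket contents as well
        -path    => $opt{path},
        -expires => '-1d',    # cookie attribute: a date in the past
    );
    $attr{-domain} = $opt{domain} if defined $opt{domain};
    return CGI::Cookie->new(%attr)->as_string;
}

# Response headers for the logout action: expire the cookie, then redirect.
sub logout_headers {
    my ($login_uri) = @_;
    return (
        'Set-Cookie' => expire_cookie(name => 'Ticket', path => '/'),
        'Location'   => $login_uri,
    );
}

# In a mod_perl 1 content handler the same two headers would be sent as:
#   $r->err_headers_out->add('Set-Cookie' => $value);
#   $r->header_out(Location => '/FES');
#   return REDIRECT;   # needs: use Apache::Constants qw(:common REDIRECT);
# err_headers_out is used so the cookie is still sent on a non-200 response.

my %h = logout_headers('/FES');
print "$_: $h{$_}\n" for sort keys %h;
```

Expiring the cookie only removes the browser's copy: a ticket value that was copied before logout still verifies until the expiry embedded in it passes, so a short ticket lifetime or a server-side revocation record is what ends the session on the server.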



Re: Doing Authorization using mod_perl from a programmers perspective

2001-11-19 Thread Jon Robison

Randal, you want to expound upon that?

--Jon Robison

Randal L. Schwartz wrote:
 
  fliptop == fliptop  [EMAIL PROTECTED] writes:
 
 fliptop i have found that using the HTTP_USER_AGENT environment
 fliptop variable instead of ip address solves the problem with proxy
 fliptop servers and the md5 hash.  anyone ever tried this as a simple
 fliptop workaround?
 
 Nobody with any sense.  It's flawed.
 
 --
 Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
 Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
 See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!



Re: Doing Authorization using mod_perl from a programmers perspective

2001-11-19 Thread Jon Robison

How about using an Apache::Sessions id instead of IP address?

--Jon Robison

Randal L. Schwartz wrote:
 
  fliptop == fliptop  [EMAIL PROTECTED] writes:
 
 fliptop i have found that using the HTTP_USER_AGENT environment
 fliptop variable instead of ip address solves the problem with proxy
 fliptop servers and the md5 hash.  anyone ever tried this as a simple
 fliptop workaround?
 
 Nobody with any sense.  It's flawed.
 
 --
 Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
 Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
 See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!



Re: Doing Authorization using mod_perl from a programmers perspective

2001-11-16 Thread Jon Robison

fliptop wrote:
 
 Jon Robison wrote:
 
  The most relevant section for you is the Ticket system he describes. (I
  believe the section header says something about Cookies, but you'll know
  you have the right one when you see TicketAccess.pm, TicketTools.pm, and
  TicketMaster.pm. One nice addition is the ability to add encryption to
  the Ticket, and the fact that the author used an MD5 hash (of an MD5
  hash!) in the cookie, so verification of the authenticity of the user is
  pretty solid so long as you leave in things like ip address, etc. which
  he uses in the cookie by default. (Although AOL and some proxy systems
  might cause this to be trouble).  AND, he also uses a mysql db for the
 
 i have found that using the HTTP_USER_AGENT environment variable instead
 of ip address solves the problem with proxy servers and the md5 hash.
 anyone ever tried this as a simple workaround?

I think one problem with that is that it fails to uniquely identify the
person.

Someone please tell me if I am wrong - does the USER_AGENT field get
some kind of special serial number from the browser, or is it just a
version identified?

Best example - large company with 1000 PC's, all with same Netscape
installed.  How then does the HTTP_USER_AGENT field delineate between
PC's?

--Jon
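
An added example, not part of the thread: a ticket whose MD5-of-MD5 hash covers one client attribute, checked against constructed requests to show what binding to the IP address versus HTTP_USER_AGENT actually buys. The field layout, secret, addresses and User-Agent string are assumptions made for illustration, not the book's code.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my $SECRET = 'constructed-demo-secret';    # placeholder server secret

# Issue a ticket whose hash covers one client attribute (the "binding").
sub make_ticket {
    my ($user, $binding, $expires) = @_;
    my $inner = md5_hex(join ':', $SECRET, $binding, $expires, $user);
    return { user => $user, expires => $expires,
             hash => md5_hex($SECRET . $inner) };
}

# Recompute the hash from what the current request presents.
sub verify_ticket {
    my ($t, $binding, $now) = @_;
    return 0 if $now > $t->{expires};
    my $inner = md5_hex(join ':', $SECRET, $binding, $t->{expires}, $t->{user});
    return md5_hex($SECRET . $inner) eq $t->{hash} ? 1 : 0;
}

# Constructed requests that all present the same ticket cookie.
my $ua  = 'Mozilla/4.78 [en] (Windows NT 5.0; U)';
my $now = 1_005_900_000;
my %req = (
    owner                 => { ip => '192.0.2.10',   ua => $ua },
    owner_via_other_proxy => { ip => '192.0.2.77',   ua => $ua },
    other_pc_same_browser => { ip => '198.51.100.5', ua => $ua },
);

for my $field (qw(ip ua)) {
    my $ticket = make_ticket('jon', $req{owner}{$field}, $now + 3600);
    for my $who (sort keys %req) {
        my $ok = verify_ticket($ticket, $req{$who}{$field}, $now);
        printf "%-2s binding, %-22s => %s\n",
            $field, $who, $ok ? 'accepted' : 'rejected';
    }
}
```

With the IP binding the owner is rejected once a request leaves through a different proxy; with the User-Agent binding every request is accepted, including the one from a different machine, so that field adds nothing beyond possession of the cookie.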



Re: Doing Authorization using mod_perl from a programmers perspective

2001-11-15 Thread Jon Robison

Jonathon,

I am doing exactly this also.  What works is this:

Get a copy of Writing Apache modules with perl and C and read it.

The most relevant section for you is the Ticket system he describes. (I
believe the section header says something about Cookies, but you'll know
you have the right one when you see TicketAccess.pm, TicketTools.pm, and
TicketMaster.pm. One nice addition is the ability to add encryption to
the Ticket, and the fact that the author used an MD5 hash (of an MD5
hash!) in the cookie, so verification of the authenticity of the user is
pretty solid so long as you leave in things like ip address, etc. which
he uses in the cookie by default. (Although AOL and some proxy systems
might cause this to be trouble).  AND, he also uses a mysql db for the
passwords, etc.  All in all, a VERY useful section of the book.

As for pushing content after authorization, take a very close look at
the $r->push_handler() function.  I use it like this:

my $input = $r->args (or however you want to get input - Apache::Request
is a good way)
if (defined $input->{some_param}) {
  $r->push_handler( PerlHandler => MyActionModule );
} else {
  $r->push_handler(PerlHandler => MyErrorModule );
}

Because the request object (usually $r) exists in its same state when
the new PerlHandler is called, grabbing $input again (via whatever
method) can be used to determine what action the module takes.

This isn't precise, so please read the manual before using this, but you
get the idea.  One thing to keep in mind is that perl_handlers
(PerlHandler) is a stack that will draw from the top, so it is FILO, not
FIFO.

Hope this helps.

Jonathon Robison
Uniphied Thought, LLC.


Jonathan E. Paton wrote:
 
 I am trying to create a website with predominantly dynamic
 content (mod_perl + DBI + mySQL) for an online community.
 I can manage Perl and mySQL fairly proficiently, however
 I've no idea how to successfully create what I want using
 mod_perl and Apache (actually, I know next to nothing about
 them).
 
 --- Background information ---
 
 The website shall be split into a public and private
 section, and will share a common layout and appearance
 (although I might add little visual clues to indicate which
 section they are in).  When members wish to login I want
 them to do so via the public section (from that page), and
 then be able to access the additional links/features of the
 private section.
 
 I wish to handle all the database actions in my own code,
 unless something fits perfectly.  When members try to
 login, my aims are:
 
 1. Check login name, and password.
 2. Check member hasn't been suspended.
 3. Return the membership ID number for the next stage.
 
 The membership ID number will be used to decide what access
 level the members have (what forums, tools etc they can see
 and use).  The SQL table is specified as:
 
 CREATE TABLE access (
   member_id int(10) unsigned NOT NULL,
   account_name varchar(16) NOT NULL,
   account_password varchar(16) NOT NULL,
   state enum('A', 'S') DEFAULT 'A' NOT NULL,
 
 PRIMARY KEY (account_name)
 );
 
 Imagine I now create an object to wrap around this, with
 the following method:
 
 my $permission =  $access->check($account_name,
 $account_password);
 
 which returns the membership number if valid,
 or the value -1 for a suspended account,
 or undef for no account.
 
 --- Questions ---
 
 1. Can this be done (nicely) as a
 authentication/authorization handler?
 
 2. Do most hosting companies allow
 authentication/authorization handlers?  (Using HostRocket
 at the moment).
 
 3. What is the most appropriate session management system?
 I'm thinking of using cookies (client side) to store a
 session key, rather than resubmitting the password data.
 The server side stores this session key in the database.
 
 4. How does the membership ID get passed to the next stage?
 
 5. What is the time to do additional access checking (for
 senior/admin users)?  I was planning to do it a little
 later on, but it is probably better to do it once (i.e.
 with this).
 
 6. What is a realistic time to expect all this to happen
 in?
 
 I'm sure I've missed a few questions...
 
 Any help appreciated, especially links to relevant
 documentation.
 
 Jonathan Paton
 
 NB - Whilst my preferred answer to these questions is a
 coded solution, I have a restriction (self imposed) - I'd
 prefer to have full copyright on the final code, thus I ask
 any major ideas/code includes permission to use it freely -
 or else be good enough to be worth adding your name provided
 I use it :)
 



Silly Newbie Question: cookies and such

2001-11-12 Thread Jon Robison

Unfortunately, I find myself with a silly newbie question:

I need to make an Apache module (not a Registry script) which will:

1. Check for a cookie, and if not there, pushhandler to a module for
logging in (keeping the original request at hand for use after they
succeed in logging in).
2. Extract data from the cookie (encrypted for security?)
3. Based on data from both the query string ($r->args?) and from data in
the cookie, pushhandler to another module.

I have looked at Apache::AuthCookie - it didn't seem to make much sense
to me.  Apache::Session looks promising, but the instructions don't say
how to set up the mysql tables, etc. My worst problem is that I haven't
had occasion to deal with cookies much (setting, checking,etc.) in the
past and I know this is hampering my understanding.

Can anyone give me a general overview (use this module, this way, etc.)?

I'm not totally new to Apache Modules, but my experience is gleaned from
writing modules already pushed into the handler stack by
PerlTransHandlers written by someone else. I don't want to use
PerlTransHandler, just PerlHandler, so I can use Location in
perl.conf.

In conclusion: I'm making a system/site where no .html files even exist.
I need to handle security via a mysql db, and to push handlers based on
a part of the url and a piece of the cookie which identifies the user as
either a teacher, student, or parent (oops... I gave it away ;-)

Jonathon Robison



Re: [JOB] Red Hat Network Web Engineer positions open

2001-11-08 Thread Jon Robison

Jiminy Crickets Chip!  Yer makin me drool!

If it weren't for the Move to NC part, I'd be doing my best to be your
new closest buddy ;-)

--Jon Robison
Uniphied Thought, LLC
Dearborn, MI

Chip Turner wrote:
 
 Hello all,
 
 We have a couple openings doing intense and interesting mod_perl work
 here at Red Hat.  Formal description is below.  Key skills are perl,
 mod_perl, apache, and DBI (especially Oracle).  Must relocate to
 Research Triangle Park, North Carolina.
 
 Job Title: Web Engineer
 
 Red Hat is looking for some skilled web engineers to design, enhance,
 and implement applications on the Red Hat web site.  You will work on
 a global team to create a best-of-breed web site and implement web
 services that support Red Hat's Open Source products and services.
 
 The ideal candidate will have the following characteristics:
 
   1. Ability to learn.  Candidate must show they can adapt to the rapidly
  changing technology landscape.
 
   2. Ability to communicate.  Candidate must show that they can express
  ideas with elegance and flair.
 
   3. Mature technical ability.  Candidate must understand how the web
  works from a low to a high level.  Candidate must also understand
  how quality software is designed and constructed.  We want you
  to think as much as you code.
 
 Other required skills:
 
Four year degree or equivalent industry experience.
 
Previous experience developing web applications,
preferably for a high volume revenue based web site.
 
Understanding and experience with object-oriented design and coding.
 
Experience using Perl with Apache, preferably mod_perl directly.
 
Understanding of relational database concepts and SQL (prefer
Oracle)
 
Experience with HTML and HTML tools, as well as XML and XHTML.
 
Knowledge of basic Software Engineering concepts: development models,
testing, documentation, and revision control.
 
 Pluses:
 
Knowledge of Red Hat's products and services.
 
Understanding of Apache 1.3.x configuration.  Knowledge
of Apache internals and C module development also a plus.
 
Expert Perl programming experience including:
  Perl web applications under Apache and mod_perl,
  Apache modules, Perl modules, Perl OOP extensions.
 
Languages: Java, Javascript, Python, PHP, C, C++
 
Web Technology: XML, XSLT and XML-RPC; Internationalization;
  Applications Servers (HTML::Mason, Embperl, Apache::ASP, Zope,
  Zentropa, AxKit, Cocoon etc.); Search systems and concepts;
  cookies and authentication mechanisms
 
Oracle database and Oracle Applications (ERP, CRM) Experience.
 
 --
 Chip Turner   [EMAIL PROTECTED]
   Red Hat Network



Re: @INC

2001-10-23 Thread Jon Robison

Plows, Sean (London) wrote:
 
 How can I set this as my cgi's can't locate my libs?
 
  Regards,
 
  Sean Plows

Sean - try use lib '/path/to/my/libs';  That should append your
library path to @INC.

Word on the street is that you NEVER EVER want to mess with @INC
directly.

Jon Robison
!Uniphied Thought, LLC