Re: [RFC] Apache::DigestAPI
ok... after talking things over with Andrew a bit more, Apache::DigestAPI has become Apache::AuthDigest. the package should actually compile and work now, too :) The latest version can be grabbed here: http://www.modperlcookbook.org/~geoff/modules/Apache-AuthDigest-0.01.tar.gz Apache::AuthDigest is a suite of applications for using Digest authentication with mod_perl. It contains: Apache::AuthDigest - re-implementation of the authentication part of mod_digest.c in Perl Apache::AuthzDigest - pick up the authorization pieces of mod_digest Apache::AuthDigest::API - mod_perl API for Digest authentication a la mod_digest Apache::AuthDigest::API::Full - fully RFC 2617 compliant Digest API (not yet implemented) Apache::AuthDigest::API::Session - experimental session API any comments or feedback is welcome, as the look and feel of the suite is still evolving. --Geoff
[RFC] Apache::DigestAPI
hi all... I wanted to present Apache::DigestAPI as an RFC. the module can be downloaded here for trials: http://www.modperlcookbook.org/~geoff/modules/Apache-DigestAPI-0.01.tar.gz basically, Apache::DigestAPI is a release of Recipe 13.8 in the Cookbook - a simple API for supporting Digest authentication a la mod_digest.c from the Apache distribution. it follows the same path as the API for Basic authentication that mod_perl supports natively, providing an API so that you can authenticate using something other than the default flat-file method provided by auth_digest. keep in mind that the current implementation doesn't work with MSIE, so you'll have to use something like Opera or Konqueror (or mozilla now, I hear?) to play around with it. you can find the entire RFC for Digest authentication here (if you're interested): ftp://ftp.isi.edu/in-notes/rfc2617.txt included with Apache::DigestAPI is a subclass called Apache::DigestAPI::Session. it is an interesting but experimental interface that attempts to use the nonce part of the Digest authentication scheme to store a unique session identifier (instead of in, say, a cookie). it is experimental because I'm still playing with the interface, digesting RFC 2617, looking for possible security holes, and (in general) seeing if it can actually work like I think it can. but it is there if anyone is interested in playing around with it for fun and folly. anyway, the manpages are pretty sparse for the moment, but I plan on fixing them up before a real release. if anyone is interested in the original explanantion of the code from the book who doesn't already have it, you can see Recipe 13.8 here: http://www.modperlcookbook.org/chapters/13.8.pdf --Geoff
Re: [RFC] Apache::DigestAPI
Hello, GYApache::DigestAPI is a release of Recipe 13.8 in the Cookbook - a simple GYAPI for supporting Digest authentication a la mod_digest.c from the GYApache distribution. I think this is a great idea. I'm a huge fan of digest authentication as a simple basic authentication replacement, and many modern clients now support it. One comment, why the odd name? Shouldn't it be Apache::AuthDigest or similar? Every library is an API so it seems kind of odd to call it Apache::DigestAPI. GYkeep in mind that the current implementation doesn't work with MSIE, so GYyou'll have to use something like Opera or Konqueror (or mozilla now, I GYhear?) to play around with it. MSIE does do digest authentication that works with mod_digest.c. And Mozilla past 0.9.7 should do digest authentication. Humbly, Andrew -- Andrew Ho http://www.tellme.com/ [EMAIL PROTECTED] Engineer [EMAIL PROTECTED] Voice 650-930-9062 Tellme Networks, Inc. 1-800-555-TELLFax 650-930-9101 --
Re: [RFC] Apache::DigestAPI
Andrew Ho wrote: Hello, GYApache::DigestAPI is a release of Recipe 13.8 in the Cookbook - a simple GYAPI for supporting Digest authentication a la mod_digest.c from the GYApache distribution. I think this is a great idea. I'm a huge fan of digest authentication as a simple basic authentication replacement, and many modern clients now support it. One comment, why the odd name? Shouldn't it be Apache::AuthDigest or similar? Every library is an API so it seems kind of odd to call it Apache::DigestAPI. well, it's an API in that it doesn't do anything for you except provide an API. meaning, I'd expect Apache::AuthDigest to work as so: PerlAuthenHandler Apache::AuthDigest all this module does is provide methods that parallel $r-get_basic_auth_pw() and $r-note_basic_auth_failure - you need to use the methods yourself to build an actual authentication mechanism. GYkeep in mind that the current implementation doesn't work with MSIE, so GYyou'll have to use something like Opera or Konqueror (or mozilla now, I GYhear?) to play around with it. MSIE does do digest authentication that works with mod_digest.c. And Mozilla past 0.9.7 should do digest authentication. are you sure? I can't get it to work right now using MSIE 5.00.31. in fact, I can confirm that Apache sends the 401, but MSIE doesn't even display a dialogue box. Opera works just fine. when I was researching this for the book, it was my understanding that MSIE requires parameters not supplied by mod_digest.c (such as qop) for it's implementation. some old threads on new-httpd on mod_auth_digest.c pointed me in this direction, IIRC. then there was this recent article: http://www.eweek.com/article/0,3658,s=702a=24177,00.asp which, even though it seemed to confirm what I had found out, suprised me somewhat, since I figured it was old news that MSIE and Apache's standard (for lack of a better term) Digest implementation didn't play nice together... --Geoff
Re: [RFC] Apache::DigestAPI
Hello, GYwell, it's an API in that it doesn't do anything for you except provide GYan API. meaning, I'd expect Apache::AuthDigest to work as so: GY GYPerlAuthenHandler Apache::AuthDigest GY GYall this module does is provide methods that parallel GY$r-get_basic_auth_pw() and $r-note_basic_auth_failure - you need to GYuse the methods yourself to build an actual authentication mechanism. I just commented this because it would make more sense to me as someone looking to implement digest authentication in Perl if an Apache::AuthDigest module existed which WAS useable directly as a PerlAuthenHandler (with a configuration API identical or similar to mod_digest.c), and the API came bundled with it if you wanted to use it directly. I could imagine there being a different namespace (I want the methods, so I use Apache::AuthDigest::API), or Deep Perl Magick (when I use Apache::AuthDigest::API in a handler or an Apache::Registry script, $r-note_basic_auth_failure() suddenly just works because someone mucked with Apache's namespace), or some permutation thereof (when I have Apache::AuthDigest as a PerlAuthenHandler, $r-note_basic_auth_failure() just works in any associated mod_perl handlers or scripts). That would mean that you could just download one package, with a name one would expect when asking the question how can I implement digest authentication in a mod_perl enabled server without recompiling Apache? On a totally different note, I can't seem to get this module to load properly at build time: % perl Makefile.PL % make % perl -Mblib -MApache::DigestAPI -e0 Can't locate loadable object for module Apache::DigestAPI in @INC (@INC contains: /home/andrew/install/pm/Apache-DigestAPI-0.01/blib/arch /home/andrew/install/pm/Apache-DigestAPI-0.01/blib/lib /usr/libdata/perl5/i386-openbsd/5.6.1 /usr/local/libdata/perl5/i386-openbsd/5.6.1 /usr/libdata/perl5 /usr/local/libdata/perl5 /usr/local/libdata/perl5/site_perl/i386-openbsd /usr/libdata/perl5/site_perl/i386-openbsd /usr/local/libdata/perl5/site_perl /usr/libdata/perl5/site_perl /usr/local/lib/perl5/site_perl .) at -e line 0 This is on OpenBSD 3.1, with Perl 5.6.1. After installing the module anyway and trying it inside mod_perl itself, I get a similar error in the server error_log: [Thu May 23 14:21:30 2002] [error] Can't locate loadable object for module Apache::DigestAPI in @INC (@INC contains: /home/andrew/pm/Zeuscat-Addressbook/blib/arch /home/andrew/pm/Zeuscat-Addressbook/blib/lib /usr/local/encap/mod_perl-1.26/lib/site_perl/5.6.1/i386-openbsd /usr/libdata/perl5/i386-openbsd/5.6.1 /usr/local/libdata/perl5/i386-openbsd/5.6.1 /usr/libdata/perl5 /usr/local/libdata/perl5 /usr/local/libdata/perl5/site_perl/i386-openbsd /usr/libdata/perl5/site_perl/i386-openbsd /usr/local/libdata/perl5/site_perl /usr/libdata/perl5/site_perl /usr/local/lib/perl5/site_perl . /home/andrew/httpd/ /home/andrew/httpd/lib/perl) at /var/www/htdocs/zeuscat.com/andrew/test/digest/digest.pl line 9 Compilation failed in require at /var/www/htdocs/zeuscat.com/andrew/test/digest/digest.pl line 9. BEGIN failed--compilation aborted at /var/www/htdocs/zeuscat.com/andrew/test/digest/digest.pl line 9. I also note that during building, I end up with a Session.so in blib/arch, but after doing make install, Session.so disappears. There is also an DigestAPI.xs that gets copied into blib/lib/Apache, which seems fishy. Humbly, Andrew -- Andrew Ho http://www.tellme.com/ [EMAIL PROTECTED] Engineer [EMAIL PROTECTED] Voice 650-930-9062 Tellme Networks, Inc. 1-800-555-TELLFax 650-930-9101 --
Re: [RFC] Apache::DigestAPI
Andrew Ho wrote: Hello, GYwell, it's an API in that it doesn't do anything for you except provide GYan API. meaning, I'd expect Apache::AuthDigest to work as so: GY GYPerlAuthenHandler Apache::AuthDigest GY GYall this module does is provide methods that parallel GY$r-get_basic_auth_pw() and $r-note_basic_auth_failure - you need to GYuse the methods yourself to build an actual authentication mechanism. I just commented this because it would make more sense to me as someone looking to implement digest authentication in Perl if an Apache::AuthDigest module existed which WAS useable directly as a PerlAuthenHandler (with a configuration API identical or similar to mod_digest.c), and the API came bundled with it if you wanted to use it directly. hmmm. ok, lemme think on that. in general, I don't think there are many mod_perl modules out there that re-implement default Apache functionality, so it was never my intent to redo mod_digest in Perl. also, all of the other Apache::Auth* modules seem to be specific authentication schemes (Raduis, SMB, DBI, etc). what I was trying to do was create a way for people to be able to do the same thing for Digest auth, since there is no way now. hence the API designation - I'm really just extending the mod_perl API proper here... I could imagine there being a different namespace (I want the methods, so I use Apache::AuthDigest::API), ok. or Deep Perl Magick (when I use Apache::AuthDigest::API in a handler or an Apache::Registry script, $r-note_basic_auth_failure() suddenly just works because someone mucked with Apache's namespace), or some permutation thereof (when I have Apache::AuthDigest as a PerlAuthenHandler, $r-note_basic_auth_failure() just works in any associated mod_perl handlers or scripts). yucko. personally I hate action-at-a-distance behaviors. That would mean that you could just download one package, with a name one would expect when asking the question how can I implement digest authentication in a mod_perl enabled server without recompiling Apache? On a totally different note, I can't seem to get this module to load properly at build time: % perl Makefile.PL % make % perl -Mblib -MApache::DigestAPI -e0 I'll look more closely at this tomorrow, but I don't expect that would ever work, as note_digest_auth_failure() is really part of the Apache API (stolen via XS) and needs a real request object. try $ make test and see if the live tests (via Apache::Test) work. (a good time to check out the httpd-test project, no? :) Can't locate loadable object for module Apache::DigestAPI in INC (INC contains: /home/andrew/install/pm/Apache-DigestAPI-0.01/blib/arch /home/andrew/install/pm/Apache-DigestAPI-0.01/blib/lib /usr/libdata/perl5/i386-openbsd/5.6.1 /usr/local/libdata/perl5/i386-openbsd/5.6.1 /usr/libdata/perl5 /usr/local/libdata/perl5 /usr/local/libdata/perl5/site_perl/i386-openbsd /usr/libdata/perl5/site_perl/i386-openbsd /usr/local/libdata/perl5/site_perl /usr/libdata/perl5/site_perl /usr/local/lib/perl5/site_perl .) at -e line 0 This is on OpenBSD 3.1, with Perl 5.6.1. After installing the module anyway and trying it inside mod_perl itself, I get a similar error in the server error_log: [Thu May 23 14:21:30 2002] [error] Can't locate loadable object for module Apache::DigestAPI in INC (INC contains: /home/andrew/pm/Zeuscat-Addressbook/blib/arch /home/andrew/pm/Zeuscat-Addressbook/blib/lib /usr/local/encap/mod_perl-1.26/lib/site_perl/5.6.1/i386-openbsd /usr/libdata/perl5/i386-openbsd/5.6.1 /usr/local/libdata/perl5/i386-openbsd/5.6.1 /usr/libdata/perl5 /usr/local/libdata/perl5 /usr/local/libdata/perl5/site_perl/i386-openbsd /usr/libdata/perl5/site_perl/i386-openbsd /usr/local/libdata/perl5/site_perl /usr/libdata/perl5/site_perl /usr/local/lib/perl5/site_perl . /home/andrew/httpd/ /home/andrew/httpd/lib/perl) at /var/www/htdocs/zeuscat.com/andrew/test/digest/digest.pl line 9 Compilation failed in require at /var/www/htdocs/zeuscat.com/andrew/test/digest/digest.pl line 9. BEGIN failed--compilation aborted at /var/www/htdocs/zeuscat.com/andrew/test/digest/digest.pl line 9. hmm. I'll take a look. I have no problem using it from either Apache::Test or my local installation, but I may have missed something simple. I'm on linux, fwiw. try copying the config in t/conf/extra.conf.in and see if that works - you may need to pre-load the module specifically via PerlModule and not a use in startup.pl... I also note that during building, I end up with a Session.so in blib/arch, but after doing make install, Session.so disappears. There is also an DigestAPI.xs that gets copied into blib/lib/Apache, which seems fishy. I have no idea on either count - I'm trusting ExtUtils::MakeMaker entirely here, which is really a pot of black magic. anyway, as I said, I'll look more into it tomorrow. thanks for the feedback, though. much
