RE: Auth Handlers
He he : ) I think this discussion is being miscommunicated (if that is a relevant word). I do not want authorization to be performed in the typical manner. Perhaps I want the information from a form submit or a cookie. I understand how the Apache authentication configuration works but I want to strictly use mod_perl to modify the authentication mechanisms without the standard Apache intervention. You mean you want to do authorization in a FixupHandler?? No, this is what I currently have to do to avoid Apache from sending the 'auth request' headers to the browser and still perform custom authentication via a form submit, cookie, etc. Thanks, : ) No problem, I guess I am unsure if this is the proper way to setup an Access, Authen, Authz handler. When I use this configuration my 'handler()' method does not get called and I get an error in the logs: [Mon Dec 10 13:13:03 2001] [crit] [client 192.168.0.1] configuration error: couldn't check user. No user file?: /index.html I think Apache is looking for the wrong file. Check the config for AuthUserFile. Did you use htpasswd to create it? I tried moving it down to be an Authz handler but the same error occurs. However, if I push this package as a FixupHandler it works fine and the 'handler()' method gets called. You mean you want to do authorization in a FixupHandler?? If you like I can let you have some scripts which will show you one way of checking for authorization without a second request for a username/password, assuming that at some stage in the browser session one was already supplied. Is that what you meant? 73, Ged.
RE: Auth Handlers
--On mardi 11 décembre 2001 23:36 +0100 J. Zobel [EMAIL PROTECTED] wrote: On Tue, 2001-12-11 at 21:00, Stathy Touloumis wrote: Actually, I DON'T want the browser to prompt for a username/pass. I saw the examples in the eagle book and they all seem to use Authz, with Auth handlers using the example you showed. Perhaps I need to modify the headers so that the prompt does not occur? I have the exact same problem. I want my AuthenHandler to decide if the user is prompted for a password. Unfortunately the book tells me: By the time the handler is called, Apache will have done most of the work in negotiating the HTTP Basic authentication protocol. It will have alerted the browser that authentication is required to access the page, and the browser will have prompted the user to enter his name and password. Has anybody got an idea how to let a handler decide, if autthen. is required? You could use a PerlAccessHandler, if you figure authentication isn't required you run $r-set_handlers(PerlAuthenHandler = [\OK]); -- Eric Cholet
RE: Auth Handlers
What I have down is moved out specific auth handler down the chain into the 'fixup' state but it would be much nicer (and ituitive) to place it in the appropriate position. On Tue, 2001-12-11 at 21:00, Stathy Touloumis wrote: Actually, I DON'T want the browser to prompt for a username/pass. I saw the examples in the eagle book and they all seem to use Authz, with Auth handlers using the example you showed. Perhaps I need to modify the headers so that the prompt does not occur? I have the exact same problem. I want my AuthenHandler to decide if the user is prompted for a password. Unfortunately the book tells me: By the time the handler is called, Apache will have done most of the work in negotiating the HTTP Basic authentication protocol. It will have alerted the browser that authentication is required to access the page, and the browser will have prompted the user to enter his name and password. Has anybody got an idea how to let a handler decide, if autthen. is required?
RE: Auth Handlers
Right, this is fairly obvious but we are trying to prevent apache from sending the 'login' headers if successful authorization does not occur. It seems to me that to do this the handler will need to be moved up or down the chain which can be unintuitive. Thanks, Has anybody got an idea how to let a handler decide, if autthen. is required? You can do this via an access handler. For example, we use the access handler to see if the user is coming in from a trusted ip address. If they are then they are authorized to use the site. Otherwise, the user must login. The module looks like package TrustedAuth; ... sub access_handler { my $r = shift; if ( ... ) { # Have a trusted host so don't ask user to login $r-set_handlers( PerlAuthenHandler = [ \OK ] ); } return OK; } sub authen_handler { # normal stuff here } 1; and my httpd.conf has PerlModule TrustedAuth Location /secure AuthName Secure AuthType basic Require valid-user PerlAccessHandler TrustedAuth::access_handler PerlAuthenHandler TrustedAuth::authen_handler /Location --- Andrew Gilmartin Senior Developer Ingenta [EMAIL PROTECTED] andrewgilmartin (aim) 401-743-3713 (cell)
RE: Auth Handlers
-- Stathy Touloumis [EMAIL PROTECTED] on 12/12/01 10:31:37 -0600 Right, this is fairly obvious but we are trying to prevent apache from sending the 'login' headers if successful authorization does not occur. It seems to me that to do this the handler will need to be moved up or down the chain which can be unintuitive. Other approach is to use a separate login site and redirect people there if they don't meet the auth. criteria to begin with. This way you don't have to send AUTH_REQUIRED, just a redirect (or internal redirect). -- Steven Lembark 2930 W. Palmer Workhorse Computing Chicago, IL 60647 +1 800 762 1582
RE: Auth Handlers
: ) No problem, I guess I am unsure if this is the proper way to setup an Access, Authen, Authz handler. When I use this configuration my 'handler()' method does not get called and I get an error in the logs: [Mon Dec 10 13:13:03 2001] [crit] [client 192.168.0.1] configuration error: couldn't check user. No user file?: /index.html I tried moving it down to be an Authz handler but the same error occurs. However, if I push this package as a FixupHandler it works fine and the 'handler()' method gets called. Thanks, -Original Message- From: Ged Haywood [mailto:[EMAIL PROTECTED]] Sent: Monday, December 10, 2001 7:16 PM To: Stathy Touloumis Cc: mod_perl List Subject: RE: Auth Handlers On Mon, 10 Dec 2001, Stathy Touloumis wrote: Directory /home/stathy/apache/html AuthName Login AuthType Base::Session::Handler require valid-user PerlAuthenHandler Base::Session::Handler /Directory Forgive me, it's late, and I'm afraid I've deleted the original question. But there isn't much here to go on... 73, Ged.
RE: Auth Handlers
: ) No problem, I guess I am unsure if this is the proper way to setup an Access, Authen, Authz handler. When I use this configuration my 'handler()' method does not get called and I get an error in the logs: This is *not* the correct way to invoke it. Directory /home/stathy/apache/html AuthName Login # This is incorrect # AuthType Base::Session::Handler # *This* is what you need if you want the # browser to prompt for a username/pass AuthType Basic require valid-user PerlAuthenHandler Base::Session::Handler /Directory I just checked my answers from the Eagle (Writing Apache Modules with Perl and C), and that's the correct way. If I'm not mistaken, the chapter on Authentication is one of the sample chapters that's online at http://www.modperl.com. Have a look over there, it'll straighten you right out. :-) L8r, Rob #!/usr/bin/perl -w use Disclaimer qw/:standard/;
RE: Auth Handlers
Actually, I DON'T want the browser to prompt for a username/pass. I saw the examples in the eagle book and they all seem to use Authz, with Auth handlers using the example you showed. Perhaps I need to modify the headers so that the prompt does not occur? Thanks for the info, -Original Message- From: Rob Bloodgood [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 11, 2001 12:54 PM To: Stathy Touloumis Cc: mod_perl Subject: RE: Auth Handlers : ) No problem, I guess I am unsure if this is the proper way to setup an Access, Authen, Authz handler. When I use this configuration my 'handler()' method does not get called and I get an error in the logs: This is *not* the correct way to invoke it. Directory /home/stathy/apache/html AuthName Login # This is incorrect # AuthType Base::Session::Handler # *This* is what you need if you want the # browser to prompt for a username/pass AuthType Basic require valid-user PerlAuthenHandler Base::Session::Handler /Directory I just checked my answers from the Eagle (Writing Apache Modules with Perl and C), and that's the correct way. If I'm not mistaken, the chapter on Authentication is one of the sample chapters that's online at http://www.modperl.com. Have a look over there, it'll straighten you right out. :-) L8r, Rob #!/usr/bin/perl -w use Disclaimer qw/:standard/;
RE: Auth Handlers
On Tue, 2001-12-11 at 21:00, Stathy Touloumis wrote: Actually, I DON'T want the browser to prompt for a username/pass. I saw the examples in the eagle book and they all seem to use Authz, with Auth handlers using the example you showed. Perhaps I need to modify the headers so that the prompt does not occur? I have the exact same problem. I want my AuthenHandler to decide if the user is prompted for a password. Unfortunately the book tells me: By the time the handler is called, Apache will have done most of the work in negotiating the HTTP Basic authentication protocol. It will have alerted the browser that authentication is required to access the page, and the browser will have prompted the user to enter his name and password. Has anybody got an idea how to let a handler decide, if autthen. is required? Thanx, Joachim # *This* is what you need if you want the # browser to prompt for a username/pass AuthType Basic require valid-user PerlAuthenHandler Base::Session::Handler /Directory
Re: Auth Handlers
Hi there, On Mon, 10 Dec 2001, Stathy Touloumis wrote: error : [Mon Dec 10 13:09:35 2001] [crit] [client 192.168.6.59] configuration error: couldn't check user. No user file?: /index.html Send the config? 73, Ged.
RE: Auth Handlers
Directory /home/stathy/apache/html AuthName Login AuthType Base::Session::Handler require valid-user PerlAuthenHandler Base::Session::Handler /Directory Send the config?
RE: Auth Handlers
On Mon, 10 Dec 2001, Stathy Touloumis wrote: Directory /home/stathy/apache/html AuthName Login AuthType Base::Session::Handler require valid-user PerlAuthenHandler Base::Session::Handler /Directory Forgive me, it's late, and I'm afraid I've deleted the original question. But there isn't much here to go on... 73, Ged.