Re: Ticket/cookie based authentication for mod_perl and static frontend
Good afternoon, On 27/8/03 at 9:37 AM -0400, Michael [EMAIL PROTECTED] wrote: The reason this question is mod_perl related is that he is doing the initial authentication using mod_perl, and is creating a cookie based ticket. But he wants that ticket to also be accepted by a non-mod_perl enabled server (ie a front end proxy). So the database connection has to persist from the mod_perl authentication scheme to the backend software? Interesting... Does that work? This isn't really an issue with database connections. It's just the authentication data/method that needs to persist for both. And that is handled by a cookie/ticket authentication. Thanks to Cees Hek [EMAIL PROTECTED] for helping me find a module I had lost track of. The module is mod_auth_tkt and can be found here: http://www.openfusion.com.au/labs/mod_auth_tkt/ I'm on my way to having an elegant solution now. Thanks to all who responded. Charlie -- Charlie Garrison[EMAIL PROTECTED] PO Box 141, Windsor, NSW 2756, Australia -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
Good afternoon, On 27/8/03 at 9:45 AM -0400, Michael [EMAIL PROTECTED] wrote: Any other suggestions? I'd think you'd want to have the same authentication process for both, and a shared database (or something) to store the session data. Have the front-end do the login part, pass the client to the backend, which discovers that the client is already authenticated. Using tickets for authentication will work with both the front and backend servers. I was having problems finding a solution which had an apache module (written in C) plus support/examples for perl to use in the backend. With thanks to Cees Hek [EMAIL PROTECTED] I found mod_auth_tkt which does just what I need. Charlie -- Charlie Garrison[EMAIL PROTECTED] PO Box 141, Windsor, NSW 2756, Australia -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
Good morning, On 26/8/03 at 8:26 PM +0200, Thomas Klausner [EMAIL PROTECTED] wrote: Hi! On Die, Aug 26, 2003 at 09:06:05 +1000, Charlie Garrison wrote: I need to protect resources in both the static (proxy) front-end and the mod_perl back-end. I have been using standard http authentication which works pretty well except for not allowing a proper logout function and some caching issues which result in occasional false FORBIDDEN responses. Since a proper logout has become an important requirement, I am looking for other solutions. Did you take a look at Apache::AuthCookie? http://search.cpan.org/author/MSCHOUT/Apache-AuthCookie-3.04/ Yes, I've looked at Auth::Cookie, and if I needed a mod_perl only solution, it would be perfect. Since I need the user credentials in the mod_perl app, I'm not happy to leave all authentication to the front-end proxy server unless it sets the user credentials (or some other values) before passing along the request. As AuthCookie is a mod_perl handler, you would have to put the Authentification into the backend. Depending on how you generate the session key (i.e. the value of the Auth Cookie), you should be able to use the cookie in the frontend using one of the modules you mentioned (although I don't know any of them..) Which sort of brings me back full circle. I'm happy to write the backend (modperl) support myself for whatever the frontend module requires. But the module that I would choose (mod_auth_mda) doesn't have perl examples for creating the MD5 cookie, and I'm only borderline confident that I can take their java examples along with the documentation to figure out perl routines for the cookie creation. I'm still hoping someone has already solved this issue of shared authentication scheme between static frontend and modperl backend servers. Thanks, Charlie -- Charlie Garrison[EMAIL PROTECTED] PO Box 141, Windsor, NSW 2756, Australia -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
On Tue, Aug 26, 2003 at 21:06:05, Charlie Garrison said... The second one, Cookie Authentication with MySQL, looks like a very good option, except for two issues. Fist, it doesn't support the 'require group...' directive. And second, it doesn't appear to cache mysql connections so I am concerned about the increased load from lots of quick connections. Umm, use Apache::DBI, that's what it's for. I feel that someone must have already solved this issue so any suggestions or advice would be appreciated. Are there any modules which I have missed? Are the perceived problems with the above modules really an issue, or should I be able to use one of them without any problems. I haven't been 100% happy with any of the systems written by other people so I've always just written my own. It's a rather simple process. Right now I have one method that uses cookies in one module, another that uses cookies but splits things up into separate modules, and a third that adds a (md5 hash) parameter to the URI. All work very well, though I prefer the cookie method myself. If there's really nothing out there to add a hash to the URI, I could probably be convinced to package up the code I have, simple as it may be. -- Michael Stella | Sr. Unix Engineer / Developer | http://www.thismetalsky.org Knowledge is power. Power corrupts. Study hard. Be Evil. - Thyra -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
Quoting Michael [EMAIL PROTECTED]: On Tue, Aug 26, 2003 at 21:06:05, Charlie Garrison said... The second one, Cookie Authentication with MySQL, looks like a very good option, except for two issues. Fist, it doesn't support the 'require group...' directive. And second, it doesn't appear to cache mysql connections so I am concerned about the increased load from lots of quick connections. Umm, use Apache::DBI, that's what it's for. It was easy to miss in the email if you skimmed it, but he is looking for a C based module, so any perl based solutions are out. The reason this question is mod_perl related is that he is doing the initial authentication using mod_perl, and is creating a cookie based ticket. But he wants that ticket to also be accepted by a non-mod_perl enabled server (ie a front end proxy). Cheers, Cees -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
Good afternoon, On 27/8/03 at 2:49 PM +1000, Cees Hek [EMAIL PROTECTED] wrote: Umm, use Apache::DBI, that's what it's for. It was easy to miss in the email if you skimmed it, but he is looking for a C based module, so any perl based solutions are out. The reason this question is mod_perl related is that he is doing the initial authentication using mod_perl, and is creating a cookie based ticket. But he wants that ticket to also be accepted by a non-mod_perl enabled server (ie a front end proxy). Thanks for the clarification. And the requirement for something that works in both modperl and non-modperl servers is also part of the subject line. But I'll try to make the problem/requirements more clear in future emails. Thanks, Charlie -- Charlie Garrison[EMAIL PROTECTED] PO Box 141, Windsor, NSW 2756, Australia -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
Good afternoon, On 27/8/03 at 12:05 AM -0400, Michael [EMAIL PROTECTED] wrote: The second one, Cookie Authentication with MySQL, looks like a very good option, except for two issues. Fist, it doesn't support the 'require group...' directive. And second, it doesn't appear to cache mysql connections so I am concerned about the increased load from lots of quick connections. Umm, use Apache::DBI, that's what it's for. Except that I'm looking for a solution which will also work in the static (proxy) front-end. I'm currently using Apache::DBI for the backend and it works well. I also want a solution which doesn't rely on browser based http authentication since logging out is a requirement. I feel that someone must have already solved this issue so any suggestions or advice would be appreciated. Are there any modules which I have missed? Are the perceived problems with the above modules really an issue, or should I be able to use one of them without any problems. I haven't been 100% happy with any of the systems written by other people so I've always just written my own. It's a rather simple process. Right now I have one method that uses cookies in one module, another that uses cookies but splits things up into separate modules, and a third that adds a (md5 hash) parameter to the URI. All work very well, though I prefer the cookie method myself. Do you also write the apache module for the frontend server? I'm very competent at perl, but not competent enough to write an apache module. Any other suggestions? Thanks, Charlie -- Charlie Garrison[EMAIL PROTECTED] PO Box 141, Windsor, NSW 2756, Australia -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
On Wed, Aug 27, 2003 at 14:49:05, Cees Hek said... It was easy to miss in the email if you skimmed it, but he is looking for a C based module, so any perl based solutions are out. Whoops, you're right, I did just skim it. The reason this question is mod_perl related is that he is doing the initial authentication using mod_perl, and is creating a cookie based ticket. But he wants that ticket to also be accepted by a non-mod_perl enabled server (ie a front end proxy). So the database connection has to persist from the mod_perl authentication scheme to the backend software? Interesting... Does that work? -- Michael Stella | Sr. Unix Engineer / Developer | http://www.thismetalsky.org If Bill Gates had a nickel for every time Windows crashed... ..oh wait, he does. -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
On Wed, Aug 27, 2003 at 15:45:11, Charlie Garrison said... I haven't been 100% happy with any of the systems written by other people so I've always just written my own. It's a rather simple Do you also write the apache module for the frontend server? I'm very competent at perl, but not competent enough to write an apache module. Any other suggestions? I'd think you'd want to have the same authentication process for both, and a shared database (or something) to store the session data. Have the front-end do the login part, pass the client to the backend, which discovers that the client is already authenticated. Are you looking for something that's just a drop-in solution, transparent to the backend completely, not part of the backend software? I'd think in that case, you'd want something like PerlAuthenHandler and PerlAuthzHandler, let them manage the logins and just pass the client down to the backend software. I could still be way off here though. -- Michael Stella | Sr. Unix Engineer / Developer | http://www.thismetalsky.org -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
Re: Ticket/cookie based authentication for mod_perl and static frontend
Hi! On Die, Aug 26, 2003 at 09:06:05 +1000, Charlie Garrison wrote: I need to protect resources in both the static (proxy) front-end and the mod_perl back-end. I have been using standard http authentication which works pretty well except for not allowing a proper logout function and some caching issues which result in occasional false FORBIDDEN responses. Since a proper logout has become an important requirement, I am looking for other solutions. Did you take a look at Apache::AuthCookie? http://search.cpan.org/author/MSCHOUT/Apache-AuthCookie-3.04/ Since I need the user credentials in the mod_perl app, I'm not happy to leave all authentication to the front-end proxy server unless it sets the user credentials (or some other values) before passing along the request. As AuthCookie is a mod_perl handler, you would have to put the Authentification into the backend. Depending on how you generate the session key (i.e. the value of the Auth Cookie), you should be able to use the cookie in the frontend using one of the modules you mentioned (although I don't know any of them..) -- #!/usr/bin/perl http://domm.zsi.at for(ref bless{},just'another'perl'hacker){s-:+-$-gprint$_.$/} -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html