Re: Setting require in Authentication handler?
I need to decide who has access based on the URI. I guess this means I can't use Apache's Basic auth module, since I can't dynamically set require. Does the cookbook have a code sample of checking the password for basic authentication?

-Todd

On Mon, 20 May 2002, Geoffrey Young wrote:

> Todd Chapman wrote:
> > Can dir_config be used to set 'require' in an authentication handler?
>
> no. dir_config() provides access to a mod_perl specific table of variables, not generic Apache configuration directives. there is no API for setting the Require directive - it needs to be in your httpd.conf.
>
> > I would then return DECLINED so that Apache's Basic auth handler would do the heavy lifting of checking the password.
>
> if you're looking to do conditional authentication what you really need to do is a bit backward - turn on all authentication hooks using the Require directive then use your handler to return OK when you don't want Apache to check the password. See recipe 13.5 in the cookbook for more information. the Satisfy any Apache directive may be able to help as well if you're using host-based criteria to determine whether you want to require a login.
>
> HTH
>
> --Geoff
Re: Setting require in Authentication handler?
That makes sense. I can't use mod_auth because I can't set Require. I'm using Basic authentication and text based password files. Unfortunately, I can't find an Apache::Auth* module that handles basic authentication against text files. Did I miss it somewhere?

Thanks.

-Todd

On Mon, 20 May 2002, Geoffrey Young wrote:

> > Does the cookbook have a code sample of checking the password for basic authentication?
>
> well, not via .htpasswd files, no. in general, it doesn't make much sense to use mod_perl to duplicate the same things that Apache already does for you, since the Apache code is faster, has had more eyeballs looking at it for longer, etc. in that sense you wouldn't want to write your own routine to just check a flat file. where mod_perl really shines wrt authentication is with all the other things Perl does well, such as using DBI to authenticate against a database, or working with other schemes like SMB or Radius - see the 25+ Apache::Auth* modules on CPAN for just about anything you could think of.
>
> however, we do describe how to use the mod_perl API to interact with Apache the same way mod_auth does using $r->get_basic_auth_pw() and $r->note_basic_auth_failure() in a few different ways. you will also find those two methods in the eagle book if you have it.
>
> make sense?
>
> --Geoff
Re: Setting require in Authentication handler?
On Mon, 20 May 2002, Geoffrey Young wrote:

> Todd Chapman wrote:
> > That makes sense. I can't use mod_auth because I can't set Require.
>
> well, if you're saying that you don't have the ability to set the Require directive at all (as in you don't have access to edit httpd.conf), then you can't run any authentication handler - mod_auth, mod_perl, or otherwise. Apache core requires the Require directive to be set to something before it will even try to run the authen/authz phases of the request. so, you may be out of luck and need to resort to the CGI tricks of yore where everything is clumped in the content-generation phase (and of which I'm not that familiar).

I can set Require, but I will have to ignore its value since the realm, password file, and require are decided based on the URI.

> > I'm using Basic authentication and text based password files. Unfortunately, I can't find an Apache::Auth* module that handles basic authentication against text files. Did I miss it somewhere?
>
> I'm not sure, but it may not exist for the reason I stated earlier about mod_perl not duplicating default Apache behavior. IIRC, there is one that authenticates against /etc/passwd, so maybe you can use that as an example of flat file based processing.
>
> in general, though, the steps are pretty much the same no matter which authentication method you choose. see http://www.modperlcookbook.org/code/ch13/Cookbook/Authenticate.pm for an example - all you need to do is replace the authenticate_user() subroutine with calls that validate the user based on your own criteria.

Thanks. Sounds like we need an Apache::AuthBasicFile since mod_auth doesn't allow Require to be set dynamically.

-Todd

> HTH
>
> --Geoff
Re: Setting require in Authentication handler?
Todd Chapman wrote:
> Can dir_config be used to set 'require' in an authentication handler?

no. dir_config() provides access to a mod_perl specific table of variables, not generic Apache configuration directives. there is no API for setting the Require directive - it needs to be in your httpd.conf.

> I would then return DECLINED so that Apache's Basic auth handler would do the heavy lifting of checking the password.

if you're looking to do conditional authentication what you really need to do is a bit backward - turn on all authentication hooks using the Require directive then use your handler to return OK when you don't want Apache to check the password. See recipe 13.5 in the cookbook for more information. the Satisfy any Apache directive may be able to help as well if you're using host-based criteria to determine whether you want to require a login.

HTH

--Geoff
Re: Setting require in Authentication handler?
Todd Chapman wrote:
> I need to decide who has access based on the URI. I guess this means I can't use Apache's Basic auth module, since I can't dynamically set require.

as I was saying, go ahead and set the Require directive on the Location (or whatever) that you want to protect. if a URI comes in that you want to allow _without_ checking the password just call

    $r->set_handlers(PerlAuthenHandler => [\&OK]);

which will essentially short-circuit Apache's default authentication mechanism before mod_auth gets the chance to step in. you could do this from a PerlAccessHandler or (I suppose) a PerlTransHandler. you could probably even just return OK from a PerlAuthenHandler if $r->uri =~ m/some_ok_uri/ and skip the previous code (though if you use something other than Require valid-user you'll have to skip the Authorization phase as well using a similar measure).

basically, mod_perl gives you a hook into authentication that lets you do whatever you want - returning OK says that you have validated the user using your own criteria, and mod_auth need not run. returning DECLINED (as you mentioned earlier) allows mod_auth to run.

> Does the cookbook have a code sample of checking the password for basic authentication?

well, not via .htpasswd files, no. in general, it doesn't make much sense to use mod_perl to duplicate the same things that Apache already does for you, since the Apache code is faster, has had more eyeballs looking at it for longer, etc. in that sense you wouldn't want to write your own routine to just check a flat file. where mod_perl really shines wrt authentication is with all the other things Perl does well, such as using DBI to authenticate against a database, or working with other schemes like SMB or Radius - see the 25+ Apache::Auth* modules on CPAN for just about anything you could think of.

however, we do describe how to use the mod_perl API to interact with Apache the same way mod_auth does using $r->get_basic_auth_pw() and $r->note_basic_auth_failure() in a few different ways. you will also find those two methods in the eagle book if you have it.

make sense?

--Geoff
Re: Setting require in Authentication handler?
Todd Chapman wrote:
> That makes sense. I can't use mod_auth because I can't set Require.

well, if you're saying that you don't have the ability to set the Require directive at all (as in you don't have access to edit httpd.conf), then you can't run any authentication handler - mod_auth, mod_perl, or otherwise. Apache core requires the Require directive to be set to something before it will even try to run the authen/authz phases of the request. so, you may be out of luck and need to resort to the CGI tricks of yore where everything is clumped in the content-generation phase (and of which I'm not that familiar).

> I'm using Basic authentication and text based password files. Unfortunately, I can't find an Apache::Auth* module that handles basic authentication against text files. Did I miss it somewhere?

I'm not sure, but it may not exist for the reason I stated earlier about mod_perl not duplicating default Apache behavior. IIRC, there is one that authenticates against /etc/passwd, so maybe you can use that as an example of flat file based processing.

in general, though, the steps are pretty much the same no matter which authentication method you choose. see http://www.modperlcookbook.org/code/ch13/Cookbook/Authenticate.pm for an example - all you need to do is replace the authenticate_user() subroutine with calls that validate the user based on your own criteria.

HTH

--Geoff
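
The per-URI check discussed in this thread (return OK for URIs that need no login, otherwise use get_basic_auth_pw() and note_basic_auth_failure() and validate against a flat file), written for mod_perl 1.x as an added example; it is not code from the cookbook or from any poster. The package name, URI prefixes and password file paths are hypothetical, and the files are assumed to hold `user:hash` lines in crypt() format.

```perl
package My::AuthByURI;    # hypothetical module name
# mod_perl 1.x PerlAuthenHandler. AuthType Basic, AuthName and
# "Require valid-user" must still be set in httpd.conf for the Location.
use strict;
use Apache::Constants qw(OK AUTH_REQUIRED);

# Constructed mapping: URI prefix => password file; undef = no login needed.
my @RULES = (
    [ '/public/'  => undef ],
    [ '/staff/'   => '/etc/httpd/passwd/staff' ],
    [ '/finance/' => '/etc/httpd/passwd/finance' ],
);

sub rule_for {
    my $uri = shift;
    for my $rule (@RULES) {
        my ($prefix, $file) = @$rule;
        return (1, $file) if index($uri, $prefix) == 0;
    }
    return (0, undef);    # no rule matched: the caller denies
}

sub check_password {
    my ($file, $user, $sent_pw) = @_;
    open(my $fh, '<', $file) or return 0;    # unreadable file => deny
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $hash) = split /:/, $line, 3;
        next unless defined $hash && length $hash && $name eq $user;
        close $fh;
        my $try = crypt($sent_pw, $hash);    # stored hash doubles as salt
        return defined $try && $try eq $hash;
    }
    close $fh;
    return 0;                                # unknown user => deny
}

sub handler {
    my $r = shift;
    my ($matched, $file) = rule_for($r->uri);
    return OK if $matched && !defined $file;    # open area: skip the check
    # Issues the 401 challenge itself when no credentials were sent.
    my ($status, $sent_pw) = $r->get_basic_auth_pw;
    return $status unless $status == OK;
    my $user = $r->connection->user;
    return OK if $matched && defined $user
              && check_password($file, $user, $sent_pw);
    $r->note_basic_auth_failure;    # fail closed on every other path
    return AUTH_REQUIRED;
}
1;
```

Enable it with `PerlAuthenHandler My::AuthByURI` inside the protected Location; a URI that matches no rule is denied rather than passed on to mod_auth.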
Re: Setting require in Authentication handler?
A remark: in many cases, the authentication against the password file can be replaced by verifying valid FTP/Telnet login to localhost, not only because the password (shadow) file is usually not available for Apache account but also secure. In the ticketing system, the FTP/Telnet authentication runs only at the first time of login and the follow-up access can go without re-FTP and so is pretty fast. Check this: http://modperl.home.att.net

Peter Bi

----- Original Message -----
From: Geoffrey Young [EMAIL PROTECTED]
To: Todd Chapman [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, May 20, 2002 6:50 AM
Subject: Re: Setting require in Authentication handler?

Todd Chapman wrote:
> That makes sense. I can't use mod_auth because I can't set Require.

well, if you're saying that you don't have the ability to set the Require directive at all (as in you don't have access to edit httpd.conf), then you can't run any authentication handler - mod_auth, mod_perl, or otherwise. Apache core requires the Require directive to be set to something before it will even try to run the authen/authz phases of the request. so, you may be out of luck and need to resort to the CGI tricks of yore where everything is clumped in the content-generation phase (and of which I'm not that familiar).

> I'm using Basic authentication and text based password files. Unfortunately, I can't find an Apache::Auth* module that handles basic authentication against text files. Did I miss it somewhere?

I'm not sure, but it may not exist for the reason I stated earlier about mod_perl not duplicating default Apache behavior. IIRC, there is one that authenticates against /etc/passwd, so maybe you can use that as an example of flat file based processing.

in general, though, the steps are pretty much the same no matter which authentication method you choose. see http://www.modperlcookbook.org/code/ch13/Cookbook/Authenticate.pm for an example - all you need to do is replace the authenticate_user() subroutine with calls that validate the user based on your own criteria.

HTH

--Geoff
Setting require in Authentication handler?
Can dir_config be used to set 'require' in an authentication handler?

I would then return DECLINED so that Apache's Basic auth handler would do the heavy lifting of checking the password.

Thanks!

-Todd