Re: AuthCookieDBI and Apache 2.4

2019-02-21 Thread Edward J. Sabol
On Feb 21, 2019, at 5:22 AM, Vegard Vesterheim wrote:
> I registered a ticket against Apache2-AuthCookieDBI regarding this issue
> a long time ago:
> 
> https://rt.cpan.org/Public/Bug/Display.html?id=106663
> 
> We do not use this any longer. But, given that the ticket is still open,
> I wonder if this ticket could be closed, or at least commented upon.

I don't think it should be closed until the issue is resolved. I've personally
also filed an issue on the author's GitHub for this:

https://github.com/matisse/Apache-AuthCookieDBI/issues/2

The author did respond recently to that issue, but doesn't seem to be terribly
interested in fixing it. If anyone wants to help collaborate on a pull request,
however, maybe we can actually help resolve this.

Regards,
Ed




Re: [a bit OT] AuthCookieDBI and Apache 2.4

2019-02-21 Thread Paul B. Henson

On 2/21/2019 9:46 AM, Michael Schout wrote:

> Another common thing I've seen people do is return an invalid
> Apache2::Const value from an Authz provider.  You must return one of a

Yup, been there done that :).

> I pieced this together, if my memory is correct, from apache mailing
> list posts, as well as reading the source code of apache itself.  I'm
> not sure I found any definitive guide on the changes when I did this,
> and it involved a good deal of research at the time.

Thanks much for putting that together, I found it an invaluable (and
unique) resource in figuring out how that black box worked 8-/.


Re: [a bit OT] AuthCookieDBI and Apache 2.4

2019-02-21 Thread Michael Schout
On 2/21/19 3:41 AM, André Warnier (tomcat) wrote:

> 1) the "authz" function is now called *first* (before any authentication
> module has been called - even non-perl add-on ones),
> and
> 2) it *can* be called 2 or more times during the same request cycle
> and

Yes, and this allows you to do "Anonymous" authorization.  If you don't
want to do that, you simply do

  return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $r->user

at the top of your Authz provider.  The second time the handler is
called, $r->user will be set so that you can authorize "authenticated"
users.

But this is indeed one of the major things that confuses people when
moving to 2.4.

Another common thing I've seen people do is return an invalid
Apache2::Const value from an Authz provider.  You must return one of a
very specific list of values from the provider (See the
README.apache-2.4 in AuthCookie which discusses this).

> 5) there seems to be no real mod_perl-level (or even Apache-httpd-level)
> documentation available, which explains the above in a general context,
> rather than for any specific perl module.
> A good explanation is provided by Michael Schout in
> https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod,

I pieced this together, if my memory is correct, from apache mailing
list posts, as well as reading the source code of apache itself.  I'm
not sure I found any definitive guide on the changes when I did this,
and it involved a good deal of research at the time.

I had hoped to see all of this codified into some kind of general
mod_perl migration guide for Apache 2.4, similar to what happened when
we all had to migrate from Apache 1.3 to Apache 2.  Something similar to
what is on perl.apache.org [1].  But I am unsure if that site is even
maintained any longer.

Anyway, another example of an authz provider is in AuthCookie [2], where
I re-implemented apache's core authz provider, before realizing it was
not needed.

1: https://perl.apache.org/docs/2.0/user/porting/compat.html
2:
https://github.com/mschout/apache-authcookie/blob/master/lib/Apache2_4/AuthCookie.pm#L18

Regards,
Michael Schout
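A minimal Apache 2.4 mod_perl authz provider showing the pattern discussed above (returning AUTHZ_DENIED_NO_USER on the first, pre-authentication call, and returning only the AUTHZ_* constants), written as an added example for this thread rather than code from the discussion or from AuthCookie. It assumes the PerlAddAuthzProvider directive and the Apache2::Const AUTHZ_* constants of mod_perl 2.0.9 or later, a plain function handler invoked as ($r, $requires), and a constructed in-memory group table standing in for the database a real module would query.

```perl
package My::Authz::Group;   # hypothetical module name for this example

use strict;
use warnings;

use Apache2::RequestRec ();   # $r->user
use Apache2::Log ();          # $r->log_error
use Apache2::Const -compile => qw(AUTHZ_GRANTED AUTHZ_DENIED
                                 AUTHZ_DENIED_NO_USER AUTHZ_GENERAL_ERROR);

# Constructed lookup table in place of a real database: user => groups.
my %GROUPS = (
    alice => [qw(admins staff)],
    bob   => [qw(staff)],
);

# Assumed httpd.conf wiring (mod_perl 2.0.9+):
#   PerlAddAuthzProvider my-group My::Authz::Group
#   <Location /admin>
#       AuthType Basic
#       AuthName "admin"
#       AuthBasicProvider file
#       AuthUserFile /path/to/htpasswd
#       Require my-group admins
#   </Location>
sub handler {
    my ($r, $requires) = @_;   # $requires = arguments after "Require my-group"

    # Apache 2.4 calls authz providers before any authentication module has
    # run, so $r->user is undefined on the first pass.  AUTHZ_DENIED_NO_USER
    # tells httpd to authenticate and call this provider a second time.
    return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $r->user;

    my @wanted = split ' ', ($requires // '');
    unless (@wanted) {
        # A "Require my-group" line with no groups is a misconfiguration,
        # which is distinct from a legitimate deny.
        $r->log_error('Require my-group: no group names given');
        return Apache2::Const::AUTHZ_GENERAL_ERROR;
    }

    my %have = map { $_ => 1 } @{ $GROUPS{ $r->user } || [] };
    for my $group (@wanted) {
        return Apache2::Const::AUTHZ_GRANTED if $have{$group};
    }

    # Only AUTHZ_* constants are valid here; OK/FORBIDDEN/DECLINED are not
    # understood by the 2.4 authz framework (the mistake noted in the thread).
    return Apache2::Const::AUTHZ_DENIED;
}

1;
```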