Using mod_perl in a non httpd environment
Hello all, I wrote a mod_perl module managing FORM authentication (and a lot of other things). This module had to run on a platform (router) with a lot of memory/CPU. These last days, our marketing team changed the platform definition (few memory, cheap CPU) In other words, apache/mod_perl/my_module will not be used as is on the new platform. My questions: is there a way to run mod_perl/my_module on an HTTP server/reverse proxy other than apache ? If so, what kind of HTTP server/reverse proxy ? Thanks
Re: [MP2] Problem when defining new directives in a container
Any ideas ?
Gaetan
2008/10/7 titetluc titetluc [EMAIL PROTECTED]
Hello all,
I am developing a new module which defines 2 new directives (TestDirective1
and TestDirective2). These directives are usable in a container (Location,
Directory, ...).
The following code defines the directives :
=BEGIN CODE=
package TestDirective;
use warnings;
use strict;
use Carp;
use Apache2::Const -compile = qw(RAW_ARGS);
use Apache2::CmdParms ();
use Apache2::Module ();
use Apache2::Directive ();
use Apache2::Const qw(:common);
my @directives = (
{
name = 'TestDirective1',
func = __PACKAGE__ . '::TestDirective1',
args_how = Apache2::Const::RAW_ARGS,
},
{
name = 'TestDirective2',
func = __PACKAGE__ . '::TestDirective2',
args_how = Apache2::Const::RAW_ARGS,
},
);
Apache2::Module::add(__PACKAGE__, [EMAIL PROTECTED]);
sub TestDirective1 {
my ($self, $parms, $arg) = @_;
print STDERR hello\n;
$self-{TestDirective1} = 'hello';
return;
}
sub TestDirective2 {
my ($self, $parms, $arg) = @_;
my $td1 = Apache2::Module::get_config(__PACKAGE__, $parms-server);
if (defined $td1){
print STDERR world\n;
}
$self-{TestDirective2} = 'world';
return;
}
sub response {
my ($self,$r) = @_;
print 'hello world';
return OK;
}
1;
=END CODE==
When using the new directives with the following configuration file
=BEGIN CONFIG==
PerlLoadModule TestDirective;
Location /test
SetHandler perl-script
TestDirective1
TestDirective2
PerlResponseHandler TestDirectives-response
/Location
=END CONFIG==
STDERR output, when starting Apache, is
hello
world
= correct
But when using the new directives with the following configuration file
=BEGIN CONFIG==
PerlLoadModule TestDirective;
Location /test
SetHandler perl-script
TestDirective2
PerlResponseHandler TestDirectives-response
/Location
=END CONFIG==
STDERR output, when starting Apache, is
world
= incorrect
STDERR is not empty (it should)
What is wrong in the TestDirective::TestDirective2 function ?
Which test do I have to apply ('defined $td1' is not the correct test !!!)
?
Thanks
Gaetan
[MP2] Problem when defining new directives in a container
Hello all,
I am developing a new module which defines 2 new directives (TestDirective1
and TestDirective2). These directives are usable in a container (Location,
Directory, ...).
The following code defines the directives :
=BEGIN CODE=
package TestDirective;
use warnings;
use strict;
use Carp;
use Apache2::Const -compile = qw(RAW_ARGS);
use Apache2::CmdParms ();
use Apache2::Module ();
use Apache2::Directive ();
use Apache2::Const qw(:common);
my @directives = (
{
name = 'TestDirective1',
func = __PACKAGE__ . '::TestDirective1',
args_how = Apache2::Const::RAW_ARGS,
},
{
name = 'TestDirective2',
func = __PACKAGE__ . '::TestDirective2',
args_how = Apache2::Const::RAW_ARGS,
},
);
Apache2::Module::add(__PACKAGE__, [EMAIL PROTECTED]);
sub TestDirective1 {
my ($self, $parms, $arg) = @_;
print STDERR hello\n;
$self-{TestDirective1} = 'hello';
return;
}
sub TestDirective2 {
my ($self, $parms, $arg) = @_;
my $td1 = Apache2::Module::get_config(__PACKAGE__, $parms-server);
if (defined $td1){
print STDERR world\n;
}
$self-{TestDirective2} = 'world';
return;
}
sub response {
my ($self,$r) = @_;
print 'hello world';
return OK;
}
1;
=END CODE==
When using the new directives with the following configuration file
=BEGIN CONFIG==
PerlLoadModule TestDirective;
Location /test
SetHandler perl-script
TestDirective1
TestDirective2
PerlResponseHandler TestDirectives-response
/Location
=END CONFIG==
STDERR output, when starting Apache, is
hello
world
= correct
But when using the new directives with the following configuration file
=BEGIN CONFIG==
PerlLoadModule TestDirective;
Location /test
SetHandler perl-script
TestDirective2
PerlResponseHandler TestDirectives-response
/Location
=END CONFIG==
STDERR output, when starting Apache, is
world
= incorrect
STDERR is not empty (it should)
What is wrong in the TestDirective::TestDirective2 function ?
Which test do I have to apply ('defined $td1' is not the correct test !!!) ?
Thanks
Gaetan
Re: [MP2]: strange behavior with Apache2::SubRequest::run
Does anyone has additional documentation on Apache2::SubRequest::run and Apache2::SubRequest::status returned values ? Gaetan 2008/9/22 titetluc titetluc [EMAIL PROTECTED] 2008/9/19 Torsten Foertsch [EMAIL PROTECTED] On Fri 19 Sep 2008, titetluc titetluc wrote: Does your mod_perl one return Apache2::Const::REDIRECT at the end? No, the module returns Apache2::Const::MOVED_TEMPORARILY, setting the Location header by using $r-err_headers_out $ perl -MApache2::Const=REDIRECT,HTTP_MOVED_TEMPORARILY -le 'print REDIRECT; print HTTP_MOVED_TEMPORARILY' 302 302 Guess what that means. That means REDIRECT and HTTP_MOVED_TEMPORARILY are synonyms, but that does not explain the Apache2::SubRequest::run and $subr-status returned values ;-) Torsten -- Need professional mod_perl support? Just hire me: [EMAIL PROTECTED]
Re: [MP2]: strange behavior with Apache2::SubRequest::run
2008/9/19 Torsten Foertsch [EMAIL PROTECTED] On Fri 19 Sep 2008, titetluc titetluc wrote: Does your mod_perl one return Apache2::Const::REDIRECT at the end? No, the module returns Apache2::Const::MOVED_TEMPORARILY, setting the Location header by using $r-err_headers_out $ perl -MApache2::Const=REDIRECT,HTTP_MOVED_TEMPORARILY -le 'print REDIRECT; print HTTP_MOVED_TEMPORARILY' 302 302 Guess what that means. That means REDIRECT and HTTP_MOVED_TEMPORARILY are synonyms, but that does not explain the Apache2::SubRequest::run and $subr-status returned values ;-) Torsten -- Need professional mod_perl support? Just hire me: [EMAIL PROTECTED]
Re: [MP2]: strange behavior with Apache2::SubRequest::run
2008/9/18 Perrin Harkins [EMAIL PROTECTED] On Thu, Sep 18, 2008 at 10:31 AM, titetluc titetluc [EMAIL PROTECTED] wrote: I have 2 URIs returning HTTP_MOVED_TEMPORARILY The first one, /test_mod_perl is written using mod_perl The second one, /test_mod_cgi is written using CGI Does your mod_perl one return Apache2::Const::REDIRECT at the end? No, the module returns Apache2::Const::MOVED_TEMPORARILY, setting the Location header by using $r-err_headers_out - Perrin
[MP2]: strange behavior with Apache2::SubRequest::run
Hello all,
I have 2 URIs returning HTTP_MOVED_TEMPORARILY
The first one, /test_mod_perl is written using mod_perl
The second one, /test_mod_cgi is written using CGI
I call each of these URIs using a Apache2::SubRequest object
my $subr1 = $r-lookup_uri('/test_mod_perl');
my $rc1 = $subr1-run(); == $rc1 = 302
my $status1 = $subr1-status(); == $status1 = 200
my $subr2 = $r-lookup_uri('/test_mod_cgi');
my $rc2 = $subr2-run(); == $rc1 = 0
my $status2 = $subr2-status(); == $status1 = 302
Why this behavior ? Why are there differences between the 2 URIs ?
IMHO, the second behavior is the correct one.
What is your opinion ???
Thanks
[MP2]: Apache::FakeRequest for mod_perl 2
Hello all, I am working in a mod_perl2 environment. I would like to use an equivalent of Apache::FakeRequest. Where can I find such a module ? Thanks
Re: [MP2]lookup_uri and HTTPS
André, Torsten Thank you for your answer (sorry for the delay) No, Andre, your are not impertinent. I thought I had a problem related to the request scheme, but in fact, my httpd configuration was wrong !!! 2008/7/1 Torsten Foertsch [EMAIL PROTECTED]: On Tue 01 Jul 2008, titetluc titetluc wrote: I am writing an handler generating sub-requests by using the lookup_uri and run (Apache2::SubRequest) methods. My question is : is it technically possible to generate HTTPS sub-request (I observed that sub-requests were using HTTP) No, none of the protocols is used to make subreqs. HTTP/HTTPS are network protocols. With subreqs there is no network. A subreq is like a recursive call of the same request answering machine. Hence, HTTPS? is irrelevant. Normally the document accessed via a subreq has to be accessible locally. using the mod_perl API ? If yes, which API do I have to use (I can not find any examples, or I tried the APR::URI class but unsuccessfully) ? If not, which solution is possible (using LWP ?) But it can be any kind of document apache can serve. So it can be a regular file, something dynamically created (CGI/PHP/modperl etc) or even a document for which the current server acts as proxy. So in your case I see 2 options: 1) implement the included document via a CGI/modperl handler using LWP or similar 2) use mod_proxy as reverse proxy In both cases it's not possible to proxy an established SSL identity (client certificate) to the backend server due to the nature of SSL. Nor can your client verify the identity of the backend. If possible I'd go for the mod_proxy version. 1) it doesn't load perl routines in memory. 2) it passes the data an almost as fast as possible whereas homegrown LWP solutions tend to buffer the whole document before sending any output. But mod_proxy has also drawbacks. It is very difficult to make a POST request to the backend this way and feed it some data. I once had a similar problem when I wanted to include a proxied document and pass on the POST input of the original request to the backend. In the end I did it in Perl. Torsten -- Need professional mod_perl support? Just hire me: [EMAIL PROTECTED]
[MP2]how to catch the response body of a subrequest?
Hello all, I am facing a problem: I would like to call sub-requests, but the content of these sub-requests should not 'pollute' the main request. Some times ago, Torsten Foertsch sent the same question on the mod_perl mailing list (see http://marc.info/?l=apache-modperlm=111720092815754w=2) The answer from Stas Bekman was to use ... the sub request API. I reread the documentation but the solution is not very explicit. Could someone give me an example to trap the response body of the subrequest ? (Maybe the solution is to use filters but how can I create this filter ) Thanks
Re: [MP2]how to catch the response body of a subrequest?
Less than half an hour to have an answer
And the code is correctly running (my work now is to understand this cryptic
code ;-))
Thanks a lot
2008/7/1 Torsten Foertsch [EMAIL PROTECTED]:
On Tue 01 Jul 2008, titetluc titetluc wrote:
I am facing a problem: I would like to call sub-requests, but the content
of these sub-requests should not 'pollute' the main request.
my $content='';
my $subr=$r-lookup_uri( $tmpl );
$subr-add_output_filter( sub {
my ($f, $bb) = @_;
while (my $e = $bb-first) {
$e-read(my $buf);
$content.=$buf;
$e-delete;
}
return Apache2::Const::OK;
} );
$subr-run;
Torsten
--
Need professional mod_perl support?
Just hire me: [EMAIL PROTECTED]
[MP2]lookup_uri and HTTPS
Hello all, I am writing an handler generating sub-requests by using the lookup_uri and run (Apache2::SubRequest) methods. My question is : is it technically possible to generate HTTPS sub-request (I observed that sub-requests were using HTTP) using the mod_perl API ? If yes, which API do I have to use (I can not find any examples, or I tried the APR::URI class but unsuccessfully) ? If not, which solution is possible (using LWP ?) Thanks
Re: [MP2]mod_perl and index.html
2008/6/26, Torsten Foertsch [EMAIL PROTECTED]: On Thu 26 Jun 2008, titetluc titetluc wrote: In PerlResponseHandler, $r-main and $r-prev are undefined. I can not understand why $r-main AND $r-prev are not defined (intuitively, $r-prev should be defined) I'd expect $r-user to be set, not $r-prev-user nor $r-main-user. But I'd expect $r-prev to be set because $r is the result of an internal redirect. But I am not sure what exactly ap_internal_fast_redirect does. Oh my, I found it. ap_internal_fast_redirect isn't exactly an internal redirect. Instead it overrides the current request with a subreq. Look at modules/http/http_request.c. There is a comment that says something about that function: /* XXX: Is this function is so bogus and fragile that we deep-6 it? */ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r) And yes, it forgets about $r-user at least in apache 2.2.6. Maybe you file a bug for apache? Would it be rather a wrong httpd configuration: my requirement is very common (calling a response handler for an index.html and access the r-user information). I may misconfigure Apache BTW, how can I verify if it is a bug ? Which apache mailing list do I have to use ? You can check in the AuthenHandler for $r-main. If it is true you can set $r-user as well as $r-main-user. Torsten -- Need professional mod_perl support? Just hire me: [EMAIL PROTECTED]
Re: [MP2]mod_perl and index.html
2008/6/27, Rolf Schaufelberger [EMAIL PROTECTED]:
Am Donnerstag, 26. Juni 2008 16:36:49 schrieb titetluc titetluc:
sub set_user {
my ($self, $r) = @_;
Shouldn't that be
sub set_user :method {
my ($self, $r) = @_;
When you use $r as second argument ?
I am not a mod_perl specialist, but declaring the method without the :method
attribute works correctly. According to
http://perl.apache.org/docs/2.0/user/coding/coding.html#Method_Handlers, the
:method attribute is not required
--
Rolf Schaufelberger
Re: [MP2]mod_perl and index.html
Torsten, I created a bug. Bug number is 45297https://issues.apache.org/bugzilla/show_bug.cgi?id=45297 Thank you very much for your help 2008/6/27, Torsten Foertsch [EMAIL PROTECTED]: On Fri 27 Jun 2008, titetluc titetluc wrote: Would it be rather a wrong httpd configuration: my requirement is very common (calling a response handler for an index.html and access the r-user information). I may misconfigure Apache BTW, how can I verify if it is a bug ? Which apache mailing list do I have to use ? On the apache httpd website http://httpd.apache.org you'll find instructions how to file a bug. I have verified it without mod_perl with apache 2.2.9: DirectoryIndex index.shtml Options Includes Indexes AddType text/html .shtml AddOutputFilter INCLUDES .shtml Location /index.shtml Require valid-user AuthType basic AuthName Something very secret AuthUserFile /path/to/htpasswd /Location My index.shtml reads: html body h1Hello !--#echo var=REMOTE_USER --/h1 pre !--#printenv -- /pre /body /html If /index.shtml is requested all works normal. If only / is requested I get the password prompt. Then it shows the page but the REMOTE_USER variable is unset. This variable is r-user. File the bug then send its number to the list. I'll fill in the details. In your bug description you can reference this thread: http://www.gossamer-threads.com/lists/modperl/modperl/97533 Torsten -- Need professional mod_perl support? Just hire me: [EMAIL PROTECTED]
Re: [MP2]mod_perl and index.html
2008/6/25 titetluc titetluc [EMAIL PROTECTED]:
Hello all
I am writing a Perl module to authenticate users (using mod_perl2 and httpd
2.2.6.
I would like to display the user name (r-user) when accessing a directory
(/test_index/index.html)
I have the following httpd configuration
Location /test_index
DirectoryIndex index.html
Options +indexes
/Location
PerlModule Test
Location /test_index/index.html
Require valid-user
AuthType basic
AuthName test_index
SetHandler perl-script
PerlAuthenHandler Apache2::AuthSSO::Test-set_user
PerlResponseHandler Apache2::AuthSSO::Test-display_user
/Location
In addition, I added an empty index.html file in the htdocs/test_index
directory
The Perl Test module is
package Test;
use warnings;
use strict;
use Carp;
use Apache2::Const qw(:common);
sub set_user {
my ($self, $r) = @_;
$r-user('myself');
return OK;
}
sub display_user {
my ($self, $r) = @_;
my $user = defined $r-user ? $r-user : 'user is not defined';
print $user;
return OK;
}
1;
When I access with my browser to http://localhost/test_index/index.html,
user is set to 'myself'
BUT when I access with my browser to http://localhost/test_index/ ... user
is not defined !!!
I don't know if the problem comes from mod_perl or from the httpd
configuration.
Any help would be appreciated.
Thanks
I found a thread related to directory indexes (
http://marc.info/?l=apache-modperlm=119996305532711w=2)
According to this thread, user information could be retrieved with
$r-main-user
But in my configuration, when accessing to http://localhost/test_index/,
$r-main is always undefined in the PerlResponseHandler
Please help
Thanks
Re: [MP2]mod_perl and index.html
2008/6/26 Torsten Foertsch [EMAIL PROTECTED]:
On Wed 25 Jun 2008, titetluc titetluc wrote:
PerlModule Test
Location /test_index/index.html
Require valid-user
AuthType basic
AuthName test_index
SetHandler perl-script
PerlAuthenHandler Apache2::AuthSSO::Test-set_user
PerlResponseHandler Apache2::AuthSSO::Test-display_user
/Location
**
In addition, I added an empty index.html file in the htdocs/test_index
directory
The Perl Test module is
package Test;
use warnings;
use strict;
use Carp;
use Apache2::Const qw(:common);
sub set_user {
my ($self, $r) = @_;
$r-user('myself');
return OK;
}
sub display_user {
my ($self, $r) = @_;
my $user = defined $r-user ? $r-user : 'user is not defined';
print $user;
return OK;
}
1;
When I access with my browser to http://localhost/test_index/index.html,
user is set to 'myself'
BUT when I access with my browser to http://localhost/test_index/ ...
user
is not defined !!!
What happens here? When you access .../index.html your main request matches
the location condition and is served accordingly. If you access .../ the
main
request goes through all phases up to fixup missing the location directives
because the condition does not match. In fixup mod_dir creates an URI
subreq
for each DirectoryIndex.
mod_dir.c contains the following code:
/* The sub request lookup is very liberal, and the core
map_to_storage
* handler will almost always result in HTTP_OK as /foo/index.html
* may be /foo with PATH_INFO=/index.html, or even / with
* PATH_INFO=/foo/index.html. To get around this we insist that
the
* the index be a regular filetype.
*
* Another reason is that the core handler also makes the assumption
* that if r-finfo is still NULL by the time it gets called, the
* file does not exist.
*/
if (rr-status == HTTP_OK
( (rr-handler !strcmp(rr-handler, proxy-server))
|| rr-finfo.filetype == APR_REG)) {
ap_internal_fast_redirect(rr, r);
return OK;
}
You see, for the DirectoryIndex feature to work properly the index document
has to have an associated file. Your index document is a
PerlResponseHandler.
So, I suspect there is no index.html file. In that case $r-filename
is /path/to/test_index and $r-path_info index.html for the subreq.
Use the source, Luke!
Now, I think you can make it working in one of these ways:
1) create .../test_index/index.html as a regular file.
2) redirect /test_index/index.html to a file (Alias ).
Torsten
I created the test_index/index.html as a regular file (see the stars above
;-)).
The effect is that my PerlResponseHandler is correctly called.
But my problem is that I can not retrieved the user (set in the
PerlAuthenHandler) in the PerlResponseHandler.
In PerlResponseHandler, $r-main and $r-prev are undefined. I can not
understand why $r-main AND $r-prev are not defined (intuitively, $r-prev
should be defined)
Torsten
--
Need professional mod_perl support?
Just hire me: [EMAIL PROTECTED]
Re: [MP2]: setting group for a request (require group ...)
Geoffrey, André,
Thank you for your answer.
Conclusion: I will have to:
. write my own PerlAuthzHandler
. define a new directive to define my group
Thanks again
2008/6/19 André Warnier [EMAIL PROTECTED]:
Hi.
I believe that the issue below is more in the way of thinking about this,
than a real technical issue.
You don't need to involve Apache in the group part.
I don't think that Apache, per se, even has a field group in his internal
Request structure.
That is probably why you do not find any API to set or read it.
Let my explain how I understand it :
Authentication consists of finding out who the user is.
To simplify, we could say that this consists of getting and verifying his
user-id.
But, at the same time, we could collect some additional attributes about
him, like his email address, or a list of groups of which he is a member.
The application /may/ want to authenticate users in order to (later) also
authorise them or not to do something. But not necessarily; it could also
be only for the purpose of logging who accessed the page.
Anyway, now your Authentication module has done it's job, it has
authenticated the user and saved his user-id. It does not really care what
this user-id will be used for, that is not it's job.
The module returns OK, and Apache continues.
- end of authentication
some time passes
- start of authorization ---
This consists of verifying if this resource that is requested can be
returned, depending on some criteria.
Usually, it will depend on the userid, or some characteristic of the user.
But not necessarily : it could also depend on a secret key that is included
in a cookie, for example (if the key is there, the resource is granted, and
otherwise not).
If this check is succesful, the authorization returns OK. If it is not, it
returns not-OK.
end of authorization ---
Apache checks the return code. If it is OK, Apache serves the page. If it
is not-OK, Apache returns a forbidden page.
--- end of request ---
Now, in your case, you want
a) to authenticate the user
b) later, to authorize access to a resource, in function of some
characteristic of that user (is he member of one of the authorized groups)
You have already done (a), with a PerlAuthenHandler, and you have stored
the user-id in the request, so you can get at it later.
If you add a PerlAuthzHandler for authorization, then what your handler has
to do is :
1. find out which groups are authorized to access this resource.
That could be by getting the contents of the require clause of the Apache
configuration, or by getting the value of some PerlSetVar in the same
section (e.g. PerlSetVar AuthorizedGroups group1,group2)
(in your module, you would get this value as
$OKgroups = $r-dir_config(AuthorizedGroups);
2. find out if this userid (stored in the request) is a member of one of
these groups.
For that, you need some additional information about the user, not just his
user-id. This you could do using a group file, like Apache does in it's
Basic authentication scheme (AuthGroupFile ), and read it and parse it
when you need to, and then compare the result to $OKgroups.
But that would be inefficient.
Since in (a) you are already accessing some information about the user (to
verify his userid), I would at the same time collect information about which
groups he belongs to, and save that somewhere in the Request object, for
example with something like
$r-pnotes('groups' = $groups);
Then later, your module (b) can get it back, with
$groups = $r-pnotes('groups');
and compare this to the authorized groups.
I hope this helps.
André
titetluc titetluc wrote:
Hello all,
I am writing a mod_perl authentication module (My::Auth).
This module sets the user using the Apache2::RequestRec::user method.
package My::Auth;
sub {
$r-user('getting the user in my module internal structure');
return OK;
}
In the Apache configuration file, I can use the configuration
Location /test_user
PerlAuthHandler My::Auth
Require user user1
/Location
I would like to use my module in another configuration where group is
checked
Location /test_group
PerlAuthHandler My::Auth
Require group group1
/Location
I can not find any mod_perl API method (Apache2::RequestRec::group ?) to
set
the group. I only found Apache2::RequestRec::require method, but this
method
only read the require configuration.
One way to solve the problem is the modify the My::Auth::handler method :
package My::Auth;
sub {
$r-user('getting the user in my module internal structure');
my $requires = $r-requires;
# here the code to verify authorization
return OK;
}
but I think this is a workaround:
. My::Auth::handler is an AUTHENTICATION handler
. the code to verify the AUTHORIZATION should have to be executed by the
httpd core.
How can I manage authorization in this case ?
Thanks
[MP2]: setting group for a request (require group ...)
Hello all,
I am writing a mod_perl authentication module (My::Auth).
This module sets the user using the Apache2::RequestRec::user method.
package My::Auth;
sub {
$r-user('getting the user in my module internal structure');
return OK;
}
In the Apache configuration file, I can use the configuration
Location /test_user
PerlAuthHandler My::Auth
Require user user1
/Location
I would like to use my module in another configuration where group is
checked
Location /test_group
PerlAuthHandler My::Auth
Require group group1
/Location
I can not find any mod_perl API method (Apache2::RequestRec::group ?) to set
the group. I only found Apache2::RequestRec::require method, but this method
only read the require configuration.
One way to solve the problem is the modify the My::Auth::handler method :
package My::Auth;
sub {
$r-user('getting the user in my module internal structure');
my $requires = $r-requires;
# here the code to verify authorization
return OK;
}
but I think this is a workaround:
. My::Auth::handler is an AUTHENTICATION handler
. the code to verify the AUTHORIZATION should have to be executed by the
httpd core.
How can I manage authorization in this case ?
Thanks
Re: [MP2]: no access to the perl source when using the perl debugger
2008/6/3, Perrin Harkins [EMAIL PROTECTED]: On Tue, Jun 3, 2008 at 4:51 AM, titetluc titetluc [EMAIL PROTECTED] wrote: The symptoms: the debugger is correcly called but does not dipslay the source script. Your guess is correct !!! I called Apache::DB-init() too late Thanks a lot for your valuable help. My guess is that you are loading the code being debugged before calling Apache::DB-init(), so this code was compiled with no debugging hooks installed. Either make your call to Apache::DB sooner or take this stuff out of your startup.pl and load it later when you want to debug it. - Perrin
[MP2]: no access to the perl source when using the perl debugger
Hello all,
I am trying to use the perl debugger (using Apache mod_perl-2.0.2-6.3.el5
and httpd httpd-2.2.3-11.el).
I followed the instructions in
http://www.perl.com/pub/a/2006/02/09/debug_mod_perl.html and
http://perl.apache.org/docs/1.0/guide/debug.html but the debugger does not
run correctly.
The symptoms: the debugger is correcly called but does not dipslay the
source script. For example, when I access to the
Apache2::AuthSSO::Angie::authenticate_form method (declared in a
PerlAuthentHandler), the debugger displays
Apache2::AuthSSO::Angie::authenticate_form((eval
150)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Sessions.pm:42]:1):
1: (caller(0))[0]
instead of
Apache2::AuthSSO::Angie::authenticate_form(/mnt/go/public/perl/Apache2-AuthSSO-Angie/lib//Apache2/AuthSSO/Angie.pm:55):
55: my ($self, $r) = @_;
On the contrary, I can access the souce code for a method declared in the
PerlResponseHandler (see trace below)
What is wrong in my configuration ?
Could you please give me some hints ?
Below the debugger output :
[EMAIL PROTECTED] Apache-DB-0.13]# /usr/sbin/httpd -X -DPERLDB
[notice] Apache::DB initialized in child 26694
Loading DB routines from perl5db.pl version 1.28
Editor support available.
Enter h or `h h' for help, or `man perldebug' for more help.
Apache2::Status::handler(/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/Apache2/Status.pm:110):
110:my ($r) = @_;
DB1 c
Apache2::AuthSSO::Angie::authenticate_form((eval
150)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Sessions.pm:42]:1):
1: (caller(0))[0]
DB1 n
Apache2::AuthSSO::Angie::authenticate_form((eval
151)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Sessions/Cache/FastMmap.pm:44]:1):
1: (caller(0))[0]
DB1
snip
DB1 r
scalar context return from Apache2::AuthSSO::Angie::authenticate_form: 0
Apache2::AuthSSO::session_refresh((eval
161)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Session.pm:64]:1):
1: (caller(0))[0]
DB1 n
Apache2::AuthSSO::session_refresh((eval
162)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Session.pm:83]:1):
1: (caller(0))[0]
DB1
Apache2::AuthSSO::session_refresh((eval
163)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Session.pm:174]:1):
1: (caller(0))[0]
DB1
Apache2::AuthSSO::session_refresh((eval
164)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Session.pm:90]:1):
1: (caller(0))[0]
DB1 r
scalar context return from Apache2::AuthSSO::session_refresh: 0
Apache2::AuthSSO::BackEndFactory::send_to((eval
175)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/BackEndFactory.pm:179]:1):
1: (caller(0))[0]
DB1 r
scalar context return from Apache2::AuthSSO::BackEndFactory::send_to: 0
Apache2::AuthSSO::Angie::authenticate_form((eval
185)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Sessions.pm:42]:1):
1: (caller(0))[0]
DB1 r
scalar context return from Apache2::AuthSSO::Angie::authenticate_form: 0
Apache2::AuthSSO::session_refresh((eval
196)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/Session.pm:64]:1):
1: (caller(0))[0]
DB1 r
scalar context return from Apache2::AuthSSO::session_refresh: 0
Apache2::AuthSSO::BackEndFactory::send_to((eval
210)[/mnt/go/public/perl/Apache2-AuthSSO/lib/Apache2/AuthSSO/BackEndFactory.pm:179]:1):
1: (caller(0))[0]
DB1 r
scalar context return from Apache2::AuthSSO::BackEndFactory::send_to: 0
Apache2::AuthSSO::Test::response(/usr/lib/perl5/site_perl/5.8.5/Apache2/AuthSSO/Test.pm:16):
16: my ($self,$r) = @_;
DB1 n
Apache2::AuthSSO::Test::response(/usr/lib/perl5/site_perl/5.8.5/Apache2/AuthSSO/Test.pm:18):
18: my $cookie = 1;
DB1
Apache2::AuthSSO::Test::response(/usr/lib/perl5/site_perl/5.8.5/Apache2/AuthSSO/Test.pm:19):
19: $r-content_type('text/plain');
DB1
[MP2][QUESTION]Adding handlers when defining a new directive
Hello,
I am writing a new mod_perl Apache (mod_perl2) to manage session tracking
and SSO
This module defines a new Apache directive (MyNewDirective), which is usable
in a location, filesdirectory block.
For example
Location /a_test
Set-Handler perl-script
MyNewDirective a_test arg1 arg2
PerlResponseHandler ResponseHandlerToTestTheNewDirective
/Location
Location /another_test
Set-Handler perl-script
PerlResponseHandler ResponseHandlerToTestTheNewDirective
/Location
When this directive is used, my module should a PerlLogHandler automatically
to obtain the following configuration
Location /a_test
Set-Handler perl-script
MyNewDirective a_test arg1 arg2
PerlResponseHandler ResponseHandlerToTestTheNewDirective
PerlLogHandler TestPerlLogHandler
/Location
Location /another_test
Set-Handler perl-script
PerlResponseHandler ResponseHandlerToTestTheNewDirective
/Location
I tried to use the push_handler method when the 'MyNewDirective' is defined.
my @directives = ({name = 'MyNewDirective ', func =
__PACKAGE__.'::MyNewDirective'});
Apache2::Module::add(__PACKAGE__, [EMAIL PROTECTED]);
sub MyNewDirective {
my ($self, $parms, $arg) = @_;
# blablabla
$parms-server-push_handlers(PerlLogHandler = sub {my ($r) _ @_;
$r-server-error_log('hello world'); return Apache2::Const::OK;});
# blablabla
return;
}
This code works ... but for any blocks.
For example, if I access the URI '/a_test', the PerlLogHandler will be
called BUT if I access the URI '/another_test', the PerlLogHandler will also
be called.
Do I use the mod_perl API correctly ?
What is wrong in my code ?
Thanks.
Gaetan
Re: [MP2][QUESTION]Adding handlers when defining a new directive
It works !
Thanks a lot.
One additionnal question: does the hook ordering work (according to the
mod_perl documentation, it does not !) ?
Gaetan
2008/4/29, Philippe M. Chiasson [EMAIL PROTECTED]:
titetluc titetluc wrote:
Hello,
I am writing a new mod_perl Apache (mod_perl2) to manage session
tracking and SSO
This module defines a new Apache directive (MyNewDirective), which is
usable in a location, filesdirectory block.
For example
Location /a_test
Set-Handler perl-script
MyNewDirective a_test arg1 arg2
PerlResponseHandler ResponseHandlerToTestTheNewDirective
/Location
Location /another_test
Set-Handler perl-script
PerlResponseHandler ResponseHandlerToTestTheNewDirective
/Location
When this directive is used, my module should a PerlLogHandler
automatically to obtain the following configuration
Location /a_test
Set-Handler perl-script
MyNewDirective a_test arg1 arg2
PerlResponseHandler ResponseHandlerToTestTheNewDirective
PerlLogHandler TestPerlLogHandler
/Location
Location /another_test
Set-Handler perl-script
PerlResponseHandler ResponseHandlerToTestTheNewDirective
/Location
I tried to use the push_handler method when the 'MyNewDirective' is
defined.
my @directives = ({name = 'MyNewDirective ', func =
__PACKAGE__.'::MyNewDirective'});
Apache2::Module::add(__PACKAGE__, [EMAIL PROTECTED]);
sub MyNewDirective {
my ($self, $parms, $arg) = @_;
# blablabla
$parms-server-push_handlers(PerlLogHandler = sub {my ($r) _ @_;
$r-server-error_log('hello world'); return Apache2::Const::OK;});
Right here, you are adding your handler to the current *server*
configuration
object, effectively enabling this handler for eery requests to that
server/vhost
# blablabla
return;
}
This code works ... but for any blocks.
For example, if I access the URI '/a_test', the PerlLogHandler will be
called BUT if I access the URI '/another_test', the PerlLogHandler will also
be called.
See above.
Do I use the mod_perl API correctly ?
Correctly, yes. Unfortunately, it's not what you are trying to do.
What is wrong in my code ?
If you want to push your loghandler only for requests for your configured
module, I would just delay the loghandler registration until runtime and
do it in your content handler with
$r-push_handlerrs(...)
Or you can do it in your command handler, but like so
sub MyLogHandler {
[...]
}
sub MyNewDirective {
my ($self, $param, $arg) = @_;
$parms-add_config([PerlLogHandler MyLogHandler]);
[...]
--
Philippe M. Chiasson GPG: F9BFE0C2480E7680 1AE53631CB32A107 88C3A5A5
http://gozer.ectoplasm.org/ m/gozer\@(apache|cpan|ectoplasm)\.org/
[MP2][QUESTION]Attribute::Handlers usage with mod_perl
Hello all,
I would like to use attributes (Attribute::Handlers) in a mod_perl module.
I defined my attribute:
use Attribute::Handlers;
sub Catch_error ATTR(CODE, BEGIN) { ... }
My module uses this attribute:
sub foo :Catch_error{
}
But this does not work.
I searched in the mod_perl mailing list and found interesting threads
(OO handlers and Attribute::Handlers - cant use under mod_perl?).
Attribute::Handlers would be incompatible with mod_perl (CHECK phase
is not handled by mod_perl). But according to Geoffrey Young and James
Smith, it should work (Apache::Handler module uses the
Attribute::Handlers module).
I had a look at the Apache::Handler but I can not see any declaration
differences with my module.
Could someone give some tips to make my attribute usable in mod_perl ?
Thanks
Gaetan
PS: I already send this post on this mailing list but it seems that
the post was not received. Is this mailing list
[MP2][QUESTION]Apache::Handler usage with mod_perl
Hello all,
I would like to use attributes (Attribute::Handlers) in a mod_perl module.
I defined my attribute:
use Attribute::Handlers;
sub Catch_error ATTR(CODE, BEGIN) { ... }
My module uses this attribute:
sub foo :Catch_error{
}
But this does not work.
I searched in the mod_perl mailing list and found interesting threads
(OO handlers and Attribute::Handlers - cant use under mod_perl?).
Attribute::Handlers would be incompatible with mod_perl (CHECK phase
is not handled by mod_perl). But according to Geoffrey Young and James
Smith, it should work (Apache::Handler module uses the
Attribute::Handlers module).
I had a look at the Apache::Handler but I can not see any declaration
differences with my module.
Could someone give some tips to make my attribute usable in mod_perl.
Thanks
Gaetan
Re: [MP2][QUESTION]Session and inactivity
2008/2/13, Perrin Harkins [EMAIL PROTECTED]:
On Feb 13, 2008 2:03 AM, titetluc titetluc [EMAIL PROTECTED] wrote:
By pooling, I mean the fact that expired sessionS have to be REGULARLY
purge
(in opposed to a callback mechanism (IMHO, the best solution ). This
callback would be called on ONE session expiration and would suppress
it.
You would not have any purge latency with such a solution).
There were multiple suggestions that worked through the sort of
callback solution you describe: mod_auth_tkt, CHI, storing a timestamp
in the session (as opposed to in a separate column in the sessions
database table), Apache::SessionManager...
All of these modules propose an expiration mechanism, but they do not
propose a mechanism to automatically destroy session at expiration (this is
what I call a callback mechanism).
This implies that the session destruction has to be called explicitly.
We could imagine an interface where a callback is defined when a session is
created
For example,
session_create(inactivity = 30, callback = sub{print Session
automagically destroyed;})
There would be no need to call a session_delete function !!
Gaetan
- Perrin
Re: [MP2][QUESTION]Session and inactivity
2008/2/11, Perrin Harkins [EMAIL PROTECTED]: On Feb 11, 2008 11:10 AM, titetluc titetluc [EMAIL PROTECTED] wrote: From your previous answers, I conclude that there is no way to suppress a session automagically by using the mod_perl API (unless using XS to implement a monitor hook -proposed in Apache 2.2 native API by Torsten). Sessions are not part of the mod_perl (or apache) API at all, so working with them will always be a separate thing. I think there were some pretty good tools pointed out though, and hopefully one of them suits your needs. You can always install custom code at various phases of the request to validate a user's credentials and take action based on them. The only way to suppress sessions is to use a pooling mechanism. I don't know what you mean by pooling here. OK, pooling is maybe a franglais (mix of French and English) term By pooling, I mean the fact that expired sessionS have to be REGULARLY purge (in opposed to a callback mechanism (IMHO, the best solution ). This callback would be called on ONE session expiration and would suppress it. You would not have any purge latency with such a solution). Gaetan - Perrin
Re: [MP2][QUESTION]Session and inactivity
Hello all,
2008/2/6, titetluc titetluc [EMAIL PROTECTED]:
Oups
I answered directly to Torsten by error
Here is my answer and the reply
2008/2/6, Torsten Foertsch [EMAIL PROTECTED]:
On Wed 06 Feb 2008, titetluc titetluc wrote:
The module I am developing has to delete the cookie if it is not
refreshed
regularly.
The question: how can I manage this timeout inactivity ?
The best solution would be to use a mechanism where callbacks
(deleting the
cookie rfom the database) would be called automatically on inactivity.
Does such an API is proposed by :
. the APR API
. mod_perl API
. an Apache2::xxx perl module
. a CPAN module
If not, how can I solve my problem ? (I could verify regularly in the
DB
storage, but this is a last resort solution. Even in this case, how
could I
implement it ?)
Apache (at least 2.2.x) implements a monitor hook, see
server/mpm_common.c.
To use this hook you'd have to write a bit XS stuff like Geoff's
AuthenHook, ... since there is AFAIK no CPAN module. This hook is run
from
time to time in the parent apache.
Otherwise there are 2 standard ways to do that:
- a cron job or something similar in the DB itself
- check each time in a connection cleanup handler (to do it not too
often you
can use a global variable that holds the timestamp of the last cleanup
and
run it only if the difference to the current time grows too big.)
I am using the Apache::Session module to manage ... sessions.
Apache::Session does not manage session expiration
I found the following comment on the CPAN rating on Apache::Session module (
http://cpanratings.perl.org/dist/Apache-Session)
Quotation:
There is no support for temporary session keys. I'd like to be able to set
a key that expires in X minutes. This can be handled by writing your own
wrapper that sets a special session key, but it would be nice to be in the
API somewhere.
I've since switched my site over to using Data::Uniqid for session ID
generation and Cache::FileCache for storing temporary form data.
Data::Uniqid assures me that the ID it generates is very unique, so I don't
have to store every session in my database. And FileCache has the expiration
support I need for holding temporary form data.
I am not sure this will solve my problem, but I think this is also a good
I'd go for one of the standard ways since:
- easier to implement
- your code doesn't run as root
One naive question: how can I declare a global variable under mod_perl ?
Each request is run with a thread and by default Perl does not share
variables !
I declared my variable as shared (using the threads::shared module) but
this declaration does not seem to be sufficient in a mod_perl
environment
!!!
I meant something like this:
package My::Cleanup;
use strict;
use Apache2::Const -compile=('OK', 'DECLINED');
use Apache2::RequestRec ();
use Apache2::Connection ();
use APR::Pool ();
my $lastrun=0; # this is the global variable: one per process
my $check_interval=60; #check every minute
sub run {
my $time=time;
if( $time$lastrun+$check_interval ) {
$lastrun=$time;
# here you can check the modification time ((stat)[9]) of a file on
disk
# flock() it with LOCK_NB set and return if flock fails.
# alternatively you can implement an interface to apr_proc_mutex which
is
# quite easy, see ThreadMutex for example.
# or you implement $lastrun in your database.
# or you use BerkeleyDB which is actually shared memory.
# doit
...
}
return Apache2:Const::OK;
}
sub handler {
my ($r)[EMAIL PROTECTED];
unless( $r-connection-pnotes-{cleanup_installed} ) {
$r-connection-pool-cleanup_register(\run);
$r-connection-pnotes-{cleanup_installed}=1;
}
return Apache2::Const::DECLINED;
}
Then:
# install it either as PerlPostReadRequestHandler or as
# PerlHeaderParserHandler
PerlInitHandler My::Cleanup
I'd implement the process global variable as shown plus perhaps another
variable in the database if the session is stored there. It depends on how
expensive your cleanup is.
Torsten
Torsten
[MP2][QUESTION]Session and inactivity
Hello mod_perl users,
I am developing a mod_perl module (MyModule) to manage
sessions/authentication.
This module:
- uses Apache::Session to store session-related information
- is cookie-based
- manages session inactivity
This module could be used in the following example.
Location /protected_url
PerlAuthenHandler MyModule
AuthType Basic
AuthBasicProvider ...
require valid-user
PerlFixupHandler MyModule-cookie_create_refresh
/Location
If request has no cookie, then basic authentication is required.
If basic authent is correct, then a cookie is created in the fixup
handler.
If request has a cookie, then the cookie is refreshed in the fixup handler.
A basic description of the module in pseudo-perl:
package MyModule;
use Apache::Session::xxx;
use Apache::Cookie;
sub handler{
my $r = shift;
if (cookie_not_present_in_request()){
return DECLINED;
}
return cookie_verify(); #use of Apache::Session as a DB storage
}
sub cookie_create_refresh{
my $class = shift;
if (cookie_not_present_in_request()){
create_cookie_with_Apache::Session::xxx_module();
create_cookie_with_Apache::Cookie_module();
}
else {
refresh_cookie_with_Apache::Session::xxx_module();
refresh_cookie_with_Apache::Cookie_module();
}
return OK;
}
The module I am developing has to delete the cookie if it is not refreshed
regularly.
The question: how can I manage this timeout inactivity ?
The best solution would be to use a mechanism where callbacks (deleting the
cookie rfom the database) would be called automatically on inactivity.
Does such an API is proposed by :
. the APR API
. mod_perl API
. an Apache2::xxx perl module
. a CPAN module
If not, how can I solve my problem ? (I could verify regularly in the DB
storage, but this is a last resort solution. Even in this case, how could I
implement it ?)
Thanks
Gaetan
Re: [MP2][QUESTION]Session and inactivity
Oups
I answered directly to Torsten by error
Here is my answer and the reply
2008/2/6, Torsten Foertsch [EMAIL PROTECTED]:
On Wed 06 Feb 2008, titetluc titetluc wrote:
The module I am developing has to delete the cookie if it is not
refreshed
regularly.
The question: how can I manage this timeout inactivity ?
The best solution would be to use a mechanism where callbacks (deleting
the
cookie rfom the database) would be called automatically on inactivity.
Does such an API is proposed by :
. the APR API
. mod_perl API
. an Apache2::xxx perl module
. a CPAN module
If not, how can I solve my problem ? (I could verify regularly in the DB
storage, but this is a last resort solution. Even in this case, how
could I
implement it ?)
Apache (at least 2.2.x) implements a monitor hook, see
server/mpm_common.c.
To use this hook you'd have to write a bit XS stuff like Geoff's
AuthenHook, ... since there is AFAIK no CPAN module. This hook is run from
time to time in the parent apache.
Otherwise there are 2 standard ways to do that:
- a cron job or something similar in the DB itself
- check each time in a connection cleanup handler (to do it not too often
you
can use a global variable that holds the timestamp of the last cleanup and
run it only if the difference to the current time grows too big.)
I'd go for one of the standard ways since:
- easier to implement
- your code doesn't run as root
One naive question: how can I declare a global variable under mod_perl ?
Each request is run with a thread and by default Perl does not share
variables !
I declared my variable as shared (using the threads::shared module) but
this declaration does not seem to be sufficient in a mod_perl environment
!!!
I meant something like this:
package My::Cleanup;
use strict;
use Apache2::Const -compile=('OK', 'DECLINED');
use Apache2::RequestRec ();
use Apache2::Connection ();
use APR::Pool ();
my $lastrun=0; # this is the global variable: one per process
my $check_interval=60; #check every minute
sub run {
my $time=time;
if( $time$lastrun+$check_interval ) {
$lastrun=$time;
# here you can check the modification time ((stat)[9]) of a file on disk
# flock() it with LOCK_NB set and return if flock fails.
# alternatively you can implement an interface to apr_proc_mutex which is
# quite easy, see ThreadMutex for example.
# or you implement $lastrun in your database.
# or you use BerkeleyDB which is actually shared memory.
# doit
...
}
return Apache2:Const::OK;
}
sub handler {
my ($r)[EMAIL PROTECTED];
unless( $r-connection-pnotes-{cleanup_installed} ) {
$r-connection-pool-cleanup_register(\run);
$r-connection-pnotes-{cleanup_installed}=1;
}
return Apache2::Const::DECLINED;
}
Then:
# install it either as PerlPostReadRequestHandler or as
# PerlHeaderParserHandler
PerlInitHandler My::Cleanup
I'd implement the process global variable as shown plus perhaps another
variable in the database if the session is stored there. It depends on how
expensive your cleanup is.
Torsten
Torsten
Re: [MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm) and cookies
Thank you for your answer Rafael My comments are below 2008/1/29, Rafael Caceres [EMAIL PROTECTED]: Gaetan: On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote: Hello all Apache mod_perl2 module experts (I am a newbie with Apache), Hope I am clear in my explanations (my English is not so good and I had a lot of problems explaining my needs by mail. I am not sure that everybody will read entirely this mail ;-))) The direct question: Is it possible to: . use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to authenticate a client for the first request, . then create a session tracking module (based on cookies) for the next requests (I would write this last module in Perl) The cookie needs to be setup upon authentication, so you have to use an authentication module other than the basic authentication, which does not set up a cookie. This is one of my problem: how can I link basic authentication with a cookie ? One of the solution I proposed (but it it feasible with Apache infrastructure and AuthType directive) was to declare different authentication type with the AuthType directive Location /docs_protected_access_basic AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie /Location This would mean that : . MySessionModuleVerifyCookie would be first called, verifying if the cookie is present and correct . If no cookie, then basic authent is requested . if basic authent ok, then MySessionModuleGenerateCookie generates a valid cookie In fact, my ultimate objective was to have an authentication framework based on cookie. It would be possible, with such a framework, to define client authentication type. The following example would mean: use cookie for authentication tracking, but first request can be authenticated with SSL. If SSL not available, use NTLM. If NTLM not available, use Form authentication. SSL, NTLM and Form authentication woul be external module I would re-used Location /docs_protected_access AuthType AuthentFrameworkCookie AuthOrder SSL NTLM Form /Location Modules on Internet offer only one kind of authentication. Combining 2 (or more) authentication type is hard to configure (see SSL with basic authent http://www.modssl.org/docs/2.8/ssl_howto.html). And worse, combining authentication type with cookie is harder. Due to planning constraints, I will have to be less ... ambitious ;-) The indirect question (good luck ;)) I am currently working on a project to develop a server hosting HTTP applications developed with different technologies and I am in charge of the session management (authentication along with SSO) for the HTTP-based applications. Applications are developed in . PHP . Servlet I can not modify these applications (in term of authentication) My objective is to offer SSO, meaning that the end-user will be asked authentication only once, when accessing PHP or servlet (backend). The idea: an Apache module will simulate an HTTP client against the PHP or the servlet by sending basic authentication to PHP/servlet (ok, I simplify the problem, because the PHP or servlet container could require another authentication mechanism) Apache would act as a front-end and would . manage authentication against the client . manage session tracking with cookies . simulate the client authentication against the application (servlet or PHP) by sending basic authentication to the servlet or PHP applications (or any other mechanism, depending on the application authentication mechanism) Take a look at the AuthCookie and AuthTicket modules, they can be used to easily build a solution like the one you are indicating. I already studied these modules, but they manage only form authentication. In any case, I think I will use the AuthCookie module to build a POC. I will write a session tracking module (using the PerlAuthenHandler handler). This module will manage: . a cookie for session tracking . the client simulation (using basic authentication or any other mechanism) against the back-end (PHP/Servlet) My requirement: this module has to be usable with any existing client authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO mod_auth_ntlm, ...) For example, . a client (a web services based client) uses basic authentication for the first request then a cookie is used for the next requests . a client (a browser) uses FORM authentication for the first request then a cookie is used for the next requests. . a client uses NTLM authentication . a client uses digest authentication I would imagine the Apache configuration as below Location /docs_protected_access_basic AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie /Location This would mean that : . MySessionModuleVerifyCookie would be first called, verifying
[MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm) and cookies
Hello all Apache mod_perl2 module experts (I am a newbie with Apache), Hope I am clear in my explanations (my English is not so good and I had a lot of problems explaining my needs by mail. I am not sure that everybody will read entirely this mail ;-))) The direct question: Is it possible to: . use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to authenticate a client for the first request, . then create a session tracking module (based on cookies) for the next requests (I would write this last module in Perl) The indirect question (good luck ;)) I am currently working on a project to develop a server hosting HTTP applications developed with different technologies and I am in charge of the session management (authentication along with SSO) for the HTTP-based applications. Applications are developed in . PHP . Servlet I can not modify these applications (in term of authentication) My objective is to offer SSO, meaning that the end-user will be asked authentication only once, when accessing PHP or servlet (backend). The idea: an Apache module will simulate an HTTP client against the PHP or the servlet by sending basic authentication to PHP/servlet (ok, I simplify the problem, because the PHP or servlet container could require another authentication mechanism) Apache would act as a front-end and would . manage authentication against the client . manage session tracking with cookies . simulate the client authentication against the application (servlet or PHP) by sending basic authentication to the servlet or PHP applications (or any other mechanism, depending on the application authentication mechanism) I will write a session tracking module (using the PerlAuthenHandler handler). This module will manage: . a cookie for session tracking . the client simulation (using basic authentication or any other mechanism) against the back-end (PHP/Servlet) My requirement: this module has to be usable with any existing client authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO mod_auth_ntlm, ...) For example, . a client (a web services based client) uses basic authentication for the first request then a cookie is used for the next requests . a client (a browser) uses FORM authentication for the first request then a cookie is used for the next requests. . a client uses NTLM authentication . a client uses digest authentication I would imagine the Apache configuration as below Location /docs_protected_access_basic AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie /Location This would mean that : . MySessionModuleVerifyCookie would be first called, verifying if the cookie is present and correct . If no cookie, then basic authent is requested . if basic authent ok, then MySessionModuleGenerateCookie generates a valid cookie Another example, Location /docs_protected_access_ntlm AuthType MySessionModuleVerifyCookie ntlm MySessionModuleGenerateCookie /Location I searched for Apache modules fitting my needs. The Internet community proposes a lot of modules but all of these modules mix the different phases I described above (authentication between client and Apache, credentials verifications, session creation) For example, . mod_auth_pam: The PAM authentication module implements Basic authentication on top of the Pluggable Authentication Module library. This means that the module implements basic authentication with PAM to verify credentials but without cookie session tracking . mod_auth_cookie_mysql: implements only FORM authentication with SQL to verify credentials with cookie session tracking . Apache::AuthTicket: implements only FORM authentication with any credentials mechanism (the module is extensible) with cookie session tracking . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but does not manage digest or form authentication My question: is it possible to serialize authentication modules in the AuthType Apache directive ? If so, how these modules interact each others. Another way to ask the question: is it possible to use already existing Apache module (basic, ntlm, digest, ...) to be included in a more global authentication/session framework ? Advantage of such a solution is that I can reuse the existing Apache modules (basic, ntlm, digest, ...), concentrating on my session tracking module. (I read the mod_perl2 documentation and mod_perl2 offers only Basic and Digest authentication. It does not offer NTLM authentication). Last but not least, my session tracking module has to be developed in Perl ! Thanks Gaetan
