Geoffrey, André,
Thank you for your answer.
Conclusion: I will have to:
. write my own PerlAuthzHandler
. define a new directive to define my group
Thanks again
2008/6/19 André Warnier [EMAIL PROTECTED]:
Hi.
I believe that the issue below is more in the way of thinking about this,
than a real technical issue.
You don't need to involve Apache in the group part.
I don't think that Apache, per se, even has a field "group" in its internal
Request structure.
That is probably why you do not find any API to set or read it.
Let me explain how I understand it :
Authentication consists of finding out who the user is.
To simplify, we could say that this consists of getting and verifying his
user-id.
But, at the same time, we could collect some additional attributes about
him, like his email address, or a list of groups of which he is a member.
The application /may/ want to authenticate users in order to (later) also
authorise them or not to do something. But not necessarily; it could also
be only for the purpose of logging who accessed the page.
Anyway, now your Authentication module has done its job, it has
authenticated the user and saved his user-id. It does not really care what
this user-id will be used for, that is not its job.
The module returns OK, and Apache continues.
--- end of authentication ---
some time passes
--- start of authorization ---
This consists of verifying if this resource that is requested can be
returned, depending on some criteria.
Usually, it will depend on the userid, or some characteristic of the user.
But not necessarily : it could also depend on a secret key that is included
in a cookie, for example (if the key is there, the resource is granted, and
otherwise not).
If this check is successful, the authorization returns OK. If it is not, it
returns not-OK.
--- end of authorization ---
Apache checks the return code. If it is OK, Apache serves the page. If it
is not-OK, Apache returns a forbidden page.
--- end of request ---
Now, in your case, you want
a) to authenticate the user
b) later, to authorize access to a resource, in function of some
characteristic of that user (is he a member of one of the authorized groups)
You have already done (a), with a PerlAuthenHandler, and you have stored
the user-id in the request, so you can get at it later.
If you add a PerlAuthzHandler for authorization, then what your handler has
to do is :
1. find out which groups are authorized to access this resource.
That could be by getting the contents of the require clause of the Apache
configuration, or by getting the value of some PerlSetVar in the same
section (e.g. PerlSetVar AuthorizedGroups group1,group2)
(in your module, you would get this value as
$OKgroups = $r->dir_config('AuthorizedGroups');
)
2. find out if this userid (stored in the request) is a member of one of
these groups.
For that, you need some additional information about the user, not just his
user-id. This you could do using a group file, like Apache does in its
Basic authentication scheme (AuthGroupFile ), and read it and parse it
when you need to, and then compare the result to $OKgroups.
But that would be inefficient.
Since in (a) you are already accessing some information about the user (to
verify his userid), I would at the same time collect information about which
groups he belongs to, and save that somewhere in the Request object, for
example with something like
$r->pnotes('groups' => $groups);
Then later, your module (b) can get it back, with
$groups = $r->pnotes('groups');
and compare this to the authorized groups.
I hope this helps.
André
titetluc titetluc wrote:
Hello all,
I am writing a mod_perl authentication module (My::Auth).
This module sets the user using the Apache2::RequestRec::user method.
package My::Auth;
use Apache2::Const qw(OK);
sub handler {
    my $r = shift;    # the request object passed in by mod_perl
    $r->user('getting the user in my module internal structure');
    return OK;
}
In the Apache configuration file, I can use the configuration
<Location /test_user>
    PerlAuthHandler My::Auth
    Require user user1
</Location>
I would like to use my module in another configuration where group is checked
<Location /test_group>
    PerlAuthHandler My::Auth
    Require group group1
</Location>
I can not find any mod_perl API method (Apache2::RequestRec::group ?) to set
the group. I only found the Apache2::RequestRec::require method, but this
method only reads the require configuration.
One way to solve the problem is to modify the My::Auth::handler method :
package My::Auth;
use Apache2::Const qw(OK);
sub handler {
    my $r = shift;    # the request object passed in by mod_perl
    $r->user('getting the user in my module internal structure');
    my $requires = $r->requires;
    # here the code to verify authorization
    return OK;
}
but I think this is a workaround:
. My::Auth::handler is an AUTHENTICATION handler
. the code to verify the AUTHORIZATION should have to be executed by the
httpd core.
How can I manage authorization in this case ?
Thanks
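
The two steps André describes for the PerlAuthzHandler (read the allowed groups from PerlSetVar, compare them with the groups saved in pnotes during authentication), written out as an added example that is not code from the thread. The module name My::Authz, the is_member helper, the Require valid-user line, the array-ref format in pnotes and the Apache 2.2-era hook behaviour are assumptions.

```perl
package My::Authz;    # hypothetical module name, not from the thread
use strict;
use warnings;

use Apache2::RequestRec  ();    # $r->user, $r->uri
use Apache2::RequestUtil ();    # $r->dir_config, $r->pnotes
use Apache2::Log         ();    # $r->log_error
use Apache2::Const -compile => qw(OK HTTP_FORBIDDEN);

# Assumed wiring (Apache 2.2-era configuration):
#   <Location /test_group>
#       PerlAuthenHandler My::Auth
#       PerlAuthzHandler  My::Authz
#       PerlSetVar AuthorizedGroups group1,group2
#       Require valid-user
#   </Location>
# Assumption: My::Auth saved the user's groups as an array ref with
#   $r->pnotes('groups' => \@groups);

# Pure helper: true if any of the user's groups is in the allowed list.
sub is_member {
    my ($allowed_csv, $user_groups) = @_;
    return 0 unless defined $allowed_csv && ref $user_groups eq 'ARRAY';
    (my $csv = $allowed_csv) =~ s/^\s+|\s+$//g;
    my %allowed = map { $_ => 1 } grep { length } split /\s*,\s*/, $csv;
    return 0 unless %allowed;    # an empty policy grants nothing
    return (grep { defined $_ && $allowed{$_} } @$user_groups) ? 1 : 0;
}

sub handler {
    my $r       = shift;
    my $user    = $r->user;                           # set during authentication
    my $allowed = $r->dir_config('AuthorizedGroups'); # step 1: policy
    my $groups  = $r->pnotes('groups');               # step 2: user's groups

    # Fail closed: no user, no policy or no group data all mean "deny".
    if (defined $user && is_member($allowed, $groups)) {
        return Apache2::Const::OK;
    }
    $r->log_error(sprintf 'authz denied: user=%s uri=%s',
        defined $user ? $user : '-', $r->uri);
    return Apache2::Const::HTTP_FORBIDDEN;
}

1;
```

Keeping the comparison in is_member lets the deny-by-default cases (missing PerlSetVar, missing pnotes entry, empty group list) be checked outside Apache.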