Apache2::AuthCookie

[Michel Jansen]

Hi,

Since i understand that http-authentication is not used much and because
it is impossible to logout from an authenticated session without closing
the browser i am looking at Apache2::AuthCookie to replace
http-authentication. I installed the module but i need some more
examples to get things going. Can anyone help me out? Currently i get
the error "configuration error:  couldn't check user.  No user file?" in
the apache log but i cannot find the place where i should store the
passwd file?

Is it possible to connect AuthCookie to AuthDBI?

Hope someone can help me...

Kind Regards,


Michel Jansen

Apache2::AuthCookie

[Vladimir S. Tikhonjuk]

Hi all

I get the next error, when I'm trying to use AuthCookie:

failed to resolve handler Promtelecom::Authentication

I put Promtelecom/Authentication.pm into /usr/local/lib/site_perl, which
is in my @INC path list.

Here is my httpd.conf:

PerlModule Promtelecom::Authentication
PerlSetVar WhatEverLoginScript /promtelecomindex.html
PerlSetVar WhatEverSatisfy Any
PerlSetVar WhatEverCache 1
PerlSetVar WhatEverExpires +2h

  AuthType Promtelecom::Authentication
  AuthName "Promtelecom Database"
  PerlAuthenHandler Promtelecom::Authentication->authenticate
  PerlAuthzHandler Promtelecom::Authentication->authorize
  require valid-user



  AuthType Promtelecom::Authentication
  AuthName WhatEver
  SetHandler perl-script
  PerlResponseHandler Promtelecom::Authentication->login

Re: Apache2::AuthCookie

[Adam Prime]

Michel Jansen wrote:

Hi,

Since i understand that http-authentication is not used much and because
it is impossible to logout from an authenticated session without closing
the browser i am looking at Apache2::AuthCookie to replace
http-authentication. I installed the module but i need some more
examples to get things going. Can anyone help me out? Currently i get
the error "configuration error:  couldn't check user.  No user file?" in
the apache log but i cannot find the place where i should store the
passwd file?

Is it possible to connect AuthCookie to AuthDBI?


You might want to take a look at:

http://search.cpan.org/dist/Apache2-AuthCookieDBI/

Adam

Re: Apache2::AuthCookie

[Michael Schout]

On 05/10/2010 10:31 AM, Michel Jansen wrote:
> Is it possible to connect AuthCookie to AuthDBI?

I'm the Author of AuthCookie.

AuthCookie is a framework for creating authentication modules.  You
either have to implement your own auth module, using AuthCookie as the
base class, or use one of the many subclasses already on CPAN, as
suggested in the AuthCookie documentation.

I wrote Apache::AuthTicket which does ticket based auth using AuthCookie
and a DBI database store.

There are many others as well.

Regards,
Michael Schout

Re: Apache2::AuthCookie

[André Warnier]

Michael Schout wrote:

On 05/10/2010 10:31 AM, Michel Jansen wrote:

Is it possible to connect AuthCookie to AuthDBI?


I'm the Author of AuthCookie.


..
Michael,
I am using that module a lot, and have used it as a base for many 
variations of Apache AAA.
It may please you to know that derivates of that module are being used 
daily by thousands of people spread all over the world (although they do 
not always know this; the best things work quietly and reliably in the 
background).


Many, many thanks.
André

Re: Apache2::AuthCookie

[Michael Schout]

On 05/10/2010 01:59 PM, André Warnier wrote:

> Michael,
> I am using that module a lot, and have used it as a base for many
> variations of Apache AAA.
> It may please you to know that derivates of that module are being used
> daily by thousands of people spread all over the world (although they do
> not always know this; the best things work quietly and reliably in the
> background).

Thanks!  AuthCookie has been around for a very long time (first released
in 2000) so I suspect there are tons of sites that make use of it.  Its
hard to guage exactly how many though :).

Michael Schout

Re: Apache2::AuthCookie

[Philip M. Gollucci]

Vladimir S. Tikhonjuk wrote:
> Hi all
> 
> I get the next error, when I'm trying to use AuthCookie:
> 
> failed to resolve handler Promtelecom::Authentication
You're going to have to give more context to that for us to help.

> 
> I put Promtelecom/Authentication.pm into /usr/local/lib/site_perl, which
> is in my @INC path list.
You shouldn't put stuff in the "system perl" @INC. make your own directory and 
it to
the @INC path.

> 
> Here is my httpd.conf:
> 
> PerlModule Promtelecom::Authentication
> PerlSetVar WhatEverLoginScript /promtelecomindex.html
> PerlSetVar WhatEverSatisfy Any
> PerlSetVar WhatEverCache 1
> PerlSetVar WhatEverExpires +2h
> 
>   AuthType Promtelecom::Authentication
>   AuthName "Promtelecom Database"
>   PerlAuthenHandler Promtelecom::Authentication->authenticate
>   PerlAuthzHandler Promtelecom::Authentication->authorize
>   require valid-user
> 
> 
> 
>   AuthType Promtelecom::Authentication
>   AuthName WhatEver
>   SetHandler perl-script
>   PerlResponseHandler Promtelecom::Authentication->login
> 
Nothing jumped out at me.
Do you have another spot where you inadvertantely have just
 Perl*Handler Promtelecom::Authentication




-- 

Philip M. Gollucci ([EMAIL PROTECTED]) 323.219.4708
Consultant / http://p6m7g8.net/Resume/resume.shtml
Senior Software Engineer - TicketMaster - http://ticketmaster.com
1024D/A79997FA F357 0FDD 2301 6296 690F  6A47 D55A 7172 A799 97F

"In all that I've done wrong I know I must have done something right to
deserve a hug every morning and butterfly kisses at night."

Re: Apache2::AuthCookie

[Jonathan]

based on everything that philip mentioned, my guess is that the  
modules are not being imported correctly


personally, i solve lib issues in mod_perl as such: i have a 'use  
lib' line in startup.pl that calls in my handler lib, and various  
external libs



use lib qw(
/webserver/sites/FindMeOn.com/web-modperl/lib
		/webserver/sites/FindMeOn.com/web-modperl/lib-externals/Authen- 
PluggableCaptcha/lib/
		/webserver/sites/FindMeOn.com/web-modperl/lib-externals/Apache2- 
xForwardedFor/lib/

/webserver/sites/FindMeOn.com/web-modperl/lib-externals/P_2XLP
);


thats in the startup.pl file for my local machine.
my production box is freebsd, which has root in /usr/local/www/sites/ 
FindMeOn.com/web-modperl

problem with Apache2::AuthCookie

[Brian Clarkson]

I started having an odd problem with a simple subclass of
Apache2::AuthCookie after a mod_perl upgrade.  

When authorization fails, apache apparently returns a forbidden page to
the user (not just a forbidden status to the authentication hook) then
fails to redirect the user back to the login page.  The browser actually
displays the following:


ody> Forbidden You don't have permission to access /archive/
on this server. Additionally, a 200 OK error was encountered
while trying to use an ErrorDocument to handle the request. 
Apache Server at www.psychonomic.org Port 80
 HTTP/1.1 200 OK Date: Mon, 27 Jul 2009 19:54:27 GMT
Server: Apache Keep-Alive: timeout=15, max=88 Connection: Keep-Alive
Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 fd6

(The code can be seen in action at http://www.psychonomic.org/archive )

Authorization only seems to fail 1 out of 50 times.  A similar error
happens when the 'Continue' button on the page is pressed repeatedly (5+
times) without checking the 'I agree' checkbox.

I only need to make sure the user has checked a box agreeing to the
website's terms and conditions.  I don't use any kind of user/pass
combinations.  

perl 5.8.8
apache 2.2.11
mod_perl 2.0.4


My module code is:

package TermsAndConditions;
use strict;
use Apache2::compat;
use base qw! Apache2::AuthCookie !;

sub authen_cred ($$\@) {
   my $self = shift;  # Package name (same as AuthName directive)
   my $r= shift;  # Apache request object
   my @cred = @_; # Credentials from login form

   return ( $cred[0] ? "authorized" : undef );
}

sub authen_ses_key ($$$) {
   my ($self, $r, $session_key) = @_;
   return 1;
}

1;

The relevant httpd.conf directives are:


   
  SetHandler perl-script
  PerlHandler ModPerl::Registry
  Options +ExecCGI
  allow from all
  PerlSendHeader On
   




   SetHandler perl-script
   PerlHandler ModPerl::Registry
   Options +ExecCGI
   PerlSendHeader On


## These documents require user to be logged in.

Options +ExecCGI
AuthType TermsAndConditions
AuthName PsychoMembers
PerlAuthenHandler TermsAndConditions->authenticate
PerlAuthzHandler TermsAndConditions->authorize
require valid-user
#SetHandler perl-script
#PerlSendHeader On


##this is the action of the login.pl script above.

AuthType TermsAndConditions
AuthName PsychoMembers
SetHandler perl-script
PerlSendHeader On
PerlResponseHandler TermsAndConditions->login

Apache2:AuthCookie With httpd 2.4

[Scott Alexander]

HI,

Any idea what would cause in error_log

failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler
failed to resolve handler Sample::Apache2::AuthCookieHandler

I've used Auth::Cookie before with httpd 2.2 and now I have a new Centos 7.7 
with httpd 2.4

I've included using 
https://manpages.debian.org/unstable/libapache2-authcookie-perl/Apache2_4::AuthCookie.3pm.en.html
 as an example


# In httpd.conf or .htaccess:
PerlModule Sample::Apache2::AuthCookieHandler
PerlSetVar WhatEverPath / .

to my ssl.conf file

No changes made to httpd.conf or ssl.conf.

When trying to access the page I get the errors above.

I've read this 
https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod
which unfortunately doesn't make sense to me.

Does someone have a smple working example?


Terveisin/Regards

Scott Alexander

Tel. +358 (0)50 411 9556

scott.alexan...@humak.fi

Apache2::AuthCookie - semantics of WhatEverPath parameter?

[Jim Garrison]

Every example for Apache2::AuthCookie shows

...
WhatEverPath /
...

but I can find nothing that explains what the value "/" represents.
Is it a URI?  Later in the sample configs we see URIs to which
protection applies are defined by  or  tags,

How does the value of this parameter affect the behavior of AuthCookie,
and under what circumstances would its value not be "/"?

Thanks

-- 
Jim Garrison (j...@acm.org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88

Re: Apache2:AuthCookie With httpd 2.4

[Edward J. Sabol]

On May 11, 2020, at 8:58 AM, Scott Alexander  wrote:
> I've included using 
> https://manpages.debian.org/unstable/libapache2-authcookie-perl/Apache2_4::AuthCookie.3pm.en.html
>  as an example 
> 
> # In httpd.conf or .htaccess:
> PerlModule Sample::Apache2::AuthCookieHandler
> PerlSetVar WhatEverPath / . 
> 
> to my ssl.conf file
> 
> No changes made to httpd.conf or ssl.conf.

Those two statements seem to be conflicting? I keep my 
authentication/authorization information in httpd.conf, personally.

> When trying to access the page I get the errors above. 

That sample configuration from the POD assumes that you are subclassing 
Apache2::AuthCookie and that the name of your subclass is 
Sample::Apache2::AuthCookieHandler. It's meant to be illustrative. I'm guessing 
you don't actually have such a subclass. Try just removing the "Sample::" part. 
You can probably also find working examples in the tests in the "t" 
subdirectory.

> I've read this 
> https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod
> which unfortunately doesn't make sense to me. 

That POD is meant for people developing (or porting from Apache 2.2.x) their 
own Perl modules for doing authentication and authorization under Apache 2.4.x. 
AuthCookie already handles all of this for you, assuming you only need or use 
AuthCookie. It might apply if you are subclassing from AuthCookie and you get 
into the gritty details, such as implementing your own AuthzProvider. Check out 
Apache2_4::AuthCookieDBI for an example of that.

https://metacpan.org/pod/Apache2_4::AuthCookieDBI

Regards,
Ed

Re: Apache2:AuthCookie With httpd 2.4

[Scott Alexander]

Hi,

Thanks for your answer, but for me this is confusing.

I have

Apache2_4::AuthCookie is up to date. (3.30)
Apache2::AuthCookie is up to date. (3.30)
Server version: Apache/2.4.6 (CentOS)
Server built:   Apr  2 2020 13:13:23

at the end of /etc/httpd/conf.d/ssl.conf there is include 
/systems/achilles/config/mine_auth_cookie_mod_perl_server_apache2.conf

my @inc has /systems/achilles/lib
and I have /systems/achilles/lib/Apache2/AuthCookieHandler.pm
and /systems/achilles/lib/Apache2_4/AuthCookieHandler.pm

in both AuthCookieHandler.pm I've renamed the package line to eg
package Apache2_4::AuthCookieHandler;


In the directory I want to protect should I have

AuthType Apache2::AuthCookieHandler
AuthName WhatEver
PerlAuthenHandler Apache2::AuthCookieHandler->authenticate
Require valid-user

or

AuthType Apache2_4::AuthCookieHandler
AuthName WhatEver
PerlAuthenHandler Apache2_4::AuthCookieHandler->authenticate
Require valid-user

And then what subs/methods I need to add into which AuthCookieHandler.pm ?

in startup.pl should I have both or just one?

use Apache2::AuthCookie ;
use Apache2_4::AuthCookie ;

I am not porting from 2.2. I have used Shibboleth until now to protect 
directories but this project I can not use Shibboleth.



Terveisin/Regards

Scott Alexander

scott.alexan...@humak.fi<mailto:scott.alexan...@humak.fi>


From: Edward J. Sabol 
Sent: 12 May 2020 00:58
To: Scott Alexander 
Cc: mod_perl list 
Subject: Re: Apache2:AuthCookie With httpd 2.4

On May 11, 2020, at 8:58 AM, Scott Alexander  wrote:
> I've included using 
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmanpages.debian.org%2Funstable%2Flibapache2-authcookie-perl%2FApache2_4%3A%3AAuthCookie.3pm.en.html&data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&sdata=XwSR%2FO7jCwZrZLuYRSWWhp%2Fwz7tCtWkCzjs0fTRTIDk%3D&reserved=0
>  as an example
>
> # In httpd.conf or .htaccess:
> PerlModule Sample::Apache2::AuthCookieHandler
> PerlSetVar WhatEverPath / .
>
> to my ssl.conf file
>
> No changes made to httpd.conf or ssl.conf.

Those two statements seem to be conflicting? I keep my 
authentication/authorization information in httpd.conf, personally.

> When trying to access the page I get the errors above.

That sample configuration from the POD assumes that you are subclassing 
Apache2::AuthCookie and that the name of your subclass is 
Sample::Apache2::AuthCookieHandler. It's meant to be illustrative. I'm guessing 
you don't actually have such a subclass. Try just removing the "Sample::" part. 
You can probably also find working examples in the tests in the "t" 
subdirectory.

> I've read this 
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2Fdistribution%2FApache-AuthCookie%2FREADME.apache-2.4.pod&data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&sdata=SyqV%2FQzJyud4W6ENIgEY9nk%2F9uBzBGf7p6gmShAqivc%3D&reserved=0
> which unfortunately doesn't make sense to me.

That POD is meant for people developing (or porting from Apache 2.2.x) their 
own Perl modules for doing authentication and authorization under Apache 2.4.x. 
AuthCookie already handles all of this for you, assuming you only need or use 
AuthCookie. It might apply if you are subclassing from AuthCookie and you get 
into the gritty details, such as implementing your own AuthzProvider. Check out 
Apache2_4::AuthCookieDBI for an example of that.

https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2FApache2_4%3A%3AAuthCookieDBI&data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&sdata=ew5g7VpZFmfs%2FHN9NAdA9YqHtLY11o36UBl9ljp0zN0%3D&reserved=0

Regards,
Ed

Re: Apache2:AuthCookie With httpd 2.4

[tomcat/perl]

Hi.
Just some tips, to simplify the issue, below in the text :


On 14.05.2020 06:09, Scott Alexander wrote:

Hi,

Thanks for your answer, but for me this is confusing.

I have

Apache2_4::AuthCookie is up to date. (3.30)
Apache2::AuthCookie is up to date. (3.30)   <--- you do not need this with 
Apache 2.4
Server version: Apache/2.4.6 (CentOS)
Server built:   Apr  2 2020 13:13:23

at the end of /etc/httpd/conf.d/ssl.conf there is include 
/systems/achilles/config/mine_auth_cookie_mod_perl_server_apache2.conf


my @inc has /systems/achilles/lib
and I have /systems/achilles/lib/Apache2/AuthCookieHandler.pm
and /systems/achilles/lib/Apache2_4/AuthCookieHandler.pm

in both AuthCookieHandler.pm I've renamed the package line to eg
package Apache2_4::AuthCookieHandler;


In the directory I want to protect should I have



Not with Apache 2.4 :


AuthType Apache2::AuthCookieHandler
AuthName WhatEver
PerlAuthenHandler Apache2::AuthCookieHandler->authenticate
Require valid-user

or



this is what you need with Apache 2.4 :


AuthType Apache2_4::AuthCookieHandler
AuthName WhatEver
PerlAuthenHandler Apache2_4::AuthCookieHandler->authenticate
Require valid-user

And then what subs/methods I need to add into which AuthCookieHandler.pm ?

in startup.pl should I have both or just one?




use Apache2::AuthCookie ;  <-- you do not need this
use Apache2_4::AuthCookie ; <-- this is correct for Apache 2.4



I am not porting from 2.2. I have used Shibboleth until now to protect directories but 
this project I can not use Shibboleth.




And how exactly do you want the user to authenticate ? via a login page where they enter 
their id and password ?

And what is the way in which you are going to check that these id and password 
are correct ?
(in other words : where are the user ids and passwords stored ?)
And how many different users are you planning to have ?





Terveisin/Regards
**
*Scott Alexander*

scott.alexan...@humak.fi <mailto:scott.alexan...@humak.fi>

--
*From:* Edward J. Sabol 
*Sent:* 12 May 2020 00:58
*To:* Scott Alexander 
*Cc:* mod_perl list 
*Subject:* Re: Apache2:AuthCookie With httpd 2.4
On May 11, 2020, at 8:58 AM, Scott Alexander  wrote:
I've included using https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmanpages.debian.org%2Funstable%2Flibapache2-authcookie-perl%2FApache2_4%3A%3AAuthCookie.3pm.en.html&data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&sdata=XwSR%2FO7jCwZrZLuYRSWWhp%2Fwz7tCtWkCzjs0fTRTIDk%3D&reserved=0 

as an example


# In httpd.conf or .htaccess:
PerlModule Sample::Apache2::AuthCookieHandler
PerlSetVar WhatEverPath / . 


to my ssl.conf file

No changes made to httpd.conf or ssl.conf.


Those two statements seem to be conflicting? I keep my authentication/authorization 
information in httpd.conf, personally.


When trying to access the page I get the errors above. 


That sample configuration from the POD assumes that you are subclassing 
Apache2::AuthCookie and that the name of your subclass is 
Sample::Apache2::AuthCookieHandler. It's meant to be illustrative. I'm guessing you don't 
actually have such a subclass. Try just removing the "Sample::" part. You can probably 
also find working examples in the tests in the "t" subdirectory.



I've read this 
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2Fdistribution%2FApache-AuthCookie%2FREADME.apache-2.4.pod&data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&sdata=SyqV%2FQzJyud4W6ENIgEY9nk%2F9uBzBGf7p6gmShAqivc%3D&reserved=0
which unfortunately doesn't make sense to me. 


That POD is meant for people developing (or porting from Apache 2.2.x) their own Perl 
modules for doing authentication and authorization under Apache 2.4.x. AuthCookie already 
handles all of this for you, assuming you only need or use AuthCookie. It might apply if 
you are subclassing from AuthCookie and you get into the gritty details, such as 
implementing your own AuthzProvider. Check out Apache2_4::AuthCookieDBI for an example of 
that.


https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2FApache2_4%3A%3AAuthCookieDBI&data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&sdata=ew5g7VpZFmfs%2FHN9NAdA9YqHtLY11o36UBl9ljp0zN0%3D&reserved=0

Regards,
Ed

Re: Apache2:AuthCookie With httpd 2.4

[Scott Alexander]

HI,

Users will login via a form.

Users and their passwords are saved to a mysql database. Getting a hadle to teh 
db and checking is fine.

Expected users about 500.

I understand I must make a

sub authen_cred which creates a session key

and

sub authen_ses_key to find user from session and return it.

is the sub authenticate what looks for a user and if no user returns what?


Then in /systems/achilles/lib/Apache2_4/AuthCookieHandler.pm

I have a sub authenticate but what should I return now in ssl_error_log I get 
"No authentication done but request not allowed without authentication for "

If I remove sub authenticate then I get a 403 forbidden and none of the other 
subs get called.

package Apache2_4::AuthCookieHandler;

use strict;
use Apache2::AuthCookieHandler;
use Apache2::Const qw(AUTHZ_DENIED_NO_USER);
use Apache2::RequestRec;
use Apache::AuthCookie::Util qw(is_blank);
use vars qw(@ISA);

@ISA = qw(Apache2::AuthCookieHandler);

my %Dwarves = map { $_ => 1 }
qw(bashful doc dopey grumpy happy sleepy sneezy programmer);

# authz under apache 2.4 is very different from previous versions
sub dwarf {
my ($self, $r) = @_;

$r->server->log_error("dwarf entry");
my $user = $r->user;
if (is_blank($user)) {
$r->server->log_error("No user authenticted yet");
return Apache2::Const::AUTHZ_DENIED_NO_USER;
}
elsif (defined $Dwarves{$user}) {
$r->server->log_error("$user is a dwarf");
return Apache2::Const::AUTHZ_GRANTED;
}
else {
$r->server->log_error("$user is not a dwarf");
return Apache2::Const::AUTHZ_DENIED;
}
}

sub authenticate {
my $self = shift;
my $r = shift;

$r->server->log_error("LINE 42 2.4");


return WHAT HERE ?
}

sub login {
my $self = shift;
my $r = shift;

$r->server->log_error("LINE 53 2.4");

}

1;


Terveisin/Regards

Scott Alexander


scott.alexan...@humak.fi<mailto:scott.alexan...@humak.fi>

____
From: André Warnier (tomcat/perl) 
Sent: 14 May 2020 14:40
To: modperl@perl.apache.org 
Subject: Re: Apache2:AuthCookie With httpd 2.4

Hi.
Just some tips, to simplify the issue, below in the text :


On 14.05.2020 06:09, Scott Alexander wrote:
> Hi,
>
> Thanks for your answer, but for me this is confusing.
>
> I have
>
> Apache2_4::AuthCookie is up to date. (3.30)
> Apache2::AuthCookie is up to date. (3.30)   <--- you do not need this with 
> Apache 2.4
> Server version: Apache/2.4.6 (CentOS)
> Server built:   Apr  2 2020 13:13:23
>
> at the end of /etc/httpd/conf.d/ssl.conf there is include
> /systems/achilles/config/mine_auth_cookie_mod_perl_server_apache2.conf
>
> my @inc has /systems/achilles/lib
> and I have /systems/achilles/lib/Apache2/AuthCookieHandler.pm
> and /systems/achilles/lib/Apache2_4/AuthCookieHandler.pm
>
> in both AuthCookieHandler.pm I've renamed the package line to eg
> package Apache2_4::AuthCookieHandler;
>
>
> In the directory I want to protect should I have
>

Not with Apache 2.4 :

> AuthType Apache2::AuthCookieHandler
> AuthName WhatEver
> PerlAuthenHandler Apache2::AuthCookieHandler->authenticate
> Require valid-user
>
> or
>

this is what you need with Apache 2.4 :

> AuthType Apache2_4::AuthCookieHandler
> AuthName WhatEver
> PerlAuthenHandler Apache2_4::AuthCookieHandler->authenticate
> Require valid-user
>
> And then what subs/methods I need to add into which AuthCookieHandler.pm ?
>
> in startup.pl should I have both or just one?
>

> use Apache2::AuthCookie ;  <-- you do not need this
> use Apache2_4::AuthCookie ; <-- this is correct for Apache 2.4
>

> I am not porting from 2.2. I have used Shibboleth until now to protect 
> directories but
> this project I can not use Shibboleth.
>

And how exactly do you want the user to authenticate ? via a login page where 
they enter
their id and password ?
And what is the way in which you are going to check that these id and password 
are correct ?
(in other words : where are the user ids and passwords stored ?)
And how many different users are you planning to have ?


>
>
> Terveisin/Regards
> **
> *Scott Alexander*
>
> scott.alexan...@humak.fi <mailto:scott.alexan...@humak.fi>
>
> --
> *From:* Edward J. Sabol 
> *Sent:* 12 May 2020 00:58
> *To:* Scott Alexander 
> *Cc:* mod_perl list 
> *Subject:* Re: Apache2:AuthCookie With httpd 2.4
> On May 11, 2020, at 8:58 AM, Scott Alexander  wrote:
>> I've included using 
>> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmanpages.debian.org%2Funstable%2Flibapache2-authcookie-perl%2F

ANNOUNCE: Apache::AuthCookie, Apache2::AuthCookie 3.11

[Michael Schout]

The uploaded file

Apache-AuthCookie-3.11.tar.gz

has entered CPAN as

  file: $CPAN/authors/id/M/MS/MSCHOUT/Apache-AuthCookie-3.11.tar.gz
  size: 35827 bytes
   md5: 536ad77c61eaafe1ef152ccdfcdbdbd2

Changes:

Version: 3.11
   - Fix tiny pod doc error.
   - Escape CR and LF in 'destination' field to prevent possible XSS
 attack [Steffen Schwigon]

Re: Apache2::AuthCookie - semantics of WhatEverPath parameter?

[Jim Garrison]

On 7/27/2015 10:30 AM, Jim Garrison wrote:
> Every example for Apache2::AuthCookie shows
> 
> ...
> WhatEverPath /
> ...
> 

That should of course be

PerlSetVar WhatEverPath /

-- 
Jim Garrison (j...@acm.org)
PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88

Re: Apache2::AuthCookie - semantics of WhatEverPath parameter?

[Steve van der Burg]

It is the path part of a URL.  The HTML Cookie specification defines it, and 
this is AuthCookie's way of letting you set it.

If the request domain + path doesn't match those set in the cookie, then the 
browser won't send the cookie to the server.

When using cookies for non-auth purposes, there are lots of cases where you 
would want something more specific than / (to set a preference specific to an 
add at some.web.site/some/app, for example).  You're right that, for auth, it's 
hard to imagine when you wouldn't want to just leave it as /.

...Steve


-- 
Steve van der Burg
Information Technology Services
London Health Sciences Centre
& St. Joseph's Health Care London
(519) 685-8500 ext 35559
steve.vanderb...@lhsc.on.ca

Jim Garrison  wrote:
> Every example for Apache2::AuthCookie shows
> 
> ...
> WhatEverPath /
> ...
> 
> but I can find nothing that explains what the value "/" represents.
> Is it a URI?  Later in the sample configs we see URIs to which
> protection applies are defined by  or  tags,
> 
> How does the value of this parameter affect the behavior of AuthCookie,
> and under what circumstances would its value not be "/"?
> 
> Thanks
> 
> -- 
> Jim Garrison (j...@acm.org)
> PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88

 

This information is directed in confidence solely to the person named above and 
may contain confidential and/or privileged material. This information may not 
otherwise be distributed, copied or disclosed. If you have received this e-mail 
in error, please notify the sender immediately via a return e-mail and destroy 
original message. Thank you for your cooperation.

Re: Apache2::AuthCookie - semantics of WhatEverPath parameter?

[Vincent Veyron]

On Mon, 27 Jul 2015 10:30:11 -0700
Jim Garrison  wrote:

> Every example for Apache2::AuthCookie shows
> 
> ...
> WhatEverPath /
> ...
> 
> but I can find nothing that explains what the value "/" represents.
> Is it a URI?  Later in the sample configs we see URIs to which
> protection applies are defined by  or  tags,
> 
> How does the value of this parameter affect the behavior of AuthCookie,
> and under what circumstances would its value not be "/"?
> 

It's a path; see :

https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path


-- 
Salutations, Vincent Veyron 

https://legalcase.libremen.com/ 
Legal case, contract and insurance claim management software

Re: Apache2::AuthCookie - semantics of WhatEverPath parameter?

[Michael Schout]

On 7/27/15 12:30 PM, Jim Garrison wrote:
> Every example for Apache2::AuthCookie shows
> 
> ...
> WhatEverPath /
> ...

AuthCookie maintainer here.

Its the path that will be sent in the HTTP Cookie.

As already mentioned by others is the path component of the cookie.

If you set a cookie with path=/foo for example, that cookie is only
supposed to be sent by the client for urls that begin with /foo.

For example if you have a directory called /secure, and you only require
AuthCookie authentication to access urls under this directory, you might
set the path to /secure

Regards,
Michael Schout

Information on using Apache2::AuthCookie with httpd 2.4

[Scott Alexander]

Hi,


I'm moving from Centos 6 to Centos 7, httpd is 2.4.6


Trying to get

Apache2::AuthCookie to work with my module for authentication.


I've seen one message about useful information in the debian file

/usr/share/doc/libapache2-authcookie-perl/README.apache-2.4


Does anyone have that? Any other pointers would be greatly appreciated.


I'm getting in my error log file


No authentication done but request not allowed without authentication for 
loginscript Authentication not configured?


Terveisin/Regards

Scott Alexander
Järjestelmäasiantuntija  Systems Specialist

HUMAK
Humanistinen ammattikorkeakoulu
University of Applied Sciences
www.humak.fi<http://www.humak.fi/>

Tel. +358 (0)50 411 9556
scott.alexan...@humak.fi<mailto:scott.alexan...@humak.fi>

Apache2::AuthCookie, $r->prev not defined in subrequests

[Vegard Vesterheim]

I have encountered a problem with Apache2::AuthCookie (version
3.10). I have created a module which inherits from
Apache2::AuthCookie, and configured a PerlAuthenHandler and a
PerlAuthzHandler for a given Location.

File requests works ok, but not directory requests, I suspect this is
related to apache issuing subrequests. (When a client visits
directories, mod_dir kicks in to resolve this, (using DirectoryIndex)
into a suitable index file (typically index.html)).

The problem I encounter is that the authenticated user is not
propagated into to the subrequest, so my auth-handler can not do its
job. The following code is from Apache2::AuthCookie.pm:

unless ($r->is_initial_req) {
if (defined $r->prev) {
# we are in a subrequest.  Just copy user from previous request.
$r->user( $r->prev->user );

I observe that $r->is_initial_req is false (as it should be), but
$r->prev is undefined, so the authenticated user is not copied into
the request record. I have verified that the authenticated username
is available via $r->main->user. 

Why does $r->prev return undef in this case?

Would it be ok to copy the autenticated username from $r->main->user
instead here?

 - Vegard -

Re: Information on using Apache2::AuthCookie with httpd 2.4

[Lathan Bidwell]

On Tue, Oct 21, 2014 at 2:37 AM, Scott Alexander 
wrote:

>  Hi,
>
>
>  I'm moving from Centos 6 to Centos 7, httpd is 2.4.6
>
>
>  Trying to get
>
> Apache2::AuthCookie to work with my module for authentication.
>
>
> Hello Scott,

You are not alone. with 2.4, you have to relearn all the quirks in the
configuration from when you first started using mod perl v2.


>  I've seen one message about useful information in the debian file
>
> /usr/share/doc/libapache2-authcookie-perl/*README.apache-2.4*
>
>
>  Does anyone have that? Any other pointers would be greatly appreciated.
>
Did you install it via a package manager or download source from the
AuthCookie github?

You can find that file here:
https://github.com/mschout/apache-authcookie/tree/httpd24


>
>  I'm getting in my error log file
>
>
>  No authentication done but request not allowed without authentication
> for loginscript Authentication not configured?
>
>
> Yah, the configuration is quite tricky.

Basically, this error is saying that the authentication is required, but
the handlers didn't run properly, or weren't configured properly .

Here is an example that I have:

PerlAddAuthzProvider user Apache2::AuthCookie24->authz_handler

  PerlAuthenHandler Apache2::AuthCookie24->authenticate
  AuthName LDAPLogin
  AuthType Apache2::AuthCookie24
  require group admins

  set perl handler 



   Terveisin/Regards
>
> *Scott Alexander*
> Järjestelmäasiantuntija  Systems Specialist
>
> HUMAK
> Humanistinen ammattikorkeakoulu
> University of Applied Sciences
> www.humak.fi
>
> Tel. +358 (0)50 411 9556
> scott.alexan...@humak.fi
>

Re: Information on using Apache2::AuthCookie with httpd 2.4

[Scott Alexander]

HI,


Okay thanks for your help. In the end I decided to remove centos 7.0 and go for 
6.5.


6.5 has httpd 2.2.


Regards
 Scott
<mailto:scott.alexan...@humak.fi>

From: Lathan Bidwell 
Sent: 21 October 2014 18:21
To: mod_perl list
Subject: Re: Information on using Apache2::AuthCookie with httpd 2.4

On Tue, Oct 21, 2014 at 2:37 AM, Scott Alexander 
mailto:scott.alexan...@humak.fi>> wrote:

Hi,


I'm moving from Centos 6 to Centos 7, httpd is 2.4.6


Trying to get

Apache2::AuthCookie to work with my module for authentication.


Hello Scott,

You are not alone. with 2.4, you have to relearn all the quirks in the 
configuration from when you first started using mod perl v2.


I've seen one message about useful information in the debian file

/usr/share/doc/libapache2-authcookie-perl/README.apache-2.4


Does anyone have that? Any other pointers would be greatly appreciated.

Did you install it via a package manager or download source from the AuthCookie 
github?

You can find that file here:
https://github.com/mschout/apache-authcookie/tree/httpd24



I'm getting in my error log file


No authentication done but request not allowed without authentication for 
loginscript Authentication not configured?


Yah, the configuration is quite tricky.

Basically, this error is saying that the authentication is required, but the 
handlers didn't run properly, or weren't configured properly .

Here is an example that I have:

PerlAddAuthzProvider user Apache2::AuthCookie24->authz_handler

  PerlAuthenHandler Apache2::AuthCookie24->authenticate
  AuthName LDAPLogin
  AuthType Apache2::AuthCookie24
  require group admins

  set perl handler 


Terveisin/Regards

Scott Alexander
Järjestelmäasiantuntija  Systems Specialist

HUMAK
Humanistinen ammattikorkeakoulu
University of Applied Sciences
www.humak.fi<http://www.humak.fi/>

Tel. +358 (0)50 411 9556
scott.alexan...@humak.fi<mailto:scott.alexan...@humak.fi>

Re: Information on using Apache2::AuthCookie with httpd 2.4

[Michael Schout]

Hi,

AuthCookie maintainer here.

Basically I wouldn't advise deploying mod_perl against httpd 2.4 at this
time.  There is still no official mod_perl release that supports apache
2.4.  In addition, the authorization API has been completely rewritten
in apache 2.4, which means that all of your authcookie subclasses will
need to be updated as well.

As Lathan has already mentioned, there is alpha support for this
available in the git tree if you really want to try, but if I were you,
I'd still with apache 2.2 at least until there is a stable mod_perl
available for apache 2.4.

Regards,
Michael Schout

[Rusonyx #1409052]: Re: Apache2::AuthCookie - semantics of WhatEverPath parameter?

[Rusonyx Support Team]

Michael Schout,

Вы написали в компанию Русоникс и это письмо является автоматическим
подтверждением того, что Ваша заявка поступила в очередь на обработку.
Мы ответим на Ваш запрос по возможности максимально быстро.

ID Заявки: 1409052
Тема: Re: Apache2::AuthCookie - semantics of WhatEverPath parameter?
Отдел: Support
Тип: Issue
Статус: Open
Приоритет: Medium
С уважением
ООО Русоникс
www.rusonyx.ru 

Rusonyx


--
Портал технической поддержки: https://support.rusonyx.ru/index.php?

Re: Apache2::AuthCookie, $r->prev not defined in subrequests

[Torsten Foertsch]

On Thu 10 Jan 2008, Vegard Vesterheim wrote:
> The problem I encounter is that the authenticated user is not
> propagated into to the subrequest, so my auth-handler can not do its
> job. The following code is from Apache2::AuthCookie.pm:
>
>     unless ($r->is_initial_req) {
>         if (defined $r->prev) {
>             # we are in a subrequest.  Just copy user from previous
> request.     $r->user( $r->prev->user );
>
> I observe that $r->is_initial_req is false (as it should be), but
> $r->prev is undefined, so the authenticated user is not copied into
> the request record. I have verified that the authenticated username
> is available via $r->main->user.
>
> Why does $r->prev return undef in this case?
>
> Would it be ok to copy the autenticated username from $r->main->user
> instead here?

yes.

is_initial_req() is literally the same as (!$r->main and !$r->prev), see 
server/request.c (httpd-source).

If $r->main is set the current req is a subrequest generated by lookup_uri() 
or lookup_file(). If $r->prev is set it is an internal redirect generated by 
internal_redirect() & co.

Torsten

Re: Apache2::AuthCookie, $r->prev not defined in subrequests

[Vegard Vesterheim]

On Thu, 10 Jan 2008 13:48:26 +0100 Torsten Foertsch <[EMAIL PROTECTED]> wrote:

> On Thu 10 Jan 2008, Vegard Vesterheim wrote:
>> The problem I encounter is that the authenticated user is not
>> propagated into to the subrequest, so my auth-handler can not do its
>> job. The following code is from Apache2::AuthCookie.pm:
>>
>>     unless ($r->is_initial_req) {
>>         if (defined $r->prev) {
>>             # we are in a subrequest.  Just copy user from previous
>> request.     $r->user( $r->prev->user );
>>
>> I observe that $r->is_initial_req is false (as it should be), but
>> $r->prev is undefined, so the authenticated user is not copied into
>> the request record. I have verified that the authenticated username
>> is available via $r->main->user.
>>
>> Why does $r->prev return undef in this case?
>>
>> Would it be ok to copy the autenticated username from $r->main->user
>> instead here?
>
> yes.
>
> is_initial_req() is literally the same as (!$r->main and !$r->prev), see 
> server/request.c (httpd-source).
>
> If $r->main is set the current req is a subrequest generated by lookup_uri() 
> or lookup_file(). If $r->prev is set it is an internal redirect generated by 
> internal_redirect() & co.

I see, so an internal redirect is a special case of a subrequest. I
have fixed my code to explicitly check for
$r->main->user and propagate the username into the running 
subrequest. My problem is now solved. Thank you.

Whether a similar change should be made in modules like
Apache2::AuthCookie is still unclear to me. Is this to be considered a
bug? I guess the behaviour could be made configurable.

BTW, I find it useful to have auth-handlers also run during
subrequests, because I can use this to filter the display of links. If
a logged-in user will be refused access to a URL, I can suppress the
link in the first place. I can do this by calling lookup_uri behind
the scenes and checking the status code.

 - Vegard V -

Problem with Apache2::AuthCookie and Apache 2.4: "failed to resolve handler"

[Brian Candler]

I have code which works with apache 2.2 but not apache 2.4, and I have 
boiled this down to a simple reproducing test case.


It works with: Ubuntu 12.04 (apache 2.2.22, mod_perl 2.0.5, 
Apache2::AuthCookie 3.18)
It does not work with: Ubuntu 14.04 (apache 2.4.7, mod_perl 2.0.8, 
Apache2::AuthCookie 3.20)


The second setup gives the following in the error log:

failed to resolve handler Example::AuthHandler

when trying to access a page under /testsite/protected/ *after* you have 
successfully logged in. If you go to /testsite/logout.html to clear the 
cookie, and then to /testsite/protected/, it still displays the 
login page successfully.


The test case is so small that I've reproduced it entirely inline below. 
You can also get it as a 1.5KB tar bundle from 
https://osl.uoregon.edu/redmine/attachments/download/155/authcookiesite.tgz


I see some fairly old reports here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666837
https://rt.cpan.org/Public/Bug/Display.html?id=85832

however from the first link, it *looks* like all this should be working 
with Debian (and hence Ubuntu 14.04 recently derived from it).


I notice that there is a newer version of Apache2::AuthCookie (3.22) 
available, so I installed that from CPAN. But this changes the error to:


[Wed Jun 25 13:35:26.054231 2014] [perl:error] [pid 17668] [client 
10.0.2.2:50801] Can't locate object method "requires" via package 
"Apache2::RequestRec" at 
/usr/local/share/perl/5.18.2/Apache2/AuthCookie.pm line 388.\n, referer: 
http://localhost:8013/testsite/protected/example.html


and indeed, I see no 'requires' member in 
http://perl.apache.org/docs/2.0/api/Apache2/RequestRec.html


Does anybody have any clues they can pass on?

Many thanks,

Brian Candler.

(Code assumes it's unpacked under /var/tmp; if it's somewhere else then 
change the first line of testsite.conf and setup.pl as appropriate)


==> testsite.conf <==
PerlRequire /var/tmp/setup.pl
PerlModule Example::TestSite
PerlModule Example::AuthHandler
PerlSetVar TestAuthPath /testsite
PerlSetVar TestAuthLoginScript /testsite/login.html


  ### To recognize logged-in users even outside of protected area:
  #AuthType Example::AuthHandler
  #AuthName TestAuth
  SetHandler perl-script
  PerlResponseHandler Example::TestSite



  AuthType Example::AuthHandler
  AuthName TestAuth
  PerlAuthenHandler Example::AuthHandler->authenticate
  PerlAuthzHandler Example::AuthHandler->authorize
  Require valid-user



  AuthType Example::AuthHandler
  AuthName TestAuth
  PerlResponseHandler Example::AuthHandler->login



  AuthType Example::AuthHandler
  AuthName TestAuth



==> setup.pl <==
use lib qw(/var/tmp);
1;

==> Example/TestSite.pm <==
package Example::TestSite;
use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::RequestIO ();
use Apache2::Const -compile => qw(OK);
use Example::AuthHandler ();

sub handler {
  my $r = shift;
  $r->content_type('text/html');
  $r->status(200);
  $r->print(<

General |
Protected |
Logout

EOS
  if ($r->uri() eq '/testsite/login.html') {
$r->print(<Please login:




value="/testsite/protected/success.html" />



EOS
  }
  elsif ($r->uri() eq '/testsite/logout.html') {
$r->auth_type->logout($r);
$r->print("You are logged out, goodbye");
  }
  else {
$r->print("Hello, uri is " . $r->uri() . "\n"); # FIXME: 
escape html

if ($r->user) {
  $r->print("You are logged in as " . $r->user . "\n");
}
else {
  Example::AuthHandler->recognize_user($r);
  if ($r->user) {
    $r->print("(Not protected but I recognize you as ". $r->user 
. ")\n");

  }
}
  }
  $r->print(<
EOS
  return Apache2::Const::OK;
}

1;

==> Example/AuthHandler.pm <==
package Example::AuthHandler;
use base qw(Apache2::AuthCookie);

sub authen_cred ($$\@) {
  my $self = shift;  # Package name (same as AuthName directive)
  my $r= shift;  # Apache request object
  my @cred = @_; # Credentials from login form

  if ($cred[0] eq 'foo' && $cred[1] eq 'bar') {
return 'abcd1234';
  }
  return undef;
}

sub authen_ses_key ($$$) {
  my ($self, $r, $session_key) = @_;
  if ($session_key eq 'abcd1234') {
return 'foo';
  }
  return undef;
}

1;

Re: Problem with Apache2::AuthCookie and Apache 2.4: "failed to resolve handler"

[Brian Candler]

On 25/06/2014 13:41, Brian Candler wrote:
I notice that there is a newer version of Apache2::AuthCookie (3.22) 
available, so I installed that from CPAN. But this changes the error to:


[Wed Jun 25 13:35:26.054231 2014] [perl:error] [pid 17668] [client 
10.0.2.2:50801] Can't locate object method "requires" via package 
"Apache2::RequestRec" at 
/usr/local/share/perl/5.18.2/Apache2/AuthCookie.pm line 388.\n, 
referer: http://localhost:8013/testsite/protected/example.html


and indeed, I see no 'requires' member in 
http://perl.apache.org/docs/2.0/api/Apache2/RequestRec.html



Based on git://github.com/mschout/apache-authcookie.git
and "git diff v3.20 v3.22" I'd say that that 3.22 was little more than 
reverting 3.21


The CPAN and github versions of 3.22 are very similar (minor differences 
in POD sections)


but diff -u /usr/share/perl5/Apache2/AuthCookie.pm 
/usr/local/share/perl/5.18.2/Apache2/AuthCookie.pm

shows that Ubuntu's version is very different to the CPAN/github one.

I'm stumped now.

Re: Problem with Apache2::AuthCookie and Apache 2.4: "failed to resolve handler"

[Brian Candler]

OK I have it. The Debian-supplied version of Apache2::AuthCookie *does* 
have the patches from the httpd24 branch of authcookie, and the 
documentation for how to use it is in 
/usr/share/doc/libapache2-authcookie-perl/README.apache-2.4


My testsite can be made to work like this:

--- testsite.conf.orig2014-06-25 14:16:51.365038932 +0100
+++ testsite.conf2014-06-25 14:20:29.974486565 +0100
@@ -3,6 +3,7 @@
 PerlModule Example::AuthHandler
 PerlSetVar TestAuthPath /testsite
 PerlSetVar TestAuthLoginScript /testsite/login.html
+PerlAddAuthzProvider user Example::AuthHandler->authz_handler

 
   ### To recognize logged-in users even outside of protected area:
@@ -16,7 +17,6 @@
   AuthType Example::AuthHandler
   AuthName TestAuth
   PerlAuthenHandler Example::AuthHandler->authenticate
-  PerlAuthzHandler Example::AuthHandler->authorize
   Require valid-user
 

Unfortunately I'm now battling with Apache2::SiteControl, but that's a 
different ball game.


Sorry for the noise, but hopefully somebody finds this useful.

Regards,

Brian.

Re: Problem with Apache2::AuthCookie and Apache 2.4: "failed to resolve handler"

[André Warnier]

Brian Candler wrote:
OK I have it. The Debian-supplied version of Apache2::AuthCookie *does* 
have the patches from the httpd24 branch of authcookie, and the 
documentation for how to use it is in 
/usr/share/doc/libapache2-authcookie-perl/README.apache-2.4


Very useful information, thanks for sharing it.



My testsite can be made to work like this:

--- testsite.conf.orig2014-06-25 14:16:51.365038932 +0100
+++ testsite.conf2014-06-25 14:20:29.974486565 +0100
@@ -3,6 +3,7 @@
 PerlModule Example::AuthHandler
 PerlSetVar TestAuthPath /testsite
 PerlSetVar TestAuthLoginScript /testsite/login.html
+PerlAddAuthzProvider user Example::AuthHandler->authz_handler

 
   ### To recognize logged-in users even outside of protected area:
@@ -16,7 +17,6 @@
   AuthType Example::AuthHandler
   AuthName TestAuth
   PerlAuthenHandler Example::AuthHandler->authenticate
-  PerlAuthzHandler Example::AuthHandler->authorize
   Require valid-user
 

Unfortunately I'm now battling with Apache2::SiteControl, but that's a 
different ball game.


Sorry for the noise, but hopefully somebody finds this useful.


Extremely.  I created a very specifc Auth/Authz module for Apache2.0/2.2, on the base of 
copying Apache2::AuthCookie instead of subclassing it (bad me, but the changes were so 
extensive that I was kinda forced to).  Your commented struggles - and their eventual 
solution - will definetely help me when the time comes to update this for 2.4.


Thanks for sharing.
André.