Re: [a bit OT] AuthCookieDBI and Apache 2.4
On 21.02.2019 00:01, Paul B. Henson wrote:
> On Wed, Feb 20, 2019 at 05:56:48PM -0500, Edward J. Sabol wrote:
>
>> Any pointers to a working AuthzProvider written in Perl (like for the "species" one) in your examples? It's not perfectly clear to me how to go about that.
>
> I wrote one for CAS auth a while back:
>
> https://github.com/pbhenson/Apache2-AuthCASpbh/blob/master/lib/Apache2/AuthCASpbh/Authz.pm

Nice example.

What I found a bit "jarring" when I ported my own auth/authz modules (*) to Apache 2.4, is this: with Apache 2.4,

1) the "authz" function is now called *first* (before any authentication module has been called - even non-perl add-on ones),
and
2) it *can* be called 2 or more times during the same request cycle
and
3) the "authz" function, in Apache 2.4, is much more "at the mercy" of whatever Authentication module is being called, and what it does precisely (e.g. /if/ and /when/ it sets $r->user)
and
4) the precise formulation (and imbrication) of the sections and directives is very important
and
5) there seems to be no real mod_perl-level (or even Apache-httpd-level) documentation available, which explains the above in a general context, rather than for any specific perl module.

A good explanation is provided by Michael Schout in https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod, and this should be "required reading" for anyone playing with AAA under Apache 2.4; but it is still somewhat oriented to the specific (and otherwise excellent, I never tire of repeating that) Apache2::AuthCookie module.

It would be good to integrate some version of this directly in the on-line mod_perl documentation, but it is a bit obscure how to go about that.

(*) sorry, not really in a shape or style where I would be willing to share them universally; but on a one-to-one base, I would not mind if anyone is interested.
Re: AuthCookieDBI and Apache 2.4
On Wed, 20 Feb 2019 10:28:35 -0600 Michael Schout wrote:

> On 2/12/19 1:25 PM, Edward J. Sabol wrote:
>> I know AuthCookie has been updated by the magnificent Michael Schout to
>
> Thanks for the kind compliments Ed :).
>
> As for AuthCookieDBI, you may not even need to change it to use
> Apache2_4::AuthCookie base, as eventually I managed to get all of the
> changes needed to work together in Apache2::AuthCookie. I left
> Apache2_4::AuthCookie for historical reasons, and in case further issues
> came up that would require more changes that were 2.4 exclusive.

I registered a ticket against Apache2-AuthCookieDBI regarding this issue a long time ago:

https://rt.cpan.org/Public/Bug/Display.html?id=106663

We do not use this any longer. But, given that the ticket is still open, I wonder if this ticket could be closed, or at least commented upon.

--
- Vegard V -
Re: [a bit OT] AuthCookieDBI and Apache 2.4
On 2/21/19 3:41 AM, André Warnier (tomcat) wrote:

> 1) the "authz" function is now called *first* (before any authentication
> module has been called - even non-perl add-on ones),
> and
> 2) it *can* be called 2 or more times during the same request cycle
> and

Yes, and this allows you to do "Anonymous" authorization. If you don't want to do that, you simply do

    return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $r->user

at the top of your Authz provider. The second time the handler is called, $r->user will be set so that you can authorize "authenticated" users. But this is indeed one of the major things that confuses people when moving to 2.4.

Another common thing I've seen people do is return an invalid Apache2::Const value from an Authz provider. You must return one of a very specific list of values from the provider (See the README.apache-2.4 in AuthCookie which discusses this).

> 5) there seems to be no real mod_perl-level (or even Apache-httpd-level)
> documentation available, which explains the above in a general context,
> rather than for any specific perl module.
> A good explanation is provided by Michael Schout in
> https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod,

I pieced this together, if my memory is correct, from apache mailing list posts, as well as reading the source code of apache itself. I'm not sure I found any definitive guide on the changes when I did this, and it involved a good deal of research at the time.

I had hoped to see all of this codified into some kind of general mod_perl migration guide for Apache 2.4, similar to what happened when we all had to migrate from Apache 1.3 to Apache 2. Something similar to what is on perl.apache.org [1]. But I am unsure if that site is even maintained any longer.

Anyway, another example of an authz provider is in AuthCookie [2], where I re-implemented apache's core authz provider, before realizing it was not needed.

1: https://perl.apache.org/docs/2.0/user/porting/compat.html
2: https://github.com/mschout/apache-authcookie/blob/master/lib/Apache2_4/AuthCookie.pm#L18

Regards,
Michael Schout
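An added example, not part of the thread and not code from AuthCookie or AuthCASpbh: a minimal mod_perl authz provider following the pattern described in the message above (defer while $r->user is unset, and return only AUTHZ_* constants). The module name My::Authz, the provider name demo-group and the membership table are hypothetical, and it assumes a function-style handler is called with ($r, $require_args).

```perl
package My::Authz;    # hypothetical module name

use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::Const -compile => qw(
    AUTHZ_GRANTED AUTHZ_DENIED AUTHZ_DENIED_NO_USER
    AUTHZ_GENERAL_ERROR AUTHZ_NEUTRAL
);

# httpd.conf sketch (provider name "demo-group" is hypothetical):
#   PerlAddAuthzProvider demo-group My::Authz::demo_group
#   <Location /private>
#       # plus the AuthType/AuthName your authentication module needs
#       Require demo-group admins staff
#   </Location>

# Constructed sample data: group name => set of member user names.
my %MEMBERS = (
    admins => { alice => 1 },
    staff  => { alice => 1, bob => 1 },
);

# Assumption: mod_perl calls a function-style provider with the request
# object and the text that follows the provider name on the Require line.
sub demo_group {
    my ($r, $require_args) = @_;

    # First pass under Apache 2.4: authentication has not run yet, so
    # $r->user is undefined. Report "no user" instead of deciding; the
    # provider is called again once $r->user has been set.
    my $user = $r->user;
    return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $user;

    # A Require line that names no group is a configuration error;
    # fail closed with an explicit error status.
    my @groups = grep { length } split /\s+/, ($require_args // '');
    return Apache2::Const::AUTHZ_GENERAL_ERROR unless @groups;

    for my $group (@groups) {
        return Apache2::Const::AUTHZ_GRANTED
            if $MEMBERS{$group} && $MEMBERS{$group}{$user};
    }

    # Every exit path returns an AUTHZ_* value, never OK/DECLINED/HTTP codes.
    return Apache2::Const::AUTHZ_DENIED;
}

1;
```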
Re: [a bit OT] AuthCookieDBI and Apache 2.4
On 2/21/2019 9:46 AM, Michael Schout wrote:

> Another common thing I've seen people do is return an invalid Apache2::Const value from an Authz provider. You must return one of a

Yup, been there done that :).

> I pieced this together, if my memory is correct, from apache mailing list posts, as well as reading the source code of apache itself. I'm not sure I found any definitive guide on the changes when I did this, and it involved a good deal of research at the time.

Thanks much for putting that together, I found it an invaluable (and unique) resource in figuring out how that black box worked 8-/.
Re: AuthCookieDBI and Apache 2.4
On Feb 21, 2019, at 5:22 AM, Vegard Vesterheim wrote:

> I registered a ticket against Apache2-AuthCookieDBI regarding this issue
> a long time ago:
>
> https://rt.cpan.org/Public/Bug/Display.html?id=106663
>
> We do not use this any longer. But, given that the ticket is still open,
> I wonder if this ticket could be closed, or at least commented upon.

I don't think it should be closed until the issue is resolved. I've personally also filed an issue on the author's GitHub for this:

https://github.com/matisse/Apache-AuthCookieDBI/issues/2

The author did respond recently to that issue, but doesn't seem to be terribly interested in fixing it. If anyone wants to help collaborate on a pull request, however, maybe we can actually help resolve this.

Regards,
Ed