Re: [users@httpd] use cookie value as auth username
For the archives, should someone comes across this, the solution I found was to use mod_auth_env, which worked to set REMOTE_USER from a cookie value so AuthzDBDQuery could use that in the query. From my previous contrived example, it would look like: SetEnvIf Cookie "PHPSESSID=([^ ;]+)" phpsessid=$1 AuthType Env AuthEnvUser phpsessid < /IfModule> Require env phpsessid Require dbd-group foo # this now works, to set %s from PHPSESSID cookie: AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s" On Mon, 2018-10-01 at 18:10 -0600, Jesse Norell wrote: > I'm still interested in any ideas to try to set REMOTE_USER from a > cookie value. > > > AuthBasicFake sounds like it would work, but when I use it authz_dbd > still complains: > >AH00027: No authentication done but request not allowed without >authentication for /whatever/file.txt. Authentication not >configured? > > Does that sound like a bug/deficiency in AuthBasicFake? Ie. it > appears it didn't 'fake' authentication enough for an authorization > module to think that it had been configured. > > > mod_auth_env looks like it would work, but isn't packaged for debian > so doesn't work well for my needs (creating a tutorial for users to > follow after they've installed apache & modules from debian > packages). > > This patch looks like just the ticket, but isn't included upstream so > of course the same source/packaging issue as with mod_auth_env: > https://github.com/jkbzh/apache2_mod_authz_dbd > > If I can't find any other way I might have to just use mod_auth_env > (assuming it will work) and provide instructions for how to build and > install the .deb file, but I'd sure rather use stock modules. > > Thanks! > Jesse > > > On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote: > > Hello, > > > > I'm trying to use an authz_dbd query to authorize based on the > > value > > of a cookie (ie. if PHPSESSID cookie is set, a db query can test if > > it > > should be authorized). It seems the only parameter AUTHzDBDQuery > > will > > supply to the sql query is the username in place of %s; this could > > work > > if I could set what REMOTE_USER should be prior to the query > > running, > > but I haven't found a way to do so. Eg. here the username for the > > query is from the auth provider (anon), the SetEnv doesn't the > > query: > > > > > > AuthName "Name" > > AuthType Basic > > AuthBasicProvider anon > > > > Anonymous_NoUserID on > > Anonymous_MustGiveEmail off > > Anonymous anonymous "*" > > > > SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1 > > > > Require dbd-group foo > > > > # this will work, for any username entered in the browser: > > #AuthzDBDQuery "SELECT 'foo' FROM sys_session" > > > > # this does not work to obtain %s from PHPSESSID: > > AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = > > %s" > > > > > > > > I'm pretty sure I must convince apache to set a new REMOTE_USER > > (or > > httpd_username?) internal variable, not an environment variable, > > but > > I > > don't see how. If I don't specify any AuthType, or set it to None, > > the > > AuthzDBDQuery never runs and the error.log says it requires > > authentication but authentication is not set up. Any ideas are > > appreciated - thanks! > > > > I'm running 2.4.25-3+deb9u5 from debian stretch. > > > > Thanks, > > Jesse Norell > > -- Jesse Norell Kentec Communications, Inc. 970-522-8107 - www.kci.net - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] use cookie value as auth username
I'm still interested in any ideas to try to set REMOTE_USER from a cookie value. AuthBasicFake sounds like it would work, but when I use it authz_dbd still complains: AH00027: No authentication done but request not allowed without authentication for /whatever/file.txt. Authentication not configured? Does that sound like a bug/deficiency in AuthBasicFake? Ie. it appears it didn't 'fake' authentication enough for an authorization module to think that it had been configured. mod_auth_env looks like it would work, but isn't packaged for debian so doesn't work well for my needs (creating a tutorial for users to follow after they've installed apache & modules from debian packages). This patch looks like just the ticket, but isn't included upstream so of course the same source/packaging issue as with mod_auth_env: https://github.com/jkbzh/apache2_mod_authz_dbd If I can't find any other way I might have to just use mod_auth_env (assuming it will work) and provide instructions for how to build and install the .deb file, but I'd sure rather use stock modules. Thanks! Jesse On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote: > Hello, > > I'm trying to use an authz_dbd query to authorize based on the > value > of a cookie (ie. if PHPSESSID cookie is set, a db query can test if > it > should be authorized). It seems the only parameter AUTHzDBDQuery > will > supply to the sql query is the username in place of %s; this could > work > if I could set what REMOTE_USER should be prior to the query running, > but I haven't found a way to do so. Eg. here the username for the > query is from the auth provider (anon), the SetEnv doesn't the query: > > > AuthName "Name" > AuthType Basic > AuthBasicProvider anon > > Anonymous_NoUserID on > Anonymous_MustGiveEmail off > Anonymous anonymous "*" > > SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1 > > Require dbd-group foo > > # this will work, for any username entered in the browser: > #AuthzDBDQuery "SELECT 'foo' FROM sys_session" > > # this does not work to obtain %s from PHPSESSID: > AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s" > > > > I'm pretty sure I must convince apache to set a new REMOTE_USER (or > httpd_username?) internal variable, not an environment variable, but > I > don't see how. If I don't specify any AuthType, or set it to None, > the > AuthzDBDQuery never runs and the error.log says it requires > authentication but authentication is not set up. Any ideas are > appreciated - thanks! > > I'm running 2.4.25-3+deb9u5 from debian stretch. > > Thanks, > Jesse Norell > -- Jesse Norell Kentec Communications, Inc. 970-522-8107 - www.kci.net - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
[users@httpd] use cookie value as auth username
Hello, I'm trying to use an authz_dbd query to authorize based on the value of a cookie (ie. if PHPSESSID cookie is set, a db query can test if it should be authorized). It seems the only parameter AUTHzDBDQuery will supply to the sql query is the username in place of %s; this could work if I could set what REMOTE_USER should be prior to the query running, but I haven't found a way to do so. Eg. here the username for the query is from the auth provider (anon), the SetEnv doesn't the query: AuthName "Name" AuthType Basic AuthBasicProvider anon Anonymous_NoUserID on Anonymous_MustGiveEmail off Anonymous anonymous "*" SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1 Require dbd-group foo # this will work, for any username entered in the browser: #AuthzDBDQuery "SELECT 'foo' FROM sys_session" # this does not work to obtain %s from PHPSESSID: AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s" I'm pretty sure I must convince apache to set a new REMOTE_USER (or httpd_username?) internal variable, not an environment variable, but I don't see how. If I don't specify any AuthType, or set it to None, the AuthzDBDQuery never runs and the error.log says it requires authentication but authentication is not set up. Any ideas are appreciated - thanks! I'm running 2.4.25-3+deb9u5 from debian stretch. Thanks, Jesse Norell -- Jesse Norell Kentec Communications, Inc. 970-522-8107 - www.kci.net - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
