httpd-dev mailing list archives

From KaiGai Kohei <kai...@kaigai.gr.jp>
Subject Re: User/Realm order in AuthDBDUserRealmQuery (mod_authn_dbd)
Date Fri, 15 May 2009 22:47:03 GMT
Chris Darroch wrote:
> KaiGai Kohei wrote:
> 
>> But, I would like to set up the query as follows:
>>   AuthDBDUserRealmQuery \
>>       "SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount WHERE uname = %s"
>>                                   ^^ to be realm                                  ^^ to be user
>>
>> It seems to me we have no way to put the replacement of the given
>> realm prior to username. Am I missing anything?
> 
>   I don't think so ... unless there's some way to rewrite the query
> so the username is the first parameter, I don't see any option with
> the existing code.

Hmm...
In this case, the realm is only used in md5() and does not appear in the WHERE
clause, so it is hard to reorder them.

>> If we have no reasonable workaround, I would like to suggest a new
>> directive: AuthDBDRealmUserQuery which specifies a query for digest
>> authentication with realm and user parameters in this order?
>>
>> What's your opinion?
>>
>> # This is an aside. I would like to include a few additional conditions
>> # in the query, such as remote address and so on.
>> # For example, we can consider a web-user who can access via a certain
>> # network address (like, 192.168.1.0/24), described as:
>> #
>> # SELECT md5(password) FROM uaccount \
>> #     WHERE uname = %s AND unetwork >>= %s::inet;
> 
>   I wonder if we could keep the existing config directives but
> allow them to access an optional additional parameter (or set of
> parameters).  You could then write:
> 
> AuthDBDUserRealmQuery \
>    "SELECT %s FROM uaccount WHERE uname = %s AND foo = %s" \
>    R,u,a
> 
> where R,u,a meant realm, user, and remote IP address parameters
> were to be passed in that order.  (We'd likely want to follow
> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
> as much as possible for the available parameters.)  Just an idea
> at the moment ... alas, no matching implementation.  Sigh.  :-/

I think a new directive with format support is preferable, to
keep compatibility with the existing directives.

For example:
   AuthDBDUserRealmQueryFmt \
       "SELECT md5(uname || ':' || %R || ':' || upass) FROM uaccount \
            WHERE uname = %u AND uaddr >>= %a::inet"

When the directive is given, mod_authn_dbd can register the type and
order of the characters to be replaced. Then it can set them up as a parameter
list in the query execution phase.

Should I submit a patch to support the feature?

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>
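
The AuthDBDUserRealmQueryFmt idea sketched in the message above, as an added example that is not part of this thread or of mod_authn_dbd: a config-time pass records the order of the %R/%u/%a placeholders and rewrites the query with plain %s markers for the driver, and a request-time pass builds the argument list in that recorded order, so user, realm and address stay bound parameters instead of being spliced into the SQL. The function names, the struct and the three format letters are assumptions, not httpd code.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PARAMS 8

struct fmt_query {
    char sql[512];           /* query rewritten with plain %s placeholders */
    char order[MAX_PARAMS];  /* format letters in the order they appeared */
    int nparams;
};

/* Config-time: parse a query using the hypothetical %u (user), %R (realm)
   and %a (remote address) letters. "%%" yields a literal '%'. Returns 0 on
   success, -1 on an unknown letter, a trailing '%', or too many parameters. */
int parse_fmt_query(const char *fmt, struct fmt_query *out) {
    size_t o = 0;
    out->nparams = 0;
    for (const char *p = fmt; *p; p++) {
        if (o + 2 >= sizeof out->sql) return -1;   /* keep room for "%s" + NUL */
        if (*p != '%') { out->sql[o++] = *p; continue; }
        p++;
        if (*p == '%') { out->sql[o++] = '%'; continue; }
        if (*p != 'u' && *p != 'R' && *p != 'a') return -1;
        if (out->nparams >= MAX_PARAMS) return -1;
        out->order[out->nparams++] = *p;
        out->sql[o++] = '%';
        out->sql[o++] = 's';
    }
    out->sql[o] = '\0';
    return 0;
}

/* Request-time: fill args[] in the recorded order for the DBD driver's
   parameter binding. The values themselves are never copied into the SQL
   text, which is what keeps a hostile username or realm inert. Returns the
   number of parameters; args[] must have room for nparams + 1 entries. */
int bind_params(const struct fmt_query *q, const char *user, const char *realm,
                const char *addr, const char **args) {
    for (int i = 0; i < q->nparams; i++) {
        switch (q->order[i]) {
        case 'u': args[i] = user;  break;
        case 'R': args[i] = realm; break;
        case 'a': args[i] = addr;  break;
        }
    }
    args[q->nparams] = NULL;   /* NULL-terminated, as apr_dbd_pvselect expects */
    return q->nparams;
}
```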
