httpd-dev mailing list archives

From KaiGai Kohei <>
Subject Re: User/Realm order in AuthDBDUserRealmQuery (mod_authn_dbd)
Date Sun, 17 May 2009 06:13:44 GMT
Chris Darroch wrote:
> KaiGai Kohei wrote:
>> I think a new directive with formats support is preferable to
>> keep compatibility with existing directives.
>   We definitely need compatibility with existing directives.
> That's why I figured the extra parameter would be optional --
> if you only provided one parameter, the query, it would be handled
> as it is now (i.e., user and realm interpolated, in that order).

Indeed, apache/httpd allows us to handle an extra parameter easily.
The reason why I wondered about the extra parameter approach was that I think
the custom log format characters (like %a, %u) should be included within
the query string. But it is not a fundamental thing. :-)

>> For example:
>>    AuthDBDUserRealmQueryFmt \
>>        "SELECT md5(uname || ':' || %R || ':' || upass) FROM uaccount \
>>             WHERE uname = %u AND uaddr >>= %a::inet"
>> When the directive is given, mod_authn_dbd can register the type and
>> order of the character to be replaced. Then it can set up as a parameter
>> list on query execution phase.
>   I think you'll find that trying to change the format specifiers
> (e.g., "%u", "%a::inet", etc.) is not the way to go.  These are
> handled by APR-util, not mod_authn_dbd.  At least in APR trunk,
> there's a large set of format specifiers supported and these were
> hashed through some time ago (e.g., "%pa" for date/timestamps, etc.)
> on the APR lists.  I don't think it's a good idea to start adding
> more DB query format specifier parsing in httpd.

I didn't have a plan to add support for whole of custom log format
and all mod_authn_dbd should do is replacing them to '%s' and register
the appeared order. However, it is not a fundamental thing.

>   That's why I figured you might stick with APR-util's specifiers
> in the query itself, but then provide a comma-delimited list of
> specifiers in the optional argument to the AuthDBD* directives.
> These would follow mod_log_config and would represent the various
> request-related data one could interpolate into the query.
> (E.g., "u" for user, "H" for protocol, "a" for remote address, etc.)
> That would provide a vast number of possibilities (more, certainly,
> than anyone really needs) but would at least stick to existing
> format specifiers as defined for both APR-util DBD and httpd now.
>> Should I submit a patch to support the feature?
>   Patches are always welcome (although I'm the first to admit
> that I'm too slow at reviewing and committing them).

The attached patch is a proof of the concept.
It allows specifying the order of parameters, as follows:

   AuthDBDUserRealmQuery \
       "SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount \
        WHERE uname = %s"  "realm,user"
The second argument is optional. If nothing was given, mod_authn_dbd
considers the parameter should be extracted with the default order
("user" for basic authentication, and "user,realm" for digest one).

Currently, it only supports "user", "password", "realm" and "remote_addr".
Its coverage is now far from custom log format, and I'm not clear whether
different things should have similar configuration (may be confusing?),
so this patch uses different tokens.

Any comments please.
KaiGai Kohei <>
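
The ordering scheme described in this message, sketched in C as an added example (it is not the attached patch and not mod_authn_dbd code): the order list is validated when the directive is read, and at request time the values are handed to the prepared statement as a positional list, never pasted into the SQL text. parse_order, count_placeholders, names[] and the sample values are assumptions made for the illustration; the four token names are the ones the message lists.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 8
/* Tokens the message lists; array position indexes the request values. */
static const char *const names[] = { "user", "password", "realm", "remote_addr" };

/* Count %s placeholders; "%%" is skipped as a literal percent (assumption). */
int count_placeholders(const char *q)
{
    int n = 0;
    for (; *q; q++)
        if (q[0] == '%' && q[1] != '\0')
            n += (*++q == 's');
    return n;
}

/* Config time: parse "realm,user" into indexes and check the count against
 * the query's placeholders. Returns the count, or -1 to reject the directive. */
int parse_order(const char *query, const char *list, int order[MAX_PARAMS])
{
    int n = 0;
    for (;; list += strcspn(list, ",") + 1) {
        size_t len = strcspn(list, ",");
        int i = 0;
        while (i < 4 && (strlen(names[i]) != len || strncmp(names[i], list, len)))
            i++;
        if (i == 4 || n == MAX_PARAMS)   /* unknown/empty token, or too many */
            return -1;
        order[n++] = i;
        if (list[len] == '\0')
            break;
    }
    return n == count_placeholders(query) ? n : -1;
}

int main(void)
{
    /* Constructed request values, indexed like names[]. */
    const char *vals[] = { "alice", "secret", "Private Area", "192.0.2.7" };
    int order[MAX_PARAMS];
    int n = parse_order("SELECT md5(uname || ':' || %s || ':' || upass) "
                        "FROM uaccount WHERE uname = %s", "realm,user", order);
    for (int i = 0; i < n; i++)     /* request time: positional bind list */
        printf("param %d = %s (%s)\n", i + 1, vals[order[i]], names[order[i]]);
    return n == 2 ? 0 : 1;
}
```

Rejecting a list whose length does not match the number of placeholders at configuration time keeps a misordered or short list from surfacing later as a failed or mismatched bind during authentication.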
