httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject Re: User/Realm order in AuthDBDUserRealmQuery (mod_authn_dbd)
Date Tue, 02 Jun 2009 06:29:18 GMT
I filed the patch as:
  https://issues.apache.org/bugzilla/show_bug.cgi?id=47295

A similar implementation should also be possible for mod_dbd_session.
If necessary, I'll implement it next, alongside mod_authn_dbd.

--------
This patch adds two new directives (AuthDBDUserPWQueryFmt,
AuthDBDUserRealmQueryFmt) to mod_authn_dbd.

These options allow various kinds of query parameters (not only
username, password and realm) to be deployed in any order.
Needless to say, you can keep using the existing directives if there are no concerns.

This patch also enables mod_authn_dbd to be applied in the following cases.

1. The hardwired parameter order is not suitable for the database.

SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount WHERE uname = %s;

If we want to execute this query (the 1st %s should be the realm, and the 2nd %s
should be the username) for digest authentication, the hardwired parameter order
of the current AuthDBDUserRealmQuery option is not suitable.

The new AuthDBDUserRealmQueryFmt allows the order to be specified as follows:

AuthDBDUserRealmQueryFmt \
    "SELECT md5(uname || ':' || $(realm) || ':' || upass) \
         FROM uaccount WHERE uname = $(username)"

2. Additional conditions beyond username/password.

When we want to restrict the available users depending on the remote address or
other factors, the current directive does not support it.

This patch allows $(remote_addr) to be used in addition to username, password and
realm, as a proof of concept. It can be used to implement a user who
is available only from local networks, for example.

Thanks,

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>> I'm now trying to set up mod_authn_dbd for authentication purposes.
>> However, I faced a concern with the AuthDBDUserRealmQuery directive.
>>
>> The example shows the query:
>>   AuthDBDUserRealmQuery \
>>       "SELECT password FROM authn WHERE user = %s AND realm = %s"
>>
>> But I would like to set up the query as follows:
>>   AuthDBDUserRealmQuery \
>>       "SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount WHERE uname = %s"
>>                                   ^^... to be realm                  to be user ...^^
>>
>> It seems to me we have no way to put the replacement of the given
>> realm prior to username. Am I missing anything?
> 
> Here, I could find a short hack.
> 
>   AuthDBDUserRealmQuery \
>       "SELECT md5(uname || ':' || $2 || ':' || upass), udomain, %s=%s AS dummy \
>            FROM uaccount WHERE uname = $1"
> 
> The first %s is replaced with '$1' as the username, and the second %s is replaced
> with '$2' as the realm, but $n is not touched by mod_dbd.
> The dummy field is just there to consume the parameters in the correct order, and
> it refers to the meaningful parameters with $n.
> 
> However, I don't think it is a straightforward approach. :-(
> 
> Chris Darroch suggested that I add an optional second argument to specify
> the order of the parameters, like:
> 
>   AuthDBDUserRealmQuery \
>     "SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount \
>          WHERE uname = %s" "realm,username"
> 
> However, my preference is still an inline replacement approach, like:
> 
>   AuthDBDUserRealmQueryFmt \
>     "SELECT md5(uname || ':' || $(realm) || ':' || upass) FROM uaccount \
>          WHERE uname = $(username) and unetwork >>= $(remote_host)::inet"
> 
> Needless to say, the current behavior of AuthDBDUserRealmQuery should be
> kept as is. The new directive only suggests another way to set up the
> query.
> 
> Chris also mentioned we should use the custom log format as much as possible.
>   http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
> 
> However, Tom Donovan mentioned that the upcoming mod_session_dbd module also
> applies hardwired parameters, and it requires replacing session keys and
> so on. But we could not find these parameters in the formats.
> 
> Therefore, it seems to me these marks should be defined independently
> of the custom log format.
> 
> Examples:
>  -- mod_auth_dbd --
>  $(username) ... replaced by %s as the given authenticated username
>  $(password) ... replaced by %s as the given authenticated password
>  $(realm)    ... replaced by %s as the realm string
>  $(remote_addr) ... replaced by %s as the remote address
>  -- mod_session_dbd --
>  $(key)      ... replaced by %s as the session key
>  $(value)    ... replaced by %s as the session value
>  $(expiry)   ... replaced by %lld as the session expiry
> 
> Thanks,


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
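The $(name) substitution proposed in the message above, as an added illustration that is not the patch from bug 47295 nor httpd's own code: a small C routine that rewrites a $(realm)/$(username)/$(password)/$(remote_addr) format string into the %s prepared-statement form mod_dbd consumes, recording which parameter each %s binds. The function name, the parameter table and the error handling are assumptions of this example; the property worth keeping is that a placeholder becomes a bind marker, so the realm, username or remote address is never spliced into the SQL text.

```c
#include <string.h>

/* Placeholder names the message proposes for mod_authn_dbd (assumed table). */
static const char *const known_params[] = {
    "username", "password", "realm", "remote_addr"
};
#define NUM_KNOWN (sizeof(known_params) / sizeof(known_params[0]))

/*
 * Rewrite `fmt` into `out`, replacing every $(name) with "%s" and appending
 * the index of `name` in known_params to `order`, so the caller can pass the
 * values to the prepared statement in the order the query expects.
 * Returns the number of placeholders, or -1 on an unknown name, an
 * unterminated "$(", or insufficient room in `out` / `order`.
 */
int expand_query_fmt(const char *fmt, char *out, size_t outlen,
                     int *order, int max_order)
{
    size_t o = 0;
    int n = 0;
    for (const char *p = fmt; *p; ) {
        if (p[0] == '$' && p[1] == '(') {
            const char *end = strchr(p + 2, ')');
            if (!end) return -1;                      /* unterminated $( */
            size_t len = (size_t)(end - (p + 2));
            int idx = -1;
            for (size_t i = 0; i < NUM_KNOWN; i++) {
                if (strlen(known_params[i]) == len &&
                    memcmp(known_params[i], p + 2, len) == 0) {
                    idx = (int)i;
                    break;
                }
            }
            if (idx < 0 || n >= max_order) return -1; /* unknown or too many */
            if (o + 2 >= outlen) return -1;           /* keep room for NUL */
            out[o++] = '%';                           /* bind marker, not the value */
            out[o++] = 's';
            order[n++] = idx;
            p = end + 1;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p++;                          /* literal SQL passes through */
        }
    }
    out[o] = '\0';
    return n;
}
```

With the digest query from the message, the result is the existing two-%s form plus the bind order realm, username, which is exactly what the hardwired directive could not express.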
