httpd-dev mailing list archives

From Barry Scott <barry.sc...@onelan.co.uk>
Subject Re: mod_fcgid - cannot get authorizer process to be started
Date Tue, 29 Sep 2009 16:32:04 GMT
Jeff Trawick wrote:
> On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott
> <barry.scott@onelan.co.uk> wrote:
>
>     Jeff Trawick wrote:
>
>         On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
>         <barry.scott@onelan.co.uk> wrote:
>
>            The mod_fcgid page says to ask on dev; I assume that this is the
>            right place to ask.
>
>            I'm using mod_fcgid from svn with HTTPD 2.2.
>
>            I want to use a fast CGI authorizer to allow me to control access
>            based on my rules.
>            The authorizer needs to be a long running process - never exits.
>
>            I know that the fcgid code is noticing the directive because I can
>            change the filename
>            and see the error message from the sources.
>
>            But I'm at a loss as to what is required to get this configuration to
>            actually call my code.
>            mod_fcgid is not starting up the authorizer process.
>
>            I have the following fcgid specific lines in my httpd.conf file:
>
>            ---- httpd.conf ----
>            ...
>            LoadModule fcgid_module modules/mod_fcgid.so
>            ...
>
>            Listen *:9000
>            <VirtualHost *:9000>
>             <Location />
>                 Order allow,deny
>                 Allow from all
>                 AuthType Digest
>
>
>         Did you really mean Digest authentication instead of Basic
>         authentication?
>
>         mod_fcgid only supports Basic, AFAICT.
>
>            /* Get the user password */
>            if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>                return res;
>
>
>     I don't want to be an authenticator, I want to be an authorizer.
>     Authorizer has no need of passwords, right?
>
>
> whoops :(
>
> yes
>
> your "require valid-user" implies that you don't need authorization; 
> try "require valid-group" instead

I want the user's password checked and to only proceed if it is valid.
I also want to run the fcgi Authorizer to check that the URL being
accessed is allowed according to the logic in my Authorizer code.

To that end I have the following:

    <Location />
        Order allow,deny
        Allow from all

        # Use digest auth to check the username/password pair
        AuthType Digest
        AuthName "Manager System"
        # no one gets in without a valid username/password pair
        Require valid-user

        # Use these files to find the passwd and group information
        AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
        AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

        # Run the Authorizer.sh to veto URL based on the username
        FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
    </Location>

What triggers HTTPD to call the Authorizer.sh code?
Surely not the commands that control authentication checks?

I cannot find Require valid-group defined in the 2.2 docs.

Do you mean I need to add:

              Require group nosuchgroup

And that will cause the mod_authn_user (or whatever module) to try
and match nosuchgroup. When it fails my Authenticator will be run
to see if it can handle that directive?

Isn't this module crying out for a directive like:

            Require fcgid-authenticater-user-is-valid

Barry

