httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject Re: mod_fcgid - cannot get authorizer process to be started
Date Wed, 30 Sep 2009 16:11:06 GMT
On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott <barry.scott@onelan.co.uk>wrote:

> At this point let me ask this:
>
> Is it possible with the current code to ever have the fcgid Authorizer
> called?
>

yes

This works for me, though it uses the unfortunate valid-group hack with
httpd 2.2 so that no authorizers running before fcgid think they should
evaluate:

<Location /docs>
  <IfVersion >= 2.2>
  AuthBasicAuthoritative Off
# AuthBasicProvider foo
  </IfVersion>

  # work around problem with AAA in mod_fcgid (it can't track more than
  # one AAA script per URL, and even then the URL can't be handled by a
  # FastCGI app)
  #
  # FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
  # FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
  # FastCgiAuthorizer    %%MYHG%%/apache/fastcgi/apps/authorize.pl

  FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
  FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
  FastCgiAuthorizer    %%MYHG%%/apache/fcgid/apps/aaa.pl

  FastCgiAccessCheckerAuthoritative On
  FastCgiAuthenticatorAuthoritative On
  FastCgiAuthorizerAuthoritative    On

  AuthType Basic
  AuthName "foo"

  <IfVersion < 2.3>

  <IfVersion < 2.2>
    Require group foo
  </IfVersion>

  <IfVersion >= 2.2>
    Require valid-group
  </IfVersion>

    Order allow,deny
    Allow from all
  </IfVersion>

  <IfVersion >= 2.3>
    Require group foo
  </IfVersion>

</Location>



>
> If it is not possible I'm willing to try and code the missing pieces, with
> a little
> help being pointed in the right direction.
>

I hope some "require" experts could jump in ;)

A good solution might be to associate a script with a particular
require-ment so that mod_fcgid can check the Require for any require-ments
implemented by a FastCGI script.

[too] simple example:

FCGIDRequire mydb-user /path/to/my/authorizer.sh

<Location /foo>
  Require mydb-user
  SetEnv whatever-needed-by-authorizer.sh
</Location>

Mime
View raw message