httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ray Morris <supp...@bettercgi.com>
Subject Re: Using mod_rewrite in my authorization module. Need advice.
Date Wed, 03 Feb 2010 22:12:31 GMT
> Only two ideas came into my mind:
> 1) Reimplement needed mod_rewrite functionality in out authorization  
> module.
> 2) Patch or fork mod_rewrite module. Implement some API (like
> rewrite(from, to);) which could be used for url rewriting with full
> mod_rewrite power.
> 3) Patch mod_rewrite and enclose RewriteRules configuration with
> locks. Sick! Ugly!

   That's three ideas. :)  Seriously, I suggest you back up
a step or three.  You said "Reimplement needed mod_rewrite
functionality in out authorization module.".  98% of mod_rewrite
consists of handling it's very flexible configuration
syntax. It sounds like you're not making use of any of that.
You simply want to rewrite (or redirect) the URL based on
some condition.  Either of those can be done with exactly
TWO lines of code in your own module - no need to hijack
another module and muck around where you have no business
mucking around.

    To REDIRECT to another URL:

apr_table_setn(r->headers_out, "Location", r->filename);
return HTTP_MOVED_TEMPORARILY;

    To REWRITE the URL so some other URL:

r->uri = apr_pstrdup(r->pool, newurl);
return DECLINED;

     That's probably all of the "re-implementing" you'd
need - two lines of code.

    That's backing up a step or two, but really it probably
makes sense to back up another level:

> This authorization module check user permissions for current
> url A and rewrites url to AA or AB according to permission
> check result.

    You don't see "ErrorDocument 401" implemented in any
of the standard authorization modules for a reason - because
an authorization module is not the right place to do that.
An authorization module should do one thing - authorization.
Were to send them if they aren't authorized is set very nicely
with "ErrorDocument 401".  That reduces your entire "ugly, but
nevertheless (use to be) working hack which messes with mod_rewrite
configuration" to exactly one line:

return HTTP_UNAUTHORIZED;

   You'll notice that's what all of the authorization modules
written by the experts do when the client is not authorized -
they return UNAUTHORIZED.  That then let's all of the other
modules, the clients, and the monitoring systems do the right
thing.  For example, the request will be correctly logged as
unauthorized.  If your module incorrectly changes it to a 200
code and displays a different page, it's then incorrectly logged
as a succesful, fully authorized request.  Logging is one example -
there are a thousand different things which may break when one
module does the wrong thing and lies to everyone else about what's
really going on.  As another example consider a security module
or external system which watches for a large number of unauthorized
responses to a single IP - detecting a brute force attack.
By behaving correctly and simply returning HTTP_UNAUTHORIZED,
your module is perfectly compatible with any other systems
like that.

    I understand that I've challenged some basic design decisions
while attempting to be helpful to you.  Good programmers are almost
always arrogant - arrogance seems to make us better programmers,
so we tend to get defensive when someone suggests we look at something
froma different perspective.  Still, I encourage you to consider how
many times you've seen someone ask "what is the right way to do (the
wrong thing)".   We all do that sometimes, so I would encourage you
to consider taking a different perpective.
--
Ray Morris
support@bettercgi.com

Strongbox - The next generation in site security:
http://www.bettercgi.com/strongbox/

Throttlebox - Intelligent Bandwidth Control
http://www.bettercgi.com/throttlebox/

Strongbox / Throttlebox affiliate program:
http://www.bettercgi.com/affiliates/user/register.php


On 02/03/2010 03:24:32 PM, Kevac Marko wrote:
> Hello.
> 
> I am porting our authorization module to mpm_worker from mpm_prefork.
> This authorization module was using some ugly, but nevertheless
> working hack which messes with mod_rewrite configuration.
> 
> This authorization module check user permissions for current url A and
> rewrites url to AA or AB according to permission check result. Because
> I didn't want to reimplement mod_rewrite and because mod_rewrite don't
> have any API for url rewriting, this ugly hack was made. I am changing
> mod_rewrite configuration on the fly, putting A->AA or A->AB
> RewriteRule to it.
> 
> I hope you understood that. Ok. This works. But only in mpm_prefork,
> where only one execution thread exists in apache process.
> 
> Now I need same functionality, but in mpm_worker. And I don't have
> idea how to do it easily.
> 
> Only two ideas came into my mind:
> 1) Reimplement needed mod_rewrite functionality in out authorization  
> module.
> 2) Patch or fork mod_rewrite module. Implement some API (like
> rewrite(from, to);) which could be used for url rewriting with full
> mod_rewrite power.
> 3) Patch mod_rewrite and enclose RewriteRules configuration with
> locks. Sick! Ugly!
> 
> What do you think? I am looking forward for comments and advices.  
> Thanks.
> 
> --
> Marko Kevac
> Sent from Moscow, Mow, Russia
> 
> 


Mime
View raw message