httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sorin Manolache <sor...@gmail.com>
Subject Re: Using mod_rewrite in my authorization module. Need advice.
Date Wed, 03 Feb 2010 21:44:16 GMT
On Wed, Feb 3, 2010 at 22:24, Kevac Marko <marko@kevac.org> wrote:
> Hello.
>
> I am porting our authorization module to mpm_worker from mpm_prefork.
> This authorization module was using some ugly, but nevertheless
> working hack which messes with mod_rewrite configuration.
>
> This authorization module check user permissions for current url A and
> rewrites url to AA or AB according to permission check result. Because
> I didn't want to reimplement mod_rewrite and because mod_rewrite don't
> have any API for url rewriting, this ugly hack was made. I am changing
> mod_rewrite configuration on the fly, putting A->AA or A->AB
> RewriteRule to it.
>
> I hope you understood that. Ok. This works. But only in mpm_prefork,
> where only one execution thread exists in apache process.
>
> Now I need same functionality, but in mpm_worker. And I don't have
> idea how to do it easily.
>
> Only two ideas came into my mind:
> 1) Reimplement needed mod_rewrite functionality in out authorization module.
> 2) Patch or fork mod_rewrite module. Implement some API (like
> rewrite(from, to);) which could be used for url rewriting with full
> mod_rewrite power.
> 3) Patch mod_rewrite and enclose RewriteRules configuration with
> locks. Sick! Ugly!
>
> What do you think? I am looking forward for comments and advices. Thanks.
>

I think it would be clearer and we could help you better if you pasted
some snippets of your code and hack.

I didn't really understand what you wanted to do. And I don't really
understand why mono-threading would break your hack. Normally a
request is processed by a single thread anyway.

But look what you could do in your authentication module: You could
set an apache request note (or an environment variable) depending on
the authentication. And then call ap_run_translate_name that
re-invokes the rewrite rules.

Something like

determine if the user is priviledged or not
apr_table_set(r->notes, "auth_status", priviledged_user ? "yes" : "no");
ap_run_translate_name(r);
return OK;

and then in the configuration file you put

RewriteCond  %{ENV:auth_status} yes
RewriteRule url /destination_priviledged

RewriteCond  %{ENV:auth_status} no
RewriteRule url /destination_ordinary

The first time the translate_name is called, the auth_status note is
not defined. Thus no rewrite rule is applied and the URL is unchanged.
Next apache executes the request authentication hook from where you
invoke again the translate_name callback.

S

Mime
View raw message