httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevac Marko <ma...@kevac.org>
Subject Re: Using mod_rewrite in my authorization module. Need advice.
Date Thu, 04 Feb 2010 07:32:06 GMT
On Thu, Feb 4, 2010 at 1:12 AM, Ray Morris <support@bettercgi.com> wrote:
>  That's three ideas. :)  Seriously, I suggest you back up
> a step or three.  You said "Reimplement needed mod_rewrite
> functionality in out authorization module.".  98% of mod_rewrite
> consists of handling it's very flexible configuration
> syntax. It sounds like you're not making use of any of that.
> You simply want to rewrite (or redirect) the URL based on
> some condition.  Either of those can be done with exactly
> TWO lines of code in your own module - no need to hijack
> another module and muck around where you have no business
> mucking around.
>
>   To REDIRECT to another URL:
>
> apr_table_setn(r->headers_out, "Location", r->filename);
> return HTTP_MOVED_TEMPORARILY;
>
>   To REWRITE the URL so some other URL:
>
> r->uri = apr_pstrdup(r->pool, newurl);
> return DECLINED;
>
>    That's probably all of the "re-implementing" you'd
> need - two lines of code.

Well, pretty much you are right, but it's not that simple. We need
some of the things that are put in square brackets in RewriteRule
configuration.
Probably re-implementing only needed functionality will be easier, yes...

>
>   That's backing up a step or two, but really it probably
> makes sense to back up another level:
>
>> This authorization module check user permissions for current
>> url A and rewrites url to AA or AB according to permission
>> check result.
>
>   You don't see "ErrorDocument 401" implemented in any
> of the standard authorization modules for a reason - because
> an authorization module is not the right place to do that.
> An authorization module should do one thing - authorization.
> Were to send them if they aren't authorized is set very nicely
> with "ErrorDocument 401".  That reduces your entire "ugly, but
> nevertheless (use to be) working hack which messes with mod_rewrite
> configuration" to exactly one line:
>
> return HTTP_UNAUTHORIZED;
>
>  You'll notice that's what all of the authorization modules
> written by the experts do when the client is not authorized -
> they return UNAUTHORIZED.  That then let's all of the other
> modules, the clients, and the monitoring systems do the right
> thing.  For example, the request will be correctly logged as
> unauthorized.  If your module incorrectly changes it to a 200
> code and displays a different page, it's then incorrectly logged
> as a succesful, fully authorized request.  Logging is one example -
> there are a thousand different things which may break when one
> module does the wrong thing and lies to everyone else about what's
> really going on.  As another example consider a security module
> or external system which watches for a large number of unauthorized
> responses to a single IP - detecting a brute force attack.
> By behaving correctly and simply returning HTTP_UNAUTHORIZED,
> your module is perfectly compatible with any other systems
> like that.
>
>   I understand that I've challenged some basic design decisions
> while attempting to be helpful to you.  Good programmers are almost
> always arrogant - arrogance seems to make us better programmers,
> so we tend to get defensive when someone suggests we look at something
> froma different perspective.  Still, I encourage you to consider how
> many times you've seen someone ask "what is the right way to do (the
> wrong thing)".   We all do that sometimes, so I would encourage you
> to consider taking a different perpective.

Maybe after reading my previous email with slightly detailed
description, you will understand why I have done all this non standard
things.

UNAUTHORIZED in our architecture is not so strict. Unauthorized user
sometimes can get same data, but slightly delayed version of them. So,
instead of 401 or 403, he will get 200 with delayed data. Sometimes
(for example when delayed data doesn't have sense), he must get 403,
sometimes he must get 401. It must be configurable.

-- 
Marko Kevac
Sent from Moscow, Mow, Russia

Mime
View raw message