Message-ID: <4414E7EC.10807@extracktor.com>
Date: Mon, 13 Mar 2006 11:33:00 +0800
From: Foo Ji-Haw
To: Fred Moyer
CC: Fred Moyer, yperl, Frank Wiles, modperl@perl.apache.org
Subject: Re: Modperl2 + PerlAccessHandler + Sending Cookie
References: <44122AFC.3000704@club-internet.fr> <20060310200644.5873ea9f.frank@wiles.org> <44128F95.5000603@club-internet.fr> <44129C62.7080400@taperfriendlymusic.org> <4414D684.4060508@extracktor.com>

Hello Fred,

Ok, the 12 layers of Apache is as cool as the OSI layers.

Let's say that in my PerlAuthzHandler I verified the user via a cookie (given to the client during login). It sounds like double work to retrieve the user details again during the PerlResponseHandler phase (I have to do that to process the page based on the user). Following the mailing list thread, is the only/preferred way to use the bucket brigade?

Fred Moyer wrote:
> On Mon, 13 Mar 2006, Foo Ji-Haw wrote:
>> Wow, a little tangent to the topic here: I didn't know that you can do this
>> PerlResponseHandler Apache2::Const::OK
>> Is that 'legal'? It's interesting to know, but I wouldn't know of a practical use for this trick.
>
> Specifying a return code for a handler phase is perfectly legal. I first saw this technique used in 'PerlMapToStorageHandler Apache2::Const::OK' to skip the request phase which maps the uri to a location on disk, but you can use it with any phase.
>
>> Last question: is it a best practice to do the user and access authentication check at the PerlAccessHandler level? I like the idea (obviously I've not been trying this way). A single authentication module that can be used across various PerlResponseHandler. Easy to maintain and propagate.
>
> The PerlAccessHandler phase runs in the same phase of the request cycle as Apache's mod_access module, and is meant to handle the request based on IP and domain information. In httpd.conf, you can say 'Order Allow, Deny', 'Deny from 123.456.789.012', or you can use the PerlAccessHandler phase and examine the request IP and accomplish the same functionality (see http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlAccessHandler). It is best practice to do access checks.
>
> Best practice for user authentication is to use PerlAuthenHandler, and best practice for user authorization is the PerlAuthzHandler. This way, you can modify the request, and return DECLINED, and Apache's authen and authz modules can do additional checks on those phases of the request. Or you can do authen/authz only in the mod_perl phases and return OK or UNAUTHORIZED and skip Apache's auth/authz modules.
>
> Each phase in this diagram - http://perl.apache.org/docs/2.0/user/handlers/http.html#HTTP_Request_Cycle_Phases - has a corresponding hook in Apache which runs after mod_perl if DECLINED is returned. This is one of mod_perl's greatest strengths.
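As an added example (not code from this thread or from the mod_perl project), here is how the phases Fred describes fit the cookie case Foo asks about: the PerlAuthenHandler verifies a signed session cookie once, the PerlAuthzHandler enforces the Require lines (returning OK skips Apache's own authz modules, as Fred notes), and the response phase reads the user from $r->pnotes instead of re-checking the cookie. The package name, the cookie layout "session=<user>:<expiry>:<hmac>" and the $SECRET placeholder are assumptions.

```perl
package My::CookieAuth;
use strict;
use warnings;
use Apache2::RequestRec  ();   # $r->user, $r->content_type
use Apache2::RequestUtil ();   # $r->pnotes
use Apache2::RequestIO   ();   # $r->print
use Apache2::Access      ();   # $r->requires
use APR::Table           ();   # $r->headers_in->get
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED HTTP_FORBIDDEN);
use Digest::SHA qw(hmac_sha256_hex);

# Assumed: the login handler set cookie "session=<user>:<expiry epoch>:<hmac>"
# under this secret. Placeholder value, not a real key.
my $SECRET = 'REPLACE-WITH-SERVER-SECRET';
# PerlAuthenHandler: verify the cookie once and record who the user is.
sub authen {
    my $r = shift;
    my ($token) = ($r->headers_in->get('Cookie') // '') =~ /(?:^|;\s*)session=([^;]+)/;
    return Apache2::Const::HTTP_UNAUTHORIZED unless defined $token;
    my ($user, $exp, $mac) = split /:/, $token, 3;
    return Apache2::Const::HTTP_UNAUTHORIZED
        unless defined $mac && $exp =~ /^\d+$/ && $exp > time();
    my $expect = hmac_sha256_hex("$user:$exp", $SECRET);
    # Constant-time comparison: do not leak how many MAC bytes matched.
    return Apache2::Const::HTTP_UNAUTHORIZED
        unless length($mac) == length($expect) && !(($mac ^ $expect) =~ tr/\0//c);
    $r->user($user);                 # visible to later phases and the access log
    $r->pnotes(auth_user => $user);  # hand it to the response phase, no re-lookup
    return Apache2::Const::OK;
}
# PerlAuthzHandler: honour the Require lines. OK here skips Apache's own authz
# modules; returning DECLINED would let them run after us instead.
sub authz {
    my $r = shift;
    my $user = $r->user or return Apache2::Const::HTTP_UNAUTHORIZED;
    for my $req (@{ $r->requires }) {
        my ($kind, @names) = split ' ', $req->{requirement};
        return Apache2::Const::OK if $kind eq 'valid-user';
        return Apache2::Const::OK if $kind eq 'user' && grep { $_ eq $user } @names;
    }
    return Apache2::Const::HTTP_FORBIDDEN;
}
# PerlResponseHandler: the user is already known; no second cookie check.
sub response {
    my $r = shift;
    $r->content_type('text/plain');
    $r->print("Hello, " . $r->pnotes('auth_user') . "\n");
    return Apache2::Const::OK;
}
1;
```

Wire it up inside a <Location> that sets AuthType, AuthName and a Require line, with PerlAuthenHandler My::CookieAuth::authen, PerlAuthzHandler My::CookieAuth::authz and PerlResponseHandler My::CookieAuth::response. Without a Require directive Apache does not run the authen/authz phases at all.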