perl-modperl mailing list archives

From Geoffrey Young <ge...@modperlcookbook.org>
Subject Re: apache2 does not deny access though PerlAuthenHandler returns HTTP_UNAUTHORIZED
Date Tue, 15 May 2007 15:19:02 GMT
Michael Peters wrote:
> Moritz Maisel wrote:
> 
>>Hi List,
>>
>>I wrote a PerlAuthenHandler to authenticate users that access a
>>webservice. I supposed that by returning either "OK" or
>>"HTTP_UNAUTHORIZED" back to apache2 it will allow or deny access due to
>>the "require valid-user" directive that I set.
>>My problem is that apache executes my handler, but it does not take
>>care of my return-values. Instead it always serves the request and
>>grants access.
> 
> 
> The HTTP codes are HTTP return codes, not handler return codes.

actually, that's not really correct...

a handler is expected to return one of

  o apache handler code (OK, DECLINE, DONE)
  o apache _error_ code (SERVER_ERROR, FORBIDDEN, etc)

the confusion is generally when someone assumes OK (0) is the same as
HTTP_OK (200).

so, it's always proper to return an HTTP code in the case of "errors"
where "error" in apache-speak is anything other than 200.

> Use FORBIDDEN instead.

actually HTTP_UNAUTHORIZED (401, aka AUTH_REQUIRED) is more proper than
FORBIDDEN (403) for basic auth, though either should prevent the content
handler from running.

offhand I can't see anything in your code that looks wrong - ordinarily,
if mod_perl authen doesn't do its job properly you'll see core errors
due to missing AuthUserFile, etc directives that don't really matter if
your custom authen is functional.

if I had to guess I'd say that something else in your httpd.conf is
interfering with your authen setup.  the first thing that comes to mind
is making sure you have 'Satisfy All' and not 'Satisfy Any'

HTH

--Geoff
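
The 'Satisfy All' versus 'Satisfy Any' check suggested above, shown as configuration. This is an added example, not part of the original message or the poster's httpd.conf; it assumes Apache 2.2-style access directives, and My::Authen and the two Location paths are hypothetical names.

```apache
# Weak: under "Satisfy Any" a request is served when EITHER the
# host-based check (Order/Allow/Deny) OR authentication succeeds.
# "Allow from all" passes for every client, so "Require valid-user"
# and the handler's HTTP_UNAUTHORIZED never gate the response.
<Location /service-weak>
    AuthType Basic
    AuthName "webservice"
    PerlAuthenHandler My::Authen
    Require valid-user

    Order allow,deny
    Allow from all
    Satisfy Any
</Location>

# Corrected: under "Satisfy All" BOTH the host-based check and
# authentication must succeed, so a 401 from the authen phase stops
# the request before the content handler runs.
# Satisfy is stated explicitly here so that a "Satisfy Any" inherited
# from an enclosing <Directory> section or .htaccess file does not apply.
<Location /service>
    AuthType Basic
    AuthName "webservice"
    PerlAuthenHandler My::Authen
    Require valid-user

    Order allow,deny
    Allow from all
    Satisfy All
</Location>
```

A request without credentials should get a 401 with a WWW-Authenticate header from /service; a 200 there points at another section of httpd.conf overriding these directives.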
