perl-modperl mailing list archives

From "titetluc titetluc" <titet...@gmail.com>
Subject Re: [MP2]: setting group for a request (require group ...)
Date Mon, 23 Jun 2008 07:25:59 GMT
Geoffrey, André,
Thank you for your answer.

Conclusion: I will have to:
 . write my own PerlAuthzHandler
 . define a new directive to define my group

Thanks again


2008/6/19 André Warnier <aw@ice-sa.com>:

> Hi.
>
> I believe that the issue below is more in the way of thinking about this,
> than a real technical issue.
>
> You don't need to involve Apache in the group part.
> I don't think that Apache, per se, even has a field "group" in its internal
> Request structure.
> That is probably why you do not find any API to set or read it.
>
> Let me explain how I understand it:
>
> Authentication consists of finding out who the user is.
> To simplify, we could say that this consists of getting and verifying his
> user-id.
> But, at the same time, we could collect some additional attributes about
> him, like his email address, or a list of groups of which he is a member.
> The application /may/ want to authenticate users in order to (later) also
> authorise them or not to do something.  But not necessarily; it could also
> be only for the purpose of logging who accessed the page.
>
> Anyway, now your Authentication module has done its job, it has
> authenticated the user and saved his user-id. It does not really care what
> this user-id will be used for, that is not its job.
>
> The module returns OK, and Apache continues.
>
> ----- end of authentication ----
>
> .... some time passes
>
> ----- start of authorization ---
>
> This consists of verifying if this resource that is requested can be
> returned, depending on some criteria.
> Usually, it will depend on the userid, or some characteristic of the user.
>  But not necessarily : it could also depend on a secret key that is included
> in a cookie, for example (if the key is there, the resource is granted, and
> otherwise not).
> If this check is successful, the authorization returns OK.  If it is not, it
> returns not-OK.
>
> ---- end of authorization ---
>
> Apache checks the return code.  If it is OK, Apache serves the page.  If it
> is not-OK, Apache returns a "forbidden" page.
>
> --- end of request ---
>
> Now, in your case, you want
> a) to authenticate the user
> b) later, to authorize access to a resource, in function of some
> characteristic of that user (is he member of one of the authorized groups)
>
> You have already done (a), with a PerlAuthenHandler, and you have stored
> the user-id in the request, so you can get at it later.
>
> If you add a PerlAuthzHandler for authorization, then what your handler has
> to do is :
>
> 1. find out which groups are authorized to access this resource.
> That could be by getting the contents of the "require" clause of the Apache
> configuration, or by getting the value of some "PerlSetVar" in the same
> section (e.g. PerlSetVar AuthorizedGroups "group1,group2")
> (in your module, you would get this value as
> $OKgroups = $r->dir_config("AuthorizedGroups");
>
> 2. find out if this userid (stored in the request) is a member of one of
> these groups.
> For that, you need some additional information about the user, not just his
> user-id.  This you could do using a "group" file, like Apache does in its
> Basic authentication scheme (AuthGroupFile xxxx), and read it and parse it
> when you need to, and then compare the result to $OKgroups.
> But that would be inefficient.
>
> Since in (a) you are already accessing some information about the user (to
> verify his userid), I would at the same time collect information about which
> groups he belongs to, and save that somewhere in the Request object, for
> example with something like
> $r->pnotes('groups' => $groups);
>
> Then later, your module (b) can get it back, with
> $groups = $r->pnotes('groups');
> and compare this to the authorized groups.
>
> I hope this helps.
> André
>
>
>
> titetluc titetluc wrote:
>
>> Hello all,
>>
>> I am writing a mod_perl authentication module (My::Auth).
>>
>> This module sets the user using the Apache2::RequestRec::user method.
>>
>> package My::Auth;
>> sub {
>>  ....
>>  $r->user('getting the user in my module internal structure');
>>  return OK;
>> }
>>
>> In the Apache configuration file, I can use the configuration
>>
>> <Location /test_user>
>> PerlAuthenHandler  My::Auth
>> Require user user1
>> ....
>> </Location>
>>
>> I would like to use my module in another configuration where group is
>> checked
>>
>> <Location /test_group>
>> PerlAuthenHandler  My::Auth
>> Require group group1
>> ....
>> </Location>
>>
>> I can not find any mod_perl API method (Apache2::RequestRec::group ?) to
>> set
>> the group. I only found Apache2::RequestRec::require method, but this
>> method
>> only reads the require configuration.
>>
>> One way to solve the problem is to modify the My::Auth::handler method :
>>
>> package My::Auth;
>> sub {
>>  ....
>>  $r->user('getting the user in my module internal structure');
>>  my $requires = $r->requires;
>>
>>  # here the code to verify authorization
>>
>>  return OK;
>> }
>>
>> but I think this is a workaround:
>>  . My::Auth::handler is an AUTHENTICATION handler
>>  . the code to verify the AUTHORIZATION should have to be executed by the
>> httpd core.
>>
>> How can I manage authorization in this case ?
>>
>> Thanks
>>
>>
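
An added example, not part of the original messages or of anyone's posted code: a sketch of the separate PerlAuthzHandler the thread settles on, reading the `AuthorizedGroups` PerlSetVar and the `groups` pnote mentioned in the reply. The package name `My::Authz`, the helper names, and the assumption that the authentication handler stored an array reference of group names in `pnotes('groups')` are hypothetical.

```perl
package My::Authz;    # hypothetical module name, not from the thread
use strict;
use warnings;

use Apache2::RequestRec  ();    # $r->user, $r->uri
use Apache2::RequestUtil ();    # $r->dir_config, $r->pnotes
use Apache2::Log         ();    # $r->log_error
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Split the comma-separated PerlSetVar value into exact group names,
# dropping surrounding whitespace and empty entries.
sub parse_groups {
    my ($raw) = @_;
    return () unless defined $raw;
    my @names = split /,/, $raw;
    s/^\s+//, s/\s+$// for @names;
    return grep { length } @names;
}

# True only if at least one of the user's groups is in the allowed list.
# Hash lookup gives exact matching, so "admin" never matches "admins".
sub is_member {
    my ($allowed, $have) = @_;
    my %ok = map { $_ => 1 } @$allowed;
    return scalar grep { defined && $ok{$_} } @$have;
}

sub handler {
    my ($r) = @_;
    my $user    = $r->user;
    my @allowed = parse_groups($r->dir_config('AuthorizedGroups'));
    my $groups  = $r->pnotes('groups');   # assumed: array ref set by My::Auth

    # Fail closed: a missing user, an unset or empty AuthorizedGroups, or
    # missing group data all deny access instead of falling through to OK.
    unless (defined $user && @allowed && ref($groups) eq 'ARRAY'
            && is_member(\@allowed, $groups)) {
        $r->log_error('authz denied for '
            . (defined $user ? $user : '(no user)') . ' on ' . $r->uri);
        return Apache2::Const::FORBIDDEN;
    }
    return Apache2::Const::OK;
}

1;
```

It would be enabled next to the existing authentication handler with `PerlAuthzHandler My::Authz` and `PerlSetVar AuthorizedGroups "group1,group2"` in the same `<Location>` section.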
