perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Odysseas Pentakalos, Ph.D." <>
Subject Authorization module is not working
Date Wed, 07 Jan 2009 23:21:14 GMT

I am trying to accomplish authorization of users using client certificates
for authenticating users and a database of valid DN's for authorization. As
a first step the only thing I am trying to do is verify that my
authorization module has been correctly installed. So, before I attempt to
write the database code to verify if a given certificate has access to the
web content, I am returning for all requests the constant FORBIDDEN. The
problem I am having is that regardless of what the module returns, the user
is still presented with the page. I know that the handler is invoked because
I see the logged statements in the log file for the requested page.

I am really not sure what else to try. The fact that the user is allowed to
access the page despite the fact that the module returns FORBIDDEN indicates
that another module is approving the request but I have minimized the
configuration file down to the bare minimum to make sure that nothing else
is interfering. Any help with this would be very much appreciated.


I have configured the module as follows:

<Location />
    AuthName "Certificate Authentication"
    AuthType Basic
    SSLVerifyClient require
    PerlAuthenHandler Apache::OK
    PerlAuthzHandler Apache::CertAuthz
    require valid-user

And the module CertAuthz looks like the following:

package Apache::CertAuthz;
# use strict;
use mod_perl ();
use Apache::Log ();
use Apache::URI ();

$Apache::CertAuthz::VERSION = '0.01';

my %is_installed = ();
my $Is_Win32 = ($^O eq "MSWin32");
    local $SIG{__DIE__};
    %is_installed = map {
	$_, (eval("require $_") || 0);
    } qw (Data::Dumper Devel::Symdump B Apache::Request Apache::Peek

use vars qw($newQ);

if ($is_installed{"Apache::Request"}) {
    $newQ ||= sub { Apache::Request->new(@_) };
else {
    $is_installed{"CGI"} = eval("require CGI") || 0;
    $newQ ||= sub { CGI->new; };

sub handler {
    my($r) = @_;

    my $log = $r->log;
    return FORBIDDEN unless $r->is_main;

    my $subr = $r->lookup_uri($r->uri);
    my $dn = $subr->subprocess_env('SSL_CLIENT_S_DN');

    $r->log_reason("In CertAuthz a certificate must be provided with a DN of
$dn.", $r->filename);
    return FORBIDDEN;



View raw message