perl-modperl mailing list archives

From "Ihnen, David" <dih...@amazon.com>
Subject RE: Use form instead of AuthType Basic (pop-up windows)
Date Thu, 21 Jan 2010 18:35:50 GMT
I suppose it is not obvious that when using login page authentication that you are responsible
for the creation of the mechanism by which you identify the user?

I could point out that merely the fact you are utilizing a login form does not mean you HAVE
to use cookies - it just has fewer ramifications than other possibilities.

That is, whether the request is

GET /index.html HTTP/1.1
Host: myserver.com
Cookie: AuthTicket=username-ABCDEFGHIJKLM

Or the request is

GET /username-ABCDEFGHIJKLM/index.html HTTP/1.1
Host: myserver.com

Your authorization handler can get the string 'username-ABCDEFGHIJKLM' and use it for the
purposes of authentication/authorization.  Just in the latter case, you'll be adding a PerlMapToStorageHandler
to map around the extra auth information in the url and still access the file!

(I've used this strategy of embedding auth tickets in urls for download and media links handled
by external programs that won't have the cookie)

David


From: Juan Manuel Parrilla Gutiérrez [mailto:joanmanel@gmail.com]
Sent: Thursday, January 21, 2010 10:21 AM
To: Ihnen, David
Cc: mod_perl list
Subject: Re: Use form instead of AuthType Basic (pop-up windows)

Thank you for the information. I didn't know that what login and logout scripts were doing
was setting/clearing the cookie.

Juan Manuel Parrilla
On 21 January 2010 19:15, Ihnen, David <dihnen@amazon.com> wrote:
I happen to have just finished debugging my latest authen/authz cookie-based authentication
module last night, so this is *really* fresh in my head.

So right now you're using AuthType basic.  Change that to something else specific to your
module.  The basic auth will no longer respond.

Program an authentication handler (point to with PerlAuthenHandler directive).  It returns
Apache2::Const::DECLINED if the ->auth_type doesn't match your custom type.  Authen handlers
set the ->user of the requestrec object (probably by reading and validating a cookie in
this case).  If authorization is required for the request and you didn't set a username, you
should probably return Apache2::Const::FORBIDDEN.  If it succeeded or it doesn't matter, you
can return Apache2::Const::OK;

Program an authorization handler (point to with PerlAuthzHandler directive).  This uses the
Apache2::Access::requires method to get a list of your authentication requirements from the
auth config in apache's config file (like Require valid-user).  And Apache2::Access::satisfies
to determine how you interpret the list of requirements.

If you want to use a straight login page, if authorization fails, set error header 'Location'
to the location of your login script and return Apache2::Const::REDIRECT from the handler.

If you want to use an error document, if authorization fails, return Apache2::Const::AUTH_REQUIRED
or Apache2::Const::FORBIDDEN from the handler.  (configure ErrorDocument 401 or 403 respectively)

If authorization succeeds, simply return Apache2::Const::OK.

I also have handler functions for LOGIN and LOGOUT which set and clear the auth cookie.
That's different though - Authen/Authz is the part where you decide if the user is recognized
and is allowed to access, which is what you asked about.

David



From: Juan Manuel Parrilla Gutiérrez [mailto:joanmanel@gmail.com]
Sent: Thursday, January 21, 2010 9:26 AM
To: mod_perl list
Subject: Re: Use form instead of AuthType Basic (pop-up windows)

Hello, I am sorry if I didn't explain myself properly.
What I want is to understand how to use a formulary instead of AuthType Basic. I know there
are several modules that are doing this, but it is not about using one, it is about understanding
how.

I am doing my own Auth module (just to learn about it and mod_perl) and I would like to use
a form instead of pop up window, and using CGI is not an option because I want to use Authz
and Authen handlers.

What I need are the basic steps to move from AuthType Basic to use a form.

Thank you very much for all your answers,
Juan Manuel Parrilla Gutierrez
2010/1/21 André Warnier <aw@ice-sa.com>
Juan Manuel Parrilla Gutiérrez wrote:
Hello, this is my first message to this list and I am also a bit new to
mod_perl.
My question is simple, in all the documentation I have found about mod_perl
and auth (like practical mod perl, or writing apache modules in perl and c)
they are always using AuthType Basic, so when the user tries to access some
protected content, a pop-up window will appear to ask for name/pass.

What I want to do is to use a formulary instead of that pop-up window. As
far as I know looking at AuthCookie, for example, there they define
"AuthType Sample::AuthCookie" and they also define a login.pl and different
configs in the conf files.

I want to know the different steps to define and use a form instead of
AuthType Basic.
Have a look here :
http://cpan.uwinnipeg.ca/htdocs/Apache-AuthCookie/Apache2/AuthCookie.html
and scroll to the section
THE LOGIN SCRIPT

If you install that module, it comes along with examples.
AAA is tricky, and maybe not the easiest way to start playing with mod_perl.  But this documentation
is well-done, and should get you started, if you follow it carefully.
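
The authentication handler described in this thread, as an added example that is not code from any of the posters or from Apache::AuthCookie: it reads the AuthTicket from the Cookie header or from the first URL path segment, validates it, sets the request user, and returns the status codes David lists. The module name My::FormAuth, the PerlSetVar name TicketSecret and the signed ticket layout (user-expiry-hexmac) are assumptions made for illustration.

```perl
package My::FormAuth;                 # hypothetical module name
use strict;
use warnings;
use Apache2::RequestRec ();           # $r->user, $r->uri, $r->headers_in
use Apache2::RequestUtil ();          # $r->dir_config
use Apache2::Access ();               # $r->auth_type, $r->some_auth_required
use APR::Table ();                    # ->get on the header table
use Apache2::Const -compile => qw(OK DECLINED FORBIDDEN);
use Digest::SHA qw(hmac_sha256_hex);

# Assumed ticket layout (not from the thread): user-expiry-hexmac, where
# hexmac = HMAC-SHA256("user-expiry", secret) and expiry is epoch seconds.
sub check_ticket {
    my ($ticket, $secret, $now) = @_;
    my ($user, $expiry, $mac) = $ticket =~ /\A(\w+)-(\d+)-([0-9a-f]{64})\z/
        or return;
    my $want = hmac_sha256_hex("$user-$expiry", $secret);
    # Compare all 64 characters so timing does not reveal the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 63;
    return if $diff or $expiry < $now;
    return $user;
}

# Ticket from the Cookie header, else from the first URL path segment.
# URL tickets end up in access logs and Referer headers, so keep them short-lived.
sub find_ticket {
    my ($r) = @_;
    my $cookie = $r->headers_in->get('Cookie') || '';
    return $1 if $cookie =~ /(?:\A|;\s*)AuthTicket=([^;\s]+)/;
    return $1 if $r->uri =~ m{\A/(\w+-\d+-[0-9a-f]{64})/};
    return;
}

sub authen_handler {
    my ($r) = @_;
    # Requests configured with a different AuthType belong to other modules.
    return Apache2::Const::DECLINED
        unless ($r->auth_type || '') eq __PACKAGE__;
    my $secret = $r->dir_config('TicketSecret');   # assumed PerlSetVar name
    my $ticket = find_ticket($r);
    my $user = defined $ticket && defined $secret
        ? check_ticket($ticket, $secret, time) : undef;
    if (defined $user) { $r->user($user); return Apache2::Const::OK }
    # No valid ticket: refuse only when the location has a Require directive.
    return $r->some_auth_required
        ? Apache2::Const::FORBIDDEN : Apache2::Const::OK;
}
1;
```

It would be wired in with `AuthType My::FormAuth`, `PerlAuthenHandler My::FormAuth::authen_handler`, a `PerlSetVar TicketSecret` value and `Require valid-user`. The URL form additionally needs the PerlMapToStorageHandler mentioned in the first reply to strip the ticket segment before the file lookup.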


