perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Set AuthName to prompt for sequential passwords
Date Mon, 20 Dec 2010 09:46:04 GMT
Hi.

Without going into the details of your code, I believe that what you are bumping against 
may be the very nature of HTTP.

In your scheme, you need 2 consecutive interactions with the user, and the second one 
needs to be able to "remember" what the first one was.
The basic logic of HTTP goes against that : each request/response cycle is totally 
independent of the others, and there is no "memory" kept between two transactions.
At least not by HTTP itself. Think that between your first interaction, and the second, 
there may have been 1000 other request/response cycles happening for other users.

So the only way to do this, is by super-imposing some kind of "session" mechanism, whereby

the server can detect, on the second request, that there has been a first one, and what 
its results were.
There are various such schemes, but the simplest mechanism for doing that is probably via

cookies.
Your first request/response should set a "step 1 cookie", which is detected and read by 
the second request/response cycle, which then modifies that cookie into a "step 2 cookie".
Your real application areas should then require the step 2 cookie for authenticating a 
user and granting the resource.

I think that trying to do this by playing with the "realm", which is intimately linked to

the URL requested by the browser, is going to lead you into loops of logic.



Matt Puumala wrote:
> Greetings!
> 
> I am trying to make a two-factor authentication module, built on
> AuthType Basic. (google for Perfect Paper Passwords for the scheme I'm
> using).  To make it work, I need to be able to prompt the user to type
> in two passwords sequentially.
> 
> So, the user comes to the page, apache sends "401 AuthRequired" and
> the configured AuthName (this is prompt 1).
> 
> The user enters username and first password. The module verifies, and
> constructs the second prompt.
> 
> In my plan, I'd like to set the AuthName for that client, then send
> back "401 AuthRequired" again. The new AuthName realm is prompt 2,
> which is shown to the user.
> 
> However, I'm having problems changing the AuthName.
> 
> I'm starting with extremely simple test bed, using output files to
> dump data.
> 
> I expected the "Old Auth Name" to be "Testing the Thing", and the "New
> Auth Name" to be "Simple String". But the Auth Name doesn't change.
> 
> This is my first apache module. Is there something in the intricacies
> of the request cycle that I'm missing? Or is there some other obviously
> better way to prompt for passwords sequentially?
> 
> 
> Server: Windows XP running XAMPP.
> Server version: Apache/2.2.14 (Win32)
> Server built:   Nov 11 2009 14:29:03
> mod_perl/2.0.4 Perl/v5.10.1
> 
> ------- Auth Handler Skeleton ---------------
> package CustomAuth::AuthTwoPW;
> 
> use strict;
> use Apache2::Const qw(:common);
> use Apache2::Access ();
> 
> sub handler
> {
>   my $r = shift;
>   my($res, $sent_pw) = $r->get_basic_auth_pw;
> 
>   # debug output
>    my $FH;
>    open  $FH, ">", "/Documents and Settings/Matt/Desktop/stuff.txt";
>    my $stoij = "response is " . $res . "\nSent pw is " . $sent_pw . "\n";
>   print $FH $stoij;
> 
>   return $res if $res != OK;
> 
>   my $user = $r->connection->user;
>   unless($user eq "matt" and $sent_pw eq "pw1")
>   {
> 
>     print $FH "Didnt get good pw, returning AUTH_REQUIRED\n";
> 
>     $r->note_basic_auth_failure;
>     $r->log_error("Didn't get good first password",
> 		   $r->filename);
>     return AUTH_REQUIRED;
>   }
> 
>   # Got first username/pw combo. RESET, change prompts, and get next set
> 
>   # reset prompts
>   my $oldval = $r->auth_name("Simple String");
>   my $newval = $r->auth_name();
> 
>   print $FH "Old authname val is " . $oldval . "\n";
>   print $FH "New authname val is " . $newval . "\n";
> 
>   # Reset headers so client auth's again
>   $r->note_basic_auth_failure;
> 
>   # ask for second pw
>   return AUTH_REQUIRED;
> 
> 
> } # closes 'handler'
> 
> 1;
> ------- END Auth Handler Skeleton ---------------
> 
> ------- Debug File Output -----------------
> response is 0
> Sent pw is pw1
> Old authname val is Testing The Thing
> New authname val is Testing The Thing
> ------- END Debug File Output -----------------
> 
> 
> ------- ModPerl Config ----------------------
> LoadFile "C:/Documents and Settings/Matt/My
> Documents/xampp/perl/bin/perl510.dll"
> LoadModule perl_module modules/mod_perl.so
> LoadModule apreq_module modules/mod_apreq2.so
> 
> PerlSwitches -T
> PerlPostConfigRequire "C:/Documents and Settings/Matt/My
> Documents/xampp/apache/conf/extra/startup.pl"
> 
> 
> ...[ snip ]...
> 
> 
> <Directory "C:/Documents and Settings/Matt/My
> Documents/xampp/htdocs/authenticatedstuff">
>   SetHandler perl-script
>   AuthName "Testing The Thing"
>   AuthType Basic
>   PerlOptions +GlobalRequest
>   PerlAuthenHandler CustomAuth::AuthTwoPW
>   require valid-user
> </Directory>
> 
> 
> # ASP settings
> Include "conf/extra/asp.conf"
> ------- END ModPerl Config ----------------------
> 


Mime
View raw message