From: André Warnier
Reply-To: mod_perl list
To: mod_perl list
Subject: Re: Set AuthName to prompt for sequential passwords
Date: Mon, 20 Dec 2010 10:46:04 +0100
Message-ID: <4D0F25DC.8000204@ice-sa.com>

Hi.

Without going into the details of your code, I believe that what you are bumping against may be the very nature of HTTP.
In your scheme, you need 2 consecutive interactions with the user, and the second one needs to be able to "remember" what the first one was. The basic logic of HTTP goes against that: each request/response cycle is totally independent of the others, and there is no "memory" kept between two transactions. At least not by HTTP itself. Think that between your first interaction, and the second, there may have been 1000 other request/response cycles happening for other users.

So the only way to do this is by superimposing some kind of "session" mechanism, whereby the server can detect, on the second request, that there has been a first one, and what its results were.

There are various such schemes, but the simplest mechanism for doing that is probably via cookies. Your first request/response should set a "step 1 cookie", which is detected and read by the second request/response cycle, which then modifies that cookie into a "step 2 cookie". Your real application areas should then require the step 2 cookie for authenticating a user and granting the resource.

I think that trying to do this by playing with the "realm", which is intimately linked to the URL requested by the browser, is going to lead you into loops of logic.

Matt Puumala wrote:
> Greetings!
>
> I am trying to make a two-factor authentication module, built on
> AuthType Basic. (google for Perfect Paper Passwords for the scheme I'm
> using). To make it work, I need to be able to prompt the user to type
> in two passwords sequentially.
>
> So, the user comes to the page, apache sends "401 AuthRequired" and
> the configured AuthName (this is prompt 1).
>
> The user enters username and first password. The module verifies, and
> constructs the second prompt.
>
> In my plan, I'd like to set the AuthName for that client, then send
> back "401 AuthRequired" again. The new AuthName realm is prompt 2,
> which is shown to the user.
>
> However, I'm having problems changing the AuthName.
>
> I'm starting with an extremely simple test bed, using output files to
> dump data.
>
> I expected the "Old Auth Name" to be "Testing the Thing", and the "New
> Auth Name" to be "Simple String". But the Auth Name doesn't change.
>
> This is my first apache module. Is there something in the intricacies
> of the request cycle that I'm missing? Or is there some other obviously
> better way to prompt for passwords sequentially?
>
>
> Server: Windows XP running XAMPP.
> Server version: Apache/2.2.14 (Win32)
> Server built: Nov 11 2009 14:29:03
> mod_perl/2.0.4 Perl/v5.10.1
>
> ------- Auth Handler Skeleton ---------------
> package CustomAuth::AuthTwoPW;
>
> use strict;
> use Apache2::Const qw(:common);
> use Apache2::Access ();
>
> sub handler
> {
>     my $r = shift;
>     my($res, $sent_pw) = $r->get_basic_auth_pw;
>
>     # debug output
>     my $FH;
>     open $FH, ">", "/Documents and Settings/Matt/Desktop/stuff.txt";
>     my $stoij = "response is " . $res . "\nSent pw is " . $sent_pw . "\n";
>     print $FH $stoij;
>
>     return $res if $res != OK;
>
>     my $user = $r->connection->user;
>     unless($user eq "matt" and $sent_pw eq "pw1")
>     {
>
>         print $FH "Didnt get good pw, returning AUTH_REQUIRED\n";
>
>         $r->note_basic_auth_failure;
>         $r->log_error("Didn't get good first password",
>                       $r->filename);
>         return AUTH_REQUIRED;
>     }
>
>     # Got first username/pw combo. RESET, change prompts, and get next set
>
>     # reset prompts
>     my $oldval = $r->auth_name("Simple String");
>     my $newval = $r->auth_name();
>
>     print $FH "Old authname val is " . $oldval . "\n";
>     print $FH "New authname val is " . $newval . "\n";
>
>     # Reset headers so client auth's again
>     $r->note_basic_auth_failure;
>
>     # ask for second pw
>     return AUTH_REQUIRED;
>
>
> } # closes 'handler'
>
> 1;
> ------- END Auth Handler Skeleton ---------------
>
> ------- Debug File Output -----------------
> response is 0
> Sent pw is pw1
> Old authname val is Testing The Thing
> New authname val is Testing The Thing
> ------- END Debug File Output -----------------
>
>
> ------- ModPerl Config ----------------------
> LoadFile "C:/Documents and Settings/Matt/My Documents/xampp/perl/bin/perl510.dll"
> LoadModule perl_module modules/mod_perl.so
> LoadModule apreq_module modules/mod_apreq2.so
>
> PerlSwitches -T
> PerlPostConfigRequire "C:/Documents and Settings/Matt/My Documents/xampp/apache/conf/extra/startup.pl"
>
>
> ...[ snip ]...
>
>
> Documents/xampp/htdocs/authenticatedstuff">
>     SetHandler perl-script
>     AuthName "Testing The Thing"
>     AuthType Basic
>     PerlOptions +GlobalRequest
>     PerlAuthenHandler CustomAuth::AuthTwoPW
>     require valid-user
>
>
>
> # ASP settings
> Include "conf/extra/asp.conf"
> ------- END ModPerl Config ----------------------
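
The "step 1 cookie" / "step 2 cookie" scheme described in the reply above, as an added example that is not part of the original thread: the cookie value carries an HMAC so that the client cannot promote itself from step 1 to step 2 by editing it. The function names, the secret, the lifetime and the `user|step|issued|mac` layout are assumptions made for this sketch; it uses only the core Digest::SHA module and no mod_perl calls.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);    # core module

# Assumptions: placeholder secret, 5-minute lifetime, layout "user|step|issued|mac".
my $SECRET  = 'replace-with-a-random-server-side-secret';
my $MAX_AGE = 300;

# Issue the cookie value for a user who has completed the given step.
sub make_step_cookie {
    my ($user, $step, $now) = @_;
    die "bad user name\n" if $user =~ /\|/;
    my $payload = join '|', $user, $step, $now;
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub equal_ct {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the user name if the cookie is authentic, fresh and at the wanted step.
sub check_step_cookie {
    my ($cookie, $want_step, $now) = @_;
    my ($user, $step, $issued, $mac) = split /\|/, ($cookie // ''), -1;
    return undef unless defined $mac && $issued =~ /^\d+$/;
    my $expect = hmac_sha256_hex(join('|', $user, $step, $issued), $SECRET);
    return undef unless equal_ct($mac, $expect);    # edited or forged value
    return undef unless $step eq $want_step;        # wrong stage of the login
    return undef if $now - $issued > $MAX_AGE;      # stale
    return $user;
}

# Constructed walk-through of the two request/response cycles.
my $t0 = time;
my $c1 = make_step_cookie('matt', 1, $t0);          # first password accepted
my $c2 = make_step_cookie(check_step_cookie($c1, 1, $t0 + 10), 2, $t0 + 10);
(my $edited = $c1) =~ s/\|1\|/|2|/;                 # step field changed client-side
for my $case (
    [ 'step 2 cookie',          $c2,     $t0 + 20  ],
    [ 'step 1 cookie reused',   $c1,     $t0 + 20  ],
    [ 'step field edited',      $edited, $t0 + 20  ],
    [ 'step 2 cookie, expired', $c2,     $t0 + 400 ],
) {
    printf "%-24s %s\n", $case->[0], check_step_cookie($case->[1], 2, $case->[2]) // 'rejected';
}
```

Only the first case yields a user name; the protected area would call `check_step_cookie` with step 2 on every request and send the value with the `Secure` and `HttpOnly` cookie attributes.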