perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Prime <>
Subject Re: Apache 2.4 Authentication/Authorization
Date Thu, 16 May 2019 13:35:45 GMT
Honestly, the best, and possibly only, source for the information you're 
after is probably the httpd source code. Unless there is some high level 
documentation that has more details than this does:

There's also this, which is supposed to be the documentation for  the C 
API that mod_perl is built on, but it has a gaping hole where the 
information about AAA should be

You might be able to get some help from people on the httpd list as well.


On 2019-05-16 5:43 a.m., André Warnier (tomcat) wrote:
> Additional info, from the mod_perl 2 documentation and elsewhere :
> 1) mod_perl :
> says that this phase is of type RUN_FIRST,
> and
> says "If the return value is Apache2::Const::DECLINED, the next handler 
> in the chain will be run. If the return value is Apache2::Const::OK the 
> next phase will start. In all other cases the execution will be aborted."
> /If that information is still valid for Apache 2.4/, then it seems that 
> the only way to achieve what I want (and which in my views matches the 
> 2.4 general AAA logic), would be to let the authentication method return 
> Apache2::Const::OK, /even if the user is not authenticated/ by the 
> configured authentication method.
> 2) from 
> (the httpd.conf section)
> This may well be the most explicit information readily available, about 
> how the Apache 2.4 authentication/authorization logic really works 
> "underneath".  At any rate, I have not been able to find a better 
> documentation anywhere.
> On 15.05.2019 15:42, André Warnier (tomcat) wrote:
>> Hi.
>> I am trying to figure out what Apache2::Const return codes /can/ be 
>> returned by a mod_perl
>> /authentication/ method under Apache 2.4+, and what consequences each 
>> of these return
>> codes has, in terms of what Apache does next.
>> (And also, where to find a commented list of the Apache "AHxxxx" error 
>> messages)
>> Does anyone know where I could find this information, other than 
>> perhaps the Apache httpd
>> source code ? (and if only there, where ?)
>> I have done multiple searches in Google, but nothing really relevant 
>> shows up (lots of
>> "receipes" there for specific cases, but no general explanation).
>> I have also consulted :
>> - the cpan Apache2::Const documentation which lists all the return 
>> codes, but without
>> comments as to what they're used for or where they are applicable.
>> - the mod_perl2 documentation
>> ( 
>> /may/ be
>> somewhat outdated, as it is in other respects for the Apache 2.4 AAA API.
>> Thanks in advance
>> (long) Context:
>> With a lot of inspiration and cut-and-paste from Apache2::AuthCookie 
>> (thanks Michael
>> Schout, also for the 2.4 doc add-on), I have written a mod_perl AAA 
>> framework
>> (aka "PerlAddAuthzProvider xxx Our::Own::Module->authz_user" ),
>> adapted to the particular needs of our applications, and which 
>> is/should be able to work
>> in conjunction with most built-in or third-party add-on Apache 
>> authentication modules
>> (such as mod_authnz_ldap, mod_shib2, etc). (This because each of our 
>> corporate customers
>> each have their own web-AAA infrastructure, and we need to be 
>> compatible with all of them).
>> Now I have the case where the authentication method itself (aka 
>> "PerlAuthenHandler
>> Our::Own::Module::XXX->authenticate") is one which we need to develop 
>> ourselves, because
>> the customer's corporate framework is somewhat "non-standard" itself.
>> Thus, our authenticate() method calls the customer's back-end method, 
>> and looks at what it
>> returns.
>> The back-end external framework can sometimes fail to authenticate a 
>> user, and returns a
>> specific response in such a case. Our authenticate() method catches 
>> this, and should then
>> itself return an appropriate return code, such that Apache 2.4 next 
>> calls the (our)
>> authz_user() method again, which can then e.g. deny/allow access to 
>> the resource.
>> If authenticate() returns Apache2::Const::HTTP_UNAUTHORIZED, then it 
>> seems that Apache
>> immediately aborts the request and returns a 401 Unauthorised response 
>> to the browser.
>> (In any case, it does /not/ call the perl AuthzProvider again).
>> (That is not really what I want; I'd like it to call authz_user() 
>> anyway, and let
>> authz_user() decide what happens next).
>> If authenticate() returns Apache2::Const::OK, then there is no Apache 
>> log message; but
>> when it calls authz_user() next, that authz_user() should be able to 
>> find out that the
>> authentication failed.
>> Or should I just leave $r->user empty in that case and check on that ? 
>> is that what the
>> other (standard) authentication modules do ?
>> If authenticate() returns Apache2::Const::DECLINE, Apache subsequently 
>> prints a message in
>> the server error log, such as :
>> [Thu May 09 20:52:31.197841 2019] [authn_core:error] [pid 9139] 
>> [client xxxx:4038]
>> AH01796: AuthType OUR::OWN::MOD configured without corresponding 
>> module ..
>> (and it does not call the AuthzProvider again either).
>> (I think that I understand why it does that, since the only 
>> authentication method
>> configured is mine, and it returns DECLINED)
>> Or else, what could authenticate() return ?
>> I can of course do several trials returning different things and see 
>> what works, but I
>> would prefer to know the official do's and don'ts and the Apache 2.4 
>> logic behind them.

View raw message