modperl-flexible_auth_process

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



To: "J. Zobel" <nc-zobeljo@netcologne.de>
From: Eric Cholet <cholet@logilune.com>
Subject: RE: Auth Handlers
Date: Wed, 12 Dec 2001 13:53:15 +0100

"J. Zobel" <nc-zobeljo@netcologne.de> wrote:

> On Tue, 2001-12-11 at 21:00, Stathy Touloumis wrote:
>> Actually, I DON'T want the browser to prompt for a username/pass.  I saw
>> the examples in the eagle book and they all seem to use Authz, with Auth
>> handlers using the example you showed.
>> Perhaps I need to modify the headers so that the prompt does not occur?
>
> I have the exact same problem. I want my AuthenHandler to decide if the
> user is prompted for a password. Unfortunately "the book" tells me:
>
> "By the time the handler is called, Apache will have done most of the
> work in negotiating the HTTP Basic authentication protocol. It will have
> alerted the browser that authentication is required to access the page,
> and the browser will have prompted the user to enter his name and
> password."
>
> Has anybody got an idea how to let a handler decide if authen. is
> required?

You could use a PerlAccessHandler; if you figure authentication isn't required,
you run
   $r->set_handlers(PerlAuthenHandler => [\&OK]);

===
To: "J. Zobel" <nc-zobeljo@netcologne.de>
From: "Stathy Touloumis" <stathy.touloumis@edventions.com>
Subject: RE: Auth Handlers
Date: Wed, 12 Dec 2001 10:28:13 -0600

What I have done is moved our specific auth handler down the chain into the
'fixup' state but it would be much nicer (and intuitive) to place it in the
appropriate position.

===

To: <modperl@apache.org>
From: "Stathy Touloumis" <stathy.touloumis@edventions.com>
Subject: RE: Auth Handlers
Date: Wed, 12 Dec 2001 10:31:37 -0600

Right, this is fairly obvious but we are trying to prevent apache from
sending the 'login' headers if successful authorization does not occur.  It
seems to me that to do this the handler will need to be moved up or down the
chain which can be unintuitive.

===

To: modperl@apache.org
From: lembark@wrkhors.com
Subject: RE: Auth Handlers
Date: Wed, 12 Dec 2001 13:07:18 -0600

Stathy Touloumis <stathy.touloumis@edventions.com> on 12/12/01 10:31:37 -0600

> Right, this is fairly obvious but we are trying to prevent apache from
> sending the 'login' headers if successful authorization does not occur.  It
> seems to me that to do this the handler will need to be moved up or down the
> chain which can be unintuitive.

Another approach is to use a separate "login" site and
redirect people there if they don't meet the auth
criteria to begin with. This way you don't have to send
AUTH_REQUIRED, just a redirect (or internal redirect).
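
As an added example (not code from any poster in this thread), the two suggestions above, a PerlAccessHandler that calls set_handlers and a redirect to a separate login page, can be combined in one mod_perl 1.x access handler. The module name, the `session` cookie format (`user:expiry:hmac`), the `SessionSecret` PerlSetVar and the `/login` URL are assumptions made for illustration.

```perl
package My::CookieGate;    # hypothetical module name
use strict;
use Apache::Constants qw(OK REDIRECT);
use Digest::SHA qw(hmac_sha256_hex);

# Constant-time comparison so the MAC check does not leak timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the user name carried by a "user:expiry:mac" value, or undef if the
# value is malformed, forged or expired. The format is an assumption.
sub verify_session {
    my ($value, $secret, $now) = @_;
    my ($user, $expiry, $mac) =
        ($value || '') =~ /^([\w.-]{1,64}):(\d{1,10}):([0-9a-f]{64})$/
        or return;
    return unless ct_eq($mac, hmac_sha256_hex("$user:$expiry", $secret));
    return if $expiry < $now;
    return $user;
}

sub handler {
    my $r = shift;
    # Fail closed (500) if the secret is missing from the configuration.
    my $secret = $r->dir_config('SessionSecret') or die "SessionSecret not set";
    my ($cookie) = ($r->header_in('Cookie') || '') =~ /(?:^|;\s*)session=([^;]+)/;

    if (defined(my $user = verify_session($cookie, $secret, time))) {
        $r->connection->user($user);    # so logs and later phases see the user
        # Valid session: replace the authen phase so no Basic prompt is sent.
        $r->set_handlers(PerlAuthenHandler => [\&OK]);
        return OK;
    }
    # No valid session: send a fixed redirect instead of AUTH_REQUIRED.
    # The target is a constant, never taken from the request.
    $r->header_out(Location => '/login');
    return REDIRECT;
}
1;
```

Install it with `PerlAccessHandler My::CookieGate` on the protected location only; `/login` must sit outside that location or the redirect loops.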


===

To: Stathy Touloumis <stathy.touloumis@edventions.com>
From: Ged Haywood <ged@www2.jubileegroup.co.uk>
Subject: RE: Auth Handlers
Date: Thu, 13 Dec 2001 11:56:07 +0000 (GMT)

Hi there,

On Tue, 11 Dec 2001, Stathy Touloumis wrote:

> : )  No problem,  I guess I am unsure if this is the proper way to set up an
> Access, Authen, Authz handler.  When I use this configuration my 'handler()'
> method does not get called and I get an error in the logs:
> [Mon Dec 10 13:13:03 2001] [crit] [client 192.168.0.1] configuration error:
> couldn't check user.  No user file?: /index.html

I think Apache is looking for the wrong file.  Check the
config for AuthUserFile.  Did you use htpasswd to create it?

> I tried moving it down to be an Authz handler but the same error occurs.
> However, if I push this package as a FixupHandler it works fine and the
> 'handler()' method gets called.

You mean you want to do authorization in a FixupHandler??

If you like I can let you have some scripts which will show you one way of
checking for authorization without a second request for a username/password,
assuming that at some stage in the browser session one was already supplied.
Is that what you meant?

===

To: "Ged Haywood" <ged@www2.jubileegroup.co.uk>
From: "Stathy Touloumis" <stathy.touloumis@edventions.com>
Subject: RE: Auth Handlers
Date: Thu, 13 Dec 2001 09:34:08 -0600

He he : )  I think this discussion is being miscommunicated (if that is a
relevant word).  I do not want authorization to be performed in the typical
manner.  Perhaps I want the information from a form submit or a cookie.  I
understand how the Apache authentication configuration works but I want to
strictly use mod_perl to modify the authentication mechanisms without the
standard Apache intervention.

> You mean you want to do authorization in a FixupHandler??

No, this is what I currently have to do to avoid Apache from sending the
'auth request' headers to the browser and still perform custom
authentication via a form submit, cookie, etc.

Thanks,

===
