On Wednesday 04 September 2002 10:30, Mark A. Hershberger wrote:

> Is it possible that you could point me to a working set of
> examples?  Something that covers authentication with Session?  I

I use the following a lot, and this is the well-tested variant:

==== httpd.conf
PerlModule Apache::AxKit::Plugin::Session

AxAddXSPTaglib AxKit::XSP::Session
AxAddXSPTaglib AxKit::XSP::Auth
AxAddXSPTaglib AxKit::XSP::Global

# this shows the login page whenever a user accesses a page she has
# no privileges for - leave out to use a regular 403 page
ErrorDocument 403 /redirect?url=/login.xsp

<Location />
    AuthType Apache::AxKit::Plugin::Session
    AuthName AxKitSession
    PerlAuthenHandler Apache::AxKit::Plugin::Session->authenticate
    PerlAuthzHandler Apache::AxKit::Plugin::Session->authorize
    require valid-user
</Location>

<Location /admin>
    # for this to work, your login procedure must set group privileges on
    # login, and those users being in the 'admin' group are allowed
    require group admin
    # This would simply allow anyone who has a valid account:
    # require not user guest
</Location>

========== login.xsp

<?xml version="1.0" encoding="ISO-8859-1"?>
<xsp:page language="Perl"
 xmlns:xsp="http://www.apache.org/1999/XSP/Core"
 xmlns:session="http://www.apache.org/1999/XSP/Session"
 xmlns:auth="http://www.creITve.de/2002/XSP/Auth"
 xmlns:esql="http://apache.org/xsp/SQL/v2"
 xmlns="http://www.w3.org/1999/xhtml"
>

<html>
<head>
<title>Login</title>
</head>
<body>
<xsp:logic>
if (<auth:is-logged-in/>) {
  <h1>Welcome!</h1>
  <p>You are logged in as: <auth:get-access type="user"/></p>
  <p>Please choose:
    <ul>
      <xsp:logic>
        if (<auth:has-permission target="/admin/"/>) {
          <li><a href="admin/">Administration</a></li>
        }
      </xsp:logic>
      <li><a href="/">Front page</a></li>
      <li><a href="logout.xsp">Abmelden</a></li>
    </ul>
  </p>
} else {
  <h1>Login</h1>
  <xsp:logic>
    if ($all_fields_filled_in) {
      <esql:connection>
        <esql:pool>default</esql:pool>
        <esql:execute-query>
          <esql:query>
            SELECT login, password, groups, level
            FROM user
            WHERE login = <esql:parameter><xsp:expr>
              $user_name </xsp:expr></esql:parameter>
          </esql:query>
          <esql:results>
            <esql:row-results>
              <xsp:logic>
                if (<auth:password-matches>
                  <auth:clear>
                    <xsp:expr>$user_password</xsp:expr>
                  </auth:clear>
                  <auth:encrypted>
                    <esql:get-string column="password"/>
                  </auth:encrypted>
                </auth:password-matches>) {
                  <auth:login>
                    <auth:access type="user">
                      <esql:get-string column="login"/>
                    </auth:access>
                    <auth:access type="level">
                      <esql:get-int column="level"/>
                    </auth:access>
                    <xsp:logic>
                      foreach my $group (split(/,/,
                        <esql:get-string column="groups"/>)) {
                          <auth:access type="group">
                            <xsp:expr>$group</xsp:expr>
                          </auth:access>
                      }
                    </xsp:logic>
                  </auth:login>
                }
              </xsp:logic>
            </esql:row-results>
          </esql:results>
        </esql:execute-query>
      </esql:connection>
      <p><b><font color="red">User unknown or password
      incorrect.</font></b></p>
    }
    my $reason = <auth:get-reason/>;
    my $dest = <auth:get-location/>;
    <auth:clear-reason/>
    if ($reason) {
      if ($reason ne 'no_session_provided'
        and $reason ne 'bad_session_provided') {
          <p><b>This area is available for registered users only.</b></p>
      } else {
          <p><b>Your session has expired. For security reasons,
          you are logged out after a certain amount of idle time.</b></p>
      }
    }
    show_login_form($dest);
  </xsp:logic>
}
</xsp:logic>
</body>
</html>
</xsp:page>

======================

This login.xsp uses all features provided for a good login experience. You
have to replace "show_login_form()" and "$all_fields_filled_in" with the
correct expressions depending on what method you use for managing your form.
To automatically redirect back to the inaccessible page, be sure to have a
hidden input field named "destination" with the value of $dest.

> The docs, by the way are wrong here, as well:

Well, feel free to formulate them better. I seem to be a bit disabled when it 
comes to documenting my own code :-) Any contributions are very welcome, the 
HOWTO you described, too.

CU
Jörg
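
Added example, not part of the original message or of AxKit: stand-alone Perl stand-ins for the "show_login_form()" and "$all_fields_filled_in" placeholders mentioned above, which restrict the "destination" value to a local path and HTML-escape it before it goes into the hidden field. The helper names and the field names user_name/user_password are assumptions; wiring the helpers into the XSP page is not shown.

```perl
use strict;
use warnings;

# Hypothetical helpers; field names user_name/user_password are assumed.
my %ENT = ('&'=>'&amp;', '<'=>'&lt;', '>'=>'&gt;', '"'=>'&quot;', "'"=>'&#39;');

# Escape a value for use in HTML text or a quoted attribute.
sub escape_html {
    my ($s) = @_;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# Accept only a local path: exactly one leading "/", no backslash and no
# control characters. Anything else falls back to the front page.
sub safe_destination {
    my ($dest) = @_;
    return '/' unless defined $dest && length $dest;
    return '/' if $dest =~ /[\x00-\x1f\x7f\\]/;
    return '/' unless $dest =~ m{\A/(?!/)};
    return $dest;
}

# Stand-in for $all_fields_filled_in: both fields present and non-empty.
sub all_fields_filled_in {
    my ($params) = @_;
    for my $field (qw(user_name user_password)) {
        return 0 unless defined $params->{$field} && length $params->{$field};
    }
    return 1;
}

# Stand-in for show_login_form($dest): returns the form markup.
sub login_form_html {
    my ($dest) = @_;
    my $value = escape_html(safe_destination($dest));
    return <<"HTML";
<form method="post" action="/login.xsp">
  <input type="hidden" name="destination" value="$value"/>
  <input type="text" name="user_name"/>
  <input type="password" name="user_password"/>
  <input type="submit" value="Login"/>
</form>
HTML
}

# Constructed sample values for $dest and the request parameters.
for my $dest ('/admin/', '//other.example/x', '/a?b="c"', undef) {
    printf "%-20s -> %s\n", defined($dest) ? $dest : '(undef)',
        escape_html(safe_destination($dest));
}
print all_fields_filled_in({ user_name => 'jo', user_password => '' }), "\n";
print login_form_html('/admin/');
```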
