Thanks for your reply André. As it happens the application's security
policy for authorization is defined in terms of the group assertions.
Dropping that would stop the functionality that protects the various users
from accessing functionality they should not be able to.
David
On Apr 1, 2014 6:23 AM, "André Warnier" <a...@ice-sa.com> wrote:
> Skylos wrote:
>
>> Trying to migrate an application to mod_perl under apache 2.2 but my
>> custom
>> auth handlers are blowing up on failure to understand '$r->requires'
>> method. The best I can make of it is that apache 2.2 revamped the auth
>> system requiring the definition of providers (like 'group' allowing the
>> 'Require group xxxx' directive in the config file.
>>
>> It seems then that I need to define my own authentication provider...
>> perl-group? mycustomauth-group, so i can say
>>
>> Require mycustomauthgroup admin
>>
>> Thus get the proper ->requires information during the authorization phase
>> for checking?
>>
>> David
>>
>> PS: I apologize for not being able to derive this answer from my search
>> and
>> browsing of the mailing list archives if the answer is in there. I found
>> some that seemed exactly related to this issue under topic mp 2.0.3 make
>> test fails against httpd trunk: Has authorisation changed since httpd 2.2
>> ? but
>> was unable to find anything about actually defining these authorization
>> providers...
>>
>>
> Hi.
> This is not really an answer to your question, but I felt it might help
> anyway, only to allow you to sleep better..
> I also wrote my own authentication framework for Apache/mod_perl (using
> Apache2::AuthCookie as base, many thanks to the author and maintainers),
> and I do not recall having had to do any major surgery to it between 2.0
> and 2.2 (2.4 may be another matter though).
> In any case, I am sure that the "group" aspect is not needed, because I
> don't do that at all and my stuff still works fine.
>
> So, while I'm not the ultimate expert, I would think that whatever you may
> have to do is probably less major than what you are hinting at above.
> HTH.
>
> P.S. check the code for Apache2::AuthCookie for many tips (sub
> authorize{}).
> I am using its get_statisfy() and satisfy_is_valid() subs.
> And I only use "require user xxx" or "require valid user" in the Apache
> config.
>
