Hello, mod_perl users,

I have a cookies-based authentication similar to Apache2::AuthCookie,
and I have problem with setting up authentication with recognizing users
in PerlFixupHandler also for URLs accessible even without authentication
(similar to what Apache2::AuthCookie->recognize_user is supposed to do).
My httpd.conf contains something along these lines:

DocumentRoot /www

<Directory /www>
        <Files *.pl>
                SetHandler perl-script
                PerlFixupHandler My::Auth->recognize_user
                PerlResponseHandler My::Registry
        Order deny, allow
        allow from all
        DirectoryIndex index.pl

<Directory /www/auth>
        AuthName "PrivateArea"
        AuthType My::Auth
        PerlAuthenHandler My::Auth->authenticate
        require valid-user

        <Files *.pl>
                SetHandler perl-script
                PerlResponseHandler My::Registry

If I point my browser to https://my.server/auth/, the user authenticates,
and the auth info is stored in a cookie. In that case, I want subsequent
requests to Perl scripts with that cookie even outside the /auth/ area
to be recognized as authenticated, i.e. to have $r->user() nonempty.
This is what the PerlFixupHandler above is supposed to do.

It mostly works except when some URL rewriting happens:

https://my.server/index.pl works correctly (has non-empty $r->user), but
https://my.server/ without /index.pl suffix has empty $r->user, even though
I have verified that the PerlFixupHandler is also being executed and it sets
non-empty $r->user($user_from_cookie) correctly. After it returns
Apache2::Const::DECLINED, the My::Registry::handler() starts,
but it has empty $r->user, despite it being set to non-empty
in the PerlFixupHandler.

When I move the PerlFixupHandler directive outside the <Files *.pl> scope,
recognizing user works even for https://my.server/ without /index.pl, 
but then the PerlFixupHandler is unnecessarily executed even for
things like static (non-Perl) data: images, Javascript files, etc.

Why does the $r->user() value disappear between PerlFixupHandler
and PerlResponseHandler calls?



| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| http://www.fi.muni.cz/~kas/                         GPG: 4096R/A45477D5 |
> That's why this kind of vulnerability is a concern: deploying stuff is  <
> often about collecting an obscene number of .jar files and pushing them <
> up to the application server.                          --pboddie at LWN <

Reply via email to