Hi.
I am trying to figure out what Apache2::Const return codes /can/ be returned by a mod_perl /authentication/ method under Apache 2.4+, and what consequences each of these return codes has, in terms of what Apache does next.
(And also, where to find a commented list of the Apache "AHxxxx" error messages)
Does anyone know where I could find this information, other than perhaps the Apache httpd source code? (and if only there, where?)
I have done multiple searches in Google, but nothing really relevant shows up (lots of "recipes" there for specific cases, but no general explanation).
I have also consulted:
- the CPAN Apache2::Const documentation, which lists all the return codes, but without comments as to what they're used for or where they are applicable.
- the mod_perl2 documentation (http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlAuthenHandler), which /may/ be somewhat outdated, as it is in other respects for the Apache 2.4 AAA API.
Thanks in advance
(long) Context:
With a lot of inspiration and cut-and-paste from Apache2::AuthCookie (thanks Michael Schout, also for the 2.4 doc add-on), I have written a mod_perl AAA framework (aka "PerlAddAuthzProvider xxx Our::Own::Module->authz_user"), adapted to the particular needs of our applications, and which is/should be able to work in conjunction with most built-in or third-party add-on Apache authentication modules (such as mod_authnz_ldap, mod_shib2, etc). (This is because each of our corporate customers has their own web-AAA infrastructure, and we need to be compatible with all of them).
Now I have the case where the authentication method itself (aka "PerlAuthenHandler Our::Own::Module::XXX->authenticate") is one which we need to develop ourselves, because the customer's corporate framework is somewhat "non-standard" itself.
Thus, our authenticate() method calls the customer's back-end method, and looks at what it returns.
The back-end external framework can sometimes fail to authenticate a user, and returns a specific response in such a case. Our authenticate() method catches this, and should then itself return an appropriate return code, such that Apache 2.4 next calls the (our) authz_user() method again, which can then e.g. deny/allow access to the resource.
If authenticate() returns Apache2::Const::HTTP_UNAUTHORIZED, then it seems that Apache immediately aborts the request and returns a 401 Unauthorised response to the browser. (In any case, it does /not/ call the Perl AuthzProvider again). (That is not really what I want; I'd like it to call authz_user() anyway, and let authz_user() decide what happens next).
If authenticate() returns Apache2::Const::OK, then there is no Apache log message; but when it calls authz_user() next, that authz_user() should be able to find out that the authentication failed.
Or should I just leave $r->user empty in that case and check on that? Is that what the other (standard) authentication modules do?
If authenticate() returns Apache2::Const::DECLINE, Apache subsequently prints a message in the server error log, such as:
[Thu May 09 20:52:31.197841 2019] [authn_core:error] [pid 9139] [client xxxx:4038] AH01796: AuthType OUR::OWN::MOD configured without corresponding module ..
(and it does not call the AuthzProvider again either).
(I think that I understand why it does that, since the only authentication method configured is mine, and it returns DECLINED)
Or else, what could authenticate() return?
I can of course do several trials returning different things and see what works, but I would prefer to know the official do's and don'ts and the Apache 2.4 logic behind them.