On 16.10.2019 05:57, Randolf Richardson wrote:
Before upgrading from Apache HTTPd v2.2 to v2.4, I highly recommend
refreshing your familiarity with the Order, Allow, and Require
directives. Also, if you're doing any authentication customization,
you'll want to take extra care with testing this as I believe the
authentication modules may have changed quite a bit too.
+many.
The change is drastic. The best perl documentation resource in that respect may
be
https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod
In very short summary :
In Apache up to 2.2, there were 3 distinct and consecutive phases, and corresponding
mod_perl handlers :
- Access Control --> PerlAccessHandler
- Authentication --> PerlAuthenHandler
- Authorization --> PerlAuthzHandler
Since Apache 2.4, this is replaced by the following schema :
- the Access Control phase (and corresponding PerlAccessHandler handler) has disapparead,
and has been merged as just one specific case of the "Authorization" phase.
- the "Authorization" phase is always called first, and IF it determines that a user-id is
needed in order to authorize access, THEN (and only then) it calls the "Authentication"
module which is configured for this particular request (URL). (Thus the
"PerlAuthenHandler" directive and modules are still valid).
And then, the "Authorization" phase is called again, until it returns either "granted" or
"denied".
Finally, the "PerlAuthzHandler" directive has also disappeared, and one has to
use the
"PerlAddAuthzProvider" directive instead (depending on the "Require"'s).
Unfortunately, the on-line mod_perl documentation does not reflect this change, and is
still at the Apache 2.2 level for AAA.
Unfortunately also, I have not been able so far to locate any Apache httpd 2.4
documentation which explains this AAA change in any level of detail.
(This should exist somewhere, as all the providers of Apache AAA modules have had to adapt
their code to this new architecture, but i haven't found it yet).
