Re: [Catalyst] Catalyst with HTTP authentication
On 25 Mar 2013, at 11:54, Robert Rothenberg rob...@gmail.com wrote: I'd suggest updating the documentation for A::C::Remote accordingly. (I can do this if you point me in the direction of the git repo) git://git.shadowcat.co.uk/catagits/Catalyst-Plugin-Authentication.git is the read only repository URI (as per META.yml) Cheers t0m ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 22 Mar 2013, at 13:34, Robert Rothenberg rob...@gmail.com wrote:
I'm unsure what to do here. Should I write a Plack::Middleware plugin that
translates the X-Proxy-REMOTE_USER header to an env-{REMOTE_USER}?
That's exactly what's needed here :)
Cheers
t0m
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 25/03/13 14:08 Tomas Doran wrote:
On 22 Mar 2013, at 13:34, Robert Rothenberg rob...@gmail.com wrote:
I'm unsure what to do here. Should I write a Plack::Middleware plugin that
translates the X-Proxy-REMOTE_USER header to an env-{REMOTE_USER}?
That's exactly what's needed here :)
Ok. After faffing about, I've figured it out. I've created a module
package Plack::Middleware::MyRemote;
use parent qw( Plack::Middleware );
use Plack::Util;
sub call {
my ($self, $env) = @_;
$env-{REMOTE_USER} = $env-{HTTP_X_PROXY_REMOTE_USER}
if ($env-{HTTP_X_PROXY_REMOTE_USER});
my $res = $self-app-($env);
return $res;
}
1;
and modified myapp.psgi to
use strict;
use warnings;
use MyApp;
use Plack::Builder;
my $app = Drain-apply_default_middlewares(Drain-psgi_app);
builder {
enable Plack::Middleware::MyRemote;
$app;
};
that seems to work now.
In the Apache configuration, I need to add:
RequestHeader unset X-Proxy-REMOTE_USER
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Proxy-REMOTE_USER %{RU}e
along with the requirement to log in for the specific directory.
I'd suggest updating the documentation for A::C::Remote accordingly. (I can
do this if you point me in the direction of the git repo)
This seems to work properly.
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 14/03/13 08:51 Tomas Doran wrote:
On 12 Mar 2013, at 17:10, Robert Rothenberg rob...@gmail.com wrote:
(Unless you mean you want to do the authentication on the proxy,
rather than the app servers).
I want to do the latter.
You should still be able to use Authentication::Credential::Remote,
you'll just need to re-configure your web server and proxy to do the
right thing with headers (i.e. the proxy needs to send the username along
in a header, and then the web server needs to pass that down into the
environment.
Have a go and post some configs for your proxy / web server if it isn't
working for you.
I understand how to have an Apache reverse proxy send the REMOTE_USER as a
header, with something like
RequestHeader set X-Proxy-REMOTE-USER %{REMOTE_USER}
but how to I get Authentication::Credential::Remote to use the header
instead of the environment variable? Do I need an auto method in Root.pm
that checks for the header and sets $c-req-remote_user()?
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 22/03/13 11:46 Robert Rothenberg wrote:
I understand how to have an Apache reverse proxy send the REMOTE_USER as a
header, with something like
RequestHeader set X-Proxy-REMOTE-USER %{REMOTE_USER}
but how to I get Authentication::Credential::Remote to use the header
instead of the environment variable? Do I need an auto method in Root.pm
that checks for the header and sets $c-req-remote_user()?
I have code such as
if (my $user = $c-req-header('X-Proxy-REMOTE-USER')) {
$c-engine-env({ REMOTE_USER = $user });
$c-authenticate({});
}
which works, but I get a warning env as a writer is deprecated, you
probably need to upgrade Catalyst::Engine::PSGI.
I'm unsure what to do here. Should I write a Plack::Middleware plugin that
translates the X-Proxy-REMOTE_USER header to an env-{REMOTE_USER}?
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 14/03/13 08:51 Tomas Doran wrote: On 12 Mar 2013, at 17:10, Robert Rothenberg rob...@gmail.com wrote: (Unless you mean you want to do the authentication on the proxy, rather than the app servers). I want to do the latter. You should still be able to use Authentication::Credential::Remote, you'll just need to re-configure your web server and proxy to do the right thing with headers (i.e. the proxy needs to send the username along in a header, and then the web server needs to pass that down into the environment. Have a go and post some configs for your proxy / web server if it isn't working for you. I haven't found any decent documentation on that, so gave up and just used to HTTP authentication plugin, which appears to be working. ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 12 Mar 2013, at 17:10, Robert Rothenberg rob...@gmail.com wrote: (Unless you mean you want to do the authentication on the proxy, rather than the app servers). I want to do the latter. You should still be able to use Authentication::Credential::Remote, you'll just need to re-configure your web server and proxy to do the right thing with headers (i.e. the proxy needs to send the username along in a header, and then the web server needs to pass that down into the environment. Have a go and post some configs for your proxy / web server if it isn't working for you. Cheers t0m ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
Thanks. That worked, but I'll take a look at Catalyst::Authentication::Credential::Remote ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 2013-03-11 16:37, Lukas Thiemeier wrote: From reading the docs, I don't see why Catalyst::Authentication::Store::Htpasswd and Catalyst::Authentication::Credential::HTTP do not work together, but I have not used any of them. I am using Catalyst::Authentication::Credential::Remote in a current project. It lets the webserver do all the authentication. You can use any authentication method and storage which is supported by your webserver, including htpasswd files. Having the webserver do the authentication means you are depending on it to support the type of authentication you want to use. I'd prefer having the authentication in the app with the exact same code for production and testing over ::Remote. I am using Catalyst::Authentication::Credential::Testing for authentication when the webserver is not available (when running the catalyst test-server during development). Maybe this is an option for you... cheers, Lukas On 03/11/2013 03:10 PM, Robert Rothenberg wrote: I have a project that requires using HTTP authentication. There is a Catalyst::Authentication::Credential::HTTP module, but from the documentation, it does not seem to support using htpasswd files, which I need, because a separate web site will be using that file. There is Catalyst::Authentication::Store::Htpasswd, but it does not work with Catalyst::Authentication::Credential::HTTP. I'm not clear on how to do this, without having to write my own handlers for HTTP authentication. ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/ ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/ *** T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b *** Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately. *** ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 11/03/13 15:37 Lukas Thiemeier wrote: I am using Catalyst::Authentication::Credential::Remote in a current project. It lets the webserver do all the authentication. You can use any authentication method and storage which is supported by your webserver, including htpasswd files. How do you pass the remote user in a reverse proxy? ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 12 Mar 2013, at 13:20, Robert Rothenberg rob...@gmail.com wrote: On 11/03/13 15:37 Lukas Thiemeier wrote: I am using Catalyst::Authentication::Credential::Remote in a current project. It lets the webserver do all the authentication. You can use any authentication method and storage which is supported by your webserver, including htpasswd files. How do you pass the remote user in a reverse proxy? It's just http headers, it'll just transparently pass through the proxy. (Unless you mean you want to do the authentication on the proxy, rather than the app servers). Cheers t0m ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 12/03/13 15:36 Tomas Doran wrote: On 12 Mar 2013, at 13:20, Robert Rothenberg rob...@gmail.com wrote: On 11/03/13 15:37 Lukas Thiemeier wrote: I am using Catalyst::Authentication::Credential::Remote in a current project. It lets the webserver do all the authentication. You can use any authentication method and storage which is supported by your webserver, including htpasswd files. How do you pass the remote user in a reverse proxy? It's just http headers, it'll just transparently pass through the proxy. (Unless you mean you want to do the authentication on the proxy, rather than the app servers). I want to do the latter. ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 03/12/2013 01:07 PM, Alexander Hartmaier wrote: Having the webserver do the authentication means you are depending on it to support the type of authentication you want to use. I'd prefer having the authentication in the app with the exact same code for production and testing over ::Remote. Everything has its pros and cons. If you do all your authentication in your app, you depend on existing modules for the desired authentication method, or you have to write your own authentication code. I prefer using stable and tested mechanisms over writing my own code (if possible). And if a tool lacks some features which I need, I just use something else (again, if possible). I guess 90% of all webservers support most common authentication methods. Until now, I used DBIC based authentication within my app, and ::Remote for everything else. But until now everything else is just one project which requires digest, certificates and kerberos authentication. I guess there is no better in this case. Its a matter of personal preferences and use case. Concerning the differing code for testing and production: I agree. This truly is a disadvantage when using ::Remote cheers, Lukas ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
[Catalyst] Catalyst with HTTP authentication
I have a project that requires using HTTP authentication. There is a Catalyst::Authentication::Credential::HTTP module, but from the documentation, it does not seem to support using htpasswd files, which I need, because a separate web site will be using that file. There is Catalyst::Authentication::Store::Htpasswd, but it does not work with Catalyst::Authentication::Credential::HTTP. I'm not clear on how to do this, without having to write my own handlers for HTTP authentication. ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
On 11 Mar 2013, at 14:10, Robert Rothenberg rob...@gmail.com wrote: There is Catalyst::Authentication::Store::Htpasswd, but it does not work with Catalyst::Authentication::Credential::HTTP. Why? How? Cheers t0m ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
Ditto. I am also using Catalyst::Authentication::Credential::Remote, and it is working just fine. -Tim On Mon, Mar 11, 2013 at 9:37 AM, Lukas Thiemeier spamcatc...@thiemeier.netwrote: From reading the docs, I don't see why Catalyst::Authentication::Store::Htpasswd and Catalyst::Authentication::Credential::HTTP do not work together, but I have not used any of them. I am using Catalyst::Authentication::Credential::Remote in a current project. It lets the webserver do all the authentication. You can use any authentication method and storage which is supported by your webserver, including htpasswd files. I am using Catalyst::Authentication::Credential::Testing for authentication when the webserver is not available (when running the catalyst test-server during development). Maybe this is an option for you... cheers, Lukas On 03/11/2013 03:10 PM, Robert Rothenberg wrote: I have a project that requires using HTTP authentication. There is a Catalyst::Authentication::Credential::HTTP module, but from the documentation, it does not seem to support using htpasswd files, which I need, because a separate web site will be using that file. There is Catalyst::Authentication::Store::Htpasswd, but it does not work with Catalyst::Authentication::Credential::HTTP. I'm not clear on how to do this, without having to write my own handlers for HTTP authentication. ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/ ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/ ___ List: Catalyst@lists.scsys.co.uk Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/ Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
Hi,
I just had some time to try it: C::Authentication::Credential::HTTP and
C::Authentication::Store::Htpasswd work together just fine. Here is my
setup:
in TestApp.pm:
use Catalyst qw/
ConfigLoader
Authentication
/;
__PACKAGE__-config(
Plugin::Authentication = {
realms = {
default = {
credential = {
class = 'HTTP',
type = basic,
password_field = 'check_password',
password_type = 'self_check',
},
store = {
class = 'Htpasswd',
file = /tmp/htpasswd,
},
},
},
},
);
and in Controller/Root.pm (or wherever you need it):
sub index :Path :Args(0) {
my ( $self, $c ) = @_;
$c-authenticate;
if($c-user_exists){
$c-res-body(logged in);
}
}
The tricky part is that you have to set password_field and
password_type correctly, which is not documented. (You have to know
how Catalyst Authentication works and read the docs for Authen::Htpasswd
to find out)
I still recommend to use C::A::Credential::Remote. Let the server do the
job, and keep your application small and simple.
Plus: You can add digest authentication, certificate authentication,
kerberos authentication and whatever your server supports without
modifying your application.
Lukas
On 03/11/2013 03:10 PM, Robert Rothenberg wrote:
I have a project that requires using HTTP authentication.
There is a Catalyst::Authentication::Credential::HTTP module, but from the
documentation, it does not seem to support using htpasswd files, which I
need, because a separate web site will be using that file.
There is Catalyst::Authentication::Store::Htpasswd, but it does not work
with Catalyst::Authentication::Credential::HTTP.
I'm not clear on how to do this, without having to write my own handlers for
HTTP authentication.
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
Re: [Catalyst] Catalyst with HTTP authentication
I realized that you don't even have to set password_field correctly.
Something was going terribly wrong in my head, sorry for that.
Only password_type has to be set to self_check, but this is documented.
This means that there is no tricky part at all. Just configure both
modules as described in their documentation.
Lukas
On 03/11/2013 07:54 PM, Lukas Thiemeier wrote:
Hi,
I just had some time to try it: C::Authentication::Credential::HTTP and
C::Authentication::Store::Htpasswd work together just fine. Here is my
setup:
in TestApp.pm:
use Catalyst qw/
ConfigLoader
Authentication
/;
__PACKAGE__-config(
Plugin::Authentication = {
realms = {
default = {
credential = {
class = 'HTTP',
type = basic,
password_field = 'check_password',
password_type = 'self_check',
},
store = {
class = 'Htpasswd',
file = /tmp/htpasswd,
},
},
},
},
);
and in Controller/Root.pm (or wherever you need it):
sub index :Path :Args(0) {
my ( $self, $c ) = @_;
$c-authenticate;
if($c-user_exists){
$c-res-body(logged in);
}
}
The tricky part is that you have to set password_field and
password_type correctly, which is not documented. (You have to know
how Catalyst Authentication works and read the docs for Authen::Htpasswd
to find out)
I still recommend to use C::A::Credential::Remote. Let the server do the
job, and keep your application small and simple.
Plus: You can add digest authentication, certificate authentication,
kerberos authentication and whatever your server supports without
modifying your application.
Lukas
On 03/11/2013 03:10 PM, Robert Rothenberg wrote:
I have a project that requires using HTTP authentication.
There is a Catalyst::Authentication::Credential::HTTP module, but from the
documentation, it does not seem to support using htpasswd files, which I
need, because a separate web site will be using that file.
There is Catalyst::Authentication::Store::Htpasswd, but it does not work
with Catalyst::Authentication::Credential::HTTP.
I'm not clear on how to do this, without having to write my own handlers for
HTTP authentication.
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
