Re: [OTish] Version Control?

[Ken Miller]

 Hey Jim --

  Also, Randal Schwartz wrote about cvs is a slightly more general
setting:
 
  http://www.linux-mag.com/2002-07/perl_01.html


 The system we use goes a bit beyond even what Randal describes (although,
he
 is on a similar track).

 In a nutshell, the Apache httpd.conf file is templatized to replace
 elements such as the IP address, host name and path names with variables.
 To start the server for a particular environment the developer runs a Perl
 program which creates a custom httpd.conf

This is so close to what I recently put together one would have to worry
about plagarism :-)

I took it one step further, in that my setup script will configure not only
the base http config files (for both proxy and app server), but also all the
database configuration scripts, and application configurations.  I did an
install for a fellow developer today in about 5 minutes - complete proxy/app
server config, build and populate database tables.  I had to edit one file,
which in turn was used to create the customized configuration files.

I don't keep the base config files in CVS - yet.  All source is in CVS, but
I haven't got around to moving the config into CVS.

Regarding deployment, I wrote a tool which goes into CVS and extracts tagged
modules.  The extracted code is placed into a tar archive with a few other
files which indicate where the code is to be installed, plus a few other
goodies.  I can then give this deployment archive to our sysadmin who can
simply type

deploy --install the-file.dar

and the code gets installed.  We have separate deployment files for the perl
libs, the Mason components, images, and a few other odds and ends.  It works
well, and it's very easy.

Why a custom deploy tool?  I didn't like the idea of using CVS on the
production server, which is in a very tightly controlled environment. I
doubt if I could have enticed the network folks to open the firewall to let
CVS traffic through in any case

Cheers!

-klm.

Prototypes and $r

[Ken Miller]

Got a phone call yesterday from a user who was complaining that every few
times a link was clicked on they were getting an Internal Server Error.
They could click back, try again, and be successful.  Further investigation
led me to find that one of the instances of my back end server was always
generating an error.

Restarts would not fix the problem - one or two of the app servers would
always throw errors

The error was this:

[Mon Sep 23 19:12:21 2002] [error] Can't call method dir_config on an
undefined value at /webroot/lib/Husky/Web/Apache
/MasonHandler.pm line 68.

The line in question is this:

my $appl_id = $r-dir_config( 'ApplID' );

So, you can see that '$r' was undefined.

The interesting thing is that the handler that's invoked for this request
has a prototype:

sub handler( $$ ) { my $class = shift; my $r = shift; ... }

and the handler is either invoked by Apache directly, or from internal logic
when a request is passed off.  The handler is invoked in one of two ways:

  __PACKAGE__-a_method_name( $r );

or

Foo::Bar::Bah-a_method_name( $r );

Now, it appears that every now and then the class reference is NOT being
sent; hence, $class actually contains $r, and $r is undefined.  This is
obviously bad, since $r-dir_config dies a horrible death.

Has anyone had a problem with this?  Is there something that might give me a
clue as to why this is failing?  In the meantime, I've when back to
referencing the sub directly, as opposed to going through the class.  It
works, but it's not as nice as a class method...

Cheers!

-klm.

+-+-+
| Kenneth (Ken) L. Miller | There are 10 kinds of people in the |
| Shetland Software Services Inc. | world: Those who understand binary, |
| [EMAIL PROTECTED]| and those who don't. (unknown)  |
+-+-+

When is Apache-server-log_error available?

[Ken Miller]

I'd like to write some status messages to the error_log during server
startup.  So, I tried

Apache-server-log_error( ... )

but it doesn't work. This works fine in the child processes.  Is the log
file not ready to write to during server startup?  Printing to STDERR does
not work either.

It's not that important, but I'd like to know regardless.

Cheers!

-klm.

+-+-+
| Kenneth L. Miller   | There are 10 kinds of people in the |
| Shetland Software Services Inc. | world: Those who understand binary, |
| [EMAIL PROTECTED]| and those who don't. (unknown)  |
+-+-+

Apache::Reload -- can't locate main.pm?

[Ken Miller]

I've been successfully using Apache::Reload for a few weeks now.  However, I
installed it on my home development system, and I'm getting this error when
accessing a module that contains 'use Apache::Reload':

[Mon Aug 26 09:59:12 2002] [error] Can't locate main.pm in INC (INC
contains: ... at /home/miller/lib/perl5/site_perl/5.6.1/Apache/Reload.pm
line 132.

(yes, I install some modules under my own root tree - it keeps the base
distribution nice and clean)

What's main.pm, and why can't Apache::Reload find it?  I've searched the
archives, but have had little success in finding anything interesting.

Apache1.3.26, mod_perl 1.26.

Cheers!

   -klm.

Apache::AuthCookie weirdness

[Ken Miller]

I'm experiencing a really strange problem with Apache::AuthCookie and
Internet Explorer.  Every now and then when I try and access a protected
URL, I never see the login page.

If I close the window, and open a new one, it works just fine.  This is the
case even if there are other windows open.  In otherwords, I don't have to
close all the IE windows to get in.

I do not know if this same error occurs with Mozilla.

If I inspect the logs, I see this: (with Apache::AuthCookie debugging turned
on):

(Application Server Error Log)

[Thu Jul 11 09:06:51 2002] [error] auth_type Foo::Apache::AuthCookieHandler
[Thu Jul 11 09:06:51 2002] [error] auth_name Bar
[Thu Jul 11 09:06:51 2002] [error] ses_key_cookie
[Thu Jul 11 09:06:51 2002] [error] uri /rc/
[Thu Jul 11 09:06:51 2002] [error] auth_type Foo::Apache::AuthCookieHandler
[Thu Jul 11 09:06:51 2002] [error] auth_name Bar
[Thu Jul 11 09:06:51 2002] [error] ses_key_cookie
[Thu Jul 11 09:06:51 2002] [error] uri /rc/
[Thu Jul 11 09:06:51 2002] [error] auth_type Foo::Apache::AuthCookieHandler
[Thu Jul 11 09:06:51 2002] [error] auth_name Bar
[Thu Jul 11 09:06:51 2002] [error] ses_key_cookie
[Thu Jul 11 09:06:51 2002] [error] uri /rc/
[Thu Jul 11 09:06:51 2002] [error] auth_type Foo::Apache::AuthCookieHandler
[Thu Jul 11 09:06:51 2002] [error] auth_name Bar
[Thu Jul 11 09:06:51 2002] [error] ses_key_cookie
[Thu Jul 11 09:06:51 2002] [error] uri /rc/

(Application Server Access Log)

127.0.0.1 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.0 403 1542
127.0.0.1 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.0 403 1542
127.0.0.1 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.0 403 1542
127.0.0.1 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.0 403 1542
127.0.0.1 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.0 403 1542
127.0.0.1 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.0 403 1542
127.0.0.1 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.0 403 1542
127.0.0.1 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.0 403 1542

The browser and the server are locked in this conversation where the browser
continually requests the protected URI.  If I look in the access logs, I see
this:

(Front-end light Proxy Logs)

xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /styles.css HTTP/1.1
200 3495
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.1 200 1542
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /styles.css HTTP/1.1
200 3495
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.1 200 1542
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /styles.css HTTP/1.1
200 3495
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.1 200 1542
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /styles.css HTTP/1.1
200 3495
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.1 200 1542
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /styles.css HTTP/1.1
200 3495
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.1 200 1542
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /styles.css HTTP/1.1
200 3495
xxx.10.67.255 - - [11/Jul/2002:09:06:51 -0600] GET /rc/ HTTP/1.1 200 1542

Any ideas what's going on?  It almost seems like AuthCookie is getting
confused and not redirecting the user to the correct URL - instead of the
login page, it get's redirected back to the initial url, which is protected,
and thus starts the entire cycle over again.

Proxy: Apache/1.3.23 (Unix) mod_gzip/1.3.19.1a mod_ssl/2.8.7 OpenSSL/0.9.6c
  App: Apache/1.3.23 (Unix) mod_perl/1.26
 Perl: 5.6.1
 Apache::AuthCookie: 3.02

-klm.

Re: mod_perl help

[Ken Miller]

I had this same problem with installing some precompiled packages from
sunfreeware, such as libdb.  My only recommendation is to scrap the
installed packages for anything related to perl, including perl itself.
And note that even though it says that Perl was compiled with GCC, the
options selected may be generally incompatibile with how perl works with
dynamically loaded modules.  This was the conclusion that I same to,
anyways...

Build the stuff yourself.  You'll save yourself a lot of headaches.

BTW, when compiling perl for Solaris 8, you'll need to do this:

/Configure -Dcc='gcc -B/usr/ccs/bin/'

If you don't have the GNU linker/assember installed, then you can skip
the -Dcc option.

Once I built everything myself, I had NO problems.

-klm.

- Original Message -
From: Ryan Hairyes [EMAIL PROTECTED]
To: Peter Werner [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, July 11, 2002 9:45 AM
Subject: RE: mod_perl help


 Thanks for the reply.  Actually ... according to sunfreeware perl5.6.1 was
 compiled with gcc.  Anything else you can think of?

 Thanks again.


 Quoting Peter Werner [EMAIL PROTECTED]:

 : you will have to compile perl from scratch as the sunfreeware perl is
 : compiled with suns compiler not gcc and this causes problems. poke
around
 : sunfreeware.com for the instructions he used to build perl, it is quite
 : simple.
 :
 : -pete
 :
 : -Original Message-
 : From: Ryan Hairyes [mailto:[EMAIL PROTECTED]]
 : Sent: Thursday, July 11, 2002 4:34 PM
 : To: [EMAIL PROTECTED]
 : Subject: mod_perl help
 :
 :
 : Hello all,
 :
 : I just compiled mod_perl 1.27 with apache 1.3 for Solaris 8.  I used
perl
 : 5.6.1 and gcc from www.sunfreeware.com.  After I compiled everything and
 : tried
 : to load the perl module (with LoadModule) I receive the following error:
 :
 :
 : Cannot load /usr/local/apache/libexec/libperl.so into server: ld.so.1:
 : /usr/local/apache/sbin/httpd: fatal: relocation error: file
 : /usr/local/apache/libexec/libperl.so: symbol main: referenced symbol not
 : found
 :
 :
 : Any idea on what I did wrong?  Thanks.
 :
 : Ryan
 :


 --
 Ryan Hairyes
 Network/System Administration
 Lee County School System
 Phone:919.774.6226 x 1252
 Voicemail:x 2361

Re: Can't set multiple cookies?

[Ken Miller]

Last confirmation: 1.3.25-dev does indeed work fine.

I've got cookies flying everywhere!

Thanks guys!

-klm.

- Original Message -
From: Ken Miller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 07, 2002 3:45 PM
Subject: RE: Can't set multiple cookies?


 Yup, just confirmed it.  1.3.20 works fine, but .24 is busted.

 I'll try the latest CVS version.

 Thanks guys!

 -klm.

 -Original Message-
 From: Balazs Rauznitz [mailto:[EMAIL PROTECTED]]
 Sent: Friday, June 07, 2002 2:48 PM
 To: Dave Rolsky
 Cc: Ken Miller; [EMAIL PROTECTED]
 Subject: Re: Can't set multiple cookies?


 On Fri, Jun 07, 2002 at 12:32:56PM -0500, Dave Rolsky wrote:
  On Fri, 7 Jun 2002, Ken Miller wrote:
 
   Ok, so continuing down the path of a single sign-on system, I've
 completed a
   rough framework, and it works fine.  However, I thought it might be
nice
 to
   segregate the various bits of information into different cookies.
   Unfortunately, setting multiple cookies doesn't seem to be working.
 Here
   are the outbound headers obtained via $r-as_string:
  
   Set-Cookie: ACS_UID=miller; path=/
   Set-Cookie: ACS_Test=blah; path=/
   Set-Cookie: ACS_Ticket=stuff; path=/
  
   on the next request, here's the Cookie header:
  
   Cookie: ACS_Ticket=stuff; RC_Creds=miller%2C
 
  I suspect you're using a 2-tier Apache setup with Apache 1.3.23 on the
  frontend, right?
 
  This is a bug in mod_proxy with 1.3.23.  I _think_ its fixed in 1.3.24.
  If you're using 1.3.24 try reverting to 1.3.22 (which I know works) and
  see if that fixes it.

 1.3.24 is broken in more than one way; I am using the latest CVS version
 without problems.

 Balazs

Can't set multiple cookies?

[Ken Miller]

Ok, so continuing down the path of a single sign-on system, I've completed a
rough framework, and it works fine.  However, I thought it might be nice to
segregate the various bits of information into different cookies.
Unfortunately, setting multiple cookies doesn't seem to be working.  Here
are the outbound headers obtained via $r-as_string:

Set-Cookie: ACS_UID=miller; path=/
Set-Cookie: ACS_Test=blah; path=/
Set-Cookie: ACS_Ticket=stuff; path=/

on the next request, here's the Cookie header:

Cookie: ACS_Ticket=stuff; RC_Creds=miller%2C

The RC_Creds cookie is set in a callback handler.  So, where are the other
two cookies?

I've tried the following incantations:

foreach( [ $cookie_a, $cookie_b, ... ] ) {
$r-err_headers_out-add( 'Set-Cookie', $_ );
}

or

$r-err_header_out( 'Set-Cookie' = $cookie_a );
$r-err_headers_out-add( 'Set-Cookie' = $cookie_b );

or

$r-err_headers_out-add( 'Set-Cookie' = [ $cookie_a, $cookie_b ] );

The outbound headers all look the same, but in each case, only the last
cookie is set.  This happens with both Netscape and IE.

The really annoying thing is that this was working at one point: I would set
multiple cookies in one go, and all the cookies would be sent back to the
server on the next invocation.

I've searched the Guide and online, but I've not found any clues as to why
the multiple cookies are NOT being set.

Brain cramp, or something more serious?

-klm.

RE: Can't set multiple cookies?

[Ken Miller]

Yup, just confirmed it.  1.3.20 works fine, but .24 is busted.

I'll try the latest CVS version.

Thanks guys!

-klm.

-Original Message-
From: Balazs Rauznitz [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 2:48 PM
To: Dave Rolsky
Cc: Ken Miller; [EMAIL PROTECTED]
Subject: Re: Can't set multiple cookies?


On Fri, Jun 07, 2002 at 12:32:56PM -0500, Dave Rolsky wrote:
 On Fri, 7 Jun 2002, Ken Miller wrote:

  Ok, so continuing down the path of a single sign-on system, I've
completed a
  rough framework, and it works fine.  However, I thought it might be nice
to
  segregate the various bits of information into different cookies.
  Unfortunately, setting multiple cookies doesn't seem to be working.
Here
  are the outbound headers obtained via $r-as_string:
 
  Set-Cookie: ACS_UID=miller; path=/
  Set-Cookie: ACS_Test=blah; path=/
  Set-Cookie: ACS_Ticket=stuff; path=/
 
  on the next request, here's the Cookie header:
 
  Cookie: ACS_Ticket=stuff; RC_Creds=miller%2C

 I suspect you're using a 2-tier Apache setup with Apache 1.3.23 on the
 frontend, right?

 This is a bug in mod_proxy with 1.3.23.  I _think_ its fixed in 1.3.24.
 If you're using 1.3.24 try reverting to 1.3.22 (which I know works) and
 see if that fixes it.

1.3.24 is broken in more than one way; I am using the latest CVS version
without problems.

Balazs

RE: Doing security for backend applications

[Ken Miller]

Thanks the for info!

Where my design was coming from was trying to enforce access control
completely outside of application - if a request made it to an application,
then the application could be assure that the user was allowed to be there.
But I think implementing this would be rather difficult.

The solution you suggest is not one I had thought of; I guess letting the
application worry about invoking access/authen/authz control is much easier
than trying to enforce it at a higher level.  All I'll have to do is provide
the service (ala Passport) that implements the functionality.

Cheers!

-klm.

-Original Message-
From: Ask Bjoern Hansen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 05, 2002 4:18 PM
To: Ken Miller
Cc: Modperl
Subject: Re: Doing security for backend applications


On Tue, 4 Jun 2002, Ken Miller wrote:

[...]
 So, php application requests would bounce from the proxy server to the mod
 perl server to the php server.

You could also make it so it's only when requests needs to be
authenticated they go to the mod_perl server.

Something like having the php server forward authentication requests
to the mod_perl server; but support the same cookie format would be
relatively simple.

 This is all related to a single sign-on environment - once the user has
 signed on an encrypted cookie will contain the application security
 information used to authorize the user int the various applications.

at perl.org we have made it so authentication requests gets
forwarded, and then we have an internal interface for the various
servers can validate and migrate authentication cookies.

You should be able to find documentation on how passport.com does
it; if nothing else then on the pages where it's described why their
implementation was insecure at some point. ;-)

 - ask

--
ask bjoern hansen, http://ask.netcetera.dk/   !try; do();

Using apache for access control for third party web apps

[Ken Miller]

The saga continues...

I've been tasked with developing a single-signon environment for a suite of
web applications, some developed in house, and others obtained from third
parties; others are still waiting to be developed.  The framework I'm
developing will, when a user signs in, end up setting a cookie which
contains security credentials that will allow access to various parts of the
system.  The cookie will be encrypted, or perhaps just contain a session id.

I currently use a proxy/app server configuration, with the app server
running (what else) mod_perl.  I will be adding additional servers to host
third party applications, which may or may not be running mod_perl.  In one
case, I know for sure that one of the additional servers will be running
PHP.

The framework I'm developing will *only* perform application access control,
based on an application tree structure.  The access control handler will
take the cookie and the security requirements for the portion of the
application tree being accessed and determine if access is allowed or not.
It's up to the application itself to perform authorization (authentication
has already been done if the cookie is present).

Since access control is performed in mod_perl, I need the proxy to forward
all requests to the mod_perl server.  For applications hosted on the same
mod_perl instance, access control is easy, since the request will naturally
flow from handler to handler.  Where I'm having difficulty is figuring out
how the mod_perl server will perform access control for third party
applications that reside on different servers.

I guess what I'm asking is this:

How can I configure an apache instance to perform access control, and
proxying of the request to another server if the access control says the
request is ok?  From my reading, mod_proxy will only allow top-level
configuration, not Location configuration.  Ditto for mod_rewrite.  Do I
have to implement my own proxying?

I would like the end result to be something like this:

proxy server -- access control server - application servers

where the access control server is a mod_perl server, and an application
server is one of either mod_perl or PHP or whatever.

Is what I'm suggesting doable, or just plain silly?  Is there a better way?

Cheers!

-klm.

Doing security for backend applications

[Ken Miller]

Let's say I have the following configuration:

1. Front end proxy server (no mod_perl)
2. Back end application server (mod_perl)
3. Back end application server (php)

Now, *all* application requests are passed to the mod_perl server (yes,
including the php requests).  Performing security checks for all the
applications on the mod_perl server is easy via a few simple handlers.
However, I also want to *transparently* handle high-level application access
security for the applications served from the php server using the same
perl/db modle I use in the mod perl server.

So, php application requests would bounce from the proxy server to the mod
perl server to the php server.

Is this workable? I currently use mod_rewrite to proxy the requests to the
mod_perl server, and I'm assuming I would have to do something similar for
the php server.  However, I'm not all that sure how to do this, since I
don't think mod_rewite will work the way I expect - I need to configure a
Location but mod_rewrite doesn't work with Location. Or does it?

In case anyone is wondering, I'm working on constructing a dynamic front-end
portal that will gate through to various applications, some developed in
house, others obtained from third parties - the clients wants to perform a
global security check before getting to the application, hence the stuff
that I'm creating.

This is all related to a single sign-on environment - once the user has
signed on an encrypted cookie will contain the application security
information used to authorize the user int the various applications.

Many thanks!

-klm.

Re: AuthzHandler, index.html not being accessed

[Ken Miller]

 A note: since cookie is involved, why not to implement
 all the access/authentication/authurization functions at
 the access control phase using cookie ?

I've got them split out to match the phase in which they'd be invoked.
That, and the fact that the access handler will be invoked everywhere, but
the authorization handler may be different based on the application being
protected.

Back to the original problem: it all boils down to the Authz handler.  When
it's activated via 'require', directory indexes are not generated.  Remove
the require, and *poof*, you get directory indexes.



 Peter
  I've got an interesting problem, related to my development of some
  Authen/Authz handlers.
 
  I have a directory on which I've installed an Access, Authen, and Authz
  handler:
 
  - the Access handler makes sure a cookie exists, and redirects the user
to a
  login page if it doens't.  If the cookie does exist, populate
  $r-connection-user. This works.
 
  - Authen handler currently returns OK - it will be used to validate the
user
  as stored in the cookie
 
  If I 'require valid-user' in the directory, my authz handler doesn't get
  invoked, which I expect.  However, If I request the directory (ie.
/test/) I
  get a directory listing instead of index.html.  If I take out the
require,
  thereby bypassing authen/authz, I get index.html.  If I also put in
custom
  'requires', my authz handler is invoked, and the same thing happens.
 
  So, it seems that when OK is returned from an authz handler, the
  DirectoryIndex is not being read.
 
  I've been unsucessful in trying to find a solution.
 
  Ideas?
 
  -klm.
 
  BTW, I understand that what I'm doing does appear to be similar to
  Apache::AuthCookie, but I have a few different requirements that I need
to
  incorporate
 
 
 

Re: AuthzHandler, index.html not being accessed

[Ken Miller]

That's exactly what I did.

When the authz handler is installed, I get the directory listing; when it's
uninstalled, I get 'Access Denied due to rule'.

In neither instance does index.html get displayed.

Very strange.

I can code around it by turning off indexes and always referencing
index.html, but I'd rather not, since this problem might be masking a
greater problem.

-klm.

- Original Message -
From: [EMAIL PROTECTED]
To: Ken Miller [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, June 03, 2002 1:50 PM
Subject: Re: AuthzHandler, index.html not being accessed


 Ken:

 back to your original problem. Maybe you should disbale
 the default index list by comment out Options Indexes
 in your httpd.conf, so as to isolate the problem: if it
 is authz related or not at all.

 Peter
 
 
   A note: since cookie is involved, why not to implement
   all the access/authentication/authurization functions at
   the access control phase using cookie ?
 
  I've got them split out to match the phase in which they'd be invoked.
  That, and the fact that the access handler will be invoked everywhere,
but
  the authorization handler may be different based on the application
being
  protected.
 
  Back to the original problem: it all boils down to the Authz handler.
When
  it's activated via 'require', directory indexes are not generated.
Remove
  the require, and *poof*, you get directory indexes.
 
  
  
   Peter
I've got an interesting problem, related to my development of some
Authen/Authz handlers.
   
I have a directory on which I've installed an Access, Authen, and
Authz
handler:
   
- the Access handler makes sure a cookie exists, and redirects the
user
  to a
login page if it doens't.  If the cookie does exist, populate
$r-connection-user. This works.
   
- Authen handler currently returns OK - it will be used to validate
the
  user
as stored in the cookie
   
If I 'require valid-user' in the directory, my authz handler doesn't
get
invoked, which I expect.  However, If I request the directory (ie.
  /test/) I
get a directory listing instead of index.html.  If I take out the
  require,
thereby bypassing authen/authz, I get index.html.  If I also put in
  custom
'requires', my authz handler is invoked, and the same thing happens.
   
So, it seems that when OK is returned from an authz handler, the
DirectoryIndex is not being read.
   
I've been unsucessful in trying to find a solution.
   
Ideas?
   
-klm.
   
BTW, I understand that what I'm doing does appear to be similar to
Apache::AuthCookie, but I have a few different requirements that I
need
  to
incorporate
   
   
   
  
  
 

Re: AuthzHandler, index.html not being accessed

[Ken Miller]

I should also mention this:

Apache/1.3.23 (Unix) mod_perl/1.26

- Original Message -
From: Ken Miller [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 30, 2002 11:12 AM
Subject: AuthzHandler, index.html not being accessed


 I've got an interesting problem, related to my development of some
 Authen/Authz handlers.

 I have a directory on which I've installed an Access, Authen, and Authz
 handler:

 - the Access handler makes sure a cookie exists, and redirects the user to
a
 login page if it doens't.  If the cookie does exist, populate
 $r-connection-user. This works.

 - Authen handler currently returns OK - it will be used to validate the
user
 as stored in the cookie

 If I 'require valid-user' in the directory, my authz handler doesn't get
 invoked, which I expect.  However, If I request the directory (ie. /test/)
I
 get a directory listing instead of index.html.  If I take out the require,
 thereby bypassing authen/authz, I get index.html.  If I also put in custom
 'requires', my authz handler is invoked, and the same thing happens.

 So, it seems that when OK is returned from an authz handler, the
 DirectoryIndex is not being read.

 I've been unsucessful in trying to find a solution.

 Ideas?

 -klm.

 BTW, I understand that what I'm doing does appear to be similar to
 Apache::AuthCookie, but I have a few different requirements that I need to
 incorporate

How to proxy everything except selected urls?

[Ken Miller]

I the past, when I've setup a proxy/app server configuration, it's always
been to forward certain url's to the app server, with the rest being
processed by the proxy.

However, I need to turn this around.  I want to pass everything to the app
server, except for some url's that point at static content (images, mostly).

I initially thought something like this would work:

---
ProxyPass   On
ProxyPass   /   http://other.server.com:1234/
ProxyPassReverse/   http://other.server.com:1234/

alias /graphics /local/path
---

However, /graphics also get's proxied to the app server.  This isn't what I
want.

I don't think mod_proxy can do this; at least it's not clear to me how to if
it does support this feature.

Would mod_rewrite be a better solution?  Match on the URL's that I want
processed locally (and stop), else map the url to the app server, and
forward the request?

What's the best way to do this?

(in case you're wondering, the back-end app server will be generating most
of the content dynamically; I could just have a set of heavy servers, but
I'm trying to offload what I can to a lighter front-end.  In the end,
however, it may not be worth the effort, since the number of static files
will be small compared to the dynamic content...)

 -klm.

different type of login with Apache::AuthCookie?

[Ken Miller]

We currently use Apache::AuthCookie for authentication/authorization, and it
works great.  However, we want to make a change to how the login works.

In addition to having Apache::AuthCookie intercept requests for URL's that
require auth/authz, we would like to provide a signon area on the main page
where the user can proactively sign in.

Would this be as simple as setting the same cookie (using the same format,
obviously) as Apache::Authcookie is looking for when signon occurs on the
front page?  Or, better still, is there a way using A:A itself to do this?

Thanks!

-klm.

Request Limiter

[Ken Miller]

There was a module floating around a while back that did 
request limiting (aDOS preventional tool). I've searched the 
archives (unsuccessfully), and I was wondering if anyone knows what the heck I'm 
talking about.

I thought it was on Matt Sergeant's web site, but for the life 
of me I can't remember what the url is.

Can someone help? 

My next question would be, if I can't find the module, is what 
phase would I place a request limiter? Should it just go at the head of 
the PerlHandler chain, or earlier in the request phase?

(I do have 'the book', but unfortunately, it's elsewhere right 
now).

Thanks!

 -klm.

RE: [benchmark] DBI/preload (was Re: [RFC] improving memory mapping thru code exercising)

[Ken Miller]

At 11:10 AM 6/6/00 -0400, Geoffrey Young wrote:


 -Original Message-
 From: Jason Terry [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, June 06, 2000 10:52 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [benchmark] DBI/preload (was Re: [RFC] improving memory
 mapping thru code exercising)
 
 
 I just wanted to thank you guys for sending this to the mailing list.
 
 I added these lines to my startup script
 use Carp;
 CGI-compile(qw(my_common_functions));
 DBI-install_driver('mysql');

I tried this in my startup.pl with Oracle, and this is what I got:

DBI handle cleared whilst still active at
/home/cardlock/lib/perl5/site_perl/5.005/sun4-solaris/DBD/Oracle.pm line 82.
dbih_clearcom (h 0x54f978, com 0x3319e8):
   FLAGS 0x211: COMSET Warn AutoCommit 
   TYPE 1
   PARENT undef
   KIDS 0 (0 active)
   IMP_DATA undef in 'DBD::Oracle::dr'

I tried both 

use DBD::Oracle

and

DBI-install_driver( 'Oracle' );

with the same results. It didn't seem to cause any problems, since
everything still worked.

Something to worry about?


Cheers!

-klm.

---
Ken Miller, Consultant
Shetland Software Services Inc.

Re: Data structure question

[Ken Miller]

At 12:39 PM 6/6/00 -0400, Drew Taylor wrote:
Hello,

This doesn't directly relate to mod_perl, but I'd like to make this as
memory efficient as possible since it runs under mod_perl. :-) 

I have a question about data structures. Currently, I am doing SQL
queries and returning an array ref and a hash ref. The array is to
preserve order, and the hash contains various bits of data about that
particular product ( it could be another hash ref, and often is). After
getting the two references, I use foreach to loop through the array, and
within that loop I access various data from the hash where the productID
is the key. It looks like this:

Common.pm:
sub getdata {
   my $AR = [123, 456, 243, ... ]
   my $HR = { 123 = {foo=bar, name='name', price='123'}, ... }
   return ($AR, $HR);
}

Otherstuff.pm:
my ($AR, $HR) = $self-getdata();
foreach (@{$AR}) {
   my $name = $HR-{$_}{name};
   ...
}

I would like to return a single data structure, but order IS important
(hence the current setup). I was thinking of using an array, where each
element is a hash reference. So I would return something like this:

[ {ID=123, name='name123', foor='bar'},  {ID=321, name='name321',
bar='foo'}, ... ]

Well, if the keys are unique, you could just return a hashref, and then
access it using sorted keys:

foreach( sort keys %$HR ) {
## insert useful stuff here
}

Are there any de-referenceing issues (performance wise) that would make
this less efficient than the 2 structures? TIA for any pointers.

Probably not, except your method takes more mems, since you're returning an
extra array.  'Course, the sort takes mems as well, but not as much as the
extra array.

And, there is the overhead of sorting the keys.

I think an array of hashref's is probably the best bet.  Then you can use
the DBs sort, and just build the array on the fly, once.

For the site I'm working on, I return a reference to a ResultSet object
which through the next() method returns the next row in the result set:

my $account = $dbs-get_account( "123456789" );
my $rs = $account-get_cards;
while( my $unit = $rs-next ) {
# do something
}

so this enforces the order (due to the order by in the SQL query).  This is
a bit slower, since next() returns allocated objects, but it works.


Cheers!

-klm.

-------
Ken Miller, Consultant
Shetland Software Services Inc.

Fine-grained authorization w. Apache::AuthCookie

[Ken Miller]

I'm using Apache::AuthCookie for general authentication/authorization for a
site I'm working on.  However, there's a requirement for fine-grained
authorization down to the page level - a user may have access to most pages
in a directory, but be disalllowed access to a single page.  Note that the
pages in question are in a single directory.

What I don't want is to have the user tossed to a login page if they try to
access a page for which they have no access, which is what AuthCookie
currently does.

I thought about chaining an additional authorization handler, but that
won't work since if the first one in the chain approves access, then the
rest won't be called.  I think that AuthCookie should come first, since it
verifies that the user has actually logged in.  So, if the user passes
muster on the first stage of authorization (general access to directory)
then any other handlers in the chain won't be called.  Or is there a way to
override this behaviour?

What's the best way to do this?  I can always stuff some code into my main
handler, but that's ugly.

Thanks.



Cheers!

-klm.

---
Ken Miller, Consultant
Shetland Software Services Inc.

Re: Access to userland objects in different phases

[Ken Miller]

At 05:28 PM 5/15/00 -0400, you wrote:

I use Class::Singleton in mod_perl apps with *no* problem
whatsoever. In fact, it's pretty nifty to simply say:

 my $obj = $class-instance;

anywhere in my application and have the object (whatever it is) simply
pop up.

Well, after looking at the Class::Singleton class, I gave it a shot.  After
hacking away at a ChildInitHandler, this is what I ended up with:

package X::Y::Apache::ChildInit;

use strict;
use X::Y::DB::SingletonServices;
use Apache;

##--
-
sub handler
{
my $s = Apache-server;

my $dbs = X::Y::DB::SingletonServices-instance(
{ uri  = $s-dir_config( 'DATABASE_URI' ),
 userid   = $s-dir_config( 'DATABASE_USERID' ),
 password = $s-dir_config( 'DATABASE_PASSWORD' ),
 options  = { AutoCommit = 0,
   RaiseError = 1,
   PrintError = 0,
   ChopBlanks = 1 } } );

$s-log_error( "$$: Services object allocated, handle=$dbs" );
}

1;

Perfect!  I now have access to my services object everywhere!

Thanks for the point at Class::Singleton.  I would have eventually written
my own, but with CPAN, what's the point?


Cheers!

-klm.

-------
Ken Miller, Consultant
Shetland Software Services Inc.

Access to userland objects in different phases

[Ken Miller]

In the content serving phase I have a Database services object which
manages all access to/from the database.  The DB::Services object is
created the first time the handler is hit; the $dbs is made available by
creating a symtab entry, so all my Mason components can get at the database
easily.

I also have a couple of Authen and Authz handlers (ala Apache::AuthCookie),
and I would like to have access to the services object there as well.  I
could just create another DB::Services object, but there is quite a bit of
overhead associated with having a Services object in memory, hence I would
like to have a single Services object per Apache process. 

Since the auth phases occur before content serving, I would have to create
the DB::Services object in the Auth/Authz handler, and then obtain access
to it in the Mason handler.

So, I think I would do something like this:

Create the DB::Services object in the authentication phase if it hasn't
already been created.  (the Services object has to be created in the
auth/authz phase, since that's before the phase in which Mason runs) Once
it's been created, then do something like:

local *HTML::Mason::Commands::dbs = \$dbs;

thus making the DBS available to Mason.  By the time the Mason handler
get's invoked, a $dbs is already in the right namespace, and is therefore
ready to use.  Any access to $dbs from the actual handler could be obtained
by explicitly referencing the $dbs object via the package global name.

I guess another way of doing it would be to turn the $dbs class into a
Singleton, and provide a class method to get at the instance:

DB::Services-set_uri( 'dbi:Oracle:' );
DB::Services-set_userid( 'foo' );
DB::Services-set_password( 'bar' );
DB::Services-set_options( { ... } );

my $dbs = DB::Services-get_instance;

get_instance() would create the backing object the first time, then
returned the cached object on subsequent calls.

Thoughts?



Cheers!

-klm.

---
Ken Miller, Consultant
Shetland Software Services Inc.