Re: rflush() not working as documented?

2003-08-14 Thread Martin Wickman
On Wed, Aug 06, 2003 at 07:33:49AM -0700, Stas Bekman wrote:
> Martin Wickman wrote:

[...]

> oops, sorry. Can you try with the latest cvs?

Not at the moment. But I'll try in a few days.

> Your particular problem report was fine, what you have missed is the output
> of t/REPORT which tells us things about your environment. I can't see it
> here
> http://marc.theaimsgroup.com/?l=apache-modperl&m=105968263417468&w=2

Sorry, my deb package doesn't have the t/ stuff.

[...]

> In any case, have you tried using the snooping filter I was talking about
> in my previous reply? It shows you exactly what's going on inside.

It confirms my problems. Here is output:

 connection output filter
o bucket 1: FLUSH []

 connection output filter
o bucket 1: FLUSH []

 connection output filter
o bucket 1: FLUSH []

 connection output filter
o bucket 1: TRANSIENT 
[<html><head> TITLE </head><body> BODY</html>]


And here is the code that generates this:

  sub handler {
      my $r = shift;

      $r->content_type('text/html');
      $r->print ("<html><head> TITLE </head>");
      $r->rflush();
      $r->print ("<bo");
      $r->rflush();
      $r->print ("dy> BODY");
      $r->rflush();
      $r->print ("</html>");
      return Apache::OK;
  }
  1;

For the record, I am able to cut up a stream nicely using mod_cutup
[1]. This results in something like:

 connection output filter
o bucket 1: TRANSIENT
[htmlfoo]
o bucket 2: TRANSIENT
[headbody]
o bucket 3: TRANSIENT
[ 
!-- sd]
o bucket 4: TRANSIENT
[sd --

[...]

Which at least proves that the snoop filter is working as expected :-)


Anyway, I'll try with the latest mod_perl version as soon as time
allows and post my results later.


[1] http://projects.standblue.net/markive/message.moto?list=apachemodules&ID=771


Re: rflush() not working as documented?

2003-08-14 Thread Martin Wickman
Stas Bekman wrote:
Geoffrey Young wrote:
Martin Wickman wrote:
Martin Wickman wrote:

According to docs[1], $r->rflush() should create a new brigade
with data. It does not.

I've seen this also, but was never able to isolate a cause.
 
> rflush() works fine, it's possible that the issue with the streaming
> filter or some other upstream filter that ignores the flush buckets.

I doubt that, no other external filter is in use.

> Are you using the latest mod_perl 2.0?

Nope. I am using 1.99_07. (Btw, that information _was_ included in my
report, but you trimmed it away:)

This is with:
 Apache/2.0.47 (Debian GNU/Linux) mod_perl/1.99_07-dev Perl/v5.8.0

> It's much appreciated when bug reports are written using the
> following guidelines:
> http://perl.apache.org/docs/2.0/user/help/help.html#Reporting_Problems

Pardon me, but I do believe I supplied enough and accurate information
-- including relevant, trimmed code snippets and excerpts from apache
logs in my report. 

Except from the fact that I did not build mod_perl myself, I can't
really see what I missed to include?

> Martin, please check the mod_perl 2.0 test suite, it has plenty of examples
> where it used exactly for the reason you've described.

Ok, thanks I'll check it out.

I'm guessing that my mod_perl is too old, I like to stay with the
prebuilt packages (debian) if possible. But if needed, I'll build the
latest version and test it. 

Just thought that someone would know, that's all.


Re: rflush() not working as documented?

2003-08-14 Thread Martin Wickman
On Thu, Aug 07, 2003 at 04:46:51PM -0700, Stas Bekman wrote:
 
> Please try the latest mp2 cvs, I've added a new test t/api/rflush.t,
> it tests rflush explicitly (even though it's already used for
> exactly this purpose in several other tests).

[...]

> does it work for you?

I tried the latest CVS (modperl-2.0_20030810101543) and my code now
works as expected, ie rflush() splits correctly into brigades. The
t/api/rflush.t works as well btw.

Excellent!

> Is it any different from your code?

Your test-code is essentially the same as my code. I guess my modperl
version had a broken rflush() implementation.


/Thank you!


Re: rflush() not working as documented?

2003-08-04 Thread Martin Wickman


Just checking that this did not get lost on the way. Anyone care to
give me a hint?


On Thu, Jul 31, 2003 at 10:17:06PM +0200, Martin Wickman wrote:
> Hello
>
> According to docs[1], $r->rflush() should create a new brigade with
> data. It does not.
>
> It seems the docs and/or my understanding of this is in error.
>
> This is with:
>   Apache/2.0.47 (Debian GNU/Linux) mod_perl/1.99_07-dev Perl/v5.8.0
>
> And I am using the streaming filter api.
>
> [1]
> http://perl.apache.org/docs/2.0/user/handlers/filters.html#Multiple_Invocations_of_Filter_Handlers
>
> Long version below:
> --
>
> I have tried to make my outputfilter clever enough so it can handle
> being called several times, with tags potentially split between
> several brigades.
>
> Now I would like to test this somehow (ie, force mod_perl to call my
> filter several times). I tried using $r->rflush(), but cannot get it
> to work as I and the docs would expect.
>
> I tried creating a ResponseHandler which explicitly breaks some silly
> html data into brigades:
>
>   sub handler {
>       my $r = shift;
>       $r->content_type('text/html');
>       $r->log_error ("Cutting");
>       $r->print ("<html><head> title </head>"); $r->rflush();
>       $r->print ("<bo");                        $r->rflush();
>       $r->print ("dy> body ");                  $r->rflush();
>       $r->print ("</html>");
>       $r->log_error ("Cutting: end");
>       return Apache::OK;
>   }
>
> And then a simple 'DebugFilter' output filter which just prints each chunk:
>
>   sub handler : FilterRequestHandler {
>       my $f = shift;
>       $f->r->log_error ("DebugFilter called");
>       $f->print ("DebugFilter called\n");
>       while ($f->read(my $buffer, 1024)) {
>           $f->print("CHUNK:$buffer:CHUNK\n");
>       }
>       return Apache::OK;
>   }
>
> And httpd.conf
>
>   <Location /test/>
>       PerlResponseHandler MyApache::Cutter
>       PerlOutputFilterHandler MyApache::DebugFilter
>   </Location>
>
> When I run this, I see that DebugFilter gets called 4 times (3
> rflush's + 1 eos or something). But the strange thing is that only the
> _last_ call contains data. That data is _everything_ nicely
> concatenated and not split as I would guess.
>
> Here is actual output:
>
>  $ wget --quiet -O - http://localhost/test/
>    DebugFilter called
>    DebugFilter called
>    DebugFilter called
>    DebugFilter called
>    CHUNK:<html><head> title </head><body> body </html>:CHUNK
>
> And the error_log:
>
>   [Thu Jul 31 21:52:42 2003] [error] Cutting: start
>   [Thu Jul 31 21:52:42 2003] [error] DebugFilter called
>   [Thu Jul 31 21:52:42 2003] [error] DebugFilter called
>   [Thu Jul 31 21:52:42 2003] [error] DebugFilter called
>   [Thu Jul 31 21:52:42 2003] [error] Cutting: end
>   [Thu Jul 31 21:52:42 2003] [error] DebugFilter called


Filter brigades with rflush() not working?

2003-07-31 Thread Martin Wickman
Hello

According to [1], $r->rflush() should create a new brigade with
data. It does not. It seems the docs and/or my understanding of this
is in error (probably the latter...).

This is with:
  Apache/2.0.47 (Debian GNU/Linux) mod_perl/1.99_07-dev Perl/v5.8.0

And I am using the streaming filter api.

[1] 
http://perl.apache.org/docs/2.0/user/handlers/filters.html#Multiple_Invocations_of_Filter_Handlers


Long version below:
---

I have tried to make my outputfilter clever enough so it can handle
being called several times, with tags potentially split between
several brigades.

Now I would like to test this somehow (ie, force mod_perl to call my
filter several times). I tried using $r->rflush(), but cannot get it
to work as I and the docs would expect.

I tried creating a ResponseHandler which explicitly breaks some silly
html data into brigades:

  sub handler {
      my $r = shift;
      $r->content_type('text/html');
      $r->log_error ("Cutting");
      $r->print ("<html><head> title </head>"); $r->rflush();
      $r->print ("<bo");                        $r->rflush();
      $r->print ("dy> body ");                  $r->rflush();
      $r->print ("</html>");
      $r->log_error ("Cutting: end");
      return Apache::OK;
  }

And then a simple 'DebugFilter' output filter which just prints each chunk:

  sub handler : FilterRequestHandler {
      my $f = shift;
      $f->r->log_error ("DebugFilter called");
      $f->print ("DebugFilter called\n");
      while ($f->read(my $buffer, 1024)) {
          $f->print("CHUNK:$buffer:CHUNK\n");
      }
      return Apache::OK;
  }

And httpd.conf

  <Location /test/>
      PerlResponseHandler MyApache::Cutter
      PerlOutputFilterHandler MyApache::DebugFilter
  </Location>

When I run this, I see that DebugFilter gets called 4 times (3
rflush's + 1 eos or something). But the strange thing is that only the
_last_ call contains data. That data is _everything_ nicely
concatenated and not split as I would guess.

Here is actual output:

 $ wget --quiet -O - http://localhost/test/
   DebugFilter called
   DebugFilter called
   DebugFilter called
   DebugFilter called
   CHUNK:<html><head> title </head><body> body </html>:CHUNK

And the error_log:

  [Thu Jul 31 21:52:42 2003] [error] Cutting: start
  [Thu Jul 31 21:52:42 2003] [error] DebugFilter called
  [Thu Jul 31 21:52:42 2003] [error] DebugFilter called
  [Thu Jul 31 21:52:42 2003] [error] DebugFilter called
  [Thu Jul 31 21:52:42 2003] [error] Cutting: end
  [Thu Jul 31 21:52:42 2003] [error] DebugFilter called
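
Added example, not part of the original posts: a plain-Perl model (no mod_perl API) of a filter that keeps state between invocations so that a token split across chunks is still rewritten, with a harness that cuts a constructed document at every offset. This exercises the split-tag case without depending on rflush(); make_filter, run_chunks, the token and the replacement are hypothetical names and values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Returns a chunk processor that rewrites every $token to $subst.
# The closure variable $held models per-request filter state: the tail
# of the previous chunk that might be the beginning of a split token.
sub make_filter {
    my ($token, $subst) = @_;
    my $held = '';
    return sub {
        my ($chunk, $eos) = @_;
        my $buf = $held . $chunk;
        $held = '';
        my ($out, $pos) = ('', 0);
        while ((my $i = index($buf, $token, $pos)) >= 0) {
            $out .= substr($buf, $pos, $i - $pos) . $subst;
            $pos = $i + length $token;
        }
        my $tail = substr($buf, $pos);
        unless ($eos) {
            # Hold back the longest suffix that is a proper prefix of $token.
            for my $n (reverse 1 .. length($token) - 1) {
                next if $n > length $tail;
                if (substr($tail, -$n) eq substr($token, 0, $n)) {
                    $held = substr($tail, -$n, $n, '');
                    last;
                }
            }
        }
        return $out . $tail;
    };
}

# Feed the chunks in order, then signal end of stream to flush held bytes.
sub run_chunks {
    my ($filter, @chunks) = @_;
    my $out = '';
    $out .= $filter->($_, 0) for @chunks;
    return $out . $filter->('', 1);
}

my $doc = '<html><head> TITLE </head><body> BODY</body></html>';  # constructed
my ($token, $subst) = ('<body>', '<body class="checked">');        # constructed
my $want = run_chunks(make_filter($token, $subst), $doc);

my ($naive_bad, $stateful_bad) = (0, 0);
for my $cut (1 .. length($doc) - 1) {
    my @chunks = (substr($doc, 0, $cut), substr($doc, $cut));
    # Naive filter: rewrites each chunk on its own and remembers nothing.
    my $naive = '';
    for my $c (@chunks) { (my $t = $c) =~ s/\Q$token\E/$subst/g; $naive .= $t; }
    $naive_bad++    if $naive ne $want;
    $stateful_bad++ if run_chunks(make_filter($token, $subst), @chunks) ne $want;
}
my $bytewise = run_chunks(make_filter($token, $subst), split //, $doc);
printf "naive wrong at %d cut points, stateful wrong at %d, byte-by-byte %s\n",
    $naive_bad, $stateful_bad, $bytewise eq $want ? 'ok' : 'BROKEN';
```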


Invalid command 'PerlLoadModule'

2003-07-30 Thread Martin Wickman
Hello

On apache startup I get:

Invalid command 'PerlLoadModule', perhaps mis-spelled or defined by a
module not included in the server configuration

This is with 
 Apache/2.0.46 (Debian GNU/Linux) mod_perl/1.99_07-dev Perl/v5.8.0


Is my mod_perl too old or something?

Btw, I have followed relevant examples on
http://perl.apache.org/docs/2.0/user/config/custom.html


Re: [QUESTION] Can't read out verified username (auth)

2003-07-21 Thread Martin Wickman
On Mon, Jul 21, 2003 at 01:05:58AM +0200, Fatih Gey wrote:
 
> i was writing my own AuthHandler with modperl v2 (v1.99_09).

[...]

> After having entered user/pass via html-form, this authentication
> does his job well, but on the following request (on same browser)
> $obj->user doesn't seem to return any value.. so this handler tries
> to compare http post data ( which aren't present this time) with
> userdata in mysql-table.. resulting in an Auth_Required error.

Well, how do you suppose that the browser should know how and what
credentials to send? 

Unless you (a) create a session-cookie, (b) encode a session-key into
each url or (c) use the simple but proper Basic Authentication scheme,
there is no way to accomplish this. And from what I gather you are not
doing any of that?



Re: [QUESTION] Can't read out verified username (auth)

2003-07-21 Thread Martin Wickman
On Mon, Jul 21, 2003 at 12:36:55PM +0200, Fatih Gey wrote:
> > On Mon, Jul 21, 2003 at 01:05:58AM +0200, Fatih Gey wrote:
> > >
> > > i was writing my own AuthHandler with modperl v2 (v1.99_09).
> >
> > [...]
> >
> > > After having entered user/pass via html-form, this authentication
> > > does his job well, but on the following request (on same browser)
> > > $obj->user doesn't seem to return any value.. so this handler tries
> > > to compare http post data ( which aren't present this time) with
> > > userdata in mysql-table.. resulting in an Auth_Required error.
> >
> > Well, how do you suppose that the browser should know how and what
> > credentials to send?
> >
> > Unless you (a) create a session-cookie, (b) encode a session-key into
> > each url or (c) use the simple but proper Basic Authentication scheme,
> > there is no way to accomplish this. And from what I gather you are not
> > doing any of that?
> >
>
> I supposed the browser to resend always an unique browser session
> id, which is used by apache to save certain values, like
> $ENV{'REMOTE_USER'} (similar to a session-cookie with uid and
> serverbased $vars) ..  Isn't this the way Basic Authentication
> scheme works ? ..

Nope. When the browser gets a 401 response from the server, it will
(most likely) pop up a dialog asking the user for name and
password. These credentials get mangled into an Authorization header
which gets sent with the next request once the user clicks OK in the
dialog. Now, you can perform your authen-code as you like.

Cookies and forms have got nothing to do with it, really.

Read more here: http://www.faqs.org/rfcs/rfc2617.html
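
Added example, not part of the original thread: the Basic Authentication exchange described above, modelled in plain Perl with both sides' messages. It shows that the server keeps no session and judges every request by the Authorization header it carries; the user table, realm and function names are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

my %users = (wic => 'pass:with:colons');  # constructed, plaintext for the demo only

# Browser side: built once the user confirms the dialog, then sent again
# on every later request to the same realm.
sub authorization_header {
    my ($user, $pass) = @_;
    return 'Basic ' . encode_base64("$user:$pass", '');
}

# Server side: no header or bad credentials get the 401 challenge,
# valid credentials yield the user name for the rest of the request.
sub authenticate {
    my ($header) = @_;
    my @challenge = (401, 'WWW-Authenticate: Basic realm="example"');
    return @challenge
        unless defined $header && $header =~ m{\ABasic +([A-Za-z0-9+/=]+)\z}i;
    # Split on the first ':' only, the password itself may contain colons.
    my ($user, $pass) = split /:/, decode_base64($1), 2;
    return @challenge
        unless defined $pass && exists $users{$user} && $users{$user} eq $pass;
    return (200, "REMOTE_USER=$user");
}

# Four requests: first visit, confirmed dialog, wrong password, and a
# later request that arrives without the header again.
my $creds = authorization_header('wic', 'pass:with:colons');
for my $header (undef, $creds, authorization_header('wic', 'guess'), undef) {
    my ($status, $info) = authenticate($header);
    printf "%-50s -> %d %s\n",
        defined $header ? "Authorization: $header" : '(no Authorization header)',
        $status, $info;
}
```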



Abusing apache auth phases [FWD: [Re: Combining authen-handler with mod_auth]]

2003-07-14 Thread Martin Wickman
Any thoughts on this stuff? 

I'd like to try my ideas on the list before going ahead and
implementing it in practice.


- Forwarded message from Martin Wickman [EMAIL PROTECTED] -

From: Martin Wickman [EMAIL PROTECTED]
Subject: Re: Combining authen-handler with mod_auth

On Mon, Jul 07, 2003 at 10:06:59AM -0700, Geoffrey Young wrote:

[...]

I think a lot of interesting password policies could be implemented
if it was possible to run perl-code before and after existing
authentication modules. Is it feasible to add this to the current
mod_perl as a runtime option?

> runtime is not likely to be possible.  I'm considering a patch that
> would make the hook behavior configurable as a compile-time option,

Instead of trying to cram multiple perl-script into the same Authen
phase (which could not be done without patching Apache and/or
mod_perl), I ended up using other phases but Authen. Other phases that
should not really be used for authentication like this and breaks a
few Apache rules.

I specifically had to change mod_auth_ so it sets an apache
note and returns DECLINED instead of stopping the whole request with a
HTTP_UNAUTHORIZED. The change is simple and can be applied to any auth
module without much effort.

So, I thought I'd ask the list for opinions regarding this
poor-mans-approach. 


Here is the setup:

<Location /secure/>
  AuthType Basic
  AuthName "Secure Area"
  Require valid-user

  # Find userinfo in cache. If user is banned, return
  # HTTP_UNAUTHORIZED else let him through to next handler
  PerlAccessHandler MyApache::Bouncer

  # The actual auth module. Patched so it creates an apache
  # request note if user is unauthorized + let request through
  # to next handler (DECLINED) _even tho_ user failed!
  AuthExternal wicauth

  # If apache note contains current user, update cache (nfailures
  # count) and return HTTP_UNAUTHORIZED or return OK
  PerlFixUpHandler MyApache::Ledger
</Location>

Here is my tidied error_log log which shows how it works.

[ User wic with wrong pwd below ]

Bouncer: wic not in cache. Letting through.
AuthExtern wicauth: Failed for user wic.
Ledger: wic not in cache. Adding.

Bouncer: wic in cache: 1  <--- nfailures
AuthExtern wicauth: Failed for user wic
Ledger: wic in cache. Updating.

[ ... 10 times or something like that ... ]

Bouncer: wic in cache: 10
AuthExtern wicauth: Failed for user wic.
Ledger: banning wic for 2 hours.

Bouncer: wic in cache: banned
Bouncer: wic is banned!

Bouncer: wic in cache: banned
Bouncer: wic is banned!

[ The user wic is banned and has to wait for 2 hours until Bouncer
will let him through. ]

Bouncer: wic banning time has expired. Letting through.
AuthExtern wicauth: OK accepted for user wic.
Ledger: wic login ok. 


By keeping count like this (and assuming it works in a real
situation), one can devise lots of cool ways to add login and password
policies. Just change relevant part in the Bouncer/Ledger.

(Btw, I am using Cache::FileCache to keep track of number of failed
retries.)


- End forwarded message -


Re: Combining authen-handler with mod_auth

2003-07-10 Thread Martin Wickman
On Mon, Jul 07, 2003 at 10:06:59AM -0700, Geoffrey Young wrote:

[...]

I think a lot of interesting password policies could be implemented
if it was possible to run perl-code before and after existing
authentication modules. Is it feasible to add this to the current
mod_perl as a runtime option?
 
> runtime is not likely to be possible.  I'm considering a patch that
> would make the hook behavior configurable as a compile-time option,

Instead of trying to cram multiple perl-script into the same Authen
phase, which btw could not be done without patching Apache and/or
mod_perl, I ended up using other phases but Authen. Other phases that
should not really be used for authentication like this and breaks a
few Apache rules.

I specifically had to change mod_auth_ so it sets an apache
note and returns DECLINED instead of stopping the whole request with a
HTTP_UNAUTHORIZED. The change is simple and can be applied to any auth
module without much effort.

So, I thought I'd ask the list for opinions regarding this
poor-mans-approach. 


Here is the setup:

<Location /secure/>
  AuthType Basic
  AuthName "Secure Area"
  Require valid-user

  # Find userinfo in cache. If user is banned, return
  # HTTP_UNAUTHORIZED else let him through to next handler
  PerlAccessHandler MyApache::Bouncer

  # The actual auth module. Patched so it creates an apache
  # request note if user is unauthorized + let request through
  # to next handler (DECLINED) _even tho_ user failed!
  AuthExternal wicauth

  # If apache note contains current user, update cache (nfailures
  # count) and return HTTP_UNAUTHORIZED or return OK
  PerlFixUpHandler MyApache::Ledger
</Location>

Here is my tidied error_log log which shows how it works.

[ User wic with wrong pwd below ]

Bouncer: wic not in cache. Letting through.
AuthExtern wicauth: Failed for user wic.
Ledger: wic not in cache. Adding.

Bouncer: wic in cache: 1  <--- nfailures
AuthExtern wicauth: Failed for user wic
Ledger: wic in cache. Updating.

[ ... 10 times or something like that ... ]

Bouncer: wic in cache: 10
AuthExtern wicauth: Failed for user wic.
Ledger: banning wic for 2 hours.

Bouncer: wic in cache: banned
Bouncer: wic is banned!

Bouncer: wic in cache: banned
Bouncer: wic is banned!

[ The user wic is banned and has to wait for 2 hours until Bouncer
will let him through. ]

Bouncer: wic banning time has expired. Letting through.
AuthExtern wicauth: OK accepted for user wic.
Ledger: wic login ok. 


By keeping count like this (and assuming it works in a real
situation), one can devise lots of cool ways to add login and password
policies. Just change relevant part in the Bouncer/Ledger.

(Btw, I am using Cache::FileCache to keep track of number of failed
retries.)
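
Added example, not Martin's code: a plain-Perl model of the Bouncer/Ledger decision logic from the setup and log above (it also covers the forwarded copy of this message). The in-memory hash stands in for Cache::FileCache, the clock is passed in so the run is repeatable, and the threshold of 10 failures, the sub names and the return strings are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use constant { MAX_FAILURES => 10, BAN_SECONDS => 2 * 60 * 60 };  # assumed policy
use constant { OK => 'OK', DECLINED => 'DECLINED',
               UNAUTHORIZED => 'HTTP_UNAUTHORIZED' };

my %cache;  # stands in for Cache::FileCache: user => { failures, banned_until }

# Access phase, before any password check: reject users whose ban is running.
sub bouncer {
    my ($user, $now) = @_;
    my $e = $cache{$user} or return DECLINED;
    return DECLINED unless $e->{banned_until};
    return UNAUTHORIZED if $now < $e->{banned_until};
    delete $cache{$user};            # ban expired, start from a clean slate
    return DECLINED;
}

# Fixup phase, after the patched auth module left its note ($auth_failed).
sub ledger {
    my ($user, $auth_failed, $now) = @_;
    unless ($auth_failed) {
        delete $cache{$user};        # successful login resets the count
        return OK;
    }
    my $e = $cache{$user} ||= { failures => 0, banned_until => 0 };
    $e->{banned_until} = $now + BAN_SECONDS if ++$e->{failures} >= MAX_FAILURES;
    return UNAUTHORIZED;             # the only place a bad password is refused
}

# One request through the three steps of the <Location> block.
sub request {
    my ($user, $password_ok, $now) = @_;
    my $rc = bouncer($user, $now);
    return "Bouncer: $rc" if $rc eq UNAUTHORIZED;
    return 'Ledger: ' . ledger($user, !$password_ok, $now);
}

my $t = 1_000_000;                   # constructed clock, in seconds
my @trace;
push @trace, request('wic', 0, $t++) for 1 .. MAX_FAILURES;   # wrong password
push @trace, request('wic', 1, $t++);                # right password, but banned
push @trace, request('wic', 1, $t + BAN_SECONDS);    # ban expired, accepted
printf "%2d  %s\n", $_ + 1, $trace[$_] for 0 .. $#trace;
```

In the configuration above the patched auth module answers DECLINED for a wrong password, so the Ledger is the only step that refuses it; a Location that loads the patched module without the Ledger lets failed logins through. Counting per user name also means anyone can lock out a known account by failing on purpose.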


Combining authen-handler with mod_auth

2003-07-05 Thread Martin Wickman
Hello

The short version: 

How can I force my mod_perl Authen-handler to run after mod_auth and
not before it?


The long version:

I have been trying to do some clever things using a combination of
mod_auth with Authen-handlers in mod_perl2 (v1.99.07-1) and apache
2. The actual implementation is not really important, but for
reference see [1].

The handler should count the number of failed retries for each user
and then take appropriate action (for instance, ban the user or log
info to a file). My approach is to have a perl-handler run right
*after* mod_auth when mod_auth has decided the supplied uid/password
did not match [2]

I have no problems creating a plain authentication handler in
mod_perl, but after trying and trying lots of combinations with
perl-handlers I am struggling to get my handler to run *after*
mod_auth.

Like this:

<Location /secure/>
#  AuthAuthoritative Off
  AuthUserFile /tmp/htpasswd
  AuthType Basic
  AuthName Secrets
  Require valid-user

  PerlAuthenHandler MyApache::AuthenTest
</Location>

No matter how I configure AuthenTest, it will always run right before
mod_auth!

Any ideas how to do this, or for that matter, if there is another
approach that is better.

/Regards
Martin



[2] 
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=be0i9b%2411n3fm%241%40ID-156202.news.dfncis.de

[1] I realize there may be issues with HTTP_UNAUTHORIZED causing
apache to abort the chain (according to docs anyway), but that can be
handled by patching auth_mod if needed.


Re: Combining authen-handler with mod_auth

2003-07-05 Thread Martin Wickman
On Sat, Jul 05, 2003 at 02:28:09PM -0400, Geoffrey Young wrote:
 
 
 Martin Wickman wrote:
 Hello
 
 The short version: 
 
 How can I force my mod_perl Authen-handler to run after mod_auth and
 not before it?
 
 in Apache 1.3 you could control this with CleanModuleList/AddModule, but 
 those directives don't exist in 2.0.  I think the only way to do it in 2.0 
 is to change modperl_hooks.c and recompile.
 
 try changing this
 
 ap_hook_authen(modperl_authen_handler, NULL, NULL, APR_HOOK_FIRST);
 
 to this
 
 ap_hook_authen(modperl_authen_handler, NULL, NULL, APR_HOOK_LAST);

Thanks!

I guess that may be possible, but somewhat problematic since I like to
stay with the distro's apache-version. Btw, I remember seeing something
about APR_HOOK_(LAST|FIRST|...) in the docs on perl.apache.org. Not
implemented yet?

I think a lot of interesting password policies could be implemented if
it was possible to run perl-code before and after existing
authentication modules. Is it feasible to add this to the current
mod_perl as a runtime option?