Re: PerlAuthenHandler -- doesn't get there...? SOLVED
[ previous discussion snipped ]

>httpd.conf or .htaccess (PerlModule hasta be in httpd.conf,
>from my experience)--
>     PerlAccessHandler My::Auth::access_handler
>     PerlSetVar Intranet "10.10.10.1 => userA, 10.10.10.2 => userB"
>     PerlAuthenHandler My::Auth::authen_handler
>     AuthName realm
>     AuthType Basic
>     Require valid-user
>
>     order deny,allow
>     deny from all
>     #
>     # add 'order/deny', and we're done (as far as i can tell)
>     #
>

Before any changes to the Guide solidify out of this, I'd like to know that we're not pushing bad information into it.

- order, deny, allow are all handled by mod_access, which worries about hostname- and IP address-based restrictions.
- AuthType Basic is handled right in the core Apache code, where it, along with digest, is special-cased for in http_request and elsewhere.

You aren't really doing Basic auth with your module, are you? That is, you're not putting the Auth-Required headers into your responses (to cause the browser to prompt for credentials) if you don't see the Basic auth headers in the requests, right?

I'm using Apache::AuthCookie, not doing this from scratch, so that clouds things a bit for me, but I've been looking at Apache's behaviour a lot.

Here's my test config (for Apache::AuthCookie):

    AllowOverride None
    Options +ExecCGI
    SetHandler cgi-script
    AuthType Site::AuthCookieHandler
    AuthName Testing
    PerlAuthenHandler Site::AuthCookieHandler->authenticate
    PerlAuthzHandler Site::AuthCookieHandler->authorize
    require valid-user

Notice that there are no order, allow, deny directives in sight, and this works as it should. If I truss apache while I hit this spot with a request, I see the results of the handlers being invoked, which in AuthCookie's case is a redirection to a login form.

If I replace "AuthType Site::AuthCookieHandler" with "AuthType Basic", the handlers don't get invoked, and I instead see this error from apache:

    configuration error: couldn't check user. No user file?: /some/where

This comes from http_request.c, which is responding to "AuthType Basic". It's giving an error because I haven't told it where to find a user file (AuthUserFile) or database (AuthDBMUserFile) to check requests against, but I've requested Basic auth.

...Steve

--
Steve van der Burg
Information Services
London Health Sciences Centre
(519) 685-8300 ext 35559
[EMAIL PROTECTED]
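Added example, not part of any message in this thread: the message above turns on what the server sends back when a request carries no credentials (a Basic challenge that makes the browser prompt, a redirect to a login form, a server error, or the page itself). The Python sketch below classifies such a response; the sample responses and the /login.html path are constructed, and only the realm string is taken from the thread.

```python
import re

def parse_head(raw):
    """Split a raw HTTP response head into (status, {lower-cased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(raw):
    """Say what a response to a request sent WITHOUT credentials means."""
    status, headers = parse_head(raw)
    if status == 401:
        challenge = headers.get("www-authenticate", "")
        scheme = challenge.split(" ", 1)[0].lower()
        realm = re.search(r'realm="([^"]*)"', challenge, re.I)
        if scheme == "basic" and realm:
            return ("basic-challenge", realm.group(1))
        return ("bad-challenge", challenge)   # browser cannot prompt properly
    if status in (301, 302, 303, 307):
        return ("redirect", headers.get("location", ""))  # e.g. a login form
    if status == 403:
        return ("forbidden", "")              # refused before any credential check
    if 200 <= status < 300:
        return ("unprotected", "")            # content served with no challenge
    return ("error", str(status))             # look in the server error log

# Constructed sample responses (not captured from any poster's server).
CHALLENGED = ("HTTP/1.1 401 Authorization Required\r\n"
              'WWW-Authenticate: Basic realm="dontUthink subscriber"\r\n\r\n')
LET_IN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
LOGIN_FORM = "HTTP/1.1 302 Found\r\nLocation: /login.html\r\n\r\n"
MISCONFIGURED = "HTTP/1.1 500 Internal Server Error\r\n\r\n"

if __name__ == "__main__":
    for sample in (CHALLENGED, LET_IN, LOGIN_FORM, MISCONFIGURED):
        print(classify(sample))
```

An "unprotected" result for a URL that is supposed to require a login is the symptom reported at the start of this thread.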
Re: PerlAuthenHandler -- doesn't get there...? SOLVED
> SO -- Stas, here's a coupla extra tweaks i think you should
> make so that cut/paste newbies (unlike me, of course) will
> have an easier time with this particular example on the next
> iteration:

It's corrected in the guide's cvs version! Thanks Will!

_
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide
mailto:[EMAIL PROTECTED]   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org
Re: PerlAuthenHandler -- doesn't get there...? SOLVED
Stas Bekman replied:
> Argh, I wish I could always test every addition I have in the guide, some
> code goes untested as it was posted to the mod_perl or contributed by
> someone else. Then people come and use it, if something is wrong they send
> me a patch I fix it. I guess this is a similar scenario -- I admit that
> this code wasn't tested by me. If you find the problem and solve it,
> please send me the patch, so everybody could benefit from it.
>
> As for hints you want to read the Eagle book, I try hard not to duplicate
> information in the book, but sometimes I do. The book covers extensively
> the Authentication handler writing. You should start from the Basic one
> that works for you and then move on and add the extra, more complicated
> logic inside.
>
> I'm looking forward for the patch :) Thanks a lot!

hmm!

"hey, i'm lost in the sears tower. can anybody tell me how to turn the lights on?"

"whoops. maybe if you build your own skyscraper you can get back with us on that..."

:)

so here's what i've stumbled into, in the dark-- i'm using apache 1.3.9 on debian/gnu linux 2.2:

ONE--

from http://perl.apache.org/current/htdocs/manual/mod/mod_perl.html

    PerlModule directive
    Description: List of Perl modules
    Syntax: PerlModule Arg1 x n (ITERATE)
    PerlSyntax: push @PerlModule, $arg1
    Context: Allowed in *.conf anywhere and in .htaccess
    Override: Any other than None
    Status: Extension
    Module: mod_perl

yet when i put 'PerlModule Serensoft::Auth' into the .htaccess file i consistently got

    [notice] child pid 30127 exit signal Segmentation fault (11)

moving it back into the /etc/apache/httpd.conf file, all is sparkly again.

TWO--

if i modify the .htaccess file or the Auth.pm file, it's USUALLY silently ignored until i do 'apachectl graceful' although sometimes .htaccess updates are activated. i presume that even having five or ten child apaches running around loose, it's the one that's dealing with the request that checks for updates to required modules & settings files...

should i hafta 'graceful' just to update Auth.pm or .htaccess?

THREE--

according to /usr/doc/apache/manual/mod/core.html, the AuthName and AuthType are allowed in .htaccess and directory sections only, NOT location sections; this could be a documentation oversight, i reckon.

FOUR--

i'm now reasonably certain (90% or so) that the missing ingredients were basically indicated by Eric Cholet when he said

> maybe you need "Order deny, allow" to trigger authentication

seems that i also needed the companion

    deny from all

as well (he probably thought i knew enough to presume that, but alas, i only now begin to see...).

===

SO -- Stas, here's a coupla extra tweaks i think you should make so that cut/paste newbies (unlike me, of course) will have an easier time with this particular example on the next iteration:

My/Auth.pm--

    [snip]
    sub authen_handler {
        [snip]
        my $reason = authen_dbi ($r, $user, $sent_pw, $level);
        #
        # '$level' looks like an artifact from the
        # original code that isn't part of this example.
        #
        [snip]

    sub authen_dbi{
        my ($r, $user, $sent_pw, $level) = @_;
        #
        # $level, again. omit.
        #

        # validate username/passwd

        return 0 if (*PASSED*)
        #
        # i'd leave this as is; if you change it to a real perl
        # expression such as /PASSED/ some newbies will sail right
        # on by, wondering why they'll never authenticate properly
        # (i'd be one of them).
        #

        return "Failed for X reason";
    }
    1;
    #
    # add the 'require'-friendly 'non-zero final statement'
    #

httpd.conf or .htaccess (PerlModule hasta be in httpd.conf, from my experience)--

    PerlAccessHandler My::Auth::access_handler
    PerlSetVar Intranet "10.10.10.1 => userA, 10.10.10.2 => userB"
    PerlAuthenHandler My::Auth::authen_handler
    AuthName realm
    AuthType Basic
    Require valid-user

    order deny,allow
    deny from all
    #
    # add 'order/deny', and we're done (as far as i can tell)
    #

and there you have it. i think.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.
Re: PerlAuthenHandler -- doesn't get there...?
On Fri, 18 Aug 2000, will trillich wrote:

> thanks for your posts, guys!
>
> Eric Cholet replied:
> > > i copied the sample code from 'illustrated security scenarios'
> > > at http://perl.apache.org/guide/security.html nearly verbatim,
> > > (cut & paste + munge) changed '(*PASSED*)' to a simple test
> > > (moot, at this point) and inserted a few $r->warn("") for tracing
> > > and debugging purposes.
> > >
> > > access_handler() works fine. all its $r->warn output shows up
> > > in the logfile as it should.
> > >
> > > BUT i never see any incursion into the authen_handler() AT ALL!
> >
> > maybe you need "Order deny, allow" to trigger authentication
>
> Steve van der Burg replied:
> > After looking at my own configuration for
> > Apache::AuthCookie, and snooping in the Apache source a
> > bit, I think that your "AuthType Basic" needs to be
> > changed to "AuthType Serensoft::Auth".
>
> tried both... alas, still no entry into authen_handler.
> it's never executed at all.
>
> (Steve--docs for most of the standard auth modules [see your
> local http://localhost/doc/apache/manual/mod/] which seem
> to indicate 'AuthType Basic' not 'AuthType Mod::Path'...?)
>
> if Stas can get it to work using the framework on the guide page,
> what've i got missing? (can anybody confirm that it can/does
> run as expected?)

Argh, I wish I could always test every addition I have in the guide, some code goes untested as it was posted to the mod_perl or contributed by someone else. Then people come and use it, if something is wrong they send me a patch I fix it. I guess this is a similar scenario -- I admit that this code wasn't tested by me. If you find the problem and solve it, please send me the patch, so everybody could benefit from it.

As for hints you want to read the Eagle book, I try hard not to duplicate information in the book, but sometimes I do. The book covers extensively the Authentication handler writing. You should start from the Basic one that works for you and then move on and add the extra, more complicated logic inside.

I'm looking forward for the patch :) Thanks a lot!

_
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide
mailto:[EMAIL PROTECTED]   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org
Re: PerlAuthenHandler -- doesn't get there...?
thanks for your posts, guys!

Eric Cholet replied:
> > i copied the sample code from 'illustrated security scenarios'
> > at http://perl.apache.org/guide/security.html nearly verbatim,
> > (cut & paste + munge) changed '(*PASSED*)' to a simple test
> > (moot, at this point) and inserted a few $r->warn("") for tracing
> > and debugging purposes.
> >
> > access_handler() works fine. all its $r->warn output shows up
> > in the logfile as it should.
> >
> > BUT i never see any incursion into the authen_handler() AT ALL!
>
> maybe you need "Order deny, allow" to trigger authentication

Steve van der Burg replied:
> After looking at my own configuration for
> Apache::AuthCookie, and snooping in the Apache source a
> bit, I think that your "AuthType Basic" needs to be
> changed to "AuthType Serensoft::Auth".

tried both... alas, still no entry into authen_handler. it's never executed at all.

(Steve--docs for most of the standard auth modules [see your local http://localhost/doc/apache/manual/mod/] which seem to indicate 'AuthType Basic' not 'AuthType Mod::Path'...?)

if Stas can get it to work using the framework on the guide page, what've i got missing? (can anybody confirm that it can/does run as expected?)

what modules are required for this simple authenticator to work? there's gotta be something i'm missing. Doesn't look like 'AuthUserFile' or the like, would come into play, does it?

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.
Re: PerlAuthenHandler -- doesn't get there...?
>> i canna get the PerlAuthenHandler to do ANYTHING. first
>> line of code after $r = shift is $r->warn() but nothing
>> shows up in the log. aaugh!

[snip]

>>
>>     PerlAccessHandler Serensoft::Auth::access_handler
>>     PerlSetVar Intranet "this => that"
>>     PerlAuthenHandler Serensoft::Auth::authen_handler
>>     AuthName "dontUthink subscriber"
>>     AuthType Basic
>>     Require valid-user
>>

[snip]

After looking at my own configuration for Apache::AuthCookie, and snooping in the Apache source a bit, I think that your "AuthType Basic" needs to be changed to "AuthType Serensoft::Auth".

...Steve

--
Steve van der Burg
Information Services
London Health Sciences Centre
(519) 685-8300 ext 35559
[EMAIL PROTECTED]
Re: PerlAuthenHandler -- doesn't get there...?
> i canna get the PerlAuthenHandler to do ANYTHING. first
> line of code after $r = shift is $r->warn() but nothing
> shows up in the log. aaugh!
>
> i copied the sample code from 'illustrated security scenarios'
> at http://perl.apache.org/guide/security.html nearly verbatim,
> (cut & paste + munge) changed '(*PASSED*)' to a simple test
> (moot, at this point) and inserted a few $r->warn("") for tracing
> and debugging purposes.
>
> access_handler() works fine. all its $r->warn output shows up
> in the logfile as it should.
>
> BUT i never see any incursion into the authen_handler() AT ALL!

maybe you need "Order deny, allow" to trigger authentication

> [my main site is serensoft.com; the virtual site is dontUthink.com
> and the url i'm trying to test is dontUthink.com/auth ... it lets
> me in, every time, without asking for any userid:password.]
>
> httpd.conf:
>     PerlModule Serensoft::Auth
>
>
>     PerlAccessHandler Serensoft::Auth::access_handler
>     PerlSetVar Intranet "this => that"
>     PerlAuthenHandler Serensoft::Auth::authen_handler
>     AuthName "dontUthink subscriber"
>     AuthType Basic
>     Require valid-user
>
>
> Serensoft/Auth.pm:
>     package Serensoft::Auth;
>     use strict;
>     use Apache::Constants qw(:common);
>
>     [snip]
>
>     sub authen_handler {
>         my $r = shift;
>         $r->warn('authen_handler'); # <== NEVER gets here!!!
>
>         # get user's authentication credentials
>         my ($res, $sent_pw) = $r->get_basic_auth_pw;
>         return $res if $res != OK;
>         my $user = $r->connection->user;
>
>         # authenticate through DBI
>         my $reason = authen_dbi ($r, $user, $sent_pw); # $level? eh?
>
>         if ($reason) {
>             $r->note_basic_auth_failure;
>             $r->log_reason ($reason, $r->uri);
>             return AUTH_REQUIRED;
>         }
>         return OK;
>     }
>
> i even tried adding
>     $r->set_handlers(PerlAuthenHandler => [\&authen_handler]);
> right at the end of access_handler() (before returning OK)
> but alas, to no avail.
>
> what obvious dial have i forgotten to frob?
>
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
> Their is five errers in this sentance.
>
PerlAuthenHandler -- doesn't get there...?
i canna get the PerlAuthenHandler to do ANYTHING. first line of code after $r = shift is $r->warn() but nothing shows up in the log. aaugh!

i copied the sample code from 'illustrated security scenarios' at http://perl.apache.org/guide/security.html nearly verbatim, (cut & paste + munge) changed '(*PASSED*)' to a simple test (moot, at this point) and inserted a few $r->warn("") for tracing and debugging purposes.

access_handler() works fine. all its $r->warn output shows up in the logfile as it should.

BUT i never see any incursion into the authen_handler() AT ALL!

[my main site is serensoft.com; the virtual site is dontUthink.com and the url i'm trying to test is dontUthink.com/auth ... it lets me in, every time, without asking for any userid:password.]

httpd.conf:

    PerlModule Serensoft::Auth

    PerlAccessHandler Serensoft::Auth::access_handler
    PerlSetVar Intranet "this => that"
    PerlAuthenHandler Serensoft::Auth::authen_handler
    AuthName "dontUthink subscriber"
    AuthType Basic
    Require valid-user

Serensoft/Auth.pm:

    package Serensoft::Auth;
    use strict;
    use Apache::Constants qw(:common);

    [snip]

    sub authen_handler {
        my $r = shift;
        $r->warn('authen_handler'); # <== NEVER gets here!!!

        # get user's authentication credentials
        my ($res, $sent_pw) = $r->get_basic_auth_pw;
        return $res if $res != OK;
        my $user = $r->connection->user;

        # authenticate through DBI
        my $reason = authen_dbi ($r, $user, $sent_pw); # $level? eh?

        if ($reason) {
            $r->note_basic_auth_failure;
            $r->log_reason ($reason, $r->uri);
            return AUTH_REQUIRED;
        }
        return OK;
    }

i even tried adding

    $r->set_handlers(PerlAuthenHandler => [\&authen_handler]);

right at the end of access_handler() (before returning OK) but alas, to no avail.

what obvious dial have i forgotten to frob?

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.