Re: PerlAuthenHandler -- doesn't get there...? SOLVED

[Steve van der Burg]

[ previous discussion snipped ]

>httpd.conf or .htaccess (PerlModule hasta be in httpd.conf,
>from my experience)--
>   PerlAccessHandler My::Auth::access_handler
>   PerlSetVar Intranet "10.10.10.1 => userA, 10.10.10.2 => userB"
>   PerlAuthenHandler My::Auth::authen_handler
>   AuthName realm
>   AuthType Basic
>   Require valid-user
>
>   order deny,allow
>   deny from all
>   #
>   # add 'order/deny', and we're done (as far as i can tell)
>   #
>

Before any changes to the Guide solidify out of this, I'd like to know that we're not 
pushing bad information into it.

- order, deny, allow are all handled by mod_access, which worries about hostname- and 
IP address-based restrictions.
- AuthType Basic is handled right in the core Apache code, where it, along with 
digest, is special-cased for in http_request and elsewhere.  You aren't really doing 
Basic auth with your module, are you?  That is, you're not putting the Auth-Required 
headers into your responses (to cause the browser to prompt for credentials) if you 
don't see the Basic auth headers in the requests, right?

I'm using Apache::AuthCookie, not doing this from scratch, so that clouds things a bit 
for me, but I've been looking at Apache's behaviour a lot.

Here's my test config (for Apache::AuthCookie):


 AllowOverride None
 Options +ExecCGI
 SetHandler cgi-script
 AuthType Site::AuthCookieHandler
 AuthName Testing
 PerlAuthenHandler  Site::AuthCookieHandler->authenticate
 PerlAuthzHandler   Site::AuthCookieHandler->authorize
 require valid-user


Notice that there are no order, allow, deny directives in sight, and this works as it 
should.
If I truss apache while I hit this spot with a request, I see the results of the 
handlers being invoked, which in AuthCookie's case is a redirection to a login form.
If I replace "AuthType Site::AuthCookieHandler" with "AuthType Basic", the handlers 
don't get invoked, and I instead see this error from apache:

  configuration error: couldn't check user.  No user file?: /some/where

This comes from http_request.c, which is responding to "AuthType Basic".  It's giving 
an error because I haven't told it where to find a user file (AuthUserFile) or 
database (AuthDBMUserFile) to check requests against, but I've requested Basic auth.

...Steve

-- 
Steve van der Burg
Information Services
London Health Sciences Centre
(519) 685-8300 ext 35559
[EMAIL PROTECTED]

Re: PerlAuthenHandler -- doesn't get there...? SOLVED

[Stas Bekman]

> SO -- Stas, here's a coupla extra tweaks i think you should
> make so that cut/paste newbies (unlike me, of course) will
> have an easier time with this particular example on the next
> iteration:

It's corrected in the guide's cvs version! Thanks Will!

_
Stas Bekman  JAm_pH --   Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org

Re: PerlAuthenHandler -- doesn't get there...? SOLVED

[will trillich]

Stas Bekman replied:
> Argh, I wish I could always test every addition I have in the guide, some
> code goes untested as it was posted to the mod_perl or contributed by
> someone else. Then people come and use it, if something is wrong they send
> me a patch I fix it. I guess this is a similar scenario -- I admit that
> this code wasn't tested by me. If you find the problem and solve it,
> please send me the patch, so everybody could benefit from it.
> 
> As for hints you want to read the Eagle book, I try hard not to duplicate
> information in the book, but sometimes I do. The book covers extensively
> the Authentication handler writing. You should start from the Basic one
> that works for you and then move on and add the extra, more complicated
> logic inside.
> 
> I'm looking forward for the patch :) Thanks a lot!

hmm!  "hey, i'm lost in the sears tower. can anybody tell me
how to turn the lights on?" "whoops. maybe if you build your
own skyscraper you can get back with us on that..."  :)

so here's what i've stumbled into, in the dark--

i'm using apache 1.3.9 on debian/gnu linux 2.2:

ONE--

from http://perl.apache.org/current/htdocs/manual/mod/mod_perl.html
PerlModule directive

Description: List of Perl modules

Syntax: PerlModule Arg1 x n (ITERATE) 
PerlSyntax: push @PerlModule, $arg1 
Context: Allowed in *.conf anywhere and in .htaccess 
Override: Any other than None 
Status: Extension 
Module: mod_perl 

yet when i put 'PerlModule Serensoft::Auth' into
the .htaccess file i consistently got
[notice] child pid 30127 exit signal Segmentation fault (11)

moving it back into the /etc/apache/httpd.conf file,
all is sparkly again.

TWO--

if i modify the .htaccess file or the Auth.pm file, it's
USUALLY silently ignored until i do
'apachectl graceful'
although sometimes .htaccess updates are activated.

i presume that even having five or ten child apaches running
around loose, it's the one that's dealing with the request that
checks for updates to required modules & settings files...
should i hafta 'graceful' just to update Auth.pm or .htaccess?

THREE--

according to /usr/doc/apache/manual/mod/core.html, the
AuthName and AuthType are allowed in .htaccess and
directory sections only, NOT location sections; this 
could be a documentation oversight, i reckon.

FOUR--

i'm now reasonably certain (90% or so) that the missing
ingredients were basically indicated by Eric Cholet when he said

> maybe you need "Order deny, allow" to trigger authentication

seems that i also needed the companion
deny from all
as well (he probably thought i knew enough to presume that,
but alas, i only now begin to see...).

===

SO -- Stas, here's a coupla extra tweaks i think you should
make so that cut/paste newbies (unlike me, of course) will
have an easier time with this particular example on the next
iteration:

My/Auth.pm--
[snip]
sub authen_handler {
[snip]
my $reason = authen_dbi ($r, $user, $sent_pw, $level);
#
# '$level' looks like an artifact from the
# original code that isn't part of this example.
#
[snip]

sub authen_dbi{
  my ($r, $user, $sent_pw, $level) = @_;
#
# $level, again. omit.
#

  # validate username/passwd

  return 0 if (*PASSED*)
#
# i'd leave this as is; if you change it to a real perl
# expression such as /PASSED/ some newbies will sail right
# on by, wondering why they'll never authenticate properly
# (i'd be one of them).
#

  return "Failed for X reason";

}

1;
#
# add the 'require'-friendly 'non-zero final statement'
#

httpd.conf or .htaccess (PerlModule hasta be in httpd.conf,
from my experience)--
PerlAccessHandler My::Auth::access_handler
PerlSetVar Intranet "10.10.10.1 => userA, 10.10.10.2 => userB"
PerlAuthenHandler My::Auth::authen_handler
AuthName realm
AuthType Basic
Require valid-user

order deny,allow
deny from all
#
# add 'order/deny', and we're done (as far as i can tell)
#

and there you have it. i think.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.

Re: PerlAuthenHandler -- doesn't get there...?

[Stas Bekman]

On Fri, 18 Aug 2000, will trillich wrote:

> thanks for your posts, guys!
> 
> Eric Cholet replied:
> > > i copied the sample code from 'illustrated security scenarios'
> > > at http://perl.apache.org/guide/security.html nearly verbatim,
> > > (cut & paste + munge) changed '(*PASSED*)' to a simple test
> > > (moot, at this point) and inserted a few $r->warn("") for tracing
> > > and debugging purposes.
> > >
> > > access_handler() works fine. all its $r->warn output shows up
> > > in the logfile as it should.
> > >
> > > BUT i never see any incursion into the authen_handler() AT ALL!
> > 
> > maybe you need "Order deny, allow" to trigger authentication
> 
> Steve van der Burg replied:
> > After looking at my own configuration for 
> > Apache::AuthCookie, and snooping in the Apache source a
> > bit, I think that your "AuthType Basic" needs to be
> > changed to "AuthType Serensoft::Auth".
> 
> tried both... alas, still no entry into authen_handler.
> it's never executed at all.
> 
> (Steve--docs for most of the standard auth modules [see your
> local http://localhost/doc/apache/manual/mod/] which seem 
> to indicate 'AuthType Basic' not 'AuthType Mod::Path'...?)
> 
> if Stas can get it to work using the framework on the guide page,
> what've i got missing? (can anybody confirm that it can/does
> run as expected?)

Argh, I wish I could always test every addition I have in the guide, some
code goes untested as it was posted to the mod_perl or contributed by
someone else. Then people come and use it, if something is wrong they send
me a patch I fix it. I guess this is a similar scenario -- I admit that
this code wasn't tested by me. If you find the problem and solve it,
please send me the patch, so everybody could benefit from it.

As for hints you want to read the Eagle book, I try hard not to duplicate
information in the book, but sometimes I do. The book covers extensively
the Authentication handler writing. You should start from the Basic one
that works for you and then move on and add the extra, more complicated
logic inside.

I'm looking forward for the patch :) Thanks a lot!

_
Stas Bekman  JAm_pH --   Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org

Re: PerlAuthenHandler -- doesn't get there...?

[will trillich]

thanks for your posts, guys!

Eric Cholet replied:
> > i copied the sample code from 'illustrated security scenarios'
> > at http://perl.apache.org/guide/security.html nearly verbatim,
> > (cut & paste + munge) changed '(*PASSED*)' to a simple test
> > (moot, at this point) and inserted a few $r->warn("") for tracing
> > and debugging purposes.
> >
> > access_handler() works fine. all its $r->warn output shows up
> > in the logfile as it should.
> >
> > BUT i never see any incursion into the authen_handler() AT ALL!
> 
> maybe you need "Order deny, allow" to trigger authentication

Steve van der Burg replied:
> After looking at my own configuration for 
> Apache::AuthCookie, and snooping in the Apache source a
> bit, I think that your "AuthType Basic" needs to be
> changed to "AuthType Serensoft::Auth".

tried both... alas, still no entry into authen_handler.
it's never executed at all.

(Steve--docs for most of the standard auth modules [see your
local http://localhost/doc/apache/manual/mod/] which seem 
to indicate 'AuthType Basic' not 'AuthType Mod::Path'...?)

if Stas can get it to work using the framework on the guide page,
what've i got missing? (can anybody confirm that it can/does
run as expected?)

what modules are required for this simple authenticator to work?
there's gotta be something i'm missing. Doesn't look like
'AuthUserFile' or the like, would come into play, does it?

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.

Re: PerlAuthenHandler -- doesn't get there...?

[Steve van der Burg]

>> i canna get the PerlAuthenHandler to do ANYTHING. first
>> line of code after $r = shift is $r->warn() but nothing
>> shows up in the log. aaugh!

[snip]

>> 
>> PerlAccessHandler Serensoft::Auth::access_handler
>> PerlSetVar Intranet "this => that"
>> PerlAuthenHandler Serensoft::Auth::authen_handler
>> AuthName "dontUthink subscriber"
>> AuthType Basic
>> Require valid-user
>> 

[snip]

After looking at my own configuration for Apache::AuthCookie, and snooping in the 
Apache source a bit, I think that your "AuthType Basic" needs to be changed to 
"AuthType Serensoft::Auth".

...Steve

-- 
Steve van der Burg
Information Services
London Health Sciences Centre
(519) 685-8300 ext 35559
[EMAIL PROTECTED]

Re: PerlAuthenHandler -- doesn't get there...?

[Eric Cholet]

> i canna get the PerlAuthenHandler to do ANYTHING. first
> line of code after $r = shift is $r->warn() but nothing
> shows up in the log. aaugh!
> 
> i copied the sample code from 'illustrated security scenarios' 
> at http://perl.apache.org/guide/security.html nearly verbatim,
> (cut & paste + munge) changed '(*PASSED*)' to a simple test
> (moot, at this point) and inserted a few $r->warn("") for tracing
> and debugging purposes.
> 
> access_handler() works fine. all its $r->warn output shows up 
> in the logfile as it should.
> 
> BUT i never see any incursion into the authen_handler() AT ALL!

maybe you need "Order deny, allow" to trigger authentication
 
> [my main site is serensoft.com; the virtual site is dontUthink.com
> and the url i'm trying to test is dontUthink.com/auth ... it lets
> me in, every time, without asking for any userid:password.]
> 
> httpd.conf:
> PerlModule Serensoft::Auth
> 
> 
> PerlAccessHandler Serensoft::Auth::access_handler
> PerlSetVar Intranet "this => that"
> PerlAuthenHandler Serensoft::Auth::authen_handler
> AuthName "dontUthink subscriber"
> AuthType Basic
> Require valid-user
> 
> 
> Serensoft/Auth.pm:
> Package Serensoft::Auth;
> use strict;
> use Apache::Constants qw(:common);
> 
> [snip]
> 
> sub authen_handler {
> my $r = shift;
> $r->warn('authen_handler'); # <== NEVER gets here!!!
> 
> # get user's authentication credentials
> my ($res, $sent_pw) = $r->get_basic_auth_pw;
> return $res if $res != OK;
> my $user = $r->connection->user;
> 
> # authenticate through DBI
> my $reason = authen_dbi ($r, $user, $sent_pw); # $level? eh?
> 
> if ($reason) {
> $r->note_basic_auth_failure;
> $r->log_reason ($reason, $r->uri);
> return AUTH_REQUIRED;
> }
> return OK;
> }
> 
> i even tried adding
> $r->set_handlers(PerlAuthenHandler => [\&authen_handler]);
> right at the end of access_handler() (before returning OK)
> but alas, to no avail.
> 
> what obvious dial have i forgotten to frob?
> 
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
> Their is five errers in this sentance.
> 

PerlAuthenHandler -- doesn't get there...?

[will trillich]

i canna get the PerlAuthenHandler to do ANYTHING. first
line of code after $r = shift is $r->warn() but nothing
shows up in the log. aaugh!

i copied the sample code from 'illustrated security scenarios' 
at http://perl.apache.org/guide/security.html nearly verbatim,
(cut & paste + munge) changed '(*PASSED*)' to a simple test
(moot, at this point) and inserted a few $r->warn("") for tracing
and debugging purposes.

access_handler() works fine. all its $r->warn output shows up 
in the logfile as it should.

BUT i never see any incursion into the authen_handler() AT ALL!

[my main site is serensoft.com; the virtual site is dontUthink.com
and the url i'm trying to test is dontUthink.com/auth ... it lets
me in, every time, without asking for any userid:password.]

httpd.conf:
PerlModule Serensoft::Auth


PerlAccessHandler Serensoft::Auth::access_handler
PerlSetVar Intranet "this => that"
PerlAuthenHandler Serensoft::Auth::authen_handler
AuthName "dontUthink subscriber"
AuthType Basic
Require valid-user


Serensoft/Auth.pm:
Package Serensoft::Auth;
use strict;
use Apache::Constants qw(:common);

[snip]

sub authen_handler {
my $r = shift;
$r->warn('authen_handler'); # <== NEVER gets here!!!

# get user's authentication credentials
my ($res, $sent_pw) = $r->get_basic_auth_pw;
return $res if $res != OK;
my $user = $r->connection->user;

# authenticate through DBI
my $reason = authen_dbi ($r, $user, $sent_pw); # $level? eh?

if ($reason) {
$r->note_basic_auth_failure;
$r->log_reason ($reason, $r->uri);
return AUTH_REQUIRED;
}
return OK;
}

i even tried adding
$r->set_handlers(PerlAuthenHandler => [\&authen_handler]);
right at the end of access_handler() (before returning OK)
but alas, to no avail.

what obvious dial have i forgotten to frob?

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Their is five errers in this sentance.