Re: Multiple authentication methods
Hi Darren Would you submit the current version? If you need help with the Documentation just let me know. For the makefile, I do not have any experience. Marcel Am Mittwoch den, 13. Februar 2002, um 21:01, schrieb darren chamberlain: > Quoting Marcel Weber <[EMAIL PROTECTED]> [13 Feb-02 14:53]: >> Why not submitting this somewhere? I think this could be >> usefull for quite a lot of people. I think this is cool, as you >> do not have to worry wether the module returns DECLINED or >> AUTH_REQUIRED. > > I can package this up and put it on CPAN as version 0.01 tomorrow > morning, if that seems reasonable to everyone involved. I'll > need to add some docs and a Makefile.PL, of course. > > (darren) > > -- > To believe is very dull. To doubt is intensely engrossing. To be on > alert is to live, to be lulled into security is to die. > -- Oscar Wilde > > --- PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
RE: Multiple authentication methods
At 17:21 13.02.2002 -0600, you wrote: >File::Spec is in included with the standard perl mods I believe >so dependencies shouldn't be a problem. > > > I see. You're right, this is actually much nicer! > > > > Sorry for the misinformation. On debian it return : also. I made a > > mistake checking it. > > > > But with the suggested code by Per it works just fine: > > > > sub load { > > my $module=@_[0]; > > $module = File::Spec->catfile(split /::/, $module); > > $module .= '.pm'; > > > > eval { require $module; }; > > > > return $@ ? 1 : 0; > > } > > > > Of course one has to put a use File::Spec at the beginning and a Per > > Finar Ellefsen That's Per Einar :) I think this module is a great idea. You should get it on CPAN as soon as possible. -- Per Einar Ellefsen [EMAIL PROTECTED]
RE: Multiple authentication methods
File::Spec is in included with the standard perl mods I believe so dependencies shouldn't be a problem. > I see. You're right, this is actually much nicer! > > Sorry for the misinformation. On debian it return : also. I made a > mistake checking it. > > But with the suggested code by Per it works just fine: > > sub load { > my $module=@_[0]; > $module = File::Spec->catfile(split /::/, $module); > $module .= '.pm'; > > eval { require $module; }; > > return $@ ? 1 : 0; > } > > Of course one has to put a use File::Spec at the beginning and a Per > Finar Ellefsen
Re: Multiple authentication methods
I see. You're right, this is actually much nicer! Sorry for the misinformation. On debian it return : also. I made a mistake checking it. But with the suggested code by Per it works just fine: sub load { my $module=@_[0]; $module = File::Spec->catfile(split /::/, $module); $module .= '.pm'; eval { require $module; }; return $@ ? 1 : 0; } Of course one has to put a use File::Spec at the beginning and a Per Finar Ellefsen Marcel Am Donnerstag den, 14. Februar 2002, um 00:11, schrieb Stathy G. Touloumis: > Interesting, one system is RedHat 7.2 and Suse 7.3 (custom built perl) > that > returns > a ':' for $Config{'path_sep'} > >> It returns a arrayref, as far as I experienced. Well I'm really new to >> mod_perl >> and my eagle book waits still in the library to be bought... But why >> is >> this >> version not nice? > > It's fine but I have become much more impressed with the mod_perl > configuration features. It provides a much cleaner interface for > specifying > directives. > > THIS : > > > AuthName Test > AuthType Basic ># These are AuthenSmb specific > PerlSetVar myPDC SAMBA > PerlSetVar myDOMAIN ARBEITSGRUPPE > # With PerlAddVar you pass an array > PerlAddVar AuthModules Apache::AuthSybase > PerlAddVar AuthModules Apache::AuthenSmb > PerlAuthenHandler Apache::AuthMulti > require valid-user > > > VS : > > > AuthName Test > AuthType Basic > # Now an actual apache conf > myPDC SAMBA > myDOMAIN ARBEITSGRUPPE > # No need to specify twice > AuthModules Apache::AuthSybase Apache::AuthenSmb > > PerlAuthenHandler Apache::AuthMulti > require valid-user > > > Of course there will be some minor changes in the module > and in the Makefile.PL > > > > --- PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
RE: Multiple authentication methods
Cool . . . Thanks for the tip : ) > > > The easiest thing would be to use Config, and do: > > > > > > $module =~ s[::][$Config{'path_sep'}]g; > > > > > > Right? > > > >Maybe not : ) When checking on 2 linux systems I got a path seperator of > >':'. Can you let me know if you get similar results? > > > > I'm getting the same problem here. It seems like > $Config{path_sep} has been > misunderstood: it gives ':' on Unix and ';' on Windows, so I believe it > means the separator between different items in your PATH > (/usr/bin:/usr/local/bin etc..). > > I think what you need is File::Spec. > > Use this instead: > $module = File::Spec->catfile(split /::/, $module); > > That'll be portable.
Re: Multiple authentication methods
Sorry, this code does not work... Should test it better before sending it to to mailing list... Marcel Am Donnerstag den, 14. Februar 2002, um 00:05, schrieb Marcel Weber: > So here comes the most actual code: > > Submitting it to CPAN would be fine! > > > > package Apache::AuthMulti; > > # Stathy G. Touloumis > # Marcel M. Weber > # Darren Chamberlain > # > # Version 0.01-2 / 13.02.2002 / Marcel M. Weber > > use strict; > use Apache::Constants qw(:common); > > sub handler { > my $r = shift; > my($res, $sent_pw) = $r->get_basic_auth_pw; > return $res if $res != OK; > > my @auth_modules=$r->dir_config->get("AuthModules"); > > for my $am (@auth_modules) > { > load($am); > if ($@){ > $r->log_reason("Error loading module '$am':$@"); > next; > } > > my $handler = $am->can('handler') or next; > if ($handler->($r) == OK) { > $r->warn("$am return OK"); > return OK; > } > > $r->log_reason("$am not OK"); > } > > $r->note_basic_auth_failure; > $r->log_reason("none of the handlers could authenticate this > user"); > return AUTH_REQUIRED; > } > > sub load { > my $module=@_[0]; > $module =~ s[::][$Config{'path_sep'}]go; > $module .= '.pm'; > > eval { require $module; }; > > return $@ ? 1 : 0; > } > > 1; > __END__ > > - > > Am Mittwoch den, 13. Februar 2002, um 21:42, schrieb Stathy G. > Touloumis: > >> >> I would suggest changing the PerlSetVar variables to actual apache configuration directives which would change this : my @auth_modules=$r->dir_config->get("AuthModules"); I don't have an immediate patch for this but have done it before. If you would like me to work on this code no prob, otherwise check the eagle book for some samples if unfamiliar. >>> >>> *nod* I'm not sure that the syntax would work; $r->dir_config() >>> would probably return an arrayref, and such; this needs to be >>> tested. >> > > It returns a arrayref, as far as I experienced. Well I'm really new to > mod_perl > and my eagle book waits still in the library to be bought... But why > is this > version not nice? > > --- > > Marcel > > PGP / GPG Key:http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc > > > --- PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
RE: Multiple authentication methods
Interesting, one system is RedHat 7.2 and Suse 7.3 (custom built perl) that returns a ':' for $Config{'path_sep'} > It returns a arrayref, as far as I experienced. Well I'm really new to > mod_perl > and my eagle book waits still in the library to be bought... But why is > this > version not nice? It's fine but I have become much more impressed with the mod_perl configuration features. It provides a much cleaner interface for specifying directives. THIS : AuthName Test AuthType Basic # These are AuthenSmb specific PerlSetVar myPDC SAMBA PerlSetVar myDOMAIN ARBEITSGRUPPE # With PerlAddVar you pass an array PerlAddVar AuthModules Apache::AuthSybase PerlAddVar AuthModules Apache::AuthenSmb PerlAuthenHandler Apache::AuthMulti require valid-user VS : AuthName Test AuthType Basic # Now an actual apache conf myPDC SAMBA myDOMAIN ARBEITSGRUPPE # No need to specify twice AuthModules Apache::AuthSybase Apache::AuthenSmb PerlAuthenHandler Apache::AuthMulti require valid-user Of course there will be some minor changes in the module and in the Makefile.PL
RE: Multiple authentication methods
At 16:51 13.02.2002 -0600, Stathy G. Touloumis wrote: > > The easiest thing would be to use Config, and do: > > > > $module =~ s[::][$Config{'path_sep'}]g; > > > > Right? > >Maybe not : ) When checking on 2 linux systems I got a path seperator of >':'. Can you let me know if you get similar results? > I'm getting the same problem here. It seems like $Config{path_sep} has been misunderstood: it gives ':' on Unix and ';' on Windows, so I believe it means the separator between different items in your PATH (/usr/bin:/usr/local/bin etc..). I think what you need is File::Spec. Use this instead: $module = File::Spec->catfile(split /::/, $module); That'll be portable. -- Per Einar Ellefsen [EMAIL PROTECTED]
Re: Multiple authentication methods
On my woody system it's fine. Marcel Am Mittwoch den, 13. Februar 2002, um 23:51, schrieb Stathy G. Touloumis: >> The easiest thing would be to use Config, and do: >> >> $module =~ s[::][$Config{'path_sep'}]g; >> >> Right? > > Maybe not : ) When checking on 2 linux systems I got a path seperator > of > ':'. Can you let me know if you get similar results? > > Thanks, > > > > > > --- PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
Re: Multiple authentication methods
So here comes the most actual code: Submitting it to CPAN would be fine! package Apache::AuthMulti; # Stathy G. Touloumis # Marcel M. Weber # Darren Chamberlain # # Version 0.01-2 / 13.02.2002 / Marcel M. Weber use strict; use Apache::Constants qw(:common); sub handler { my $r = shift; my($res, $sent_pw) = $r->get_basic_auth_pw; return $res if $res != OK; my @auth_modules=$r->dir_config->get("AuthModules"); for my $am (@auth_modules) { load($am); if ($@){ $r->log_reason("Error loading module '$am':$@"); next; } my $handler = $am->can('handler') or next; if ($handler->($r) == OK) { $r->warn("$am return OK"); return OK; } $r->log_reason("$am not OK"); } $r->note_basic_auth_failure; $r->log_reason("none of the handlers could authenticate this user"); return AUTH_REQUIRED; } sub load { my $module=@_[0]; $module =~ s[::][$Config{'path_sep'}]go; $module .= '.pm'; eval { require $module; }; return $@ ? 1 : 0; } 1; __END__ - Am Mittwoch den, 13. Februar 2002, um 21:42, schrieb Stathy G. Touloumis: > > >>> I would suggest changing the PerlSetVar variables >>> to actual apache configuration directives which would change this : >>> >>> my @auth_modules=$r->dir_config->get("AuthModules"); >>> >>> I don't have an immediate patch for this but have done it before. >>> If you would like me to work on this code no prob, otherwise check >>> the eagle book for some samples if unfamiliar. >> >> *nod* I'm not sure that the syntax would work; $r->dir_config() >> would probably return an arrayref, and such; this needs to be >> tested. > It returns a arrayref, as far as I experienced. Well I'm really new to mod_perl and my eagle book waits still in the library to be bought... But why is this version not nice? --- Marcel PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
RE: Multiple authentication methods
> The easiest thing would be to use Config, and do: > > $module =~ s[::][$Config{'path_sep'}]g; > > Right? Maybe not : ) When checking on 2 linux systems I got a path seperator of ':'. Can you let me know if you get similar results? Thanks,
RE: Multiple authentication methods
> > I would suggest changing the PerlSetVar variables > > to actual apache configuration directives which would change this : > > > > my @auth_modules=$r->dir_config->get("AuthModules"); > > > > I don't have an immediate patch for this but have done it before. > > If you would like me to work on this code no prob, otherwise check > > the eagle book for some samples if unfamiliar. > > *nod* I'm not sure that the syntax would work; $r->dir_config() > would probably return an arrayref, and such; this needs to be > tested. You can specify anything for a directive as you can for dir_config() yet it is more extensible : Syntax checking, ability to set in '.htaccess' files and of course everybodies favorite . . . it's faster ; ) Doesn't need to be implemented now but just a thought . . . > I stole that almost whole hog from Template/Config.pm, lines > 68-78. Take it up with Andy. ;) > > The easiest thing would be to use Config, and do: > > $module =~ s[::][$Config{'path_sep'}]g; > > Right? Anything other than hardcoding and this is fine by me. Although should probably compile once : s[::][$Config{'path_sep'}]go;
Re: Multiple authentication methods
Quoting Stathy G. Touloumis <[EMAIL PROTECTED]> [13 Feb-02 15:26]: > Some more fixes ; ) Yay! Bug reports already... > I would suggest changing the PerlSetVar variables > to actual apache configuration directives which would change this : > > my @auth_modules=$r->dir_config->get("AuthModules"); > > I don't have an immediate patch for this but have done it before. > If you would like me to work on this code no prob, otherwise check > the eagle book for some samples if unfamiliar. *nod* I'm not sure that the syntax would work; $r->dir_config() would probably return an arrayref, and such; this needs to be tested. > Also, > > THIS : > > my $handler = \&{"$am\::handler"}; > if ($handler->($r) == OK) { > $r->warn("$am return OK"); > return OK; > > TO : > > ## 'or next' can be changed > my $handler = $am->can('handler') or next; > if ($handler->($r) == OK) { > $r->warn("$am return OK"); > return OK; > } Yeah, I just didn't think of that when I wrote the code. That is the Correct Way. > And I would consider changing this : > > $module =~ s[::][/]g; > > to be more portable. I am working on another class for runtime > management of classes that should address this but won't be on > CPAN for a few days. I stole that almost whole hog from Template/Config.pm, lines 68-78. Take it up with Andy. ;) The easiest thing would be to use Config, and do: $module =~ s[::][$Config{'path_sep'}]g; Right? (darren) -- What a strange illusion it is to suppose that beauty is goodness. -- Leo Tolstoy
RE: Multiple authentication methods
Some more fixes ; ) I would suggest changing the PerlSetVar variables to actual apache configuration directives which would change this : my @auth_modules=$r->dir_config->get("AuthModules"); I don't have an immediate patch for this but have done it before. If you would like me to work on this code no prob, otherwise check the eagle book for some samples if unfamiliar. Also, THIS : my $handler = \&{"$am\::handler"}; if ($handler->($r) == OK) { $r->warn("$am return OK"); return OK; TO : ## 'or next' can be changed my $handler = $am->can('handler') or next; if ($handler->($r) == OK) { $r->warn("$am return OK"); return OK; } And I would consider changing this : $module =~ s[::][/]g; to be more portable. I am working on another class for runtime management of classes that should address this but won't be on CPAN for a few days. > - > > package Apache::AuthMulti; > > # Stathy G. Touloumis > # Marcel M. Weber > # Darren Chamberlain > # > # Version 0.1.0 / 2002.02.13 / Marcel M. Weber > > use strict; > use Apache::Constants qw(:common); > > sub handler { > my $r = shift; > my($res, $sent_pw) = $r->get_basic_auth_pw; > return $res if $res != OK; > > my @auth_modules=$r->dir_config->get("AuthModules"); > > for my $am (@auth_modules) > { > load($am); > if ($@){ > $r->log_reason("Error loading module '$am':$@"); > next; > } > > my $handler = \&{"$am\::handler"}; > if ($handler->($r) == OK) { > $r->warn("$am return OK"); > return OK; > } > > $r->log_reason("$am not OK"); > } > > $r->note_basic_auth_failure; > $r->log_reason("none of the handlers could authenticate this > user"); > return AUTH_REQUIRED; > } > > sub load { > my $module=@_[0]; > $module =~ s[::][/]g; > $module .= '.pm'; > > eval { require $module; }; > > return $@ ? 1 : 0; > } > > 1; > __END__ > > > --- > > In the httpd.conf you have to put something like this: > > > AuthName Test > AuthType Basic ># These are AuthenSmb specific > PerlSetVar myPDC SAMBA > PerlSetVar myDOMAIN ARBEITSGRUPPE > # With PerlAddVar you pass an array > PerlAddVar AuthModules Apache::AuthSybase > PerlAddVar AuthModules Apache::AuthenSmb > PerlAuthenHandler Apache::AuthMulti > require valid-user > > > --- > > Works perfect... > > Why not submitting this somewhere? I think this could be usefull for > quite a lot of people. I think this is cool, as you do not have to worry > wether the module returns DECLINED or AUTH_REQUIRED. > > Marcel > > > Am Mittwoch den, 13. Februar 2002, um 15:02, schrieb darren chamberlain: > > > Quoting Marcel Weber <[EMAIL PROTECTED]> [12 Feb-02 16:15]: > >> I don't get the point why it did not work the other way round, > >> but now everything is just fine now : > > > > Make it a little more generic: > > > > package Apache::MultiAuthen; > > > > use strict; > > use Apache::Constants qw(:common); > > > > sub handler { > > my $r = shift; > > my($res, $sent_pw) = $r->get_basic_auth_pw; > > return $res if $res != OK; > > > > # Tweak this; unsure about dir_config returning an array > > my @auth_modules = $r->dir_config("AuthModules"); > > > > for my $am (@auth_modules) { > > load($am); > > > > if ($@) { > > $r->log("Error loading module '$am': $@"); > > next; > > } > > > > my $handler = \&{"$am\::handler"}; > > if ($handler->($r) == OK) { > > $r->log_reason("$am return OK"); > > return OK > > } > > > > $r->log_reason("$am not OK"); > > } > > > > $r->note_basic_auth_failure; > > return AUTH_REQUIRED; > > } > > > > sub load { > > my $module = @_; > > $module =~ s[::][/]g; > > $module .= '.pm'; > > > > eval { require $module; }; > > > > return $@ ? 1 : 0; > > } > > > > 1; > > > > __END__ > > > > (darren) > > > > -- > > Never attribute to malice that which is adequately explained by > > incompetence. > > -- Napolean Bonaparte > > > > > --- > > PGP / GPG Key:http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc >
Re: Multiple authentication methods
> > > I think you might need to iterate through $r->err_headers_out and > remove WWW-Authenticate and Proxy-Authenticate after each > authentication module runs. > > say you have an AuthSMB and AythSybase chain. AuthSMB calls > note_basic_auth_failure and sets the WWW-Authenticate header, > AuthSybase succeeds and sets the Authorizaion header. in this case, > both WWW-Authenticate and Authorization will be passed to the browser > (I think), which could lead to spurious results in some browsers. > > or not. the browser sends the Authorization header, last I checked :) at any rate, I think my thoughts were headed somewhere. you might end up with a popup box on every request or something if every request ends up with a WWW-Authenticate header. it at least warrants a test I would think. the return code part is probably valid, though. anyway, I swear to start thinking before I type from now on... --Geoff
Re: Multiple authentication methods
Marcel Weber wrote: > > Fixed some errors. Here comes the working version: > I think you might need to iterate through $r->err_headers_out and remove WWW-Authenticate and Proxy-Authenticate after each authentication module runs. say you have an AuthSMB and AythSybase chain. AuthSMB calls note_basic_auth_failure and sets the WWW-Authenticate header, AuthSybase succeeds and sets the Authorizaion header. in this case, both WWW-Authenticate and Authorization will be passed to the browser (I think), which could lead to spurious results in some browsers. also, you might want to check specifically for AUTH_REQUIRED instead of OK in the chain. AUTH_REQUIRED is not the only return code that get_basic_auth_pw can return (SERVER_ERROR and DECLINED are also possible) and you probably would want to propagate a SERVER_ERROR rather than returning AUTH_REQUIRED. HTH --Geoff
Re: Multiple authentication methods
Quoting Marcel Weber <[EMAIL PROTECTED]> [13 Feb-02 14:53]: > Why not submitting this somewhere? I think this could be > usefull for quite a lot of people. I think this is cool, as you > do not have to worry wether the module returns DECLINED or > AUTH_REQUIRED. I can package this up and put it on CPAN as version 0.01 tomorrow morning, if that seems reasonable to everyone involved. I'll need to add some docs and a Makefile.PL, of course. (darren) -- To believe is very dull. To doubt is intensely engrossing. To be on alert is to live, to be lulled into security is to die. -- Oscar Wilde
Re: Multiple authentication methods
Fixed some errors. Here comes the working version: - package Apache::AuthMulti; # Stathy G. Touloumis # Marcel M. Weber # Darren Chamberlain # # Version 0.1.0 / 2002.02.13 / Marcel M. Weber use strict; use Apache::Constants qw(:common); sub handler { my $r = shift; my($res, $sent_pw) = $r->get_basic_auth_pw; return $res if $res != OK; my @auth_modules=$r->dir_config->get("AuthModules"); for my $am (@auth_modules) { load($am); if ($@){ $r->log_reason("Error loading module '$am':$@"); next; } my $handler = \&{"$am\::handler"}; if ($handler->($r) == OK) { $r->warn("$am return OK"); return OK; } $r->log_reason("$am not OK"); } $r->note_basic_auth_failure; $r->log_reason("none of the handlers could authenticate this user"); return AUTH_REQUIRED; } sub load { my $module=@_[0]; $module =~ s[::][/]g; $module .= '.pm'; eval { require $module; }; return $@ ? 1 : 0; } 1; __END__ --- In the httpd.conf you have to put something like this: AuthName Test AuthType Basic # These are AuthenSmb specific PerlSetVar myPDC SAMBA PerlSetVar myDOMAIN ARBEITSGRUPPE # With PerlAddVar you pass an array PerlAddVar AuthModules Apache::AuthSybase PerlAddVar AuthModules Apache::AuthenSmb PerlAuthenHandler Apache::AuthMulti require valid-user --- Works perfect... Why not submitting this somewhere? I think this could be usefull for quite a lot of people. I think this is cool, as you do not have to worry wether the module returns DECLINED or AUTH_REQUIRED. Marcel Am Mittwoch den, 13. Februar 2002, um 15:02, schrieb darren chamberlain: > Quoting Marcel Weber <[EMAIL PROTECTED]> [12 Feb-02 16:15]: >> I don't get the point why it did not work the other way round, >> but now everything is just fine now : > > Make it a little more generic: > > package Apache::MultiAuthen; > > use strict; > use Apache::Constants qw(:common); > > sub handler { > my $r = shift; > my($res, $sent_pw) = $r->get_basic_auth_pw; > return $res if $res != OK; > > # Tweak this; unsure about dir_config returning an array > my @auth_modules = $r->dir_config("AuthModules"); > > for my $am (@auth_modules) { > load($am); > > if ($@) { > $r->log("Error loading module '$am': $@"); > next; > } > > my $handler = \&{"$am\::handler"}; > if ($handler->($r) == OK) { > $r->log_reason("$am return OK"); > return OK > } > > $r->log_reason("$am not OK"); > } > > $r->note_basic_auth_failure; > return AUTH_REQUIRED; > } > > sub load { > my $module = @_; > $module =~ s[::][/]g; > $module .= '.pm'; > > eval { require $module; }; > > return $@ ? 1 : 0; > } > > 1; > > __END__ > > (darren) > > -- > Never attribute to malice that which is adequately explained by > incompetence. > -- Napolean Bonaparte > > --- PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc
Re: Multiple authentication methods
> the only problem is that, > for the PerlAuthenHandler and PerlAuthzHandler the first handler to > return an Apache error code (anything other than OK, DECLINED, or > DONE) terminates the chain. which is generally fine, except when you > want to return AUTH_REQUIRED and note_basic_auth_failure(). blarg... of course, returning OK also ends the chain, meaning that the user has been authenticated and Apache can stop now. in that respect both the PerlAuthenHandler and PerlAuthzHandler are like the PerlTransHandler (if that helps you think about it). sorry, too much information up there :) --Geoff
Re: Multiple authentication methods
Aaron Ross wrote: > > shouldn't stacked handlers be the right solution here? are stacked auth > handlers not allowed or something? > yes, you can stack multiple auth handlers. the only problem is that, for the PerlAuthenHandler and PerlAuthzHandler the first handler to return an Apache error code (anything other than OK, DECLINED, or DONE) terminates the chain. which is generally fine, except when you want to return AUTH_REQUIRED and note_basic_auth_failure(). when writing your own auth modules, you could return DECLINED (and not call note_basic_auth_failure()) instead of AUTH_REQUIRED and let mod_auth take care of setting AUTH_REQUIRED for you (since the perl handlers generally run before the Apache C modules). however, with Apache::AuthFoo, the AUTH_REQUIRED stuff is generally compiled in, which means that the authentication chain is terminated prematurely. the solution darren posted is kinda nifty and is along the lines of what you would need to have in order to use the shrink-wrapped Apache:: solutions - one controlling handler that traps the return code of the other handlers, keeping them from Apache so that Apache doesn't end the handler chain before you're ready. HTH --Geoff
RE: Multiple authentication methods
He wants to check a 'handler' return value. > shouldn't stacked handlers be the right solution here? are stacked auth > handlers not allowed or something? > > aaron > > On Wed, 2002-02-13 at 09:02, darren chamberlain wrote: > > Quoting Marcel Weber <[EMAIL PROTECTED]> [12 Feb-02 16:15]: > > > I don't get the point why it did not work the other way round, > > > but now everything is just fine now : > > > > Make it a little more generic: > > > > package Apache::MultiAuthen; > > > > use strict; > > use Apache::Constants qw(:common); > > > > sub handler { > > my $r = shift; > > my($res, $sent_pw) = $r->get_basic_auth_pw; > > return $res if $res != OK; > > > > # Tweak this; unsure about dir_config returning an array > > my @auth_modules = $r->dir_config("AuthModules"); > > > > for my $am (@auth_modules) { > > load($am); > > > > if ($@) { > > $r->log("Error loading module '$am': $@"); > > next; > > } > > > > my $handler = \&{"$am\::handler"}; > > if ($handler->($r) == OK) { > > $r->log_reason("$am return OK"); > > return OK > > } > > > > $r->log_reason("$am not OK"); > > } > > > > $r->note_basic_auth_failure; > > return AUTH_REQUIRED; > > } > > > > sub load { > > my $module = @_; > > $module =~ s[::][/]g; > > $module .= '.pm'; > > > > eval { require $module; }; > > > > return $@ ? 1 : 0; > > } > > > > 1; > > > > __END__ > > > > (darren) > > > > -- > > Never attribute to malice that which is adequately explained by > > incompetence. > > -- Napolean Bonaparte > -- > aaron ross . alias intelligence, inc > email . [EMAIL PROTECTED] > phone . 215 545 6428 >
Re: Multiple authentication methods
Quoting Aaron Ross <[EMAIL PROTECTED]> [13 Feb-02 09:21]: > shouldn't stacked handlers be the right solution here? are > stacked auth handlers not allowed or something? Assuming your mod_perl has been built with them, then, yes, that's probably a better solution. But I had a fun 15 minutes writing Apache::MultiAuthen, though. :) (darren) -- My studies in Speculative Philosophy, metaphysics, and science are all summed up in the image of a mouse called man running in and out of every hole in the Cosmos hunting for the Absolute Cheese. -- Edmund Burke
Re: Multiple authentication methods
shouldn't stacked handlers be the right solution here? are stacked auth handlers not allowed or something? aaron On Wed, 2002-02-13 at 09:02, darren chamberlain wrote: > Quoting Marcel Weber <[EMAIL PROTECTED]> [12 Feb-02 16:15]: > > I don't get the point why it did not work the other way round, > > but now everything is just fine now : > > Make it a little more generic: > > package Apache::MultiAuthen; > > use strict; > use Apache::Constants qw(:common); > > sub handler { > my $r = shift; > my($res, $sent_pw) = $r->get_basic_auth_pw; > return $res if $res != OK; > > # Tweak this; unsure about dir_config returning an array > my @auth_modules = $r->dir_config("AuthModules"); > > for my $am (@auth_modules) { > load($am); > > if ($@) { > $r->log("Error loading module '$am': $@"); > next; > } > > my $handler = \&{"$am\::handler"}; > if ($handler->($r) == OK) { > $r->log_reason("$am return OK"); > return OK > } > > $r->log_reason("$am not OK"); > } > > $r->note_basic_auth_failure; > return AUTH_REQUIRED; > } > > sub load { > my $module = @_; > $module =~ s[::][/]g; > $module .= '.pm'; > > eval { require $module; }; > > return $@ ? 1 : 0; > } > > 1; > > __END__ > > (darren) > > -- > Never attribute to malice that which is adequately explained by > incompetence. > -- Napolean Bonaparte -- aaron ross . alias intelligence, inc email . [EMAIL PROTECTED] phone . 215 545 6428
Re: Multiple authentication methods
Quoting Marcel Weber <[EMAIL PROTECTED]> [12 Feb-02 16:15]: > I don't get the point why it did not work the other way round, > but now everything is just fine now : Make it a little more generic: package Apache::MultiAuthen; use strict; use Apache::Constants qw(:common); sub handler { my $r = shift; my($res, $sent_pw) = $r->get_basic_auth_pw; return $res if $res != OK; # Tweak this; unsure about dir_config returning an array my @auth_modules = $r->dir_config("AuthModules"); for my $am (@auth_modules) { load($am); if ($@) { $r->log("Error loading module '$am': $@"); next; } my $handler = \&{"$am\::handler"}; if ($handler->($r) == OK) { $r->log_reason("$am return OK"); return OK } $r->log_reason("$am not OK"); } $r->note_basic_auth_failure; return AUTH_REQUIRED; } sub load { my $module = @_; $module =~ s[::][/]g; $module .= '.pm'; eval { require $module; }; return $@ ? 1 : 0; } 1; __END__ (darren) -- Never attribute to malice that which is adequately explained by incompetence. -- Napolean Bonaparte
RE: Multiple authentication methods
That is odd, I would check the interface for the authentication modules and be sure that they are being used properly. It may help to also put in some debug/trace statements to figure out where things are failing or not working as expected : ) > This way, I do not get any failure messages, but the > authenication does not > work at all. Say, it does not matter wat password your typing in, you get > always authenticated. Even when one auf the handlers logs a violation and > return AUTH_REQUIRED / DECLINED. > > package Apache::AuthenIntra; > > use strict; > use Apache::AuthenSmb; > use Apache::AuthSybase; > use Apache::Constants; > > sub handler { > my $r = shift; > my($res, $sent_pw) = $r->get_basic_auth_pw; > return $res if $res != OK; > > if ( Apache::AuthenSmb::handler($r) == Apache::Constants::OK ) { > return Apache::Constants::OK; > } elsif ( Apache::AuthSybase::handler($r) == > Apache::Constants::OK ) > { > return Apache::Constants::OK; > } > $r->note_basic_auth_failure; > return Apache::Constant::AUTH_REQUIRED; > } > > Marcel > > > -Ursprüngliche Nachricht- > Von: Stathy G. Touloumis [mailto:[EMAIL PROTECTED]] > Gesendet: Dienstag, 12. Februar 2002 18:32 > An: Marcel Weber; [EMAIL PROTECTED] > Betreff: RE: Multiple authentication methods > > > > The get_handlers code is out of AuthenSmb as I do not have the slightest > > idea of how to get the results of the called function. > Hmmm, It would seem that it would be better to call the function directly > from your handler. I am not sure how the AuthenSmb handlers should be > called but you should get the idea. > > sub handler { > my $r = shift; > my($res, $sent_pw) = $r->get_basic_auth_pw; > return $res if $res != OK; > > if ( Apache::AuthSybase->handler($r) == Apache::Constants::OK ) { > return Apache::Constants::OK; > > } elsif ( Apache::AuthenSmb->handler($r) == Apache::Constants::OK ) { > return Apache::Constants::OK; > > } else { > return Apache::Constant::DECLINED; > > } > > > } > > > I get just as far, as I can authenticate via AuthSybase, but the second > > method is never executed. Well, probably some expirienced perl > coder would > > laugh at me... > > He he, we all had to start from the beginning ; ) > > > > Hmm, I fiddled a bit around whith this code but, it does not > > really work the > > way I want it to. > > > > This is what I coded: > > > > sub handler { > > my $r = shift; > > my($res, $sent_pw) = $r->get_basic_auth_pw; > > return $res if $res != OK; > > > > $r->push_handlers( PerlAuthenHandler=> Apache::AuthSybase ); > > if (@{ $r->get_handlers("PerlAuthenHandler") || []}) { > > return OK; > > } > > $r->push_handlers( PerlAuthenHandler=> Apache::AuthenSmb ); > > if (@{ $r->get_handlers("PerlAuthenHandler") || []}) { > > return OK; > > } > > return DECLINED; > > } > > > > The get_handlers code is out of AuthenSmb as I do not have the slightest > > idea of how to get the results of the called function. > > > > What the code should do is: Call AuthSybase, check return value, if OK > > return OK, else call AuthenSMB, return return value. > > > >
RE: Multiple authentication methods
> I also tried something like this at first. But I get this error message in > my apache/error.log > > > [Tue Feb 12 20:20:59 2002] [error] Can't locate object method > "handler" via > package "Apache::AuthenS > mb" (perhaps you forgot to load "Apache::AuthenSmb"?) at > /usr/share/perl5/Apache/AuthenIntra.pm line > 13. Try calling it via Apache::AuthenSmb::handler($r) instead. You will probably want to do the same with Apache::AuthSybase::handler($r) as well. > resp. vice versa, when the AuthSybase method is first. Perhaps it is my > mod_perl installation. It is a stock Debian Woody installation. > > Marcel > > > -Ursprüngliche Nachricht- > Von: Stathy G. Touloumis [mailto:[EMAIL PROTECTED]] > Gesendet: Dienstag, 12. Februar 2002 18:32 > An: Marcel Weber; [EMAIL PROTECTED] > Betreff: RE: Multiple authentication methods > > > > The get_handlers code is out of AuthenSmb as I do not have the slightest > > idea of how to get the results of the called function. > Hmmm, It would seem that it would be better to call the function directly > from your handler. I am not sure how the AuthenSmb handlers should be > called but you should get the idea. > > sub handler { > my $r = shift; > my($res, $sent_pw) = $r->get_basic_auth_pw; > return $res if $res != OK; > > if ( Apache::AuthSybase->handler($r) == Apache::Constants::OK ) { > return Apache::Constants::OK; > > } elsif ( Apache::AuthenSmb->handler($r) == Apache::Constants::OK ) { > return Apache::Constants::OK; > > } else { > return Apache::Constant::DECLINED; > > } > > > } > > > I get just as far, as I can authenticate via AuthSybase, but the second > > method is never executed. Well, probably some expirienced perl > coder would > > laugh at me... > > He he, we all had to start from the beginning ; ) > > > > Hmm, I fiddled a bit around whith this code but, it does not > > really work the > > way I want it to. > > > > This is what I coded: > > > > sub handler { > > my $r = shift; > > my($res, $sent_pw) = $r->get_basic_auth_pw; > > return $res if $res != OK; > > > > $r->push_handlers( PerlAuthenHandler=> Apache::AuthSybase ); > > if (@{ $r->get_handlers("PerlAuthenHandler") || []}) { > > return OK; > > } > > $r->push_handlers( PerlAuthenHandler=> Apache::AuthenSmb ); > > if (@{ $r->get_handlers("PerlAuthenHandler") || []}) { > > return OK; > > } > > return DECLINED; > > } > > > > The get_handlers code is out of AuthenSmb as I do not have the slightest > > idea of how to get the results of the called function. > > > > What the code should do is: Call AuthSybase, check return value, if OK > > return OK, else call AuthenSMB, return return value. > > > >
RE: Multiple authentication methods
> The get_handlers code is out of AuthenSmb as I do not have the slightest > idea of how to get the results of the called function. Hmmm, It would seem that it would be better to call the function directly from your handler. I am not sure how the AuthenSmb handlers should be called but you should get the idea. sub handler { my $r = shift; my($res, $sent_pw) = $r->get_basic_auth_pw; return $res if $res != OK; if ( Apache::AuthSybase->handler($r) == Apache::Constants::OK ) { return Apache::Constants::OK; } elsif ( Apache::AuthenSmb->handler($r) == Apache::Constants::OK ) { return Apache::Constants::OK; } else { return Apache::Constant::DECLINED; } } > I get just as far, as I can authenticate via AuthSybase, but the second > method is never executed. Well, probably some expirienced perl coder would > laugh at me... He he, we all had to start from the beginning ; ) > Hmm, I fiddled a bit around whith this code but, it does not > really work the > way I want it to. > > This is what I coded: > > sub handler { > my $r = shift; > my($res, $sent_pw) = $r->get_basic_auth_pw; > return $res if $res != OK; > > $r->push_handlers( PerlAuthenHandler=> Apache::AuthSybase ); > if (@{ $r->get_handlers("PerlAuthenHandler") || []}) { > return OK; > } > $r->push_handlers( PerlAuthenHandler=> Apache::AuthenSmb ); > if (@{ $r->get_handlers("PerlAuthenHandler") || []}) { > return OK; > } > return DECLINED; > } > > The get_handlers code is out of AuthenSmb as I do not have the slightest > idea of how to get the results of the called function. > > What the code should do is: Call AuthSybase, check return value, if OK > return OK, else call AuthenSMB, return return value. >
Re: Multiple authentication methods
> > >AuthName Test >AuthType Basic >PerlSetVar myPDC SAMBA >PerlSetVar myDOMAIN ARBEITSGRUPPE >PerlAuthenHandler Apache::AuthenSmb Apache::AuthSybase >require valid-user > > is mod_perl compiled with STACKED HANDLERS? the first module to run will need to return DECLINED for the second to ever see the request. You may need a simple AuthHandler that always fails at the end. Try AuthenSmb, DECLINED or OK, try AuthSybase, DECLINED or OK, then AuthFailed, always returned FORBIDDEN. HTH, aaron -- aaron ross . alias intelligence, inc email . [EMAIL PROTECTED] phone . 215 545 6428