Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Carlos Ramirez

Here's a simple handler that will set the AuthType and AuthName
dynamically and handle the authentication for you. This handler will
prompt you for a password when you try to acess /manual with the
AuthName, "The Manual" and prompt with the AuthName "The Icons" when you
try to access /icons. These urls are part of Apaches basic installation
(that's if you did not remove the manual from your htdocs directory).
The authentication phase will let you in just as long you supply a
username and password. You can of course code such that it you can
authenicate against a .htpassword file, using Apache::Htpasswd.

Anyhow, this should show you that you can indeed change the AuthName
on-the-fly and also handle 
authentication without having to include AuthName,AuthType,AuthUserFile
explicitly in your httpd.conf.

Note: the authentication subroutine acted flaky, sometimes it worked and
other times it didn't. But the realms did change for the each uri. 

i hope this helps youhave fun ;)


Setting it up:

In your httpd.conf ( in a global area):

PerlHeaderParserHandler Apache::SetRealm;


=code

package Apache::SetRealm;

use Apache;
use Apache::Constants qw(:common);
sub handler {
my $r   = shift;

## Make Apache aware the we want to also handle the Authentication
phase using a custom
## handler, in this case the subroutine authenticate()
  $r-push_handlers(PerlAuthenHandler = \authenticate);
my $uri = $r-uri;

   ## only handle uri that are defined as protected, in this case the
only protected
   ## uri's are /icons and /manuals
return OK unless is_protected($r);
my $realm = get_realm($r);

## Construct the Header Field containing the type of authenticate
(Basic) and our
   ## realmname return by get_realm()
my $authheader = 'Basic realm="'.$realm.'"';

$r-header_out("WWW-Authenticate" ,$authheader);

## Return 401 to browser and prompt for login
$r-status(AUTH_REQUIRED);
$r-send_http_header("text/html");
return AUTH_REQUIRED;
}

sub get_realm {
 ## Get the AuthName for a specific uri. You can probably read these
off of a file that
 ## contains a list of uri's and realmNames
  my $r = shift;
  return "The Icons"  if ($r-uri =~ /\/icons/);
  return "The Manual" if ($r-uri =~ /\/manual/);
}

sub is_protected {
  ## Check the $uri requested matches our set of "Restricted"
locations
 ## 1 = isProtected, 0 = NotProtected
 ## You can probably have these protected areas in a seperate file,
the eagle book
 ## has some excellent ideas on how to acomplish this
  my $r = shift;
  my @protected = ('\/manual','\/icons');

  for (@protected) { return 1 if ($r-uri =~ /$_/); }
  return 0;
}

sub authenticate {
  ## Straight out of the Eagle Book
my $r = shift;

return OK if $r-sub_request;

my ($res,$password) = $r-get_basic_auth_pw;
return $res if $res != OK;

my $username = $r-connection-user;
unless ($username  $pass) {
   $r-note_basic_auth_failure;
   $r-log_reason("Did not provide username");
   return AUTH_REQUIRED;
}

## Now that you have the $username and $password you can
## include your code to open your AuthUserFile to check the password
and username
## I suggest using Apache::Htpasswd, it provides all the
methods/functions that you need to
## accomplish this part of the task...

$r-log_reason("WELCOME $user");
return OK;

}

1;


-Carlos


Todd Chapman wrote:
 
 Please explain again how to get my AuthHandler called without setting
 AuthName or AuthType in httpd.conf.
 
 Thanks.
 
 -Todd
 
 On Wed, 27 Sep 2000, Carlos Ramirez wrote:
 
  By choosing to use your custom AuthHandler, you basically override Apache's way of
  handling the particular phase, in this case the authentication phase.  So you must
  handle prompting the user and also checking the password.
 
  You might want to read the Apache Guide (http://perl.apache.org/) on how to write 
you
  own handler and also the eagle book.
 
  After reviewing our previous conversation, I think you might need to send
  WWW-Authenticate header field in another phase (preferable at the
  PerlHeaderParserHandler)  before the Authentication phase is called.
 
  Your PerlHeaderParserHandler can check the $r-uri for any password protected
  requests, i.e., if it matches /companyA, you can then set the WWW-Authenticate: 
Basic
  $realm and push it along it's merry way.
 
  Then your PerlAuthHandler will get the username and password and check it against 
the
  realms' AuthUserFile.  Apache will handle the initial prompting for the
  username/password.
 
  Your requirements imply that you will have a file(??) that has a list of UserFiles
  for each Realm/path_info so that your authentication handler will know what file to
  check against.
 
  I hope this make sense ;) my coffee is running low...
 
  -Carlos
 
 
  Todd Chapman wrote:
 
   Thanks for the help. I was hoping that Apache would 

Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Doug MacEachern

On Wed, 27 Sep 2000, Todd Chapman wrote:

 
 Problems with your suggestion:
 
 1. The realm will not be known until I get path_info so
 Location/Location directives will not work.

you can use $r-auth_name($realm) to set it at request time.
 
 2. How can I get Perl to do the password lookup in the dynamically
 selected AuthUserFile?

since mod_auth.c's structure defs are private to mod_auth.c, there's no
$r-api for this.  what you can do use .htaccess like so:

Perl
my $r = Apache-request;

my $testing = $r-path_info =~ /test/;

$AuthType = "Basic";
$AuthName =  $testing ? "Testing" : "Whatever";
$Require = "user dougm";
$AuthUserFile = $testing ? "/tmp/htpasswd" : "/whatever/htpasswd";

/Perl

also, i just committed this patch that makes $r-auth_type writable, the
same way $r-auth_name is.  and, defaults auth_type to Basic when unset
and $r-get_basic_auth_pw is called.

Index: src/modules/perl/Apache.xs
===
RCS file: /home/cvs/modperl/src/modules/perl/Apache.xs,v
retrieving revision 1.110
diff -u -r1.110 Apache.xs
--- src/modules/perl/Apache.xs  2000/09/27 19:44:23 1.110
+++ src/modules/perl/Apache.xs  2000/09/27 23:43:33
@@ -824,8 +824,9 @@
 char *val
 
 const char *
-auth_type(r)
+mod_perl_auth_type(r, val=NULL)
 Apacher
+char *val
 
 const char *
 document_root(r, ...)
@@ -887,6 +888,9 @@
 int ret;
 
 PPCODE:
+if (!auth_type(r)) {
+(void)mod_perl_auth_type(r, "Basic");
+}
 ret = get_basic_auth_pw(r, sent_pw);
 XPUSHs(sv_2mortal((SV*)newSViv(ret)));
 if(ret == OK)
Index: src/modules/perl/mod_perl.h
===
RCS file: /home/cvs/modperl/src/modules/perl/mod_perl.h,v
retrieving revision 1.103
diff -u -r1.103 mod_perl.h
--- src/modules/perl/mod_perl.h 2000/09/22 18:51:59 1.103
+++ src/modules/perl/mod_perl.h 2000/09/27 23:43:46
@@ -1185,6 +1185,7 @@
 perl_require_module("Apache", s)
 
 char *mod_perl_auth_name(request_rec *r, char *val);
+char *mod_perl_auth_type(request_rec *r, char *val);
 
 module *perl_get_module_ptr(char *name, int len);
 void *perl_merge_server_config(pool *p, void *basev, void *addv);
Index: src/modules/perl/perl_config.c
===
RCS file: /home/cvs/modperl/src/modules/perl/perl_config.c,v
retrieving revision 1.105
diff -u -r1.105 perl_config.c
--- src/modules/perl/perl_config.c  2000/09/27 15:37:33 1.105
+++ src/modules/perl/perl_config.c  2000/09/27 23:44:03
@@ -158,6 +158,24 @@
 #endif
 }
 
+char *mod_perl_auth_type(request_rec *r, char *val)
+{
+#ifndef WIN32 
+core_dir_config *conf = 
+  (core_dir_config *)get_module_config(r-per_dir_config, core_module); 
+
+if(val) {
+   conf-auth_type = pstrdup(r-pool, val);
+   set_module_config(r-per_dir_config, core_module, (void*)conf); 
+   MP_TRACE_g(fprintf(stderr, "mod_perl: setting auth_type to %s\n", 
+conf-auth_name));
+}
+
+return conf-auth_type;
+#else
+return (char *) auth_type(r);
+#endif
+}
+
 void mod_perl_dir_env(request_rec *r, perl_dir_config *cld)
 {
 if(MP_HASENV(cld)) {






Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Doug MacEachern

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

 my $authheader = 'Basic realm="'.$realm.'"';
 
 $r-header_out("WWW-Authenticate" ,$authheader);

there's a cleaner way for that:
$r-auth_name($realm);
$r-note_basic_auth_failure;
 
 $r-status(AUTH_REQUIRED);

no need for that.

 $r-send_http_header("text/html");

or this because..

 return AUTH_REQUIRED;

..apache will send the headers when you return an error

 return OK if $r-sub_request;

there's no Apache::sub_request method 

 my ($res,$password) = $r-get_basic_auth_pw;

this will core dump if AuthName is not set in the configuration file.
not with the current cvs though, see previous message.

$r-note_basic_auth_failure;

this won't work right unless you've set $r-auth_name($val)





Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Todd Chapman


Thanks for the help Doug. This is what I have now but all I get is a
segementation fault in the log.

Any ideas?

-Todd

package Apache::SetRealm;

## Usage: PerlHeaderParserHandler Apache::SetRealm

use strict;
use Apache::Constants qw(:common);

sub handler {
my $r = shift;

   # find the name of the realm
   # if realm does not exist error
   # else see if Auth header set
   # if auth header not set return AUTH_REQUIRED
   # else return OK

# If Auth header is set a future PerlAuthenHandler will check the
password.
# When that happens we can't use get_basic_auth_info because AuthName is
# not set in the config file. We will have to parse the Auth header manually.
# The realm will be determined from path_info.
return OK if $r-header_in('Authorization');

my $realm = get_realm($r);

# Prompt for authentication info in the proper realm
$r-auth_name($realm);
$r-note_basic_auth_failure;
return AUTH_REQUIRED;
}

sub get_realm {
 ## Get the AuthName for a specific uri. You can probably read these off of a file 
that ## contains a list of uri's and realmNames
  my $r = shift;
  $r-uri =~ /\/modperl\/(.*)/;
  return $1 if $1;
  return "Top Level";
}

1;






Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Carlos Ramirez


$r->auth_name($realm), $r->auth_type($basic) did not work for me, which
is why I used the $r->header_out method. Also, after I set the outgoing
header and returned AUTH_REQUIRED, I got prompted but the $realm did not
show. Instead it displayed 'unknown' as the realm name. But when I set
the $r->status and sent out the response via $r->send_http_header and returned
AUTH_REQUIRED, the $realm name showed?
I read the docs as i started this exercise and was aware of $r->auth_name,
$r->auth_type, but since they did'nt work and I kept getting segfaults
when using them I decided to try other routes. But anyways I'm glad that
I read the docs right and that you can indeed set the AuthName using $r->auth_name.
As for the authenticate subroutine, I just copied that from the eagle
book, just as a demonstration...
I'll upgrade my mod_perl from 1.2.1 -> latest and see if these work
for me.
Thanks for the helpful insights and explanations DougI have seen
the light ;)
-Carlos




Doug MacEachern wrote:
On Wed, 27 Sep 2000, Carlos Ramirez wrote:
> my $authheader = 'Basic realm="'.$realm.'"';
>
> $r->header_out("WWW-Authenticate" ,$authheader);
there's a cleaner way for that:
$r->auth_name($realm);
$r->note_basic_auth_failure;
> $r->status(AUTH_REQUIRED);
no need for that.
> $r->send_http_header("text/html");
or this because..
> return AUTH_REQUIRED;
..apache will send the headers when you return an error
> return OK if $r->sub_request;
there's no Apache::sub_request method
> my ($res,$password) = $r->get_basic_auth_pw;
this will core dump if AuthName is not set in the configuration file.
not with the current cvs though, see previous message.
>
$r->note_basic_auth_failure;
this won't work right unless you've set $r->auth_name($val)

--
---
Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
---
- Someday I'll find that peer and reset his connection!



Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Doug MacEachern

On Thu, 28 Sep 2000, Todd Chapman wrote:

 
 Thanks for the help Doug. This is what I have now but all I get is a
 segementation fault in the log.

 $r-note_basic_auth_failure;

if AuthType is not set, this will core dump.  i just expanded the change
that defaults AuthType to Basic for get_basic_auth_pw to include
note_basic_auth_failure, in the cvs tree.




Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Doug MacEachern

On Thu, 28 Sep 2000, Carlos Ramirez wrote:

 $r-auth_name($realm), $r-auth_type($basic) did not work for me, which
 is why I used the $r-header_out method. Also, after I set the outgoing
 header and returned AUTH_REQUIRED, I got prompted but the $realm did not
 show. Instead it displayed 'unknown' as the realm name. But when I set
 the $r-status and sent out the response via $r-send_http_header and
 returned AUTH_REQUIRED, the $realm name showed?

$r-auth_name($realm) works fine, provided you call
$r-note_basic_auth_failure, rather than
$r-header_out('WWW-Authenticate',...)

$r-auth_type did not become writeable until the patch i posted earlier.
 
 I read the docs as i started this exercise and was aware of
 $r-auth_name, $r-auth_type, but since they did'nt work and I kept
 getting segfaults when using them I decided to try other routes. But
 anyways I'm glad that I read the docs right and that you can indeed set
 the AuthName using $r-auth_name.

until the recent change where $r-auth_type became writeable, and
get_basic_auth_pw/note_basic_auth_failure default AuthType to Basic if it
is not configured, those methods would segfault.




Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Todd Chapman


Thanks Doug but I (and my customer) don't want to live on the CVS bleeding
edge right now. Can you suggest something else?

Original problem:

I need to set the realm for virtual documents based on path_info and use
Basic authentication. Otherwise I may have to move to some cooie based
authentication but I don't want to do that.

-Todd

On Thu, 28 Sep 2000, Doug MacEachern wrote:

 On Thu, 28 Sep 2000, Todd Chapman wrote:
 
  
  Thanks for the help Doug. This is what I have now but all I get is a
  segementation fault in the log.
 
  $r-note_basic_auth_failure;
 
 if AuthType is not set, this will core dump.  i just expanded the change
 that defaults AuthType to Basic for get_basic_auth_pw to include
 note_basic_auth_failure, in the cvs tree.
 




Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Doug MacEachern

On Thu, 28 Sep 2000, Todd Chapman wrote:

 
 Thanks Doug but I (and my customer) don't want to live on the CVS bleeding
 edge right now. Can you suggest something else?

yeah, add this to httpd.conf:

AuthType Basic





Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Todd Chapman


Duh! Thanks.

Now, is there any way to determine the realm the browser thinks it's
authentication to? Is the realm stored in the Authorization header or any
other headers?

-Todd

On Thu, 28 Sep 2000, Doug MacEachern wrote:

 On Thu, 28 Sep 2000, Todd Chapman wrote:
 
  
  Thanks Doug but I (and my customer) don't want to live on the CVS bleeding
  edge right now. Can you suggest something else?
 
 yeah, add this to httpd.conf:
 
 AuthType Basic
 
 




Re: PerlAuthenHandler advice needed.

2000-09-28 Thread Joe Schaefer

Todd Chapman [EMAIL PROTECTED] writes:

 Duh! Thanks.
 
 Now, is there any way to determine the realm the browser thinks it's
 authentication to? Is the realm stored in the Authorization header or any
 other headers?
 

I wouldn't try to use realms in any serious way- various browsers
do various things.  The only reliable way to have the browser send
different passwords to different locations is to use different 
server names.

-- 
Joe Schaefer



Re: PerlAuthenHandler advice needed.

2000-09-27 Thread Todd Chapman


Problems with your suggestion:

1. The realm will not be known until I get path_info so
Location/Location directives will not work.

2. How can I get Perl to do the password lookup in the dynamically
selected AuthUserFile?

Thanks for the help.

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

 You can you use Location to specify seperate AuthUserFile's like so:
 
 Location /companyA
 AuthType Basic
 AuthName CompanyA
 AuthUserFile path/to/CompanyAUsersFile
 
 /Location
 
 Location /companyN
 AuthType Basic
 AuthName CompanyN
 AuthUserFile path/to/CompanyNUsersFIle
 /Location
 
 
 Or you can write your own AuthHandler that lookups up AuthName, AuthUserFile
 in a seperate file against the path_info. This will eliminate the need to
 flood you httpd.conf file with a bunch of Location/Location directives.
 
 
 
 
 
 
 Todd Chapman wrote:
 
  I have read chapter 6 of the modperl book but still don't know how to set
  up authenification the way I want. I would like to use Basic
  authentification to protect virtual documents. The trick is that I want
  to set AuthName and AuthUserFile based on path_info.
 
  For example:
 
  http://virtual/companyA/dir1
 
  would prompt for a password in the companyA realm and check it against the
  appropriate AuthUserFile.
 
  How do I add this flexibility without reinventing the parts Apache already
  does so well?
 
  Thanks.
 
  -Todd
 
 --
 ---
 Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
 ---
 - Someday I'll find that peer and reset his connection!
 
 
 




Re: PerlAuthenHandler advice needed.

2000-09-27 Thread Carlos Ramirez


1. Oh, I mis-interpreted your question. I thought you already had a list
of virtual directories with the
 AuthNames defined.
You can set the AuthName by sending them in the server response header
field:
WWW-Authenticate Basic $realm
So the first request to /companyA, you AuthHandler will respond with:
$r->header_out(WWW-Authenticate => 'Basic $realm); ## Sets Realm field
$r->note_basic_auth_failure; ## Prompts for password
The when a username and password are supplied i.e.
($ret,$password) = $r->get_basic_auth_pw;
where $ret = 1;
Then:
1. determine the AuthUserFile
2. use Apache::Htpasswd to check password
-Carlos






Todd Chapman wrote:
Problems with your suggestion:
1. The realm will not be known until I get path_info so
Location>/Location> directives will not work.
2. How can I get Perl to do the password lookup in the dynamically
selected AuthUserFile?
Thanks for the help.
-Todd
On Wed, 27 Sep 2000, Carlos Ramirez wrote:
> You can you use Location to specify seperate AuthUserFile's like so:
>
> Location /companyA>
> AuthType Basic
> AuthName CompanyA
> AuthUserFile path/to/CompanyAUsersFile
>
> /Location>
> 
> Location /companyN>
> AuthType Basic
> AuthName CompanyN
> AuthUserFile path/to/CompanyNUsersFIle
> /Location>
>
>
> Or you can write your own AuthHandler that lookups up AuthName, AuthUserFile
> in a seperate file against the path_info. This will eliminate the
need to
> flood you httpd.conf file with a bunch of Location>/Location>
directives.
>
>
>
>
>
>
> Todd Chapman wrote:
>
> > I have read chapter 6 of the modperl book but still don't know
how to set
> > up authenification the way I want. I would like to use Basic
> > authentification to protect virtual documents. The trick is that
I want
> > to set AuthName and AuthUserFile based on path_info.
> >
> > For example:
> >
> > http://virtual/companyA/dir1
> >
> > would prompt for a password in the companyA realm and check it
against the
> > appropriate AuthUserFile.
> >
> > How do I add this flexibility without reinventing the parts Apache
already
> > does so well?
> >
> > Thanks.
> >
> > -Todd
>
> --
> ---
> Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> ---
> - Someday I'll find that peer and reset his connection!
>
>
>

--
---
Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
---
- Someday I'll find that peer and reset his connection!



Re: PerlAuthenHandler advice needed.

2000-09-27 Thread Todd Chapman


Thanks for the help. I was hoping that Apache would check the password for
me but this should work.

Now, how do I get Apache to run my PerlAuthenHandler without setting the
AuthType or AuthName in httpd.conf?

Do I need to do the Authentication in a PerlHandler?

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

 1. Oh, I mis-interpreted your question. I thought you already had a list of
 virtual directories with the
 AuthNames defined.
 
 You can set the AuthName by sending them in the server response header field:
 
 WWW-Authenticate Basic $realm
 
 So the first request to /companyA, you AuthHandler will respond with:
 
 $r-header_out(WWW-Authenticate = 'Basic $realm); ## Sets Realm field
 $r-note_basic_auth_failure; ## Prompts for password
 
 The when a username and password are supplied i.e.
 ($ret,$password) = $r-get_basic_auth_pw;
 
 where $ret = 1;
 
 Then:
 1. determine the AuthUserFile
 2. use Apache::Htpasswd to check password
 
 -Carlos
 
 
 
 
 
 
 
 Todd Chapman wrote:
 
  Problems with your suggestion:
 
  1. The realm will not be known until I get path_info so
  Location/Location directives will not work.
 
  2. How can I get Perl to do the password lookup in the dynamically
  selected AuthUserFile?
 
  Thanks for the help.
 
  -Todd
 
  On Wed, 27 Sep 2000, Carlos Ramirez wrote:
 
   You can you use Location to specify seperate AuthUserFile's like so:
  
   Location /companyA
   AuthType Basic
   AuthName CompanyA
   AuthUserFile path/to/CompanyAUsersFile
  
   /Location
   
   Location /companyN
   AuthType Basic
   AuthName CompanyN
   AuthUserFile path/to/CompanyNUsersFIle
   /Location
  
  
   Or you can write your own AuthHandler that lookups up AuthName, AuthUserFile
   in a seperate file against the path_info. This will eliminate the need to
   flood you httpd.conf file with a bunch of Location/Location directives.
  
  
  
  
  
  
   Todd Chapman wrote:
  
I have read chapter 6 of the modperl book but still don't know how to set
up authenification the way I want. I would like to use Basic
authentification to protect virtual documents. The trick is that I want
to set AuthName and AuthUserFile based on path_info.
   
For example:
   
http://virtual/companyA/dir1
   
would prompt for a password in the companyA realm and check it against the
appropriate AuthUserFile.
   
How do I add this flexibility without reinventing the parts Apache already
does so well?
   
Thanks.
   
-Todd
  
   --
   ---
   Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
   ---
   - Someday I'll find that peer and reset his connection!
  
  
  
 
 --
 ---
 Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
 ---
 - Someday I'll find that peer and reset his connection!
 
 
 




Re: PerlAuthenHandler advice needed.

2000-09-27 Thread Carlos Ramirez


By choosing to use your custom AuthHandler, you basically override Apache's
way of handling the particular phase, in this case the authentication phase.
So you must handle prompting the user and also checking the password.
You might want to read the Apache Guide (http://perl.apache.org/) on
how to write you own handler and also the eagle book.
After reviewing our previous conversation, I think you might need to
send WWW-Authenticate header field in another phase (preferable at the
PerlHeaderParserHandler) before the Authentication phase is called.
Your PerlHeaderParserHandler can check the $r->uri for any password
protected requests, i.e., if it matches /companyA, you can then set
the WWW-Authenticate: Basic $realm and push it along it's merry way.
Then your PerlAuthHandler will get the username and password and check
it against the realms' AuthUserFile. Apache will handle the initial
prompting for the username/password.
Your requirements imply that you will have a file(??) that has a list
of UserFiles for each Realm/path_info so that your authentication handler
will know what file to check against.
I hope this make sense ;) my coffee is running low...
-Carlos

Todd Chapman wrote:
Thanks for the help. I was hoping that Apache would
check the password for
me but this should work.
Now, how do I get Apache to run my PerlAuthenHandler without setting
the
AuthType or AuthName in httpd.conf?
Do I need to do the Authentication in a PerlHandler?
-Todd
On Wed, 27 Sep 2000, Carlos Ramirez wrote:
> 1. Oh, I mis-interpreted your question. I thought you already had
a list of
> virtual directories with the
> AuthNames defined.
>
> You can set the AuthName by sending them in the server response header
field:
>
> WWW-Authenticate Basic $realm
>
> So the first request to /companyA, you AuthHandler will respond with:
>
> $r->header_out(WWW-Authenticate => 'Basic $realm); ## Sets Realm
field
> $r->note_basic_auth_failure; ## Prompts for password
>
> The when a username and password are supplied i.e.
> ($ret,$password) = $r->get_basic_auth_pw;
>
> where $ret = 1;
>
> Then:
> 1. determine the AuthUserFile
> 2. use Apache::Htpasswd to check password
>
> -Carlos
>
>
>
>
>
>
>
> Todd Chapman wrote:
>
> > Problems with your suggestion:
> >
> > 1. The realm will not be known until I get path_info so
> > Location>/Location> directives will not work.
> >
> > 2. How can I get Perl to do the password lookup in the dynamically
> > selected AuthUserFile?
> >
> > Thanks for the help.
> >
> > -Todd
> >
> > On Wed, 27 Sep 2000, Carlos Ramirez wrote:
> >
> > > You can you use Location to specify seperate AuthUserFile's like
so:
> > >
> > > Location /companyA>
> > > AuthType Basic
> > > AuthName CompanyA
> > > AuthUserFile path/to/CompanyAUsersFile
> > >
> > > /Location>
> > > 
> > > Location /companyN>
> > > AuthType Basic
> > > AuthName CompanyN
> > > AuthUserFile path/to/CompanyNUsersFIle
> > > /Location>
> > >
> > >
> > > Or you can write your own AuthHandler that lookups up AuthName,
AuthUserFile
> > > in a seperate file against the path_info. This will eliminate
the need to
> > > flood you httpd.conf file with a bunch of Location>/Location>
directives.
> > >
> > >
> > >
> > >
> > >
> > >
> > > Todd Chapman wrote:
> > >
> > > > I have read chapter 6 of the modperl book but still don't know
how to set
> > > > up authenification the way I want. I would like to use Basic
> > > > authentification to protect virtual documents. The trick is
that I want
> > > > to set AuthName and AuthUserFile based on path_info.
> > > >
> > > > For example:
> > > >
> > > > http://virtual/companyA/dir1
> > > >
> > > > would prompt for a password in the companyA realm and check
it against the
> > > > appropriate AuthUserFile.
> > > >
> > > > How do I add this flexibility without reinventing the parts
Apache already
> > > > does so well?
> > > >
> > > > Thanks.
> > > >
> > > > -Todd
> > >
> > > --
> > > ---
> > > Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> > > ---
> > > - Someday I'll find that peer and reset his connection!
> > >
> > >
> > >
>
> --
> ---
> Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> ---
> - Someday I'll find that peer and reset his connection!
>
>
>

--
---
Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
---
- Someday I'll find that peer and reset his connection!



Re: PerlAuthenHandler advice needed.

2000-09-27 Thread Todd Chapman


Please explain again how to get my AuthHandler called without setting
AuthName or AuthType in httpd.conf.

Thanks.

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

 By choosing to use your custom AuthHandler, you basically override Apache's way of
 handling the particular phase, in this case the authentication phase.  So you must
 handle prompting the user and also checking the password.
 
 You might want to read the Apache Guide (http://perl.apache.org/) on how to write you
 own handler and also the eagle book.
 
 After reviewing our previous conversation, I think you might need to send
 WWW-Authenticate header field in another phase (preferable at the
 PerlHeaderParserHandler)  before the Authentication phase is called.
 
 Your PerlHeaderParserHandler can check the $r-uri for any password protected
 requests, i.e., if it matches /companyA, you can then set the WWW-Authenticate: Basic
 $realm and push it along it's merry way.
 
 Then your PerlAuthHandler will get the username and password and check it against the
 realms' AuthUserFile.  Apache will handle the initial prompting for the
 username/password.
 
 Your requirements imply that you will have a file(??) that has a list of UserFiles
 for each Realm/path_info so that your authentication handler will know what file to
 check against.
 
 I hope this make sense ;) my coffee is running low...
 
 -Carlos
 
 
 Todd Chapman wrote:
 
  Thanks for the help. I was hoping that Apache would check the password for
  me but this should work.
 
  Now, how do I get Apache to run my PerlAuthenHandler without setting the
  AuthType or AuthName in httpd.conf?
 
  Do I need to do the Authentication in a PerlHandler?
 
  -Todd
 
  On Wed, 27 Sep 2000, Carlos Ramirez wrote:
 
   1. Oh, I mis-interpreted your question. I thought you already had a list of
   virtual directories with the
   AuthNames defined.
  
   You can set the AuthName by sending them in the server response header field:
  
   WWW-Authenticate Basic $realm
  
   So the first request to /companyA, you AuthHandler will respond with:
  
   $r-header_out(WWW-Authenticate = 'Basic $realm); ## Sets Realm field
   $r-note_basic_auth_failure; ## Prompts for password
  
   The when a username and password are supplied i.e.
   ($ret,$password) = $r-get_basic_auth_pw;
  
   where $ret = 1;
  
   Then:
   1. determine the AuthUserFile
   2. use Apache::Htpasswd to check password
  
   -Carlos
  
  
  
  
  
  
  
   Todd Chapman wrote:
  
Problems with your suggestion:
   
1. The realm will not be known until I get path_info so
Location/Location directives will not work.
   
2. How can I get Perl to do the password lookup in the dynamically
selected AuthUserFile?
   
Thanks for the help.
   
-Todd
   
On Wed, 27 Sep 2000, Carlos Ramirez wrote:
   
 You can you use Location to specify seperate AuthUserFile's like so:

 Location /companyA
 AuthType Basic
 AuthName CompanyA
 AuthUserFile path/to/CompanyAUsersFile

 /Location
 
 Location /companyN
 AuthType Basic
 AuthName CompanyN
 AuthUserFile path/to/CompanyNUsersFIle
 /Location


 Or you can write your own AuthHandler that lookups up AuthName, AuthUserFile
 in a seperate file against the path_info. This will eliminate the need to
 flood you httpd.conf file with a bunch of Location/Location directives.






 Todd Chapman wrote:

  I have read chapter 6 of the modperl book but still don't know how to set
  up authenification the way I want. I would like to use Basic
  authentification to protect virtual documents. The trick is that I want
  to set AuthName and AuthUserFile based on path_info.
 
  For example:
 
  http://virtual/companyA/dir1
 
  would prompt for a password in the companyA realm and check it against the
  appropriate AuthUserFile.
 
  How do I add this flexibility without reinventing the parts Apache already
  does so well?
 
  Thanks.
 
  -Todd

 --
 ---
 Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
 ---
 - Someday I'll find that peer and reset his connection!



  
   --
   ---
   Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
   ---
   - Someday I'll find that peer and reset his connection!
  
  
  
 
 --
 ---
 Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
 ---
 - Someday I'll find that peer and reset his connection!