Re: PerlAuthenHandler advice needed.
Here's a simple handler that will set the AuthType and AuthName dynamically and handle the authentication for you. This handler will prompt you for a password when you try to access /manual with the AuthName "The Manual", and prompt with the AuthName "The Icons" when you try to access /icons. These urls are part of Apache's basic installation (that's if you did not remove the manual from your htdocs directory).

The authentication phase will let you in just as long as you supply a username and password. You can of course code it such that you can authenticate against a .htpassword file, using Apache::Htpasswd.

Anyhow, this should show you that you can indeed change the AuthName on-the-fly and also handle authentication without having to include AuthName, AuthType, AuthUserFile explicitly in your httpd.conf.

Note: the authentication subroutine acted flaky, sometimes it worked and other times it didn't. But the realms did change for each uri.

I hope this helps you, have fun ;)

Setting it up:

In your httpd.conf (in a global area):

    PerlHeaderParserHandler Apache::SetRealm;

=code

    package Apache::SetRealm;

    use Apache;
    use Apache::Constants qw(:common);

    sub handler {
        my $r = shift;

        ## Make Apache aware that we want to also handle the Authentication phase using a custom
        ## handler, in this case the subroutine authenticate()
        $r->push_handlers(PerlAuthenHandler => \&authenticate);

        my $uri = $r->uri;

        ## only handle uri that are defined as protected, in this case the only protected
        ## uri's are /icons and /manuals
        return OK unless is_protected($r);

        my $realm = get_realm($r);

        ## Construct the Header Field containing the type of authenticate (Basic) and our
        ## realmname return by get_realm()
        my $authheader = 'Basic realm="'.$realm.'"';
        $r->header_out("WWW-Authenticate" ,$authheader);

        ## Return 401 to browser and prompt for login
        $r->status(AUTH_REQUIRED);
        $r->send_http_header("text/html");
        return AUTH_REQUIRED;
    }

    sub get_realm {
        ## Get the AuthName for a specific uri. You can probably read these off of a file that
        ## contains a list of uri's and realmNames
        my $r = shift;
        return "The Icons" if ($r->uri =~ /\/icons/);
        return "The Manual" if ($r->uri =~ /\/manual/);
    }

    sub is_protected {
        ## Check the $uri requested matches our set of "Restricted" locations
        ## 1 = isProtected, 0 = NotProtected
        ## You can probably have these protected areas in a separate file, the eagle book
        ## has some excellent ideas on how to accomplish this
        my $r = shift;
        my @protected = ('\/manual','\/icons');
        for (@protected) {
            return 1 if ($r->uri =~ /$_/);
        }
        return 0;
    }

    sub authenticate {
        ## Straight out of the Eagle Book
        my $r = shift;
        return OK if $r->sub_request;

        my ($res,$password) = $r->get_basic_auth_pw;
        return $res if $res != OK;

        my $username = $r->connection->user;
        unless ($username && $password) {
            $r->note_basic_auth_failure;
            $r->log_reason("Did not provide username");
            return AUTH_REQUIRED;
        }

        ## Now that you have the $username and $password you can
        ## include your code to open your AuthUserFile to check the password and username
        ## I suggest using Apache::Htpasswd, it provides all the methods/functions that you need to
        ## accomplish this part of the task...
        $r->log_reason("WELCOME $username");
        return OK;
    }

    1;

-Carlos

Todd Chapman wrote:

Please explain again how to get my AuthHandler called without setting AuthName or AuthType in httpd.conf.

Thanks.

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

> By choosing to use your custom AuthHandler, you basically override Apache's way of handling the particular phase, in this case the authentication phase. So you must handle prompting the user and also checking the password. You might want to read the Apache Guide (http://perl.apache.org/) on how to write your own handler and also the eagle book.
>
> After reviewing our previous conversation, I think you might need to send WWW-Authenticate header field in another phase (preferably at the PerlHeaderParserHandler) before the Authentication phase is called. Your PerlHeaderParserHandler can check the $r->uri for any password protected requests, i.e., if it matches /companyA, you can then set the WWW-Authenticate: Basic $realm and push it along its merry way. Then your PerlAuthHandler will get the username and password and check it against the realms' AuthUserFile. Apache will handle the initial prompting for the username/password.
>
> Your requirements imply that you will have a file(??) that has a list of UserFiles for each Realm/path_info so that your authentication handler will know what file to check against.
>
> I hope this makes sense ;) my coffee is running low...
>
> -Carlos
>
> Todd Chapman wrote:
>
> > Thanks for the help. I was hoping that Apache would
Re: PerlAuthenHandler advice needed.
On Wed, 27 Sep 2000, Todd Chapman wrote:

> Problems with your suggestion:
>
> 1. The realm will not be known until I get path_info so <Location></Location> directives will not work.

you can use $r->auth_name($realm) to set it at request time.

> 2. How can I get Perl to do the password lookup in the dynamically selected AuthUserFile?

since mod_auth.c's structure defs are private to mod_auth.c, there's no $r->api for this. what you can do is use .htaccess like so:

    <Perl>
    my $r = Apache->request;
    my $testing = $r->path_info =~ /test/;
    $AuthType = "Basic";
    $AuthName = $testing ? "Testing" : "Whatever";
    $Require = "user dougm";
    $AuthUserFile = $testing ? "/tmp/htpasswd" : "/whatever/htpasswd";
    </Perl>

also, i just committed this patch that makes $r->auth_type writable, the same way $r->auth_name is. and, defaults auth_type to Basic when unset and $r->get_basic_auth_pw is called.

Index: src/modules/perl/Apache.xs === RCS file: /home/cvs/modperl/src/modules/perl/Apache.xs,v retrieving revision 1.110 diff -u -r1.110 Apache.xs --- src/modules/perl/Apache.xs 2000/09/27 19:44:23 1.110 +++ src/modules/perl/Apache.xs 2000/09/27 23:43:33 @@ -824,8 +824,9 @@ char *val const char * -auth_type(r) +mod_perl_auth_type(r, val=NULL) Apacher +char *val const char * document_root(r, ...) @@ -887,6 +888,9 @@ int ret; PPCODE: +if (!auth_type(r)) { +(void)mod_perl_auth_type(r, "Basic"); +} ret = get_basic_auth_pw(r, sent_pw); XPUSHs(sv_2mortal((SV*)newSViv(ret))); if(ret == OK) Index: src/modules/perl/mod_perl.h === RCS file: /home/cvs/modperl/src/modules/perl/mod_perl.h,v retrieving revision 1.103 diff -u -r1.103 mod_perl.h --- src/modules/perl/mod_perl.h 2000/09/22 18:51:59 1.103 +++ src/modules/perl/mod_perl.h 2000/09/27 23:43:46 
@@ -1185,6 +1185,7 @@ perl_require_module("Apache", s) char *mod_perl_auth_name(request_rec *r, char *val); +char *mod_perl_auth_type(request_rec *r, char *val); module *perl_get_module_ptr(char *name, int len); void *perl_merge_server_config(pool *p, void *basev, void *addv); Index: src/modules/perl/perl_config.c === RCS file: /home/cvs/modperl/src/modules/perl/perl_config.c,v retrieving revision 1.105 diff -u -r1.105 perl_config.c --- src/modules/perl/perl_config.c 2000/09/27 15:37:33 1.105 +++ src/modules/perl/perl_config.c 2000/09/27 23:44:03 @@ -158,6 +158,24 @@ #endif } +char *mod_perl_auth_type(request_rec *r, char *val) +{ +#ifndef WIN32 +core_dir_config *conf = + (core_dir_config *)get_module_config(r-per_dir_config, core_module); + +if(val) { + conf-auth_type = pstrdup(r-pool, val); + set_module_config(r-per_dir_config, core_module, (void*)conf); + MP_TRACE_g(fprintf(stderr, "mod_perl: setting auth_type to %s\n", +conf-auth_name)); +} + +return conf-auth_type; +#else +return (char *) auth_type(r); +#endif +} + void mod_perl_dir_env(request_rec *r, perl_dir_config *cld) { if(MP_HASENV(cld)) {
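Review bot: In the perl_config.c hunk, the MP_TRACE_g call inside the if(val) block passes conf->auth_name to the format string "mod_perl: setting auth_type to %s", so the trace prints the realm (which may be unset) instead of the value that was just stored. It should pass conf->auth_type. The new function also has no comment explaining why the WIN32 branch is read-only, which would help the next reader.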
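Review bot: In the second Apache.xs hunk (@@ -887,6 +888,9 @@), the guard relies on mod_perl_auth_type(r, "Basic") actually storing the default, but the WIN32 branch of that helper in perl_config.c ignores val and only returns auth_type(r). On that platform auth_type(r) is still unset when get_basic_auth_pw(r, sent_pw) runs, so the case this guard is meant to cover is not covered there. Either set the value on WIN32 as well or return early with an error when auth_type(r) is still NULL after the call. A smaller point: the string literal "Basic" is passed to a parameter declared char *val; const char * in the prototype would match how it is used.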
Re: PerlAuthenHandler advice needed.
On Wed, 27 Sep 2000, Carlos Ramirez wrote:

> my $authheader = 'Basic realm="'.$realm.'"';
>
> $r->header_out("WWW-Authenticate" ,$authheader);

there's a cleaner way for that:

    $r->auth_name($realm);
    $r->note_basic_auth_failure;

> $r->status(AUTH_REQUIRED);

no need for that.

> $r->send_http_header("text/html");

or this because..

> return AUTH_REQUIRED;

..apache will send the headers when you return an error

> return OK if $r->sub_request;

there's no Apache::sub_request method

> my ($res,$password) = $r->get_basic_auth_pw;

this will core dump if AuthName is not set in the configuration file. not with the current cvs though, see previous message.

> $r->note_basic_auth_failure;

this won't work right unless you've set $r->auth_name($val)
Re: PerlAuthenHandler advice needed.
Thanks for the help Doug. This is what I have now but all I get is a segmentation fault in the log.

Any ideas?

-Todd

    package Apache::SetRealm;

    ## Usage: PerlHeaderParserHandler Apache::SetRealm

    use strict;
    use Apache::Constants qw(:common);

    sub handler {
        my $r = shift;

        # find the name of the realm
        # if realm does not exist error
        # else see if Auth header set
        # if auth header not set return AUTH_REQUIRED
        # else return OK
        # If Auth header is set a future PerlAuthenHandler will check the password.
        # When that happens we can't use get_basic_auth_info because AuthName is
        # not set in the config file. We will have to parse the Auth header manually.
        # The realm will be determined from path_info.

        return OK if $r->header_in('Authorization');

        my $realm = get_realm($r);

        # Prompt for authentication info in the proper realm
        $r->auth_name($realm);
        $r->note_basic_auth_failure;

        return AUTH_REQUIRED;
    }

    sub get_realm {
        ## Get the AuthName for a specific uri. You can probably read these off of a file that
        ## contains a list of uri's and realmNames
        my $r = shift;
        ## Only use the capture when the match succeeded, so a stale $1 is never returned
        return $1 if $r->uri =~ /\/modperl\/(.+)/;
        return "Top Level";
    }

    1;
Re: PerlAuthenHandler advice needed.
$r->auth_name($realm), $r->auth_type($basic) did not work for me, which is why I used the $r->header_out method. Also, after I set the outgoing header and returned AUTH_REQUIRED, I got prompted but the $realm did not show. Instead it displayed 'unknown' as the realm name. But when I set the $r->status and sent out the response via $r->send_http_header and returned AUTH_REQUIRED, the $realm name showed?

I read the docs as I started this exercise and was aware of $r->auth_name, $r->auth_type, but since they didn't work and I kept getting segfaults when using them I decided to try other routes. But anyways I'm glad that I read the docs right and that you can indeed set the AuthName using $r->auth_name.

As for the authenticate subroutine, I just copied that from the eagle book, just as a demonstration...

I'll upgrade my mod_perl from 1.2.1 -> latest and see if these work for me.

Thanks for the helpful insights and explanations Doug. I have seen the light ;)

-Carlos

Doug MacEachern wrote:

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

> my $authheader = 'Basic realm="'.$realm.'"';
>
> $r->header_out("WWW-Authenticate" ,$authheader);

there's a cleaner way for that:

    $r->auth_name($realm);
    $r->note_basic_auth_failure;

> $r->status(AUTH_REQUIRED);

no need for that.

> $r->send_http_header("text/html");

or this because..

> return AUTH_REQUIRED;

..apache will send the headers when you return an error

> return OK if $r->sub_request;

there's no Apache::sub_request method

> my ($res,$password) = $r->get_basic_auth_pw;

this will core dump if AuthName is not set in the configuration file. not with the current cvs though, see previous message.

> $r->note_basic_auth_failure;

this won't work right unless you've set $r->auth_name($val)

--
---
Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
---
- Someday I'll find that peer and reset his connection!
Re: PerlAuthenHandler advice needed.
On Thu, 28 Sep 2000, Todd Chapman wrote:

> Thanks for the help Doug. This is what I have now but all I get is a segmentation fault in the log.
>
> $r->note_basic_auth_failure;

if AuthType is not set, this will core dump. i just expanded the change that defaults AuthType to Basic for get_basic_auth_pw to include note_basic_auth_failure, in the cvs tree.
Re: PerlAuthenHandler advice needed.
On Thu, 28 Sep 2000, Carlos Ramirez wrote:

> $r->auth_name($realm), $r->auth_type($basic) did not work for me, which is why I used the $r->header_out method. Also, after I set the outgoing header and returned AUTH_REQUIRED, I got prompted but the $realm did not show. Instead it displayed 'unknown' as the realm name. But when I set the $r->status and sent out the response via $r->send_http_header and returned AUTH_REQUIRED, the $realm name showed?

$r->auth_name($realm) works fine, provided you call $r->note_basic_auth_failure, rather than $r->header_out('WWW-Authenticate',...)

$r->auth_type did not become writeable until the patch i posted earlier.

> I read the docs as I started this exercise and was aware of $r->auth_name, $r->auth_type, but since they didn't work and I kept getting segfaults when using them I decided to try other routes. But anyways I'm glad that I read the docs right and that you can indeed set the AuthName using $r->auth_name.

until the recent change where $r->auth_type became writeable, and get_basic_auth_pw/note_basic_auth_failure default AuthType to Basic if it is not configured, those methods would segfault.
Re: PerlAuthenHandler advice needed.
Thanks Doug but I (and my customer) don't want to live on the CVS bleeding edge right now. Can you suggest something else?

Original problem:

I need to set the realm for virtual documents based on path_info and use Basic authentication. Otherwise I may have to move to some cookie based authentication but I don't want to do that.

-Todd

On Thu, 28 Sep 2000, Doug MacEachern wrote:

> On Thu, 28 Sep 2000, Todd Chapman wrote:
>
> > Thanks for the help Doug. This is what I have now but all I get is a segmentation fault in the log.
> >
> > $r->note_basic_auth_failure;
>
> if AuthType is not set, this will core dump. i just expanded the change that defaults AuthType to Basic for get_basic_auth_pw to include note_basic_auth_failure, in the cvs tree.
Re: PerlAuthenHandler advice needed.
On Thu, 28 Sep 2000, Todd Chapman wrote:

> Thanks Doug but I (and my customer) don't want to live on the CVS bleeding edge right now. Can you suggest something else?

yeah, add this to httpd.conf:

    AuthType Basic
Re: PerlAuthenHandler advice needed.
Duh! Thanks.

Now, is there any way to determine the realm the browser thinks it's authenticating to? Is the realm stored in the Authorization header or any other headers?

-Todd

On Thu, 28 Sep 2000, Doug MacEachern wrote:

> On Thu, 28 Sep 2000, Todd Chapman wrote:
>
> > Thanks Doug but I (and my customer) don't want to live on the CVS bleeding edge right now. Can you suggest something else?
>
> yeah, add this to httpd.conf:
>
>     AuthType Basic
Re: PerlAuthenHandler advice needed.
Todd Chapman writes:

> Duh! Thanks.
>
> Now, is there any way to determine the realm the browser thinks it's authenticating to? Is the realm stored in the Authorization header or any other headers?

I wouldn't try to use realms in any serious way- various browsers do various things. The only reliable way to have the browser send different passwords to different locations is to use different server names.

--
Joe Schaefer
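A Basic Authorization request header carries only the scheme and base64 of "user:password", with no realm, so the server has to work out the realm from the request itself. The Perl below is an added example, not code from anyone in this thread: it parses the header by hand and picks the realm and user file for a path_info from a fixed table, so text from the URI never ends up in the WWW-Authenticate header or in a file name. The table contents, file paths, status names and function names are assumptions made for illustration, and the password check itself is left to the caller.

```perl
#!/usr/bin/perl
# Added example (not from the thread): choose realm and user file per path_info
# and parse the Basic Authorization header manually, using core modules only.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Constructed table: first path_info segment -> realm and password file.
# Only keys listed here are ever used; request text never becomes a realm or a path.
my %REALMS = (
    companyA => { realm => 'CompanyA',    userfile => '/srv/auth/companyA.htpasswd' },
    companyN => { realm => 'Company "N"', userfile => '/srv/auth/companyN.htpasswd' },
);

# Return the table entry for a path_info such as "/companyA/dir1",
# or undef when the first segment is not a known key (e.g. "/../etc/passwd").
sub realm_for_path {
    my ($path_info) = @_;
    return unless defined $path_info;
    my ($segment) = $path_info =~ m{\A/([A-Za-z0-9_-]+)(?:/|\z)};
    return unless defined $segment;
    return $REALMS{$segment};
}

# Parse an Authorization header value. Returns (user, password), or an empty
# list when the header is missing, not Basic, or not well-formed.
sub parse_basic_authorization {
    my ($header) = @_;
    return unless defined $header;
    my ($b64) = $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*\z}i;
    return unless defined $b64 && length($b64) % 4 == 0;
    my ($user, $password) = split /:/, decode_base64($b64), 2;  # password may contain ':'
    return unless defined($user) && length($user) && defined($password);
    return ($user, $password);
}

# Build the WWW-Authenticate value, escaping backslash and double quote so the
# realm cannot break out of the quoted string.
sub challenge_for {
    my ($realm) = @_;
    (my $quoted = $realm) =~ s/(["\\])/\\$1/g;
    return qq{Basic realm="$quoted"};
}

# Decide what to do with one request. Returns a hashref with status
# 'not_found' (unknown area), 'challenge' (send 401 with the given header), or
# 'verify' (check user/password against userfile before letting the request in).
sub decide {
    my ($path_info, $authorization) = @_;
    my $entry = realm_for_path($path_info)
        or return { status => 'not_found' };
    my ($user, $password) = parse_basic_authorization($authorization);
    return { status => 'challenge', challenge => challenge_for($entry->{realm}) }
        unless defined $user;
    return {
        status   => 'verify',
        user     => $user,
        password => $password,
        userfile => $entry->{userfile},
    };
}

# Constructed sample requests: [ path_info, Authorization header or undef ].
my $good = 'Basic ' . encode_base64('todd:s3cret:x', '');
my @requests = (
    [ '/companyA/dir1', undef ],                                      # no credentials yet
    [ '/companyA/dir1', $good ],                                      # well-formed header
    [ '/companyN',      'Basic ' . encode_base64('nocolon', '') ],    # no "user:password"
    [ '/../etc/passwd', $good ],                                      # not in the table
);

for my $req (@requests) {
    my ($path, $authz) = @$req;
    my $d = decide($path, $authz);
    # The password is deliberately left out of the printed summary.
    printf "%-16s -> %s\n", $path,
        join(', ', map { "$_=$d->{$_}" } grep { $_ ne 'password' } sort keys %$d);
}
```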
Re: PerlAuthenHandler advice needed.
Problems with your suggestion:

1. The realm will not be known until I get path_info so <Location></Location> directives will not work.

2. How can I get Perl to do the password lookup in the dynamically selected AuthUserFile?

Thanks for the help.

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

> You can use Location to specify separate AuthUserFile's like so:
>
> <Location /companyA>
> AuthType Basic
> AuthName CompanyA
> AuthUserFile path/to/CompanyAUsersFile
> </Location>
>
> <Location /companyN>
> AuthType Basic
> AuthName CompanyN
> AuthUserFile path/to/CompanyNUsersFIle
> </Location>
>
> Or you can write your own AuthHandler that looks up AuthName, AuthUserFile in a separate file against the path_info. This will eliminate the need to flood your httpd.conf file with a bunch of <Location></Location> directives.
>
> Todd Chapman wrote:
>
> > I have read chapter 6 of the modperl book but still don't know how to set up authentication the way I want. I would like to use Basic authentication to protect virtual documents. The trick is that I want to set AuthName and AuthUserFile based on path_info.
> >
> > For example:
> >
> > http://virtual/companyA/dir1
> >
> > would prompt for a password in the companyA realm and check it against the appropriate AuthUserFile.
> >
> > How do I add this flexibility without reinventing the parts Apache already does so well?
> >
> > Thanks.
> >
> > -Todd
>
> --
> ---
> Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> ---
> - Someday I'll find that peer and reset his connection!
Re: PerlAuthenHandler advice needed.
1. Oh, I mis-interpreted your question. I thought you already had a list of virtual directories with the AuthNames defined.

You can set the AuthName by sending them in the server response header field:

    WWW-Authenticate Basic $realm

So the first request to /companyA, your AuthHandler will respond with:

    $r->header_out('WWW-Authenticate' => "Basic $realm"); ## Sets Realm field
    $r->note_basic_auth_failure; ## Prompts for password

Then when a username and password are supplied i.e.

    ($ret,$password) = $r->get_basic_auth_pw;

where $ret = 1;

Then:
1. determine the AuthUserFile
2. use Apache::Htpasswd to check password

-Carlos

Todd Chapman wrote:

Problems with your suggestion:

1. The realm will not be known until I get path_info so <Location></Location> directives will not work.

2. How can I get Perl to do the password lookup in the dynamically selected AuthUserFile?

Thanks for the help.

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

> You can use Location to specify separate AuthUserFile's like so:
>
> <Location /companyA>
> AuthType Basic
> AuthName CompanyA
> AuthUserFile path/to/CompanyAUsersFile
> </Location>
>
> <Location /companyN>
> AuthType Basic
> AuthName CompanyN
> AuthUserFile path/to/CompanyNUsersFIle
> </Location>
>
> Or you can write your own AuthHandler that looks up AuthName, AuthUserFile in a separate file against the path_info. This will eliminate the need to flood your httpd.conf file with a bunch of <Location></Location> directives.
>
> Todd Chapman wrote:
>
> > I have read chapter 6 of the modperl book but still don't know how to set up authentication the way I want. I would like to use Basic authentication to protect virtual documents. The trick is that I want to set AuthName and AuthUserFile based on path_info.
> >
> > For example:
> >
> > http://virtual/companyA/dir1
> >
> > would prompt for a password in the companyA realm and check it against the appropriate AuthUserFile.
> >
> > How do I add this flexibility without reinventing the parts Apache already does so well?
> >
> > Thanks.
> >
> > -Todd
>
> --
> ---
> Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> ---
> - Someday I'll find that peer and reset his connection!

--
---
Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
---
- Someday I'll find that peer and reset his connection!
Re: PerlAuthenHandler advice needed.
Thanks for the help. I was hoping that Apache would check the password for me but this should work.

Now, how do I get Apache to run my PerlAuthenHandler without setting the AuthType or AuthName in httpd.conf? Do I need to do the Authentication in a PerlHandler?

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

> 1. Oh, I mis-interpreted your question. I thought you already had a list of virtual directories with the AuthNames defined.
>
> You can set the AuthName by sending them in the server response header field:
>
>     WWW-Authenticate Basic $realm
>
> So the first request to /companyA, your AuthHandler will respond with:
>
>     $r->header_out('WWW-Authenticate' => "Basic $realm"); ## Sets Realm field
>     $r->note_basic_auth_failure; ## Prompts for password
>
> Then when a username and password are supplied i.e.
>
>     ($ret,$password) = $r->get_basic_auth_pw;
>
> where $ret = 1;
>
> Then:
> 1. determine the AuthUserFile
> 2. use Apache::Htpasswd to check password
>
> -Carlos
>
> Todd Chapman wrote:
>
> > Problems with your suggestion:
> >
> > 1. The realm will not be known until I get path_info so <Location></Location> directives will not work.
> >
> > 2. How can I get Perl to do the password lookup in the dynamically selected AuthUserFile?
> >
> > Thanks for the help.
> >
> > -Todd
> >
> > On Wed, 27 Sep 2000, Carlos Ramirez wrote:
> >
> > > You can use Location to specify separate AuthUserFile's like so:
> > >
> > > <Location /companyA>
> > > AuthType Basic
> > > AuthName CompanyA
> > > AuthUserFile path/to/CompanyAUsersFile
> > > </Location>
> > >
> > > <Location /companyN>
> > > AuthType Basic
> > > AuthName CompanyN
> > > AuthUserFile path/to/CompanyNUsersFIle
> > > </Location>
> > >
> > > Or you can write your own AuthHandler that looks up AuthName, AuthUserFile in a separate file against the path_info. This will eliminate the need to flood your httpd.conf file with a bunch of <Location></Location> directives.
> > >
> > > Todd Chapman wrote:
> > >
> > > > I have read chapter 6 of the modperl book but still don't know how to set up authentication the way I want. I would like to use Basic authentication to protect virtual documents. The trick is that I want to set AuthName and AuthUserFile based on path_info.
> > > >
> > > > For example:
> > > >
> > > > http://virtual/companyA/dir1
> > > >
> > > > would prompt for a password in the companyA realm and check it against the appropriate AuthUserFile.
> > > >
> > > > How do I add this flexibility without reinventing the parts Apache already does so well?
> > > >
> > > > Thanks.
> > > >
> > > > -Todd
> > >
> > > --
> > > ---
> > > Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> > > ---
> > > - Someday I'll find that peer and reset his connection!
>
> --
> ---
> Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> ---
> - Someday I'll find that peer and reset his connection!
Re: PerlAuthenHandler advice needed.
By choosing to use your custom AuthHandler, you basically override Apache's way of handling the particular phase, in this case the authentication phase. So you must handle prompting the user and also checking the password. You might want to read the Apache Guide (http://perl.apache.org/) on how to write your own handler and also the eagle book.

After reviewing our previous conversation, I think you might need to send WWW-Authenticate header field in another phase (preferably at the PerlHeaderParserHandler) before the Authentication phase is called. Your PerlHeaderParserHandler can check the $r->uri for any password protected requests, i.e., if it matches /companyA, you can then set the WWW-Authenticate: Basic $realm and push it along its merry way. Then your PerlAuthHandler will get the username and password and check it against the realms' AuthUserFile. Apache will handle the initial prompting for the username/password.

Your requirements imply that you will have a file(??) that has a list of UserFiles for each Realm/path_info so that your authentication handler will know what file to check against.

I hope this makes sense ;) my coffee is running low...

-Carlos

Todd Chapman wrote:

Thanks for the help. I was hoping that Apache would check the password for me but this should work.

Now, how do I get Apache to run my PerlAuthenHandler without setting the AuthType or AuthName in httpd.conf? Do I need to do the Authentication in a PerlHandler?

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

> 1. Oh, I mis-interpreted your question. I thought you already had a list of virtual directories with the AuthNames defined.
>
> You can set the AuthName by sending them in the server response header field:
>
>     WWW-Authenticate Basic $realm
>
> So the first request to /companyA, your AuthHandler will respond with:
>
>     $r->header_out('WWW-Authenticate' => "Basic $realm"); ## Sets Realm field
>     $r->note_basic_auth_failure; ## Prompts for password
>
> Then when a username and password are supplied i.e.
>
>     ($ret,$password) = $r->get_basic_auth_pw;
>
> where $ret = 1;
>
> Then:
> 1. determine the AuthUserFile
> 2. use Apache::Htpasswd to check password
>
> -Carlos
>
> Todd Chapman wrote:
>
> > Problems with your suggestion:
> >
> > 1. The realm will not be known until I get path_info so <Location></Location> directives will not work.
> >
> > 2. How can I get Perl to do the password lookup in the dynamically selected AuthUserFile?
> >
> > Thanks for the help.
> >
> > -Todd
> >
> > On Wed, 27 Sep 2000, Carlos Ramirez wrote:
> >
> > > You can use Location to specify separate AuthUserFile's like so:
> > >
> > > <Location /companyA>
> > > AuthType Basic
> > > AuthName CompanyA
> > > AuthUserFile path/to/CompanyAUsersFile
> > > </Location>
> > >
> > > <Location /companyN>
> > > AuthType Basic
> > > AuthName CompanyN
> > > AuthUserFile path/to/CompanyNUsersFIle
> > > </Location>
> > >
> > > Or you can write your own AuthHandler that looks up AuthName, AuthUserFile in a separate file against the path_info. This will eliminate the need to flood your httpd.conf file with a bunch of <Location></Location> directives.
> > >
> > > Todd Chapman wrote:
> > >
> > > > I have read chapter 6 of the modperl book but still don't know how to set up authentication the way I want. I would like to use Basic authentication to protect virtual documents. The trick is that I want to set AuthName and AuthUserFile based on path_info.
> > > >
> > > > For example:
> > > >
> > > > http://virtual/companyA/dir1
> > > >
> > > > would prompt for a password in the companyA realm and check it against the appropriate AuthUserFile.
> > > >
> > > > How do I add this flexibility without reinventing the parts Apache already does so well?
> > > >
> > > > Thanks.
> > > >
> > > > -Todd
> > >
> > > --
> > > ---
> > > Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> > > ---
> > > - Someday I'll find that peer and reset his connection!
>
> --
> ---
> Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> ---
> - Someday I'll find that peer and reset his connection!

--
---
Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
---
- Someday I'll find that peer and reset his connection!
Re: PerlAuthenHandler advice needed.
Please explain again how to get my AuthHandler called without setting AuthName or AuthType in httpd.conf.

Thanks.

-Todd

On Wed, 27 Sep 2000, Carlos Ramirez wrote:

> By choosing to use your custom AuthHandler, you basically override Apache's way of handling the particular phase, in this case the authentication phase. So you must handle prompting the user and also checking the password. You might want to read the Apache Guide (http://perl.apache.org/) on how to write your own handler and also the eagle book.
>
> After reviewing our previous conversation, I think you might need to send WWW-Authenticate header field in another phase (preferably at the PerlHeaderParserHandler) before the Authentication phase is called. Your PerlHeaderParserHandler can check the $r->uri for any password protected requests, i.e., if it matches /companyA, you can then set the WWW-Authenticate: Basic $realm and push it along its merry way. Then your PerlAuthHandler will get the username and password and check it against the realms' AuthUserFile. Apache will handle the initial prompting for the username/password.
>
> Your requirements imply that you will have a file(??) that has a list of UserFiles for each Realm/path_info so that your authentication handler will know what file to check against.
>
> I hope this makes sense ;) my coffee is running low...
>
> -Carlos
>
> Todd Chapman wrote:
>
> > Thanks for the help. I was hoping that Apache would check the password for me but this should work.
> >
> > Now, how do I get Apache to run my PerlAuthenHandler without setting the AuthType or AuthName in httpd.conf? Do I need to do the Authentication in a PerlHandler?
> >
> > -Todd
> >
> > On Wed, 27 Sep 2000, Carlos Ramirez wrote:
> >
> > > 1. Oh, I mis-interpreted your question. I thought you already had a list of virtual directories with the AuthNames defined.
> > >
> > > You can set the AuthName by sending them in the server response header field:
> > >
> > >     WWW-Authenticate Basic $realm
> > >
> > > So the first request to /companyA, your AuthHandler will respond with:
> > >
> > >     $r->header_out('WWW-Authenticate' => "Basic $realm"); ## Sets Realm field
> > >     $r->note_basic_auth_failure; ## Prompts for password
> > >
> > > Then when a username and password are supplied i.e.
> > >
> > >     ($ret,$password) = $r->get_basic_auth_pw;
> > >
> > > where $ret = 1;
> > >
> > > Then:
> > > 1. determine the AuthUserFile
> > > 2. use Apache::Htpasswd to check password
> > >
> > > -Carlos
> > >
> > > Todd Chapman wrote:
> > >
> > > > Problems with your suggestion:
> > > >
> > > > 1. The realm will not be known until I get path_info so <Location></Location> directives will not work.
> > > >
> > > > 2. How can I get Perl to do the password lookup in the dynamically selected AuthUserFile?
> > > >
> > > > Thanks for the help.
> > > >
> > > > -Todd
> > > >
> > > > On Wed, 27 Sep 2000, Carlos Ramirez wrote:
> > > >
> > > > > You can use Location to specify separate AuthUserFile's like so:
> > > > >
> > > > > <Location /companyA>
> > > > > AuthType Basic
> > > > > AuthName CompanyA
> > > > > AuthUserFile path/to/CompanyAUsersFile
> > > > > </Location>
> > > > >
> > > > > <Location /companyN>
> > > > > AuthType Basic
> > > > > AuthName CompanyN
> > > > > AuthUserFile path/to/CompanyNUsersFIle
> > > > > </Location>
> > > > >
> > > > > Or you can write your own AuthHandler that looks up AuthName, AuthUserFile in a separate file against the path_info. This will eliminate the need to flood your httpd.conf file with a bunch of <Location></Location> directives.
> > > > >
> > > > > Todd Chapman wrote:
> > > > >
> > > > > > I have read chapter 6 of the modperl book but still don't know how to set up authentication the way I want. I would like to use Basic authentication to protect virtual documents. The trick is that I want to set AuthName and AuthUserFile based on path_info.
> > > > > >
> > > > > > For example:
> > > > > >
> > > > > > http://virtual/companyA/dir1
> > > > > >
> > > > > > would prompt for a password in the companyA realm and check it against the appropriate AuthUserFile.
> > > > > >
> > > > > > How do I add this flexibility without reinventing the parts Apache already does so well?
> > > > > >
> > > > > > Thanks.
> > > > > >
> > > > > > -Todd
> > > > >
> > > > > --
> > > > > ---
> > > > > Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> > > > > ---
> > > > > - Someday I'll find that peer and reset his connection!
> > >
> > > --
> > > ---
> > > Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> > > ---
> > > - Someday I'll find that peer and reset his connection!
>
> --
> ---
> Carlos Ramirez + Boeing + Reusable Space Systems + 714.372.4181
> ---
> - Someday I'll find that peer and reset his connection!