1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210
|
NAME
Apache::AuthenHook - Perl API for Apache 2.1 authentication
SYNOPSIS
PerlLoadModule Apache::AuthenHook
PerlModule My::OtherProvider
<Location /digest>
Require valid-user
AuthType Digest
AuthName realm1
AuthDigestProvider My::DigestProvider file My::OtherProvider::digest
AuthUserFile realm1
</Location>
<Location /basic>
Require valid-user
AuthType Basic
AuthName foorealm
AuthBasicProvider My::OtherProvider::basic file My::BasicProvider
AuthUserFile realm1
</Location>
DESCRIPTION
Apache::AuthenHook offers access to the 2.1 Apache authentication
API in Perl. This is different than the authentication API
from Apache 1.3 or even Apache 2.0, but in its differences lies
strength.
For a full description of how authentication works in 2.1, see
http://www.serverwatch.com/tutorials/article.php/2202671
Basically, the difference between 2.0 and 2.1 is that authentication
is now delegated to providers, and each provider has a specific
purpose. For instance, mod_authn_file covers gleaning the password
from an .htpasswd or .htdigest file, while mod_auth_basic covers
the Basic dialogue between the client and server, regardless
of the source of the password. The best part of all this (to me)
is that Digest authentication is also delegated out -
mod_auth_digest now handles all the intricacies of Digest
authentication (including the elusive MSIE support) which
means you don't need to worry about them (and neither do I).
All that Digest authentication requires is *some* authentication
provider to provide user credentials - this can be via
mod_authn_file or another mechanism of your choosing.
Apache::AuthenHook registers and coordinates the use of Perl
handlers as authentication providers.
How does this affect you? Read on...
EXAMPLE
Say you want to enable Digest authentication in your Apache 2.1 server...
PerlLoadModule Apache::AuthenHook
<Location /digest>
Require valid-user
AuthType Digest
AuthName realm1
AuthDigestProvider My::DigestProvider file
AuthUserFile realm1
</Location>
This configuration means that My::DigestProvider will be
responsible for providing user credentials for requests to
/digest. if My::DigestProvider finds a suitable user,
mod_auth_digest will verify those credentials and take care of
setting all the proper headers, set the proper HTTP response
status, and so on. If My::DigestProvider cannot find a matching
user it can decide what to do next - either pass the user to
the next provider (in this case the default file provider,
which will use the flat file "realm1") or decide that no user
means no access.
Here is a simple My::DigestProvider
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);
sub handler {
my ($r, $user, $realm, $hash) = @_;
# user1 at realm1 is found - pass to mod_auth_digest
if ($user eq 'user1' && $realm eq 'realm1') {
$$hash = 'eee52b97527306e9e8c4613b7fa800eb';
return Apache2::Const::OK;
}
# user2 is denied outright
if ($user eq 'user2' && $realm eq 'realm1') {
return Apache2::Const::HTTP_UNAUTHORIZED;
}
# all others are passed along to the next provider
return Apache2::Const::DECLINED;
}
isn't that easy?
the only thing that is a bit tricky here is $$hash. the fourth
argument passed to your handler, $hash, is a reference to
to a simple scalar that needs to be populated with the MD5 hash of
the user:realm:password combination you determine for the
incoming user. this may seem a bit strange, but it is actually
exactly how things work over in Apache C land, so I guess that
makes it ok.
as you can see, returning OK means "user found" and requires
that $$hash be populated - mod_auth_digest will take care
of determining whether the hash matches the incoming Digest
criteria. returning HTTP_UNAUTHORIZED (which is the same
as the former and still available AUTH_REQUIRED constant)
means "no access." returning DECLINED means "some other provider
can try."
The steps are remarkably similar for Basic authentication, first
<Location /basic>
Require valid-user
AuthType Basic
AuthName foorealm
AuthBasicProvider My::BasicProvider file
AuthUserFile realm1
</Location>
then
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);
sub handler {
my ($r, $user, $password) = @_;
# user1/basic1 is ok
if ($user eq 'user1' && $password eq 'basic1') {
return Apache2::Const::OK;
}
# user2 is denied outright
if ($user eq 'user2') {
return Apache2::Const::HTTP_UNAUTHORIZED;
}
# all others are passed along to the next provider
return Apache2::Const::DECLINED;
}
In the case of Basic authentication, the return codes mean
essentially the same thing. The one exception is that OK
means that you have checked the user against the password
and have found that they match (as opposed to with Digest,
where the actual verification is not done by you).
These explanations should be enough to get you going -
see the files in the test suite for more examples.
NOTES
This has been tested under the prefork MPM only, using
mostly Perl 5.9.0 (as well as some 5.8.0). It will not
work under threaded MPMs - soon, just not yet.
FEATURES/BUGS
This is very much so alphaware, so beware - bugs may lurk
in unexpected places. there is one bug that is outside
of my control, though, and concerns MSIE and Digest
authentication for URIs that include query strings. see
http://httpd.apache.org/docs-2.0/mod/mod_auth_digest.html
one workaround for this issue is is to use POST instead of
GET for your forms.
A limitation of this interface is that you can't use Perl
providers that are not at least two levels deep -
the criterion for registering a Perl
provider is a simple check for a double-colon.
for example, My::Provider will work while Provider won't
(although Provider::handler will). anyway, single
level handlers are rare, so fixing it would be a lot
of trouble for little benefit.
AUTHOR
Geoffrey Young E<lt>geoff@modperlcookbook.orgE<gt>
COPYRIGHT
Copyright (c) 2003, Geoffrey Young
All rights reserved.
This module is free software. It may be used, redistributed
and/or modified under the same terms as Perl itself.
|