Mailing List Archive

Hi.

I don't have anything very precise to tell you, but here is what I know :
The AAA part has been significantly changed in Apache httpd 2.4, as compared to 2.2.
Therefore I suspect - but I am not sure - that some corresponding changes had to be made
in mod_perl, to adapt to these changes.
One of the changes that I see when looking at the Apache 2.4 vs 2.2 on-line documentation
(for Apache, not for mod_perl), concerns the syntax - and who handles - the "Require"
directives.

I also believe that the on-line mod_perl documentation does not yet reflect these changes,
and it seems a bit hard to find an up-to-date documentation yet.

But anyway, I just found this on CPAN :
https://metacpan.org/source/MSCHOUT/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm

That - along with the module name - seems to show a way to obtain the "Require" that you
need. Why don't you give it a try ?

Another way that I can think of, would be to use the Apache2::Directive module
(http://perl.apache.org/docs/2.0/api/Apache2/Directive.html), to obtain the Require via
the server's configuration tree.
That should be independent of the specific Apache version being used.


On 20.12.2015 03:35, Sergei Gerasenko wrote:
> Hello,
>
> I’m using mod_perl-2.0.8-10 and I’ve been googling for days for this info w/o any luck.
>
> I need to access the value for the Require directive in the apache configs. I need to access that info in my authorization handler (PerlAuthzHandler). It used to be that $r->requires provided that information, but it’s gone now according to the changelog. It has been replaced with register_auth_provider and according to this:
>
> perl -MModPerl::MethodLookup -e print_method register_auth_provider
> To use method 'register_auth_provider' add:
> use Apache2::RequestUtil ();
>
> … it should be in Apache2::RequestUtil. But I can’t find anything about that method in the description of Apache2::RequestUtil. Further, I get “undefined method” when I try to even mention it in my handler.
>
> I must be missing something really simple? Can somebody point me to a full example of using that method?
>
> Thanks!
>
> Sergei
>

Hi André,

This is definitely going to be helpful. I was considering just accessing
the raw config values, but could only find dir_config that remotely
resembled what I needed.
I ended up introducing a custom directive, but that's clunky in my opinion.
So, Apache2::Directive is already a big improvement. Also, if the hanlding
of 'requires' is so simple
as AuthCookie shows, that would be terrific. I will be back with an update
if I'm successful.

Thanks a ton!!

On Tue, Dec 22, 2015 at 2:19 AM, André Warnier <aw@ice-sa.com> wrote:

> Hi.
>
> I don't have anything very precise to tell you, but here is what I know :
> The AAA part has been significantly changed in Apache httpd 2.4, as
> compared to 2.2.
> Therefore I suspect - but I am not sure - that some corresponding changes
> had to be made in mod_perl, to adapt to these changes.
> One of the changes that I see when looking at the Apache 2.4 vs 2.2
> on-line documentation (for Apache, not for mod_perl), concerns the syntax -
> and who handles - the "Require" directives.
>
> I also believe that the on-line mod_perl documentation does not yet
> reflect these changes, and it seems a bit hard to find an up-to-date
> documentation yet.
>
> But anyway, I just found this on CPAN :
>
> https://metacpan.org/source/MSCHOUT/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm
>
> That - along with the module name - seems to show a way to obtain the
> "Require" that you need. Why don't you give it a try ?
>
> Another way that I can think of, would be to use the Apache2::Directive
> module (http://perl.apache.org/docs/2.0/api/Apache2/Directive.html), to
> obtain the Require via the server's configuration tree.
> That should be independent of the specific Apache version being used.
>
>
> On 20.12.2015 03:35, Sergei Gerasenko wrote:
>
>> Hello,
>>
>> I’m using mod_perl-2.0.8-10 and I’ve been googling for days for this info
>> w/o any luck.
>>
>> I need to access the value for the Require directive in the apache
>> configs. I need to access that info in my authorization handler
>> (PerlAuthzHandler). It used to be that $r->requires provided that
>> information, but it’s gone now according to the changelog. It has been
>> replaced with register_auth_provider and according to this:
>>
>> perl -MModPerl::MethodLookup -e print_method register_auth_provider
>> To use method 'register_auth_provider' add:
>> use Apache2::RequestUtil ();
>>
>> … it should be in Apache2::RequestUtil. But I can’t find anything about
>> that method in the description of Apache2::RequestUtil. Further, I get
>> “undefined method” when I try to even mention it in my handler.
>>
>> I must be missing something really simple? Can somebody point me to a
>> full example of using that method?
>>
>> Thanks!
>>
>> Sergei
>>
>>
>

Yep, I can see what I should do now. For the benefit of others here are the
differences:

OLD STYLE
=========

<Location blah>
PerlAuthzHandler YOUR_MODULE->YOUR_METHOD
require user fred
require group fred
</Location>```


Then in your YOUR_METHOD you would do something like:

my $requires = $r->requires
process your requires ..


​NEW STYLE:
​==========​

PerlAddAuthzProvider user YOUR_MODULE->YOUR_USER_AUTHZ_METHOD
PerlAddAuthzProvider group YOUR_MODULE->YOUR_GROUP_AUTHZ_METHOD

<Location blah>
require user fred
required group fred
</Location>```


And in your YOUR_MODULE:

sub YOUR_USER_AUTHZ_METHOD {
my ($self, $r, @requires) = @_;
}

sub YOUR_GROUP_AUTHZ_METHOD {
my ($self, $r, @requires) = @_;
}

Thanks, André for helping me finally solve this problem. From your link on
Apache-AuthCookie, I also found this:
​ ​
http://search.cpan.org/~mschout/Apache-AuthCookie-3.23/README.apache-2.4.pod
and in there I read under APACHE 2.4 PORTING NOTES.


​Thanks again,​
​ ​
Sergei

On Tue, Dec 22, 2015 at 2:19 AM, André Warnier <aw@ice-sa.com> wrote:

> Hi.
>
> I don't have anything very precise to tell you, but here is what I know :
> The AAA part has been significantly changed in Apache httpd 2.4, as
> compared to 2.2.
> Therefore I suspect - but I am not sure - that some corresponding changes
> had to be made in mod_perl, to adapt to these changes.
> One of the changes that I see when looking at the Apache 2.4 vs 2.2
> on-line documentation (for Apache, not for mod_perl), concerns the syntax -
> and who handles - the "Require" directives.
>
> I also believe that the on-line mod_perl documentation does not yet
> reflect these changes, and it seems a bit hard to find an up-to-date
> documentation yet.
>
> But anyway, I just found this on CPAN :
>
> https://metacpan.org/source/MSCHOUT/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm
>
> That - along with the module name - seems to show a way to obtain the
> "Require" that you need. Why don't you give it a try ?
>
> Another way that I can think of, would be to use the Apache2::Directive
> module (http://perl.apache.org/docs/2.0/api/Apache2/Directive.html), to
> obtain the Require via the server's configuration tree.
> That should be independent of the specific Apache version being used.
>
>
> On 20.12.2015 03:35, Sergei Gerasenko wrote:
>
>> Hello,
>>
>> I’m using mod_perl-2.0.8-10 and I’ve been googling for days for this info
>> w/o any luck.
>>
>> I need to access the value for the Require directive in the apache
>> configs. I need to access that info in my authorization handler
>> (PerlAuthzHandler). It used to be that $r->requires provided that
>> information, but it’s gone now according to the changelog. It has been
>> replaced with register_auth_provider and according to this:
>>
>> perl -MModPerl::MethodLookup -e print_method register_auth_provider
>> To use method 'register_auth_provider' add:
>> use Apache2::RequestUtil ();
>>
>> … it should be in Apache2::RequestUtil. But I can’t find anything about
>> that method in the description of Apache2::RequestUtil. Further, I get
>> “undefined method” when I try to even mention it in my handler.
>>
>> I must be missing something really simple? Can somebody point me to a
>> full example of using that method?
>>
>> Thanks!
>>
>> Sergei
>>
>>
>

Hi Sergei.
My turn to thank you for providing the information below (and also to Michael Schout of
course). That will also be invaluable to me, when I get around to update my own mod_perl
AAA modules.

On 22.12.2015 17:57, Sergei Gerasenko wrote:
> Yep, I can see what I should do now. For the benefit of others here are the differences:
>
> OLD STYLE
> =========
>
> <Location blah>
> PerlAuthzHandler YOUR_MODULE->YOUR_METHOD
> require user fred
> require group fred
> </Location>```
>
>
> Then in your YOUR_METHOD you would do something like:
>
> my $requires = $r->requires
> process your requires ..
>
>
> ​NEW STYLE:
> ​==========​
>
> PerlAddAuthzProvider user YOUR_MODULE->YOUR_USER_AUTHZ_METHOD
> PerlAddAuthzProvider group YOUR_MODULE->YOUR_GROUP_AUTHZ_METHOD
>
> <Location blah>
> require user fred
> required group fred
> </Location>```
>
>
> And in your YOUR_MODULE:
>
> sub YOUR_USER_AUTHZ_METHOD {
> my ($self, $r, @requires) = @_;
> }
>
> sub YOUR_GROUP_AUTHZ_METHOD {
> my ($self, $r, @requires) = @_;
> }
>
> Thanks, André for helping me finally solve this problem. From your link on
> Apache-AuthCookie, I also found this:
> ​ ​
> http://search.cpan.org/~mschout/Apache-AuthCookie-3.23/README.apache-2.4.pod and in there
> I read under APACHE 2.4 PORTING NOTES.
>
>
> ​Thanks again,​
> ​ ​
> Sergei
>
> On Tue, Dec 22, 2015 at 2:19 AM, André Warnier <aw@ice-sa.com <mailto:aw@ice-sa.com>> wrote:
>
> Hi.
>
> I don't have anything very precise to tell you, but here is what I know :
> The AAA part has been significantly changed in Apache httpd 2.4, as compared to 2.2.
> Therefore I suspect - but I am not sure - that some corresponding changes had to be
> made in mod_perl, to adapt to these changes.
> One of the changes that I see when looking at the Apache 2.4 vs 2.2 on-line
> documentation (for Apache, not for mod_perl), concerns the syntax - and who handles -
> the "Require" directives.
>
> I also believe that the on-line mod_perl documentation does not yet reflect these
> changes, and it seems a bit hard to find an up-to-date documentation yet.
>
> But anyway, I just found this on CPAN :
> https://metacpan.org/source/MSCHOUT/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm
>
> That - along with the module name - seems to show a way to obtain the "Require" that
> you need. Why don't you give it a try ?
>
> Another way that I can think of, would be to use the Apache2::Directive module
> (http://perl.apache.org/docs/2.0/api/Apache2/Directive.html), to obtain the Require
> via the server's configuration tree.
> That should be independent of the specific Apache version being used.
>
>
> On 20.12.2015 03 <tel:20.12.2015%2003>:35, Sergei Gerasenko wrote:
>
> Hello,
>
> I’m using mod_perl-2.0.8-10 and I’ve been googling for days for this info w/o any
> luck.
>
> I need to access the value for the Require directive in the apache configs. I need
> to access that info in my authorization handler (PerlAuthzHandler). It used to be
> that $r->requires provided that information, but it’s gone now according to the
> changelog. It has been replaced with register_auth_provider and according to this:
>
> perl -MModPerl::MethodLookup -e print_method register_auth_provider
> To use method 'register_auth_provider' add:
> use Apache2::RequestUtil ();
>
> … it should be in Apache2::RequestUtil. But I can’t find anything about that
> method in the description of Apache2::RequestUtil. Further, I get “undefined
> method” when I try to even mention it in my handler.
>
> I must be missing something really simple? Can somebody point me to a full example
> of using that method?
>
> Thanks!
>
> Sergei
>
>
>

The way in which I understand the pod and the code, is that you don't have to do anything
to get the requires as a list/array : they just come that way.
The first element of the array seems to be the "keyword" (like "user" in "Require user xxx
yyy" etc.), and the following list elements are then "xxx", "yyy", etc).

On 22.12.2015 19:55, Sergei Gerasenko wrote:
> The only thing I don't get how to do is to make apache collect all of the requires into an
> array and pass it to the authz handler. The way it works right now is that the authz
> handler is ran for every require.
>
> You will notice that Apache2_4/AuthCookie.pm expects the 3rd param to be an array, which
> is puzzling. Maybe the module does some magic on aggregating the requires into an array.
> Haven't looked at that yet.
>
> On Tue, Dec 22, 2015 at 11:06 AM, A. Warnier <aw@ice-sa.com <mailto:aw@ice-sa.com>> wrote:
>
> Hi Sergei.
> My turn to thank you for providing the information below (and also to Michael Schout
> of course). That will also be invaluable to me, when I get around to update my own
> mod_perl AAA modules.
>
> On 22.12.2015 17:57, Sergei Gerasenko wrote:
>
> Yep, I can see what I should do now. For the benefit of others here are the
> differences:
>
> OLD STYLE
> =========
>
> <Location blah>
> PerlAuthzHandler YOUR_MODULE->YOUR_METHOD
> require user fred
> require group fred
> </Location>```
>
>
> Then in your YOUR_METHOD you would do something like:
>
> my $requires = $r->requires
> process your requires ..
>
>
> ​NEW STYLE:
> ​==========​
>
> PerlAddAuthzProvider user YOUR_MODULE->YOUR_USER_AUTHZ_METHOD
> PerlAddAuthzProvider group YOUR_MODULE->YOUR_GROUP_AUTHZ_METHOD
>
> <Location blah>
> require user fred
> required group fred
> </Location>```
>
>
> And in your YOUR_MODULE:
>
> sub YOUR_USER_AUTHZ_METHOD {
> my ($self, $r, @requires) = @_;
> }
>
> sub YOUR_GROUP_AUTHZ_METHOD {
> my ($self, $r, @requires) = @_;
> }
>
> Thanks, André for helping me finally solve this problem. From your link on
> Apache-AuthCookie, I also found this:
> ​ ​
> http://search.cpan.org/~mschout/Apache-AuthCookie-3.23/README.apache-2.4.pod and
> in there
> I read under APACHE 2.4 PORTING NOTES.
>
>
> ​Thanks again,​
> ​ ​
> Sergei
>
> On Tue, Dec 22, 2015 at 2:19 AM, André Warnier <aw@ice-sa.com
> <mailto:aw@ice-sa.com> <mailto:aw@ice-sa.com <mailto:aw@ice-sa.com>>> wrote:
>
> Hi.
>
> I don't have anything very precise to tell you, but here is what I know :
> The AAA part has been significantly changed in Apache httpd 2.4, as compared
> to 2.2.
> Therefore I suspect - but I am not sure - that some corresponding changes had
> to be
> made in mod_perl, to adapt to these changes.
> One of the changes that I see when looking at the Apache 2.4 vs 2.2 on-line
> documentation (for Apache, not for mod_perl), concerns the syntax - and who
> handles -
> the "Require" directives.
>
> I also believe that the on-line mod_perl documentation does not yet reflect these
> changes, and it seems a bit hard to find an up-to-date documentation yet.
>
> But anyway, I just found this on CPAN :
> https://metacpan.org/source/MSCHOUT/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm
>
> That - along with the module name - seems to show a way to obtain the
> "Require" that
> you need. Why don't you give it a try ?
>
> Another way that I can think of, would be to use the Apache2::Directive module
> (http://perl.apache.org/docs/2.0/api/Apache2/Directive.html), to obtain the
> Require
> via the server's configuration tree.
> That should be independent of the specific Apache version being used.
>
>
> On 20.12.2015 03 <tel:20.12.2015%2003> <tel:20.12.2015%2003>:35, Sergei
> Gerasenko wrote:
>
> Hello,
>
> I’m using mod_perl-2.0.8-10 and I’ve been googling for days for this info
> w/o any
> luck.
>
> I need to access the value for the Require directive in the apache
> configs. I need
> to access that info in my authorization handler (PerlAuthzHandler). It
> used to be
> that $r->requires provided that information, but it’s gone now according
> to the
> changelog. It has been replaced with register_auth_provider and according
> to this:
>
> perl -MModPerl::MethodLookup -e print_method register_auth_provider
> To use method 'register_auth_provider' add:
> use Apache2::RequestUtil ();
>
> … it should be in Apache2::RequestUtil. But I can’t find anything about that
> method in the description of Apache2::RequestUtil. Further, I get “undefined
> method” when I try to even mention it in my handler.
>
> I must be missing something really simple? Can somebody point me to a
> full example
> of using that method?
>
> Thanks!
>
> Sergei
>
>
>
>
>

It didn’t happen that way unfortunately. The handler was called once for each require. Maybe I was doing something wrong.

> On Dec 22, 2015, at 5:19 PM, André Warnier (tomcat) <aw@ice-sa.com> wrote:
>
> The way in which I understand the pod and the code, is that you don't have to do anything to get the requires as a list/array : they just come that way.
> The first element of the array seems to be the "keyword" (like "user" in "Require user xxx yyy" etc.), and the following list elements are then "xxx", "yyy", etc).

I've installed and configured the AuthCookie module. I can now say with
certainty that authz_handler is called multiple times for each "require".
So, if you say:

require user u1
require user u2

The handler will be called twice.

On the other hand, if you have 'require user u1 u2', then the 'requires'
argument is not an array but the string "u1 u2", which needs to be split.

I don't know, maybe it's my mod_perl version 2.0.8). Just reporting back
what I found.

On Tue, Dec 22, 2015 at 5:19 PM, André Warnier (tomcat) <aw@ice-sa.com>
wrote:

> The way in which I understand the pod and the code, is that you don't have
> to do anything to get the requires as a list/array : they just come that
> way.
> The first element of the array seems to be the "keyword" (like "user" in
> "Require user xxx yyy" etc.), and the following list elements are then
> "xxx", "yyy", etc).
>
> On 22.12.2015 19:55, Sergei Gerasenko wrote:
>
>> The only thing I don't get how to do is to make apache collect all of the
>> requires into an
>> array and pass it to the authz handler. The way it works right now is
>> that the authz
>> handler is ran for every require.
>>
>> You will notice that Apache2_4/AuthCookie.pm expects the 3rd param to be
>> an array, which
>> is puzzling. Maybe the module does some magic on aggregating the requires
>> into an array.
>> Haven't looked at that yet.
>>
>> On Tue, Dec 22, 2015 at 11:06 AM, A. Warnier <aw@ice-sa.com <mailto:
>> aw@ice-sa.com>> wrote:
>>
>> Hi Sergei.
>> My turn to thank you for providing the information below (and also to
>> Michael Schout
>> of course). That will also be invaluable to me, when I get around to
>> update my own
>> mod_perl AAA modules.
>>
>> On 22.12.2015 17:57, Sergei Gerasenko wrote:
>>
>> Yep, I can see what I should do now. For the benefit of others
>> here are the
>> differences:
>>
>> OLD STYLE
>> =========
>>
>> <Location blah>
>> PerlAuthzHandler YOUR_MODULE->YOUR_METHOD
>> require user fred
>> require group fred
>> </Location>```
>>
>>
>> Then in your YOUR_METHOD you would do something like:
>>
>> my $requires = $r->requires
>> process your requires ..
>>
>>
>> ​NEW STYLE:
>> ​==========​
>>
>> PerlAddAuthzProvider user YOUR_MODULE->YOUR_USER_AUTHZ_METHOD
>> PerlAddAuthzProvider group YOUR_MODULE->YOUR_GROUP_AUTHZ_METHOD
>>
>> <Location blah>
>> require user fred
>> required group fred
>> </Location>```
>>
>>
>> And in your YOUR_MODULE:
>>
>> sub YOUR_USER_AUTHZ_METHOD {
>> my ($self, $r, @requires) = @_;
>> }
>>
>> sub YOUR_GROUP_AUTHZ_METHOD {
>> my ($self, $r, @requires) = @_;
>> }
>>
>> Thanks, André for helping me finally solve this problem. From
>> your link on
>> Apache-AuthCookie, I also found this:
>> ​ ​
>>
>> http://search.cpan.org/~mschout/Apache-AuthCookie-3.23/README.apache-2.4.pod
>> and
>> in there
>> I read under APACHE 2.4 PORTING NOTES.
>>
>>
>> ​Thanks again,​
>> ​ ​
>> Sergei
>>
>> On Tue, Dec 22, 2015 at 2:19 AM, André Warnier <aw@ice-sa.com
>> <mailto:aw@ice-sa.com> <mailto:aw@ice-sa.com <mailto:
>> aw@ice-sa.com>>> wrote:
>>
>> Hi.
>>
>> I don't have anything very precise to tell you, but here is
>> what I know :
>> The AAA part has been significantly changed in Apache httpd
>> 2.4, as compared
>> to 2.2.
>> Therefore I suspect - but I am not sure - that some
>> corresponding changes had
>> to be
>> made in mod_perl, to adapt to these changes.
>> One of the changes that I see when looking at the Apache 2.4
>> vs 2.2 on-line
>> documentation (for Apache, not for mod_perl), concerns the
>> syntax - and who
>> handles -
>> the "Require" directives.
>>
>> I also believe that the on-line mod_perl documentation does
>> not yet reflect these
>> changes, and it seems a bit hard to find an up-to-date
>> documentation yet.
>>
>> But anyway, I just found this on CPAN :
>>
>> https://metacpan.org/source/MSCHOUT/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm
>>
>> That - along with the module name - seems to show a way to
>> obtain the
>> "Require" that
>> you need. Why don't you give it a try ?
>>
>> Another way that I can think of, would be to use the
>> Apache2::Directive module
>> (http://perl.apache.org/docs/2.0/api/Apache2/Directive.html),
>> to obtain the
>> Require
>> via the server's configuration tree.
>> That should be independent of the specific Apache version
>> being used.
>>
>>
>> On 20.12.2015 03 <tel:20.12.2015%2003>
>> <tel:20.12.2015%2003>:35, Sergei
>> Gerasenko wrote:
>>
>> Hello,
>>
>> I’m using mod_perl-2.0.8-10 and I’ve been googling for
>> days for this info
>> w/o any
>> luck.
>>
>> I need to access the value for the Require directive in
>> the apache
>> configs. I need
>> to access that info in my authorization handler
>> (PerlAuthzHandler). It
>> used to be
>> that $r->requires provided that information, but it’s
>> gone now according
>> to the
>> changelog. It has been replaced with
>> register_auth_provider and according
>> to this:
>>
>> perl -MModPerl::MethodLookup -e print_method
>> register_auth_provider
>> To use method 'register_auth_provider' add:
>> use Apache2::RequestUtil ();
>>
>> … it should be in Apache2::RequestUtil. But I can’t find
>> anything about that
>> method in the description of Apache2::RequestUtil.
>> Further, I get “undefined
>> method” when I try to even mention it in my handler.
>>
>> I must be missing something really simple? Can somebody
>> point me to a
>> full example
>> of using that method?
>>
>> Thanks!
>>
>> Sergei
>>
>>
>>
>>
>>
>>
>

* Sergei Gerasenko <gerases@gmail.com> wrote:

> Date: Wed, 23 Dec 2015 11:16:33 -0600
> From: Sergei Gerasenko <gerases@gmail.com>
> To: mod_perl list <modperl@perl.apache.org>
> Subject: Re: $r->requires and register_auth_provider
>
> I've installed and configured the AuthCookie module. I can now say with
> certainty that authz_handler is called multiple times for each "require".
> So, if you say:
>
> require user u1
> require user u2
>
> The handler will be called twice.
>
> On the other hand, if you have 'require user u1 u2', then the 'requires'
> argument is not an array but the string "u1 u2", which needs to be split.
>
> I don't know, maybe it's my mod_perl version 2.0.8). Just reporting back
> what I found.

This is due to a change in behaviour in Apache 2.4. The AAA handler gets run at each AAA requirement directive, by way of subrequests.

Yeah, one may say this is not as efficient as before, but the benefit of it is additional functionality: more granular control.

Apache 2.4 doc will be helpful to you.


Regards,



Jie



> On Tue, Dec 22, 2015 at 5:19 PM, André Warnier (tomcat) <aw@ice-sa.com>
> wrote:
>
> > The way in which I understand the pod and the code, is that you don't have
> > to do anything to get the requires as a list/array : they just come that
> > way.
> > The first element of the array seems to be the "keyword" (like "user" in
> > "Require user xxx yyy" etc.), and the following list elements are then
> > "xxx", "yyy", etc).
> >
> > On 22.12.2015 19:55, Sergei Gerasenko wrote:
> >
> >> The only thing I don't get how to do is to make apache collect all of the
> >> requires into an
> >> array and pass it to the authz handler. The way it works right now is
> >> that the authz
> >> handler is ran for every require.
> >>
> >> You will notice that Apache2_4/AuthCookie.pm expects the 3rd param to be
> >> an array, which
> >> is puzzling. Maybe the module does some magic on aggregating the requires
> >> into an array.
> >> Haven't looked at that yet.
> >>
> >> On Tue, Dec 22, 2015 at 11:06 AM, A. Warnier <aw@ice-sa.com <mailto:
> >> aw@ice-sa.com>> wrote:
> >>
> >> Hi Sergei.
> >> My turn to thank you for providing the information below (and also to
> >> Michael Schout
> >> of course). That will also be invaluable to me, when I get around to
> >> update my own
> >> mod_perl AAA modules.
> >>
> >> On 22.12.2015 17:57, Sergei Gerasenko wrote:
> >>
> >> Yep, I can see what I should do now. For the benefit of others
> >> here are the
> >> differences:
> >>
> >> OLD STYLE
> >> =========
> >>
> >> <Location blah>
> >> PerlAuthzHandler YOUR_MODULE->YOUR_METHOD
> >> require user fred
> >> require group fred
> >> </Location>```
> >>
> >>
> >> Then in your YOUR_METHOD you would do something like:
> >>
> >> my $requires = $r->requires
> >> process your requires ..
> >>
> >>
> >> ​NEW STYLE:
> >> ​==========​
> >>
> >> PerlAddAuthzProvider user YOUR_MODULE->YOUR_USER_AUTHZ_METHOD
> >> PerlAddAuthzProvider group YOUR_MODULE->YOUR_GROUP_AUTHZ_METHOD
> >>
> >> <Location blah>
> >> require user fred
> >> required group fred
> >> </Location>```
> >>
> >>
> >> And in your YOUR_MODULE:
> >>
> >> sub YOUR_USER_AUTHZ_METHOD {
> >> my ($self, $r, @requires) = @_;
> >> }
> >>
> >> sub YOUR_GROUP_AUTHZ_METHOD {
> >> my ($self, $r, @requires) = @_;
> >> }
> >>
> >> Thanks, André for helping me finally solve this problem. From
> >> your link on
> >> Apache-AuthCookie, I also found this:
> >> ​ ​
> >>
> >> http://search.cpan.org/~mschout/Apache-AuthCookie-3.23/README.apache-2.4.pod
> >> and
> >> in there
> >> I read under APACHE 2.4 PORTING NOTES.
> >>
> >>
> >> ​Thanks again,​
> >> ​ ​
> >> Sergei
> >>
> >> On Tue, Dec 22, 2015 at 2:19 AM, André Warnier <aw@ice-sa.com
> >> <mailto:aw@ice-sa.com> <mailto:aw@ice-sa.com <mailto:
> >> aw@ice-sa.com>>> wrote:
> >>
> >> Hi.
> >>
> >> I don't have anything very precise to tell you, but here is
> >> what I know :
> >> The AAA part has been significantly changed in Apache httpd
> >> 2.4, as compared
> >> to 2.2.
> >> Therefore I suspect - but I am not sure - that some
> >> corresponding changes had
> >> to be
> >> made in mod_perl, to adapt to these changes.
> >> One of the changes that I see when looking at the Apache 2.4
> >> vs 2.2 on-line
> >> documentation (for Apache, not for mod_perl), concerns the
> >> syntax - and who
> >> handles -
> >> the "Require" directives.
> >>
> >> I also believe that the on-line mod_perl documentation does
> >> not yet reflect these
> >> changes, and it seems a bit hard to find an up-to-date
> >> documentation yet.
> >>
> >> But anyway, I just found this on CPAN :
> >>
> >> https://metacpan.org/source/MSCHOUT/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm
> >>
> >> That - along with the module name - seems to show a way to
> >> obtain the
> >> "Require" that
> >> you need. Why don't you give it a try ?
> >>
> >> Another way that I can think of, would be to use the
> >> Apache2::Directive module
> >> (http://perl.apache.org/docs/2.0/api/Apache2/Directive.html),
> >> to obtain the
> >> Require
> >> via the server's configuration tree.
> >> That should be independent of the specific Apache version
> >> being used.
> >>
> >>
> >> On 20.12.2015 03 <tel:20.12.2015%2003>
> >> <tel:20.12.2015%2003>:35, Sergei
> >> Gerasenko wrote:
> >>
> >> Hello,
> >>
> >> I’m using mod_perl-2.0.8-10 and I’ve been googling for
> >> days for this info
> >> w/o any
> >> luck.
> >>
> >> I need to access the value for the Require directive in
> >> the apache
> >> configs. I need
> >> to access that info in my authorization handler
> >> (PerlAuthzHandler). It
> >> used to be
> >> that $r->requires provided that information, but it’s
> >> gone now according
> >> to the
> >> changelog. It has been replaced with
> >> register_auth_provider and according
> >> to this:
> >>
> >> perl -MModPerl::MethodLookup -e print_method
> >> register_auth_provider
> >> To use method 'register_auth_provider' add:
> >> use Apache2::RequestUtil ();
> >>
> >> … it should be in Apache2::RequestUtil. But I can’t find
> >> anything about that
> >> method in the description of Apache2::RequestUtil.
> >> Further, I get “undefined
> >> method” when I try to even mention it in my handler.
> >>
> >> I must be missing something really simple? Can somebody
> >> point me to a
> >> full example
> >> of using that method?
> >>
> >> Thanks!
> >>
> >> Sergei
> >>
> >>
> >>
> >>
> >>
> >>
> >

On 12/23/15 11:16 AM, Sergei Gerasenko wrote:

> On the other hand, if you have 'require user u1 u2', then the 'requires'
> argument is not an array but the string "u1 u2", which needs to be split.

For what its worth, I have released AuthCookie v3.24 with a fix to the
(AuthCookie) built in authz provider that handles "Require user"
directives that now behaves more like the one in apache core. That is,
it splits the string on whitespace and processes each username in turn,
returning AUTHZ_GRANTED at the first match. This is exactly what
mod_authz_user does.

It is worth noting that although previous versions of AuthCookie said
you must use:

PerlAddAuthzProvider user Your::AuthCookie::Handler->authz_handler

This is not actually true. If you do not specify a "user" authz
provider, then the one provided by mod_authz_user will be used instead
(and is preferrable).

One other thing to be aware of in terms of how AAA works in Apache 2.4
is that your authz provider methods will *always* be called twice.
First your authz provider will be called before authentication has been
processed ($r->user is not set). This is to provide the opportunity to
allow anonymous access. If you return AUTHZ_DENIED_NO_USER, then
authentication will proceed and your authz_provider will be called a
second time with $r->user set to the authenticated username.

I have fleshed out the documentation for this in README.apache-2.4.pod
in the AuthCookie dist, as well as in the Apache2_4::AuthCookie POD
documentation.

The AuthCookie documentation probably could be better, and I think by
the next release I'll absorb/copy most of what is in the
README.apache-2.4 document into the module POD itself.


Regards,
Michael Schout