Hi.
I am trying to figure out what Apache2::Const return codes /can/ be returned by a mod_perl
/authentication/ method under Apache 2.4+, and what consequences each of these return
codes has, in terms of what Apache does next.
(And also, where to find a commented list of the Apache "AHxxxx" error messages)
Does anyone know where I could find this information, other than perhaps the Apache httpd
source code ? (and if only there, where ?)
I have done multiple searches in Google, but nothing really relevant shows up (lots of
"recipes" there for specific cases, but no general explanation).
I have also consulted :
- the cpan Apache2::Const documentation which lists all the return codes, but without
comments as to what they're used for or where they are applicable.
- the mod_perl2 documentation
(http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlAuthenHandler) /may/ be
somewhat outdated, as it is in other respects for the Apache 2.4 AAA API.
Thanks in advance
(long) Context:
With a lot of inspiration and cut-and-paste from Apache2::AuthCookie (thanks Michael
Schout, also for the 2.4 doc add-on), I have written a mod_perl AAA framework
(aka "PerlAddAuthzProvider xxx Our::Own::Module->authz_user" ),
adapted to the particular needs of our applications, and which is/should be able to work
in conjunction with most built-in or third-party add-on Apache authentication modules
(such as mod_authnz_ldap, mod_shib2, etc). (This is because each of our corporate customers
has their own web-AAA infrastructure, and we need to be compatible with all of them).
Now I have the case where the authentication method itself (aka "PerlAuthenHandler
Our::Own::Module::XXX->authenticate") is one which we need to develop ourselves, because
the customer's corporate framework is somewhat "non-standard" itself.
Thus, our authenticate() method calls the customer's back-end method, and looks at what it
returns.
The back-end external framework can sometimes fail to authenticate a user, and returns a
specific response in such a case. Our authenticate() method catches this, and should then
itself return an appropriate return code, such that Apache 2.4 next calls the (our)
authz_user() method again, which can then e.g. deny/allow access to the resource.
If authenticate() returns Apache2::Const::HTTP_UNAUTHORIZED, then it seems that Apache
immediately aborts the request and returns a 401 Unauthorised response to the browser.
(In any case, it does /not/ call the perl AuthzProvider again).
(That is not really what I want; I'd like it to call authz_user() anyway, and let
authz_user() decide what happens next).
If authenticate() returns Apache2::Const::OK, then there is no Apache log message; but
when it calls authz_user() next, that authz_user() should be able to find out that the
authentication failed.
Or should I just leave $r->user empty in that case and check on that? Is that what the
other (standard) authentication modules do?
If authenticate() returns Apache2::Const::DECLINED, Apache subsequently prints a message in
the server error log, such as:
[Thu May 09 20:52:31.197841 2019] [authn_core:error] [pid 9139] [client xxxx:4038]
AH01796: AuthType OUR::OWN::MOD configured without corresponding module ..
(and it does not call the AuthzProvider again either).
(I think that I understand why it does that, since the only authentication method
configured is mine, and it returns DECLINED)
Or else, what could authenticate() return ?
I can of course do several trials returning different things and see what works, but I
would prefer to know the official do's and don'ts and the Apache 2.4 logic behind them.