Mailing List Archive

On May 11, 2020, at 8:58 AM, Scott Alexander <Scott.Alexander@humak.fi> wrote:
> I've included using https://manpages.debian.org/unstable/libapache2-authcookie-perl/Apache2_4::AuthCookie.3pm.en.html as an example
>
> # In httpd.conf or .htaccess:
> PerlModule Sample::Apache2::AuthCookieHandler
> PerlSetVar WhatEverPath / .....
>
> to my ssl.conf file
>
> No changes made to httpd.conf or ssl.conf.

Those two statements seem to be conflicting? I keep my authentication/authorization information in httpd.conf, personally.

> When trying to access the page I get the errors above.

That sample configuration from the POD assumes that you are subclassing Apache2::AuthCookie and that the name of your subclass is Sample::Apache2::AuthCookieHandler. It's meant to be illustrative. I'm guessing you don't actually have such a subclass. Try just removing the "Sample::" part. You can probably also find working examples in the tests in the "t" subdirectory.

> I've read this https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod
> which unfortunately doesn't make sense to me.

That POD is meant for people developing (or porting from Apache 2.2.x) their own Perl modules for doing authentication and authorization under Apache 2.4.x. AuthCookie already handles all of this for you, assuming you only need or use AuthCookie. It might apply if you are subclassing from AuthCookie and you get into the gritty details, such as implementing your own AuthzProvider. Check out Apache2_4::AuthCookieDBI for an example of that.

https://metacpan.org/pod/Apache2_4::AuthCookieDBI

Regards,
Ed

Hi,

Thanks for your answer, but for me this is confusing.

I have

Apache2_4::AuthCookie is up to date. (3.30)
Apache2::AuthCookie is up to date. (3.30)
Server version: Apache/2.4.6 (CentOS)
Server built: Apr 2 2020 13:13:23

at the end of /etc/httpd/conf.d/ssl.conf there is include /systems/achilles/config/mine_auth_cookie_mod_perl_server_apache2.conf

my @inc has /systems/achilles/lib
and I have /systems/achilles/lib/Apache2/AuthCookieHandler.pm
and /systems/achilles/lib/Apache2_4/AuthCookieHandler.pm

in both AuthCookieHandler.pm I've renamed the package line to eg
package Apache2_4::AuthCookieHandler;


In the directory I want to protect should I have

AuthType Apache2::AuthCookieHandler
AuthName WhatEver
PerlAuthenHandler Apache2::AuthCookieHandler->authenticate
Require valid-user

or

AuthType Apache2_4::AuthCookieHandler
AuthName WhatEver
PerlAuthenHandler Apache2_4::AuthCookieHandler->authenticate
Require valid-user

And then what subs/methods I need to add into which AuthCookieHandler.pm ?

in startup.pl should I have both or just one?

use Apache2::AuthCookie ;
use Apache2_4::AuthCookie ;

I am not porting from 2.2. I have used Shibboleth until now to protect directories but this project I can not use Shibboleth.



Terveisin/Regards

Scott Alexander

scott.alexander@humak.fi<mailto:scott.alexander@humak.fi>

________________________________
From: Edward J. Sabol <edwardjsabol@gmail.com>
Sent: 12 May 2020 00:58
To: Scott Alexander <Scott.Alexander@humak.fi>
Cc: mod_perl list <modperl@perl.apache.org>
Subject: Re: Apache2:AuthCookie With httpd 2.4

On May 11, 2020, at 8:58 AM, Scott Alexander <Scott.Alexander@humak.fi> wrote:
> I've included using https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmanpages.debian.org%2Funstable%2Flibapache2-authcookie-perl%2FApache2_4%3A%3AAuthCookie.3pm.en.html&amp;data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&amp;sdata=XwSR%2FO7jCwZrZLuYRSWWhp%2Fwz7tCtWkCzjs0fTRTIDk%3D&amp;reserved=0 as an example
>
> # In httpd.conf or .htaccess:
> PerlModule Sample::Apache2::AuthCookieHandler
> PerlSetVar WhatEverPath / .....
>
> to my ssl.conf file
>
> No changes made to httpd.conf or ssl.conf.

Those two statements seem to be conflicting? I keep my authentication/authorization information in httpd.conf, personally.

> When trying to access the page I get the errors above.

That sample configuration from the POD assumes that you are subclassing Apache2::AuthCookie and that the name of your subclass is Sample::Apache2::AuthCookieHandler. It's meant to be illustrative. I'm guessing you don't actually have such a subclass. Try just removing the "Sample::" part. You can probably also find working examples in the tests in the "t" subdirectory.

> I've read this https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2Fdistribution%2FApache-AuthCookie%2FREADME.apache-2.4.pod&amp;data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&amp;sdata=SyqV%2FQzJyud4W6ENIgEY9nk%2F9uBzBGf7p6gmShAqivc%3D&amp;reserved=0
> which unfortunately doesn't make sense to me.

That POD is meant for people developing (or porting from Apache 2.2.x) their own Perl modules for doing authentication and authorization under Apache 2.4.x. AuthCookie already handles all of this for you, assuming you only need or use AuthCookie. It might apply if you are subclassing from AuthCookie and you get into the gritty details, such as implementing your own AuthzProvider. Check out Apache2_4::AuthCookieDBI for an example of that.

https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2FApache2_4%3A%3AAuthCookieDBI&amp;data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&amp;sdata=ew5g7VpZFmfs%2FHN9NAdA9YqHtLY11o36UBl9ljp0zN0%3D&amp;reserved=0

Regards,
Ed

Hi.
Just some tips, to simplify the issue, below in the text :


On 14.05.2020 06:09, Scott Alexander wrote:
> Hi,
>
> Thanks for your answer, but for me this is confusing.
>
> I have
>
> Apache2_4::AuthCookie is up to date. (3.30)
> Apache2::AuthCookie is up to date. (3.30) <--- you do not need this with Apache 2.4
> Server version: Apache/2.4.6 (CentOS)
> Server built:   Apr  2 2020 13:13:23
>
> at the end of /etc/httpd/conf.d/ssl.conf there is include
> /systems/achilles/config/mine_auth_cookie_mod_perl_server_apache2.conf
>
> my @inc has /systems/achilles/lib
> and I have /systems/achilles/lib/Apache2/AuthCookieHandler.pm
> and /systems/achilles/lib/Apache2_4/AuthCookieHandler.pm
>
> in both AuthCookieHandler.pm I've renamed the package line to eg
> package Apache2_4::AuthCookieHandler;
>
>
> In the directory I want to protect should I have
>

Not with Apache 2.4 :

> AuthType Apache2::AuthCookieHandler
> AuthName WhatEver
> PerlAuthenHandler Apache2::AuthCookieHandler->authenticate
> Require valid-user
>
> or
>

this is what you need with Apache 2.4 :

> AuthType Apache2_4::AuthCookieHandler
> AuthName WhatEver
> PerlAuthenHandler Apache2_4::AuthCookieHandler->authenticate
> Require valid-user
>
> And then what subs/methods I need to add into which AuthCookieHandler.pm ?
>
> in startup.pl should I have both or just one?
>

> use Apache2::AuthCookie ; <-- you do not need this
> use Apache2_4::AuthCookie ; <-- this is correct for Apache 2.4
>

> I am not porting from 2.2. I have used Shibboleth until now to protect directories but
> this project I can not use Shibboleth.
>

And how exactly do you want the user to authenticate ? via a login page where they enter
their id and password ?
And what is the way in which you are going to check that these id and password are correct ?
(in other words : where are the user ids and passwords stored ?)
And how many different users are you planning to have ?


>
>
> Terveisin/Regards
> **
> *Scott Alexander*
>
> scott.alexander@humak.fi <mailto:scott.alexander@humak.fi>
>
> ------------------------------------------------------------------------------------------
> *From:* Edward J. Sabol <edwardjsabol@gmail.com>
> *Sent:* 12 May 2020 00:58
> *To:* Scott Alexander <Scott.Alexander@humak.fi>
> *Cc:* mod_perl list <modperl@perl.apache.org>
> *Subject:* Re: Apache2:AuthCookie With httpd 2.4
> On May 11, 2020, at 8:58 AM, Scott Alexander <Scott.Alexander@humak.fi> wrote:
>> I've included using https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmanpages.debian.org%2Funstable%2Flibapache2-authcookie-perl%2FApache2_4%3A%3AAuthCookie.3pm.en.html&amp;data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&amp;sdata=XwSR%2FO7jCwZrZLuYRSWWhp%2Fwz7tCtWkCzjs0fTRTIDk%3D&amp;reserved=0
> as an example
>>
>> # In httpd.conf or .htaccess:
>> PerlModule Sample::Apache2::AuthCookieHandler
>> PerlSetVar WhatEverPath / .....
>>
>> to my ssl.conf file
>>
>> No changes made to httpd.conf or ssl.conf.
>
> Those two statements seem to be conflicting? I keep my authentication/authorization
> information in httpd.conf, personally.
>
>> When trying to access the page I get the errors above.
>
> That sample configuration from the POD assumes that you are subclassing
> Apache2::AuthCookie and that the name of your subclass is
> Sample::Apache2::AuthCookieHandler. It's meant to be illustrative. I'm guessing you don't
> actually have such a subclass. Try just removing the "Sample::" part. You can probably
> also find working examples in the tests in the "t" subdirectory.
>
>> I've read this https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2Fdistribution%2FApache-AuthCookie%2FREADME.apache-2.4.pod&amp;data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&amp;sdata=SyqV%2FQzJyud4W6ENIgEY9nk%2F9uBzBGf7p6gmShAqivc%3D&amp;reserved=0
>> which unfortunately doesn't make sense to me.
>
> That POD is meant for people developing (or porting from Apache 2.2.x) their own Perl
> modules for doing authentication and authorization under Apache 2.4.x. AuthCookie already
> handles all of this for you, assuming you only need or use AuthCookie. It might apply if
> you are subclassing from AuthCookie and you get into the gritty details, such as
> implementing your own AuthzProvider. Check out Apache2_4::AuthCookieDBI for an example of
> that.
>
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2FApache2_4%3A%3AAuthCookieDBI&amp;data=02%7C01%7C%7Cfdafa4a140a44a1c47ed08d7f5f66767%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637248310956933568&amp;sdata=ew5g7VpZFmfs%2FHN9NAdA9YqHtLY11o36UBl9ljp0zN0%3D&amp;reserved=0
>
> Regards,
> Ed
>

HI,

Users will login via a form.

Users and their passwords are saved to a mysql database. Getting a hadle to teh db and checking is fine.

Expected users about 500.

I understand I must make a

sub authen_cred which creates a session key

and

sub authen_ses_key to find user from session and return it.

is the sub authenticate what looks for a user and if no user returns what?


Then in /systems/achilles/lib/Apache2_4/AuthCookieHandler.pm

I have a sub authenticate but what should I return now in ssl_error_log I get "No authentication done but request not allowed without authentication for "

If I remove sub authenticate then I get a 403 forbidden and none of the other subs get called.

package Apache2_4::AuthCookieHandler;

use strict;
use Apache2::AuthCookieHandler;
use Apache2::Const qw(AUTHZ_DENIED_NO_USER);
use Apache2::RequestRec;
use Apache::AuthCookie::Util qw(is_blank);
use vars qw(@ISA);

@ISA = qw(Apache2::AuthCookieHandler);

my %Dwarves = map { $_ => 1 }
qw(bashful doc dopey grumpy happy sleepy sneezy programmer);

# authz under apache 2.4 is very different from previous versions
sub dwarf {
my ($self, $r) = @_;

$r->server->log_error("dwarf entry");
my $user = $r->user;
if (is_blank($user)) {
$r->server->log_error("No user authenticted yet");
return Apache2::Const::AUTHZ_DENIED_NO_USER;
}
elsif (defined $Dwarves{$user}) {
$r->server->log_error("$user is a dwarf");
return Apache2::Const::AUTHZ_GRANTED;
}
else {
$r->server->log_error("$user is not a dwarf");
return Apache2::Const::AUTHZ_DENIED;
}
}

sub authenticate {
my $self = shift;
my $r = shift;

$r->server->log_error("LINE 42 2.4");


return WHAT HERE ?
}

sub login {
my $self = shift;
my $r = shift;

$r->server->log_error("LINE 53 2.4");

}

1;


Terveisin/Regards

Scott Alexander


scott.alexander@humak.fi<mailto:scott.alexander@humak.fi>

________________________________
From: Andr? Warnier (tomcat/perl) <aw@ice-sa.com>
Sent: 14 May 2020 14:40
To: modperl@perl.apache.org <modperl@perl.apache.org>
Subject: Re: Apache2:AuthCookie With httpd 2.4

Hi.
Just some tips, to simplify the issue, below in the text :


On 14.05.2020 06:09, Scott Alexander wrote:
> Hi,
>
> Thanks for your answer, but for me this is confusing.
>
> I have
>
> Apache2_4::AuthCookie is up to date. (3.30)
> Apache2::AuthCookie is up to date. (3.30) <--- you do not need this with Apache 2.4
> Server version: Apache/2.4.6 (CentOS)
> Server built: Apr 2 2020 13:13:23
>
> at the end of /etc/httpd/conf.d/ssl.conf there is include
> /systems/achilles/config/mine_auth_cookie_mod_perl_server_apache2.conf
>
> my @inc has /systems/achilles/lib
> and I have /systems/achilles/lib/Apache2/AuthCookieHandler.pm
> and /systems/achilles/lib/Apache2_4/AuthCookieHandler.pm
>
> in both AuthCookieHandler.pm I've renamed the package line to eg
> package Apache2_4::AuthCookieHandler;
>
>
> In the directory I want to protect should I have
>

Not with Apache 2.4 :

> AuthType Apache2::AuthCookieHandler
> AuthName WhatEver
> PerlAuthenHandler Apache2::AuthCookieHandler->authenticate
> Require valid-user
>
> or
>

this is what you need with Apache 2.4 :

> AuthType Apache2_4::AuthCookieHandler
> AuthName WhatEver
> PerlAuthenHandler Apache2_4::AuthCookieHandler->authenticate
> Require valid-user
>
> And then what subs/methods I need to add into which AuthCookieHandler.pm ?
>
> in startup.pl should I have both or just one?
>

> use Apache2::AuthCookie ; <-- you do not need this
> use Apache2_4::AuthCookie ; <-- this is correct for Apache 2.4
>

> I am not porting from 2.2. I have used Shibboleth until now to protect directories but
> this project I can not use Shibboleth.
>

And how exactly do you want the user to authenticate ? via a login page where they enter
their id and password ?
And what is the way in which you are going to check that these id and password are correct ?
(in other words : where are the user ids and passwords stored ?)
And how many different users are you planning to have ?


>
>
> Terveisin/Regards
> **
> *Scott Alexander*
>
> scott.alexander@humak.fi <mailto:scott.alexander@humak.fi>
>
> ------------------------------------------------------------------------------------------
> *From:* Edward J. Sabol <edwardjsabol@gmail.com>
> *Sent:* 12 May 2020 00:58
> *To:* Scott Alexander <Scott.Alexander@humak.fi>
> *Cc:* mod_perl list <modperl@perl.apache.org>
> *Subject:* Re: Apache2:AuthCookie With httpd 2.4
> On May 11, 2020, at 8:58 AM, Scott Alexander <Scott.Alexander@humak.fi> wrote:
>> I've included using https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmanpages.debian.org%2Funstable%2Flibapache2-authcookie-perl%2FApache2_4%3A%3AAuthCookie.3pm.en.html&amp;data=02%7C01%7C%7Ccdbbc0aa22f9475f865b08d7f7fbb14a%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637250532694682960&amp;sdata=i%2BubRiml7K8%2B3s8kLtcpY3blwpCmrNkM6Z337p07%2Bi4%3D&amp;reserved=0
> as an example
>>
>> # In httpd.conf or .htaccess:
>> PerlModule Sample::Apache2::AuthCookieHandler
>> PerlSetVar WhatEverPath / .....
>>
>> to my ssl.conf file
>>
>> No changes made to httpd.conf or ssl.conf.
>
> Those two statements seem to be conflicting? I keep my authentication/authorization
> information in httpd.conf, personally.
>
>> When trying to access the page I get the errors above.
>
> That sample configuration from the POD assumes that you are subclassing
> Apache2::AuthCookie and that the name of your subclass is
> Sample::Apache2::AuthCookieHandler. It's meant to be illustrative. I'm guessing you don't
> actually have such a subclass. Try just removing the "Sample::" part. You can probably
> also find working examples in the tests in the "t" subdirectory.
>
>> I've read this https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2Fdistribution%2FApache-AuthCookie%2FREADME.apache-2.4.pod&amp;data=02%7C01%7C%7Ccdbbc0aa22f9475f865b08d7f7fbb14a%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637250532694682960&amp;sdata=tiVA1Oic5tVnRV7BAaVaGkcCeW7tukWkt1925QBLSdA%3D&amp;reserved=0
>> which unfortunately doesn't make sense to me.
>
> That POD is meant for people developing (or porting from Apache 2.2.x) their own Perl
> modules for doing authentication and authorization under Apache 2.4.x. AuthCookie already
> handles all of this for you, assuming you only need or use AuthCookie. It might apply if
> you are subclassing from AuthCookie and you get into the gritty details, such as
> implementing your own AuthzProvider. Check out Apache2_4::AuthCookieDBI for an example of
> that.
>
> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2FApache2_4%3A%3AAuthCookieDBI&amp;data=02%7C01%7C%7Ccdbbc0aa22f9475f865b08d7f7fbb14a%7Ca30a558eb6084b2c8f39a7fa426fa49d%7C0%7C0%7C637250532694682960&amp;sdata=igwPJCk%2Buknkk4cEuMBGoYljInf2k5zVJf0z5CH8t9c%3D&amp;reserved=0
>
> Regards,
> Ed
>