setting a server variable - modperl

This is a discussion on setting a server variable - modperl ; Hi, I'm new to mod_perl and I'm having some difficulty understanding a few things. I'd like to write an Apache module which authenticates a request based on the URL. I only want the module to deny invalid requests and allow ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: setting a server variable

  1. setting a server variable


    Hi,

    I'm new to mod_perl and I'm having some difficulty understanding a few things.
    I'd like to write an Apache module which authenticates a request based on the URL.
    I only want the module to deny invalid requests and allow valid requests to be processed as normal.

    A more specific example would be like:

    Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
    Module logic: if REALLY-SECURE-TOKEN is valid, allow the request to continue - else, stop request with an error

    External application logic: if request got here without error then
    find the file2download and write it to the output stream - else, show
    custom error


    I think the best way to do this is something like:

    1) Write a module which evaluates the URL and places a variable in the request's scope
    2)
    Use mod_rewrite to evaluate the newly set variable and pass execution
    to the proper place with any error code that might have been placed in
    the variable

    I've been reading books, howto's, and on-line documentation for the past two days and I still have no idea where to begin.
    Any advice would be greatly appreciated.

    Thanks,

    Ty






  2. Re: setting a server variable



    tyju tiui wrote:
    > Hi,
    >
    > I'm new to mod_perl and I'm having some difficulty understanding a few things.
    > I'd like to write an Apache module which authenticates a request based on the URL.
    > I only want the module to deny invalid requests and allow valid requests to be processed as normal.
    >
    > A more specific example would be like:
    >
    > Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
    > Module logic: if REALLY-SECURE-TOKEN is valid, allow the request to continue - else, stop request with an error
    >
    > External application logic: if request got here without error then
    > find the file2download and write it to the output stream - else, show
    > custom error
    >
    >
    > I think the best way to do this is something like:
    >
    > 1) Write a module which evaluates the URL and places a variable in the request's scope
    > 2)
    > Use mod_rewrite to evaluate the newly set variable and pass execution
    > to the proper place with any error code that might have been placed in
    > the variable
    >

    With mod_perl, it might not be so complicated.
    What you probably want is a PerlAccessHandler module.
    This will check if the request URL is ok (valid token).
    If it is, it returns Apache2::Const::OK, and Apache will continue
    processing the request (e.g., sending the file).
    If the token is not ok, it returns Apache2::Const::FORBIDDEN, and Apache
    will (automatically) return an error page telling the user he is not
    allowed to do that.

    Look there for an explanation and an example :
    http://perl.apache.org/docs/2.0/user...lAccessHandler

    In your case, forget the Apache2::Connection and the IP-linked stuff,
    and replace it with your code to check the URL.
    In the Apache configuration, you would have something like this :


    .. general rules for allowing things like html pages, gifs etc..


    # where your files are
    SetHandler mod_perl
    PerlAccessHandler MyModule
    ....



    And that's basically it.
    Now, if this is your first mod_perl Apache add-on module, you'll have to
    figure out some more stuff, but it's fun.

    André


  3. Re: setting a server variable

    On Fri, 13 Jun 2008 19:56:14 -0700 (PDT)
    tyju tiui wrote:

    >
    > Hi,
    >
    > I'm new to mod_perl and I'm having some difficulty understanding a
    > few things. I'd like to write an Apache module which authenticates a
    > request based on the URL. I only want the module to deny invalid
    > requests and allow valid requests to be processed as normal.
    >
    > A more specific example would be like:
    >
    > Request URL: http://myhost.com/REALLY-SECURE-TOKEN/file2download
    > Module logic: if REALLY-SECURE-TOKEN is valid, allow the request
    > to continue - else, stop request with an error
    > External application logic: if request got here without error then
    > find the file2download and write it to the output stream - else, show
    > custom error
    >
    >
    > I think the best way to do this is something like:
    >
    > 1) Write a module which evaluates the URL and places a variable in
    > the request's scope
    > 2)
    > Use mod_rewrite to evaluate the newly set variable and pass execution
    > to the proper place with any error code that might have been placed in
    > the variable
    >
    > I've been reading books, howto's, and on-line documentation for the
    > past two days and I still have no idea where to begin. Any advice
    > would be greatly appreciated.


    My advice would be to change your URLs to be:

    http://myhost.com/securefiles/REALLY...TOKEN/filename

    Then write a handler that does something along these lines:

    use Apache2::RequestRec;
    use Apache2::RequestUtil;
    use Apache2::RequestIO;

    sub handler {
    my $r = shift;

    # Get the parts of the URI we are interested in
    my $uri = $r->uri;
    my $root = $r->location;

    $uri =~ s!^$root!!; # Strip off http://myhose.com/securefiles
    $uri =~ s!//!/!og; # Remove any double slashes
    $uri =~ s!^/!!o; # Remove the first slash

    # Now that we're left with just REALLY-SECURE-KEY/filename,
    # split it up
    my ( $secure_key, $filename ) = split( '/', $uri );

    # Verify the secure key
    if( verify( $secure_key ) ) {
    $r->sendfile( $filename );
    return( Apache2::Const::OK );
    }
    else {
    return( Apache2::Const::FORBIDDEN );
    }

    }

    }

    It would be configured as:


    SetHandler modperl
    PerlResponseHandler YourHandlerNameHere


    You could also do this as an AuthHandler as was previously
    mentioned, but for something this simple I don't see much
    point in breaking it up unless you're going to use these
    secure keys for many different things.

    -------------------------------------------------------
    Frank Wiles, Revolution Systems, LLC.
    Personal : frank@wiles.org http://www.wiles.org
    Work : frank@revsys.com http://www.revsys.com


+ Reply to Thread