[MP2]: setting group for a request (require group ...) - modperl


Thread: [MP2]: setting group for a request (require group ...)

  1. [MP2]: setting group for a request (require group ...)

    Hello all,

    I am writing a mod_perl authentication module (My::Auth).

    This module sets the user using the Apache2::RequestRec::user method.

    package My::Auth;
    use Apache2::RequestRec ();    # $r->user
    use Apache2::Const qw(OK);
    sub handler {
    my $r = shift;
    ....
    $r->user('getting the user in my module internal structure');
    return OK;
    }

    In the Apache configuration file, I can use the configuration


    PerlAuthHandler My::Auth
    Require user user1
    .....


    I would like to use my module in another configuration where group is
    checked


    PerlAuthHandler My::Auth
    Require group group1
    .....


    I cannot find any mod_perl API method (Apache2::RequestRec::group ?) to set
    the group. I only found the Apache2::RequestRec::require method, but this method
    only reads the require configuration.

    One way to solve the problem is to modify the My::Auth::handler method:

    package My::Auth;
    use Apache2::RequestRec ();    # $r->user
    use Apache2::Access ();        # $r->requires
    use Apache2::Const qw(OK);
    sub handler {
    my $r = shift;
    ....
    $r->user('getting the user in my module internal structure');
    my $requires = $r->requires;

    # here the code to verify authorization

    return OK;
    }

    but I think this is a workaround:
    . My::Auth::handler is an AUTHENTICATION handler
    . the code to verify the AUTHORIZATION should be executed by the
    httpd core.

    How can I manage authorization in this case?

    Thanks


  2. Re: [MP2]: setting group for a request (require group ...)


    > I would like to use my module in another configuration where group is
    > checked
    >
    >
    > PerlAuthHandler My::Auth
    > Require group group1
    > ....
    >

    >
    > I cannot find any mod_perl API method (Apache2::RequestRec::group ?) to set
    > the group.


    that's right.

    you have control over the user via the httpd (and thus mod_perl) API,
    just as the user does via a dialogue box in their browser. but
    mod_authz_owner maps that user to a group via standard unix gid methods.

    I have no idea how this works on win32

    > I only found the Apache2::RequestRec::require method, but this method
    > only reads the require configuration.
    >
    > One way to solve the problem is to modify the My::Auth::handler method:
    >
    > package My::Auth;
    > sub {
    > ....
    > $r->user('getting the user in my module internal structure');
    > my $requires = $r->requires;
    >
    > # here the code to verify authorization
    >
    > return OK;
    > }
    >
    > but I think this is a workaround:
    > . My::Auth::handler is an AUTHENTICATION handler


    yes - is the user who they say they are.

    > . the code to verify the AUTHORIZATION should be executed by the
    > httpd core.


    exactly

    your wanting to do something with group is an authz function, not an
    authen function.

    >
    > How can I manage authorization in this case?


    the 'Require group foo' directive explicitly means you want unix user ->
    unix group mapping done in the authz phase. if you want something
    different from this, write your own PerlAuthzHandler. see recipe 3.16 here

    http://www.modperlcookbook.org/chapters/ch13.pdf

    it's mod_perl 1.0 based, but the ideas are the same, and the techniques
    and API nearly identical.

    HTH

    --Geoff


  3. Re: [MP2]: setting group for a request (require group ...)

    Geoffrey, André,
    Thank you for your answer.

    Conclusion: I will have to:
    . write my own PerlAuthzHandler
    . define a new directive to define my group

    Thanks again


    2008/6/19 André Warnier:

    > Hi.
    >
    > I believe that the issue below is more in the way of thinking about this,
    > than a real technical issue.
    >
    > You don't need to involve Apache in the group part.
    > I don't think that Apache, per se, even has a field "group" in its internal
    > Request structure.
    > That is probably why you do not find any API to set or read it.
    >
    > Let me explain how I understand it:
    >
    > Authentication consists of finding out who the user is.
    > To simplify, we could say that this consists of getting and verifying his
    > user-id.
    > But, at the same time, we could collect some additional attributes about
    > him, like his email address, or a list of groups of which he is a member.
    > The application /may/ want to authenticate users in order to (later) also
    > authorise them or not to do something. But not necessarily; it could also
    > be only for the purpose of logging who accessed the page.
    >
    > Anyway, now your Authentication module has done its job, it has
    > authenticated the user and saved his user-id. It does not really care what
    > this user-id will be used for, that is not its job.
    >
    > The module returns OK, and Apache continues.
    >
    > ----- end of authentication ----
    >
    > .... some time passes
    >
    > ----- start of authorization ---
    >
    > This consists of verifying if this resource that is requested can be
    > returned, depending on some criteria.
    > Usually, it will depend on the userid, or some characteristic of the user.
    > But not necessarily: it could also depend on a secret key that is included
    > in a cookie, for example (if the key is there, the resource is granted, and
    > otherwise not).
    > If this check is successful, the authorization returns OK. If it is not, it
    > returns not-OK.
    >
    > ---- end of authorization ---
    >
    > Apache checks the return code. If it is OK, Apache serves the page. If it
    > is not-OK, Apache returns a "forbidden" page.
    >
    > --- end of request ---
    >
    > Now, in your case, you want
    > a) to authenticate the user
    > b) later, to authorize access to a resource, as a function of some
    > characteristic of that user (is he a member of one of the authorized groups)
    >
    > You have already done (a), with a PerlAuthenHandler, and you have stored
    > the user-id in the request, so you can get at it later.
    >
    > If you add a PerlAuthzHandler for authorization, then what your handler has
    > to do is:
    >
    > 1. find out which groups are authorized to access this resource.
    > That could be by getting the contents of the "require" clause of the Apache
    > configuration, or by getting the value of some "PerlSetVar" in the same
    > section (e.g. PerlSetVar AuthorizedGroups "group1,group2")
    > (in your module, you would get this value as
    > $OKgroups = $r->dir_config("AuthorizedGroups");)
    >
    > 2. find out if this userid (stored in the request) is a member of one of
    > these groups.
    > For that, you need some additional information about the user, not just his
    > user-id. This you could do using a "group" file, like Apache does in its
    > Basic authentication scheme (AuthGroupFile xxxx), and read it and parse it
    > when you need to, and then compare the result to $OKgroups.
    > But that would be inefficient.
    >
    > Since in (a) you are already accessing some information about the user (to
    > verify his userid), I would at the same time collect information about which
    > groups he belongs to, and save that somewhere in the Request object, for
    > example with something like
    > $r->pnotes('groups' => $groups);
    >
    > Then later, your module (b) can get it back, with
    > $groups = $r->pnotes('groups');
    > and compare this to the authorized groups.
    >
    > I hope this helps.
    > André
    >


  4. Re: [MP2]: setting group for a request (require group ...)



    titetluc titetluc wrote:
    > Geoffrey, André,
    > Thank you for your answer.
    >
    > Conclusion: I will have to:
    > . write my own PerlAuthzHandler


    yes

    > . define a new directive to define my group


    no - you can overload the Requires directive. the example I pointed you
    to shows you how:

    http://www.modperlcookbook.org/code/...k/AuthzRole.pm

    if you return OK or AUTH_REQUIRED the configured httpd authz handler
    will not be run, leaving your PerlAuthzHandler in control of the authz
    phase.

    HTH

    --Geoff
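A PerlAuthzHandler along the lines Geoff (post 2 and 4) and André (post 3) describe, as an added example that is not code from this thread or from the mod_perl cookbook: it reads the Require lines through $r->requires, matches "group" requirements against the groups the authen handler stored in $r->pnotes, and returns OK or HTTP_UNAUTHORIZED so the core authz handler is not run. The package name My::Authz, the pnotes key 'groups' and the httpd.conf fragment in the comments are assumptions.

```perl
package My::Authz;    # assumed name; pairs with the thread's My::Auth authen handler
use strict;
use warnings;
use Apache2::RequestRec ();    # $r->user, $r->method_number
use Apache2::RequestUtil ();   # $r->pnotes
use Apache2::Access ();        # $r->requires, $r->auth_type, $r->note_basic_auth_failure
use Apache2::Log ();           # $r->log_error
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);

# httpd.conf (assumed):
#   PerlAuthenHandler My::Auth      # sets $r->user and $r->pnotes(groups => [...])
#   PerlAuthzHandler  My::Authz
#   Require group group1 group2
sub handler {
    my $r = shift;

    # Nothing to decide if authentication did not establish a user.
    my $user = $r->user;
    return Apache2::Const::DECLINED unless defined $user && length $user;

    # The authen handler is assumed to have stored the user's groups as an arrayref.
    my %member = map { $_ => 1 } @{ $r->pnotes('groups') || [] };

    # $r->requires: arrayref of { requirement => 'group g1 g2', method_mask => ... }
    my $requires = $r->requires or return Apache2::Const::DECLINED;
    my $method_bit = 1 << $r->method_number;
    my $group_rule_seen = 0;

    for my $req (@$requires) {
        next unless $req->{method_mask} & $method_bit;   # honour <Limit> scoping
        my ($type, @groups) = split ' ', $req->{requirement};
        next unless lc($type) eq 'group';
        $group_rule_seen = 1;
        return Apache2::Const::OK if grep { $member{$_} } @groups;
    }

    # No applicable 'Require group' line: leave the decision to the core authz modules.
    return Apache2::Const::DECLINED unless $group_rule_seen;

    # Authenticated, but in none of the required groups: deny, and stop core authz.
    $r->log_error("My::Authz: user '$user' is in none of the required groups");
    $r->note_basic_auth_failure if lc($r->auth_type || '') eq 'basic';
    return Apache2::Const::HTTP_UNAUTHORIZED;   # the AUTH_REQUIRED Geoff refers to
}

1;
```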
