PerlAuthenHandler and ErrorDocument 401

PerlAuthenHandler and ErrorDocument 401

on 20.05.2008 02:21:04 by fof

Hello.

I am having a configuration issue trying to use ErrorDocument directive with
a PerlAuthenHandler.

I don't think that this is related to bad mod_perl behavior; more likely some
silly configuration error on my part :$ Anyway, I am using the CentOS yum
package install for Apache and mod_perl 2.0.

I have a PerlAuthenHandler that I use in a virtual host config using the
directive. There is also a PerlTransHandler in place for the
virtual host, however I don't think the issue is related to that because the
same issue happens when I remove the TransHandler.

The config looks like this...



ServerName rest.mydomain.com
ServerAdmin fof@mydomain.com


use lib '/etc/ApacheConfig/trunk/perl5/';


DocumentRoot /vhosts/rest.mydomain.com/htdocs/
ScriptAlias /cgi-bin/ /vhosts/rest.mydomain.com/cgi-bin/
CustomLog /vhosts/rest.mydomain.com/logs/rest-accesslog combined
ErrorLog /vhosts/rest.mydomain.com/logs/rest-errorlog

PerlTransHandler +MyTransHandler


<Location />
PerlAuthenHandler MyAuthenHandler
AuthType Basic
AuthName "REST Interface"
Require valid-user
</Location>


ErrorDocument 401 /http/401.html

php_value display_errors No
php_value log_errors Yes
php_value trace_errors Yes



Now when I configure the Location directive to be / then the
PerlAuthenHandler seems to work fine however this conflicts with where I am
storing the custom 401.html page (i.e. it is under the same auth zone).

I therefore get the standard page for apache 401 errors with the following
added message.. "Additionally, a 401 Authorization Required error was
encountered while trying to use an ErrorDocument to handle the request."

Now I can understand this because the auth page has auth on it etc.

The actual directory I wish to protect is
/vhosts/rest.mydomain.com/htdocs/REST/ and so I put in the
config so that only this directory from my document root
(/vhosts/rest.mydomain.com/htdocs/) should have authentication, right? Well,
no. I can't get the PerlAuthenHandler to work unless I specify
in the config instead of .

Am I using for the wrong reason in this case? Surely I am ..

anyway helpz plz..

ta
Geoff




--
View this message in context: http://www.nabble.com/PerlAuthenHandler-and-ErrorDocument-401-tp17330888p17330888.html
Sent from the mod_perl - General mailing list archive at Nabble.com.

Re: PerlAuthenHandler and ErrorDocument 401

on 20.05.2008 10:18:20 by torsten.foertsch


Re: PerlAuthenHandler and ErrorDocument 401

on 21.05.2008 02:11:59 by fof

Torsten Foertsch wrote:
>
> On Tue 20 May 2008, fof wrote:
>> <Location />
>> PerlAuthenHandler MyAuthenHandler
>> AuthType Basic
>> AuthName "REST Interface"
>> Require valid-user
>> </Location>
>>
>> ErrorDocument 401 /http/401.html
>
> Try:
>
> <Files /http/401.html>
> Satisfy any
> </Files>
>
> Torsten
>
> --
> Need professional mod_perl support?
> Just hire me: torsten.foertsch@gmx.net
>

Hey Torsten thanks for the reply but no that does not work either. I think
the real problem I am facing revolves around the reasons why the directory
/REST/ from my document root cannot be secured with a PerlAuthenHandler on
its own.

It does not matter if I set the Location as or /> in the VirtualHost configuration the PerlAuthenHandler still kicks in for
the root directory regardless. That is to say that
http://rest.mydomain.com/REST/abc.html and http://rest.mydomain.com/abc.html
are secured by the PerlAuthenHandler regardless of what I set the
path to.

This is the part that is puzzling me the most. I think if I solve that then
the other stuff will just work. I am going to try removing the
PerlAuthenHandler and simply secure the directory with a htpasswd thus
taking mod_perl out of the picture. This will tell me if some Apache setting
in the main server config is being inherited by my virtual host and stuffing
things up and if it is a mod_perl problem.

Any other suggestions would be appreciated :)

Let ya know how I go.

Geoff T

Re: PerlAuthenHandler and ErrorDocument 401

on 21.05.2008 03:05:34 by fof

fof wrote:
> I am going to try removing the PerlAuthenHandler and simply secure the
> directory with a htpasswd thus taking mod_perl out of the picture. This
> will tell me if some Apache setting in the main server config is being
> inherited by my virtual host and stuffing things up and if it is a
> mod_perl problem.
>
> Any other suggestions would be appreciated :)
>
> Let ya know how I go.
>
>

ok just to let you know I have tried my above experiment (taking mod_perl
authentication out of the equation) and everything works as one would
expect. So this means it is related to mod_perl's behavior or how I am using
it.

I have had problems before when mod_perl seems to override various behavior
in Apache. For example when using a PerlAuthenHandler it seemed to wipe out
the standard DirectoryIndex directive which the main webserver had set to
index.htm etc. This caused a problem when visiting the root directory as it
would not serve up the default index page. To fix this I had to add a
PerlFixUpHandler which restored some default settings.

Is this a similar problem/issue?


Re: PerlAuthenHandler and ErrorDocument 401

on 21.05.2008 07:55:23 by torsten.foertsch

On Wed 21 May 2008, fof wrote:
> I have had problems before when mod_perl seems to override various behavior
> in Apache. For example when using a PerlAuthenHandler it seemed to wipe out
> the standard DirectoryIndex directive which the main webserver had set to
> index.htm etc. This caused a problem when visiting the root directory as it
> would not serve up the default index page. To fix this I had to add a
> PerlFixUpHandler which restored some default settings.

A Perl authentication handler if correctly designed does not interfere with a
DirectoryIndex. It should also work smoothly inside a Location or Directory
block or from a .htaccess file. So I suspect your problem lies in the code of
your handler. (Are you fiddling with $r->filename or depending on
$r->location?) But without insight in that code I think nobody can help.

Torsten

--
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net

Re: PerlAuthenHandler and ErrorDocument 401

on 21.05.2008 08:14:28 by fof

Torsten Foertsch wrote:
>
> On Wed 21 May 2008, fof wrote:
>> I have had problems before when mod_perl seems to override various
>> behavior
>> in Apache. For example when using a PerlAuthenHandler it seemed to wipe
>> out
>> the standard DirectoryIndex directive which the main webserver had set to
>> index.htm etc. This caused a problem when visiting the root directory as
>> it
>> would not serve up the default index page. To fix this I had to add a
>> PerlFixUpHandler which restored some default settings.
>
> A Perl authentication handler if correctly designed does not interfere
> with a
> DirectoryIndex. It should also work smoothly inside a Location or
> Directory
> block or from a .htaccess file. So I suspect your problem lies in the code
> of
> your handler. (Are you fiddling with $r->filename or depending on
> $r->location?) But without insight in that code I think nobody can help.
>
> Torsten
>
>

Hi Torsten,

Thanks again for your reply. You might be right, I am probably not doing
things correctly although I don't believe I am doing anything fancy. I can't
see where I might be fiddling with the objects you mentioned.

I have uploaded my MyAuthenHandler.pm and the modules it relies on for
configuration perhaps if you have time you could peruse the code and let me
know if I am doing anything wrong for this type of operation.

Thanks again for your help on this.

http://www.nabble.com/file/p17356582/MyAuthenHandler.pm MyAuthenHandler.pm
http://www.nabble.com/file/p17356582/MyModPerlUtility.pm MyModPerlUtility.pm
http://www.nabble.com/file/p17356582/MyModPerlDBUtility.pm
MyModPerlDBUtility.pm

Re: PerlAuthenHandler and ErrorDocument 401

on 21.05.2008 16:26:16 by Philip Gollucci


| I have uploaded my MyAuthenHandler.pm and the modules it relies on for
| configuration perhaps if you have time you could peruse the code and let me
| know if I am doing anything wrong for this type of operation.
|
| Thanks again for your help on this.
|
| http://www.nabble.com/file/p17356582/MyAuthenHandler.pm MyAuthenHandler.pm
| http://www.nabble.com/file/p17356582/MyModPerlUtility.pm MyModPerlUtility.pm
| http://www.nabble.com/file/p17356582/MyModPerlDBUtility.pm
| MyModPerlDBUtility.pm
In my experience and a few others on the list if you search the archives, it's
almost never worth it to override with something unless you don't
have any 'assets' being served from this server which is an advisable idea.

Anyway, I think what you are after might be a fully baked AAA (3 httpd phases)
More examples are on perl.apache.org

Everything below is a snippet of a live site.

vhosts-ssl/site.conf:
---------------------

    SetHandler modperl

    AuthType Basic
    AuthName "ISST"
    Require valid-user

    PerlAccessHandler ISST::Access
    PerlAuthenHandler ISST::Authen

    PerlResponseHandler ISST::Login


vhosts/site.conf:
-----------------
RewriteEngine On
RewriteRule ^/timeline/login https://%{SERVER_NAME}/timeline/login [L,R]

PerlMapToStorageHandler ISST::MapToStorage
### AAA

    AuthType Basic
    AuthName "ISST"
    Require valid-user

    PerlAccessHandler ISST::Access
    PerlAuthenHandler ISST::Authen
    PerlAuthzHandler ISST::Authz



    SetHandler modperl
    PerlResponseHandler ISST::Login


ISST/Access.pm:
---------------
package ISST::Access;
use Apache2::RequestRec ();
use Apache2::Const -compile => qw(DECLINED REDIRECT OK);
use Apache2::Cookie ();

sub handler {
    my $r = shift;

    # Public pages: this handler takes no decision for them.
    return Apache2::Const::DECLINED
        if $r->uri =~ m#/timeline/(privacy|register)#;

    # .... (elided in the original post)

    return Apache2::Const::OK;
}

1;

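ISST/Authen.pm:
---------------
package ISST::Authen;
use Apache2::RequestRec ();
use Apache2::Access ();    # provides note_basic_auth_failure
use APR::Table ();         # provides headers_out->set
use Apache2::Const -compile => qw(OK REDIRECT);
use Apache2::Cookie ();
# ISST::User and ISST::Const are the site's own modules (not shown in this post).

sub handler {
    my $r = shift;

    ## can't use DECLINED or you get the REALM popup
    # Note: the pattern is unanchored, so any URI containing one of these
    # path fragments skips the login check.
    return Apache2::Const::OK
        if $r->uri =~ m#/timeline/(login|logout|register|privacy)#;

    if (ISST::User->getLoggedIn($r)) {
        return Apache2::Const::OK;
    }
    else {
        # Not logged in: send the client to the login page.
        $r->note_basic_auth_failure;
        $r->headers_out->set(Location => ISST::Const::URL_LOGIN);
        return Apache2::Const::REDIRECT;
    }
}

1;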

ISST/Authz.pm:
--------------
package ISST::Authz;
use Apache2::RequestRec ();
use Apache2::Const -compile => qw(DECLINED OK HTTP_UNAUTHORIZED);
# ISST::User is the site's own module (not shown in this post).

sub handler {
    my $r = shift;

    # Only the listed resources are subject to authorization here.
    return Apache2::Const::DECLINED
        unless $r->uri =~ m#/timeline/(foo)#;

    my $resource = $1;

    my $user = ISST::User->getLoggedIn($r);

    # Guard against a missing user object before calling a method on it.
    if ($user && $user->isAllowed($resource)) {
        return Apache2::Const::OK;
    }
    else {
        return Apache2::Const::HTTP_UNAUTHORIZED;
    }
}

1;

ISST/MapToStorage.pm:
---------------------
package ISST::MapToStorage;
use Apache2::RequestRec ();
use Apache2::Const -compile => qw(DECLINED OK);

sub handler {
    my $r = shift;

    # /timeline URIs are served by handlers, so skip the filesystem mapping.
    return Apache2::Const::OK if $r->uri =~ m|/timeline|;

    # Everything else goes through Apache's default mapping.
    return Apache2::Const::DECLINED;
}

1;


--
------------------------------------------------------------------------
Philip M. Gollucci (philip@ridecharge.com)
o:703.549.2050x206
Senior System Admin - Riderway, Inc.
http://riderway.com / http://ridecharge.com
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.


Re: PerlAuthenHandler and ErrorDocument 401

on 22.05.2008 07:25:44 by fof

Philip M. Gollucci wrote:
>
> In my experience and a few others on the list if you search the archives,
> its
> almost never worth it to override with something unless you
> don't
> have any 'assets' being served from this server which is an advisable
> idea.
>

Thanks for your response Philip although I am not 100% sure I understand
what you are getting at here. Are you suggesting that one should not use
because I am trying to serve an HTML document on a 401? Is this
what you mean by an 'asset'?


Philip M. Gollucci wrote:
>
> Anyway, I think what you are after might be a fully baked AAA (3 httpd
> phases)
> More examples are on perl.apache.org
>

My module works? Am I missing a phase in what I am doing here?

Thanks for all your help BTW.
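
Added example, not part of any message in the thread and not the poster's configuration: an Apache 2.2 sketch of the situation discussed above, where the ErrorDocument 401 page has to stay reachable without credentials. The `*:80` address, the trailing slash on `/REST/` and the use of `<Location>` for the exemption are assumptions; the handler name, realm and paths are taken from the original post.

```apache
# Added example (Apache 2.2 syntax). Assumptions: the *:80 address and the
# exact /REST/ path; all other names are reused from the original post.
<VirtualHost *:80>
    ServerName   rest.mydomain.com
    DocumentRoot /vhosts/rest.mydomain.com/htdocs/

    # Body sent with every 401. A local path is fetched through an internal
    # redirect, so it goes through the access and authentication phases again.
    ErrorDocument 401 /http/401.html

    # Problem case from the thread: protecting "/" also protects
    # /http/401.html, so the error page itself answers 401.
    #
    # <Location />
    #     PerlAuthenHandler MyAuthenHandler
    #     AuthType Basic
    #     AuthName "REST Interface"
    #     Require valid-user
    # </Location>

    # Option 1: scope authentication to the tree that needs it.
    <Location /REST/>
        PerlAuthenHandler MyAuthenHandler
        AuthType Basic
        AuthName "REST Interface"
        Require valid-user
    </Location>

    # Option 2: if "/" has to stay protected, exempt exactly one URL.
    # <Location> sections are merged in file order, so this block must come
    # after the <Location /> block it overrides. With "Satisfy Any", passing
    # the host-based check (Allow from all) is sufficient and the
    # authentication phase is skipped for this URL only.
    <Location /http/401.html>
        Order allow,deny
        Allow from all
        Satisfy Any
    </Location>
</VirtualHost>
```

On Apache 2.4 the three directives in the exemption block are replaced by `Require all granted`. Keep the exemption limited to the single static file so the unauthenticated surface does not grow beyond the error page.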