Re: [MP2]: setting group for a request (require group ...)
on 23.06.2008 09:25:59 by titetluc
Geoffrey, André,
Thank you for your answer.
Conclusion: I will have to:
. write my own PerlAuthzHandler
. define a new directive to define my group
Thanks again
2008/6/19 André Warnier:
> Hi.
>
> I believe that the issue below is more in the way of thinking about this,
> than a real technical issue.
>
> You don't need to involve Apache in the group part.
> I don't think that Apache, per se, even has a field "group" in his internal
> Request structure.
> That is probably why you do not find any API to set or read it.
>
> Let me explain how I understand it :
>
> Authentication consists of finding out who the user is.
> To simplify, we could say that this consists of getting and verifying his
> user-id.
> But, at the same time, we could collect some additional attributes about
> him, like his email address, or a list of groups of which he is a member.
> The application /may/ want to authenticate users in order to (later) also
> authorise them or not to do something. But not necessarily; it could also
> be only for the purpose of logging who accessed the page.
>
> Anyway, now your Authentication module has done its job, it has
> authenticated the user and saved his user-id. It does not really care what
> this user-id will be used for, that is not its job.
>
> The module returns OK, and Apache continues.
>
> ----- end of authentication ----
>
> .... some time passes
>
> ----- start of authorization ---
>
> This consists of verifying if this resource that is requested can be
> returned, depending on some criteria.
> Usually, it will depend on the userid, or some characteristic of the user.
> But not necessarily : it could also depend on a secret key that is included
> in a cookie, for example (if the key is there, the resource is granted, and
> otherwise not).
> If this check is successful, the authorization returns OK. If it is not, it
> returns not-OK.
>
> ---- end of authorization ---
>
> Apache checks the return code. If it is OK, Apache serves the page. If it
> is not-OK, Apache returns a "forbidden" page.
>
> --- end of request ---
>
> Now, in your case, you want
> a) to authenticate the user
> b) later, to authorize access to a resource, in function of some
> characteristic of that user (is he member of one of the authorized groups)
>
> You have already done (a), with a PerlAuthenHandler, and you have stored
> the user-id in the request, so you can get at it later.
>
> If you add a PerlAuthzHandler for authorization, then what your handler has
> to do is :
>
> 1. find out which groups are authorized to access this resource.
> That could be by getting the contents of the "require" clause of the Apache
> configuration, or by getting the value of some "PerlSetVar" in the same
> section (e.g. PerlSetVar AuthorizedGroups "group1,group2")
> (in your module, you would get this value as
> $OKgroups = $r->dir_config("AuthorizedGroups");
>
> 2. find out if this userid (stored in the request) is a member of one of
> these groups.
> For that, you need some additional information about the user, not just his
> user-id. This you could do using a "group" file, like Apache does in its
> Basic authentication scheme (AuthGroupFile xxxx), and read it and parse it
> when you need to, and then compare the result to $OKgroups.
> But that would be inefficient.
>
> Since in (a) you are already accessing some information about the user (to
> verify his userid), I would at the same time collect information about which
> groups he belongs to, and save that somewhere in the Request object, for
> example with something like
> $r->pnotes('groups' => $groups);
>
> Then later, your module (b) can get it back, with
> $groups = $r->pnotes('groups');
> and compare this to the authorized groups.
>
> I hope this helps.
> André
>
>
>
> titetluc titetluc wrote:
>
>> Hello all,
>>
>> I am writing a mod_perl authentication module (My::Auth).
>>
>> This module sets the user using the Apache2::RequestRec::user method.
>>
>> package My::Auth;
>> sub {
>> ....
>> $r->user('getting the user in my module internal structure');
>> return OK;
>> }
>>
>> In the Apache configuration file, I can use the configuration
>>
>> <Location /test_user>
>> PerlAuthHandler My::Auth
>> Require user user1
>> ....
>> </Location>
>>
>> I would like to use my module in another configuration where group is
>> checked
>>
>> <Location /test_group>
>> PerlAuthHandler My::Auth
>> Require group group1
>> ....
>> </Location>
>>
>> I can not find any mod_perl API method (Apache2::RequestRec::group ?) to
>> set the group. I only found Apache2::RequestRec::require method, but this
>> method only reads the require configuration.
>>
>> One way to solve the problem is to modify the My::Auth::handler method :
>>
>> package My::Auth;
>> sub {
>> ....
>> $r->user('getting the user in my module internal structure');
>> my $requires = $r->requires;
>>
>> # here the code to verify authorization
>>
>> return OK;
>> }
>>
>> but I think this is a workaround:
>> . My::Auth::handler is an AUTHENTICATION handler
>> . the code to verify the AUTHORIZATION should have to be executed by the
>> httpd core.
>>
>> How can I manage authorization in this case ?
>>
>> Thanks
>>
>>
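
The two steps André describes (read the allowed groups from `PerlSetVar AuthorizedGroups`, then compare them with the groups saved in `pnotes` during authentication) written out as a PerlAuthzHandler. This is an added example, not code from the thread: the package name `My::GroupAuthz`, the helper names, the array-reference format of `pnotes('groups')` and the configuration in the comment are assumptions.

```perl
package My::GroupAuthz;    # hypothetical name, not from the thread
use strict;
use warnings;

use Apache2::RequestRec  ();    # $r->user, $r->uri
use Apache2::RequestUtil ();    # $r->dir_config, $r->pnotes
use Apache2::Log         ();    # $r->log_error
use Apache2::Const -compile => qw(OK HTTP_FORBIDDEN);

# Assumed configuration (not from the thread):
#   PerlAuthzHandler My::GroupAuthz
#   PerlSetVar       AuthorizedGroups "group1,group2"
#   Require          valid-user
# Assumed contract with the authentication handler: it stored the groups as
#   $r->pnotes(groups => [ 'group1', 'staff' ]);   # array reference

# Split "a, b,c" into trimmed, non-empty group names.
sub parse_groups {
    my ($csv) = @_;
    return () unless defined $csv;
    my @names = split /,/, $csv;
    s/^\s+|\s+$//g for @names;
    return grep { length } @names;
}

# True only if one of the user's groups is in the allowed list.
# Matching is exact and case-sensitive, never substring or regex.
sub is_member {
    my ($allowed, $user_groups) = @_;
    my %allowed = map { $_ => 1 } @$allowed;
    return scalar grep { defined($_) && $allowed{$_} } @$user_groups;
}

sub handler {
    my ($r) = @_;
    my @allowed = parse_groups($r->dir_config('AuthorizedGroups'));
    my $groups  = $r->pnotes('groups');
    my @mine    = ref($groups) eq 'ARRAY' ? @$groups : ();

    # Fail closed: an unset directive or missing group data denies access.
    return Apache2::Const::OK if @allowed && is_member(\@allowed, \@mine);

    $r->log_error(sprintf 'group authz denied: user=%s uri=%s',
        defined($r->user) ? $r->user : '-', $r->uri);
    return Apache2::Const::HTTP_FORBIDDEN;
}

1;
```

The handler returns HTTP_FORBIDDEN rather than re-prompting for credentials, because the user is already authenticated by the time it runs.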