A better way to handle multiple client authentication?

Right now I have an application set up for multiple clients: clientA,
clientB, clientC.

Each client has their own users.

The way I have it setup is clientA goes to http://www.site.com/clientA
and is presented with a login screen which is triggered by an .htaccess
file in a directory called /clientA. The .htaccess file directs Apache
to perform DBI-based authentication using Apache::AuthDBI.

PerlSetVar Auth_DBI_data_source DBI:mysql:clientA

This works great, but I am aware of the limitations and I would like to
set up some rules in the Apache config that accomplish this all without
..htaccess files in every directory for every client (gonna get tricky
around 100,000 clients for sure!)

Is this even possible? Can I do something like:

RewriteRule ^/(.+)/$ PerlSetVar Auth_DBI_data_source DBI:mysql:$1

Or do I have to create my own authentication module?

Thanks for any direction... And sorry if this is better for the Apache
mailing list, I'm always a bit uncertain which group I should ask first...

Tosh

--
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/

Re: A better way to handle multiple client authentication?

The documentation alludes to the variable 'pwd_whereclause'. If this
variable is set it will be used in the passwd query. I would try and
set it per client so that the query gets an additional where clause:

SELECT pwd_field FROM pwd_table WHERE uid_field = user AND client = clientA

^^^^^^^^^^^^^^^^^^^^^^^^

I havn't actually tried this so I don't know if there are any caveats,
but from the docs at least it seems possible. The only trick is
making sure you can reset the pwd_whereclause with each different
client url, and make client an additional column in your pwd_table.

--
-wjt

Dynamically setting PerlVars in Apache per-request

WAS: A better way to handle multiple client authentication?

Yeah I use something similar in another application, but in this
application I actually need to change the Auth_DBI_data_source variable
since the "FROM pwd_table" would actually need to be "FROM
clientA.pwd_table" and I can't see how to set this on the fly. I could
probably also set the: Auth_DBI_pwd_table variable as well, but again
the per-request setting is what's throwing me off.

PerlSetVar Auth_DBI_data_source DBI:mysql:clientA
or
PerlSetVar Auth_DBI_pwd_table clientA.pwd_table

Which is why I thought:

RewriteRule ^/(.+)/$ PerlSetVar Auth_DBI_data_source DBI:mysql:$1

I was hoping a SetEnvIf or IfDefine would work but after reading more
about Apache configuration I see it won't.

Anyway, this is straying too far into Apache territory so I guess I will
just set those variables within a modified Apache::AuthDBI

I guess if anyone already knows an auth module that does that above that
would be awesome, or if anyone knows how to easily change PerlVars on
the fly within the Apache config/htaccess space that's be great,
otherwise it's a small change to the above module.

Thanks again!

Tosh


William T wrote:
> The documentation alludes to the variable 'pwd_whereclause'. If this
> variable is set it will be used in the passwd query. I would try and
> set it per client so that the query gets an additional where clause:
>
> SELECT pwd_field FROM pwd_table WHERE uid_field = user AND client = clientA
>
> ^^^^^^^^^^^^^^^^^^^^^^^^
>
> I havn't actually tried this so I don't know if there are any caveats,
> but from the docs at least it seems possible. The only trick is
> making sure you can reset the pwd_whereclause with each different
> client url, and make client an additional column in your pwd_table.
>
> --
> -wjt
>

--
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/

Re: Dynamically setting PerlVars in Apache per-request

My suggestion would be to subclass AuthDBI to make the constructor
fiddle with the dir_config entries that AuthDBI uses.

See the docs for dir_config (the perl interface to PerlSetVar variables:

http://perl.apache.org/docs/2.0/api/Apache2/ServerUtil.html# C_dir_config_

I have no idea how subclass friendly AuthDBI is or isn't.

Adam



Tosh Cooey wrote:
> WAS: A better way to handle multiple client authentication?
>
> Yeah I use something similar in another application, but in this
> application I actually need to change the Auth_DBI_data_source variable
> since the "FROM pwd_table" would actually need to be "FROM
> clientA.pwd_table" and I can't see how to set this on the fly. I could
> probably also set the: Auth_DBI_pwd_table variable as well, but again
> the per-request setting is what's throwing me off.
>
> PerlSetVar Auth_DBI_data_source DBI:mysql:clientA
> or
> PerlSetVar Auth_DBI_pwd_table clientA.pwd_table
>
> Which is why I thought:
>
> RewriteRule ^/(.+)/$ PerlSetVar Auth_DBI_data_source DBI:mysql:$1
>
> I was hoping a SetEnvIf or IfDefine would work but after reading more
> about Apache configuration I see it won't.
>
> Anyway, this is straying too far into Apache territory so I guess I will
> just set those variables within a modified Apache::AuthDBI
>
> I guess if anyone already knows an auth module that does that above that
> would be awesome, or if anyone knows how to easily change PerlVars on
> the fly within the Apache config/htaccess space that's be great,
> otherwise it's a small change to the above module.
>
> Thanks again!
>
> Tosh
>
>
> William T wrote:
>> The documentation alludes to the variable 'pwd_whereclause'. If this
>> variable is set it will be used in the passwd query. I would try and
>> set it per client so that the query gets an additional where clause:
>>
>> SELECT pwd_field FROM pwd_table WHERE uid_field = user AND client =
>> clientA
>>
>> ^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> I havn't actually tried this so I don't know if there are any caveats,
>> but from the docs at least it seems possible. The only trick is
>> making sure you can reset the pwd_whereclause with each different
>> client url, and make client an additional column in your pwd_table.
>>
>> --
>> -wjt
>>
>