Loading ...
Sorry, an error occurred while loading the content.

Overriding PerlAuthenHandler in sub-directories

Expand Messages
  • Ferrari Geoffrey
    Hi, If I have activated a PerlAuthenHandler for a directory in httpd.conf with ... PerlAuthenHandler My::Handler How can I
    Message 1 of 5 , Jan 10, 2005
    • 0 Attachment
      Hi,

      If I have activated a PerlAuthenHandler for a directory in httpd.conf
      with

      <Location /foo>
      ...
      PerlAuthenHandler My::Handler
      </Location>

      How can I deactivate this PerlAuthenHandler for a subdirectory, such as
      /foo/bar ?

      The online mod_perl docs explain that PerlHandlers can be deactivated
      for subdirectories by setting PerlHandler default-handler (when
      SetHandler has been set to perl-script), but either my problem lies
      elsewhere, or it is not possible to have:

      <Location /foo/bar>
      ....
      PerlAuthenHandler default-handler # nor indeed
      'PerlAuthenHandler none'
      </Location>.

      All advice gratefully received. (I'm trying to set up authentication
      using Apache::AuthCookie. Since I want to avoid clunky URLs like
      www.example.com/protected/... I want to activate authentication for the
      root directory. The only problem is that the login form where the user
      types in his username and password has to be submitted to a location
      below root (e.g. /LOGIN), which of course, can't be done until the user
      has logged in...)

      Regards,

      Geoffrey Ferrari
    • Ferrari Geoffrey
      Hi Sean, adding a .htaccess file might help, but I m looking to see if there isn t a better solution. The main problem is that /foo/bar will actually be a
      Message 2 of 5 , Jan 10, 2005
      • 0 Attachment
        Hi Sean,

        adding a .htaccess file might help, but I'm looking to see if there
        isn't a better solution. The main problem is that /foo/bar will
        actually be a virtual location, that is, it will be controlled by a
        <Location> directive in httpd.conf and will call the script to check
        the user's name and password. As such, /foo/bar will not actually map
        to a sub-directory on disk.

        Second, the question arises what exactly would go into the .htaccess
        file? Presumably, if a PerlAuthenHandler can be overridden for a
        subdirectory using a .htaccess fie, there must be way to override it
        directly in httpd.conf.

        Thanks for the suggestion, though.

        Geoffrey


        On 10 Jan 2005, at 13:30, Sean Davis wrote:

        > Does adding a .htaccess file to /foo/bar help your situation?
        >
        > Sean
        >
        > On Jan 10, 2005, at 7:56 AM, Ferrari Geoffrey wrote:
        >
        >> Hi,
        >>
        >> If I have activated a PerlAuthenHandler for a directory in httpd.conf
        >> with
        >>
        >> <Location /foo>
        >> ...
        >> PerlAuthenHandler My::Handler
        >> </Location>
        >>
        >> How can I deactivate this PerlAuthenHandler for a subdirectory, such
        >> as /foo/bar ?
        >>
        >> The online mod_perl docs explain that PerlHandlers can be deactivated
        >> for subdirectories by setting PerlHandler default-handler (when
        >> SetHandler has been set to perl-script), but either my problem lies
        >> elsewhere, or it is not possible to have:
        >>
        >> <Location /foo/bar>
        >> ....
        >> PerlAuthenHandler default-handler # nor indeed
        >> 'PerlAuthenHandler none'
        >> </Location>.
        >>
        >> All advice gratefully received. (I'm trying to set up authentication
        >> using Apache::AuthCookie. Since I want to avoid clunky URLs like
        >> www.example.com/protected/... I want to activate authentication for
        >> the root directory. The only problem is that the login form where the
        >> user types in his username and password has to be submitted to a
        >> location below root (e.g. /LOGIN), which of course, can't be done
        >> until the user has logged in...)
        >>
        >> Regards,
        >>
        >> Geoffrey Ferrari
        >
        >
      • Martin Moss
        I was looking into this a while back, and came across several posts that described using a PerlAccessHandler to determine if PerlAuthenHandler should be set or
        Message 3 of 5 , Jan 10, 2005
        • 0 Attachment
          I was looking into this a while back, and came across
          several posts that described using a PerlAccessHandler
          to determine if PerlAuthenHandler should be set or
          not.

          You could then setup PerlSetVar Require_Auth '0' in
          any sublocations that didn't need Auth. your
          AccessHandler would then do a set-handlers call and
          get it to return OK for an AuthHandler (I've tried to
          dig out the syntax but I can't find it)..

          I tried it briefly and couldn't get it to work at all,
          but I got the impression that this was down to the
          really quirky setup I was trying to do it on.

          Anyway not much help, but perhaps give you something
          to search google on,

          Marty

          --- Ferrari Geoffrey
          <geoffrey.ferrari@...> wrote:
          > Hi Sean,
          >
          > adding a .htaccess file might help, but I'm looking
          > to see if there
          > isn't a better solution. The main problem is that
          > /foo/bar will
          > actually be a virtual location, that is, it will be
          > controlled by a
          > <Location> directive in httpd.conf and will call the
          > script to check
          > the user's name and password. As such, /foo/bar will
          > not actually map
          > to a sub-directory on disk.
          >
          > Second, the question arises what exactly would go
          > into the .htaccess
          > file? Presumably, if a PerlAuthenHandler can be
          > overridden for a
          > subdirectory using a .htaccess fie, there must be
          > way to override it
          > directly in httpd.conf.
          >
          > Thanks for the suggestion, though.
          >
          > Geoffrey
          >
          >
          > On 10 Jan 2005, at 13:30, Sean Davis wrote:
          >
          > > Does adding a .htaccess file to /foo/bar help your
          > situation?
          > >
          > > Sean
          > >
          > > On Jan 10, 2005, at 7:56 AM, Ferrari Geoffrey
          > wrote:
          > >
          > >> Hi,
          > >>
          > >> If I have activated a PerlAuthenHandler for a
          > directory in httpd.conf
          > >> with
          > >>
          > >> <Location /foo>
          > >> ...
          > >> PerlAuthenHandler My::Handler
          > >> </Location>
          > >>
          > >> How can I deactivate this PerlAuthenHandler for a
          > subdirectory, such
          > >> as /foo/bar ?
          > >>
          > >> The online mod_perl docs explain that
          > PerlHandlers can be deactivated
          > >> for subdirectories by setting PerlHandler
          > default-handler (when
          > >> SetHandler has been set to perl-script), but
          > either my problem lies
          > >> elsewhere, or it is not possible to have:
          > >>
          > >> <Location /foo/bar>
          > >> ....
          > >> PerlAuthenHandler default-handler # nor
          > indeed
          > >> 'PerlAuthenHandler none'
          > >> </Location>.
          > >>
          > >> All advice gratefully received. (I'm trying to
          > set up authentication
          > >> using Apache::AuthCookie. Since I want to avoid
          > clunky URLs like
          > >> www.example.com/protected/... I want to activate
          > authentication for
          > >> the root directory. The only problem is that the
          > login form where the
          > >> user types in his username and password has to be
          > submitted to a
          > >> location below root (e.g. /LOGIN), which of
          > course, can't be done
          > >> until the user has logged in...)
          > >>
          > >> Regards,
          > >>
          > >> Geoffrey Ferrari
          > >
          > >
          >
          >





          ___________________________________________________________
          ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com
        • Sean Davis
          ... Ah, yes...there is an example of code that can link authentication and authorization phases via push_handlers here (http://modperl.com:9000/book/chapters/
          Message 4 of 5 , Jan 10, 2005
          • 0 Attachment
            On Jan 10, 2005, at 8:54 AM, Martin Moss wrote:

            > I was looking into this a while back, and came across
            > several posts that described using a PerlAccessHandler
            > to determine if PerlAuthenHandler should be set or
            > not.
            >
            > You could then setup PerlSetVar Require_Auth '0' in
            > any sublocations that didn't need Auth. your
            > AccessHandler would then do a set-handlers call and
            > get it to return OK for an AuthHandler (I've tried to
            > dig out the syntax but I can't find it)..
            >
            > I tried it briefly and couldn't get it to work at all,
            > but I got the impression that this was down to the
            > really quirky setup I was trying to do it on.
            >
            > Anyway not much help, but perhaps give you something
            > to search google on,
            >

            Ah, yes...there is an example of code that can link authentication and
            authorization phases via push_handlers here
            (http://modperl.com:9000/book/chapters/
            ch6.html#Binding_Authentication_to_Author). Could the same work for
            you? You could then combine access, authen, and authz in one package
            and push the appropriate headers based on your access needs and
            variables set in httpd.conf.

            Sean
          • Geoffrey Young
            ... if you want requests to /foo/bar to succeed unchecked then PerlAuthenHandler sub { return OK } should do the trick. ...
            Message 5 of 5 , Jan 10, 2005
            • 0 Attachment
              Ferrari Geoffrey wrote:
              > Hi,
              >
              > If I have activated a PerlAuthenHandler for a directory in httpd.conf with
              >
              > <Location /foo>
              > ...
              > PerlAuthenHandler My::Handler
              > </Location>
              >
              > How can I deactivate this PerlAuthenHandler for a subdirectory, such as
              > /foo/bar ?

              if you want requests to /foo/bar to succeed unchecked then

              <Location /foo/bar>
              PerlAuthenHandler 'sub { return OK }'
              </Location>

              should do the trick.

              >
              > The online mod_perl docs explain that PerlHandlers can be deactivated
              > for subdirectories by setting PerlHandler default-handler (when
              > SetHandler has been set to perl-script), but either my problem lies
              > elsewhere, or it is not possible to have:
              >
              > <Location /foo/bar>
              > ....
              > PerlAuthenHandler default-handler # nor indeed
              > 'PerlAuthenHandler none'
              > </Location>.

              default-handler is the default content handler (the one that sends a flat
              file to your browser) so that's really not what you want (nor will it work :)

              if what you _really_ want is apache's default auth checker use the example I
              gave above but return DECLINED instead. OK will essentially turn off
              authentication, while DECLINED will invoke .htpasswd-type checking.

              you need to understand the mechanism here. the Requires directive is
              enabling authentication for a given request, but there is no way to turn it
              off once it has been enabled for a request, or to un-scope it within nested
              configurations. so, what you need to do is use your PerlAuthenHandler to
              control what happens next - either perform some authentication, allow apache
              to perform some authentication, or perform none at all.

              HTH

              --Geoff
            Your message has been successfully submitted and would be delivered to recipients shortly.