
Re: [soaplite] BUG! mod_perl and SOAP::Lite

  • Jeremy Scott
    Message 1 of 2 , Aug 6, 2003
      Hi, thanks for the response...

      I actually ended up doing what you
      suggested but with a little bit of a twist.

      Dispatching to @INC is dangerous, but what
      I didn't show was how I mitigate that with
      security checks.

      (I had thought that my extra code caused the
      bug, but it didn't so I left it out for clarity.)

      I had another server that uses the "on_action"
      handler to read $ENV{REMOTE_ADDR},
      $ENV{REMOTE_USER} or a certificate subject,
      and the called soapaction method.

      With these three pieces of information, a
      custom routine (in the on_action handler)
      does an authorization check against an LDAP
      server with custom application schema.
      (Is this user from ip allowed to run the method?)

      If they're not authorized, it dies with a soap fault.
      If they are, it goes ahead and dispatches.

      So what I did was turn my cgi into an Apache
      module by using Apache::SOAP as a template.
      I added the 'on_action' option to Apache::SOAP
      along with some other custom code and called it
      Apache::UWDS. Also, this runs over SSL and each
      client has an SSL certificate with a subject that
      represents their user name.

      Here's the config. Note the evil <Perl> tags.

      <Location "/cert">
      SSLVerifyClient require
      SSLOptions +StdEnvVars
      SetHandler perl-script
      PerlHandler Apache::UWDS
      <Perl>
      push @{ $Location{"/cert"}->{PerlSetVar}}, [
      dispatch_to => join(",",@INC) ];
      </Perl>
      </Location>


      So, now I have a secure and easy to administer
      webservice platform. All I do is install the perl
      modules I want people to access on the webservers,
      give them client certificates, and add an application
      entry to our LDAP server with the module::methods
      they're allowed to call and it's done. No messing with
      the webserver for new modules/new users! :)

      I ran this code last night, and it ran 300,000 soap
      calls without leaking memory/blowing up, crashing the
      LDAP server etc... I use ResourcePool for making the
      LDAP connections.



      > Luckily there is a very simple solution ... mod_soap
      > which is documented in the SOAP::Lite
      > pods (perldoc SOAP::Lite ... or
      > http://www.soaplite.com). This will register your
      > SOAP server
      > as a pure mod_perl handler and take care of the
      > dispatching for you. All you need to do is
      > configure the httpd.conf file to point in the right
      > direction.
      >
      > Also this means you won't have to/be able to do the
      > very scary and dangerous
      > ->dispatch_to(@INC) ...
      >
      > -Chris
      >


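The authorization step described in the message above, sketched as an added example; it is not code from the original post or from Apache::UWDS. The `%POLICY` hash is a constructed stand-in for the LDAP application entries, its "uri#method" key format and the function names `is_authorized` and `authorize_action` are assumptions, and `SSL_CLIENT_S_DN` is the client-certificate subject that mod_ssl exports under `SSLOptions +StdEnvVars`.

```perl
use strict;
use warnings;

# Constructed policy standing in for the LDAP lookup:
# certificate subject => allowed source IPs and allowed "uri#method" pairs.
my %POLICY = (
    'CN=alice' => {
        ips     => { '192.0.2.10' => 1 },
        methods => { 'urn:Inventory#list' => 1 },
    },
);

# Deny by default: returns 1 only when subject, IP and method all match exactly.
sub is_authorized {
    my ($subject, $ip, $uri, $method) = @_;
    return 0 unless defined $subject && defined $ip
                 && defined $uri     && defined $method;
    # Reject anything that is not a plain identifier before it can
    # reach the policy lookup or the dispatcher.
    return 0 unless $method =~ /\A\w+\z/;
    my $entry = $POLICY{$subject} or return 0;   # unknown subject
    return 0 unless exists $entry->{ips}{$ip};
    return exists $entry->{methods}{"$uri#$method"} ? 1 : 0;
}

# SOAP::Lite calls the on_action handler with the SOAPAction header value,
# the method namespace URI and the method name. The decision uses the URI
# and name parsed from the request body, not the client-supplied header.
sub authorize_action {
    my ($action, $uri, $method) = @_;
    my $subject = $ENV{SSL_CLIENT_S_DN} // $ENV{REMOTE_USER};
    # A die inside the server is returned to the client as a SOAP fault.
    is_authorized($subject, $ENV{REMOTE_ADDR}, $uri, $method)
        or die "Not authorized\n";
    return;
}

# Wiring in the server setup (assumed): $server->on_action(\&authorize_action);

# Constructed requests: only the first matches the policy.
for my $req (['192.0.2.10', 'list'], ['192.0.2.10', 'delete'],
             ['198.51.100.7', 'list']) {
    local @ENV{qw(SSL_CLIENT_S_DN REMOTE_ADDR)} = ('CN=alice', $req->[0]);
    my $ok = eval { authorize_action('', 'urn:Inventory', $req->[1]); 1 };
    printf "%-13s %-7s %s\n", @$req, $ok ? 'dispatch' : 'fault';
}
```

With `dispatch_to` set to all of `@INC`, this handler is the only gate in front of every installed module, so a missing subject, an unknown IP or an unlisted method must each fail closed.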