|
|
Line 1: |
Line 1: |
| [NB Primarily relevant to Apache servers using mod_ucam_webauth, though also relevant to other authentication mechanisms on Apache.]
| | Page deleted... |
|
| |
|
| One problem with Apache authentication (Basic Auth, Raven via mod_ucam_webauth, etc.) is that the configuration settings (AuthType etc.) are "inherited". In consequence, if you enable Raven authentication in a <Location /> block, it will apply e.g. to /error-pages, which may be a problem if you have custom error pages that should be shown for login failures (user cancelled logins, cookies not working, etc.).
| | After writing the original version of this page, I found that the problem I was solving was not actually the problem it appeared to be (the special authn/authz modules weren't really needed), and it was all a red herring. Hence deleting the page (to the extent that anything can be deleted in the wiki). |
|
| |
|
| Apache does not provide a built-in way to override inherited AuthType etc. - there's no "AuthType None" - so the only solution (that I've found) is to add a pair of "null" authentication and authorisation handlers and specify those.
| | [[User:jml4|jml4]] 14:52, 21 June 2006 (BST) |
| | |
| If the Apache server has been built with mod_perl support,
| |
| there is an easy Perl-based way to add such "null" handlers.
| |
| | |
| Just add (in perl.conf or equivalent if the Perl configuration is in a separate file, otherwise httpd.conf or wherever seems best)
| |
| | |
| <pre>
| |
| <perl>
| |
| {
| |
| package Ucam::Apache::AuthNull;
| |
| use strict;
| |
| use Apache::Constants qw(:common);
| |
| use Apache::Log;
| |
| | |
| sub handler
| |
| {
| |
| my $r = shift;
| |
| return DECLINED if lc($r->auth_type) ne 'ucam-authnull';
| |
| my $uri = $r->uri;
| |
| $r->log->debug("AuthNull for $uri");
| |
| return OK;
| |
| }
| |
| | |
| | |
| package Ucam::Apache::AuthzNull;
| |
| use strict;
| |
| use Apache::Constants qw(:common);
| |
| use Apache::Log;
| |
| | |
| sub handler
| |
| {
| |
| my $r = shift;
| |
| return DECLINED if lc($r->auth_type) ne 'ucam-authnull';
| |
| my $uri = $r->uri;
| |
| $r->log->debug("AuthZNull for $uri");
| |
| my $requires = $r->requires;
| |
| foreach my $req (@$requires)
| |
| {
| |
| my $value = lc($req->{'requirement'});
| |
| if ($value eq 'any-user') { $r->user('AuthNull'); return OK; }
| |
| else
| |
| {
| |
| $r->server->log->warn("AuthzNull: bad 'require' type $value");
| |
| return DECLINED; # maybe another module will say OK
| |
| }
| |
| }
| |
| return OK;
| |
| }
| |
| | |
| }
| |
| </perl>
| |
| | |
| PerlAuthenHandler Ucam::Apache::AuthNull
| |
| PerlAuthzHandler Ucam::Apache::AuthzNull
| |
| | |
| </pre>
| |
| | |
| and then in whichever file (e.g. http.conf) contains the access control details include
| |
| | |
| <pre>
| |
| <Location /error-pages>
| |
| Order deny,allow
| |
| Allow from all
| |
| # In order for Ucam-AuthNull to take precedence over Ucam-WebAuth (Raven),
| |
| # we appear to need Satisfy all (not any).
| |
| Satisfy all
| |
| Require any-user
| |
| AuthType Ucam-AuthNull
| |
| </Location>
| |
| </pre>
| |
| and the AuthType etc., should override any inherited Raven or Basic Auth configuration for URLs with the specified prefix (and similarly for directory-based access controls).
| |
| | |
| ==Caveats, cautions and other comments==
| |
| | |
| * I've only tried the above with the Apache 1.3.29 server that's included in SUSE's SLES9 Linux distribution, and in particular it would need adjustments for the Apache 2 version of mod_perl due to incompatible mod_perl changes.
| |
| | |
| * For reasons which I've not investigated, simply specifying "Satisfy any" does <b>not</b> have the expected effect of allowing access according to the address-based controls and involving the authentication module only if address-based access is denied. It only works with "Satisfy all".
| |
| | |
| * It's not clear whether the auth handler is required to set a username, or the potential consequences if it doesn't, so it returns dummy user "AuthNull".
| |
| | |
| * Rather than "Require valid-user", you must specify "Require any-user", chosen to make clear that it's not applying any restrictions. Any/all users (that meet address-based restrictions) will be allowed access.
| |
| | |
| * The main purpose of the debug-level logging calls is to provide a way of confirming that the handlers really are being invoked, if they don't seem to be working.
| |
| | |
| [[User:jml4|jml4]] 14:27, 21 June 2006 (BST) | |