Overriding Raven authentication for parts of a site: Difference between revisions

From RavenWiki
No edit summary
 
(Pre-"deletion" comments for page that turns out to have been a mistake)
[NB Primarily relevant to Apache servers using mod_ucam_webauth, though also relevant to other authentication mechanisms on Apache.]
Page deleted...


One problem with Apache authentication (Basic Auth, Raven via mod_ucam_webauth, etc.) is that the configuration settings (AuthType etc.) are "inherited". In consequence, if you enable Raven authentication in a <Location /> block, it will apply e.g. to /error-pages, which may be a problem if you have custom error pages that should be shown for login failures (user cancelled logins, cookies not working, etc.).
After writing the original version of this page, I found that the problem I was solving was not actually the problem it appeared to be (the special authn/authz modules weren't really needed), and it was all a red herring. Hence deleting the page (to the extent that anything can be deleted in the wiki).


Apache does not provide a built-in way to override inherited AuthType etc. - there's no "AuthType None" - so the only solution (that I've found) is to add a pair of "null" authentication and authorisation handlers and specify those.
[[User:jml4|jml4]] 14:52, 21 June 2006 (BST)
 
If the Apache server has been built with mod_perl support,
there is an easy Perl-based way to add such "null" handlers.
 
Just add the following (to perl.conf or its equivalent if the Perl configuration lives in a separate file, otherwise to httpd.conf or wherever seems best):
 
<pre>
<perl>
{
    # Authentication handler: accepts every request for locations whose
    # AuthType is Ucam-AuthNull, and declines (leaving mod_ucam_webauth,
    # Basic Auth, etc. to act) everywhere else.
    package Ucam::Apache::AuthNull;
    use strict;
    use Apache::Constants qw(:common);
    use Apache::Log;

    sub handler
    {
        my $r = shift;
        return DECLINED if lc($r->auth_type) ne 'ucam-authnull';
        my $uri = $r->uri;
        $r->log->debug("AuthNull for $uri");
        return OK;
    }


    # Authorisation handler: honours only "Require any-user"; any other
    # Require type is logged and declined.
    package Ucam::Apache::AuthzNull;
    use strict;
    use Apache::Constants qw(:common);
    use Apache::Log;

    sub handler
    {
        my $r = shift;
        return DECLINED if lc($r->auth_type) ne 'ucam-authnull';
        my $uri = $r->uri;
        $r->log->debug("AuthZNull for $uri");
        my $requires = $r->requires;
        foreach my $req (@$requires)
        {
            my $value = lc($req->{'requirement'});
            if ($value eq 'any-user') { $r->user('AuthNull'); return OK; }
            else
            {
                $r->server->log->warn("AuthzNull: bad 'require' type $value");
                return DECLINED;        # maybe another module will say OK
            }
        }
        return OK;
    }

}
</perl>

PerlAuthenHandler Ucam::Apache::AuthNull
PerlAuthzHandler Ucam::Apache::AuthzNull

</pre>
 
and then in whichever file (e.g. httpd.conf) contains the access control details include:
 
<pre>
<Location /error-pages>
Order deny,allow
Allow from all
# In order for Ucam-AuthNull to take precedence over Ucam-WebAuth (Raven),
# we appear to need Satisfy all (not any).
Satisfy all
Require any-user
AuthType Ucam-AuthNull
</Location>
</pre>
The AuthType and related directives should then override any inherited Raven or Basic Auth configuration for URLs with the specified prefix (and similarly for directory-based access controls).
 
==Caveats, cautions and other comments==
 
* I've only tried the above with the Apache 1.3.29 server that's included in SUSE's SLES9 Linux distribution, and in particular it would need adjustments for the Apache 2 version of mod_perl due to incompatible mod_perl changes.
 
* For reasons which I've not investigated, simply specifying "Satisfy any" does <b>not</b> have the expected effect of allowing access according to the address-based controls and involving the authentication module only if address-based access is denied. It only works with "Satisfy all".
 
* It's not clear whether the auth handler is required to set a username, or the potential consequences if it doesn't, so it returns dummy user "AuthNull".
 
* Rather than "Require valid-user", you must specify "Require any-user", chosen to make clear that it's not applying any restrictions. Any/all users (that meet address-based restrictions) will be allowed access.
 
* The main purpose of the debug-level logging calls is to provide a way of confirming that the handlers really are being invoked, if they don't seem to be working.
 
[[User:jml4|jml4]] 14:27, 21 June 2006 (BST)
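As an added example (not code from the original page), here is the same pair of null handlers ported to the mod_perl 2 API that the first caveat says the 1.3 code would need. It assumes Apache 2.2-style PerlAuthenHandler/PerlAuthzHandler hooks (httpd 2.4 replaced PerlAuthzHandler with PerlAddAuthzProvider), and the package name Ucam::Apache::AuthNull2 is hypothetical.

```perl
# Added example: mod_perl 2 / Apache 2.2 port of the null handlers above.
# Package name Ucam::Apache::AuthNull2 is hypothetical; load it with
# "PerlModule Ucam::Apache::AuthNull2" and configure:
#   PerlAuthenHandler Ucam::Apache::AuthNull2::authen
#   PerlAuthzHandler  Ucam::Apache::AuthNull2::authz
package Ucam::Apache::AuthNull2;
use strict;
use warnings;
use Apache2::RequestRec ();                  # $r->uri, $r->user
use Apache2::Access ();                      # $r->auth_type, $r->requires
use Apache2::Log ();                         # $r->log->debug / ->warn
use Apache2::Const -compile => qw(OK DECLINED);

# True only for locations configured with "AuthType Ucam-AuthNull", so
# Raven (mod_ucam_webauth) and Basic Auth locations are left untouched.
sub _is_authnull {
    my $r = shift;
    my $type = $r->auth_type;
    return defined $type && lc($type) eq 'ucam-authnull';
}

# Authentication phase: accept every request for AuthNull locations.
sub authen {
    my $r = shift;
    return Apache2::Const::DECLINED unless _is_authnull($r);
    $r->log->debug("AuthNull for " . $r->uri);
    return Apache2::Const::OK;
}

# Authorisation phase: only "Require any-user" is recognised; anything
# else is logged and declined (maybe another module will say OK).
sub authz {
    my $r = shift;
    return Apache2::Const::DECLINED unless _is_authnull($r);
    $r->log->debug("AuthzNull for " . $r->uri);
    for my $req (@{ $r->requires || [] }) {
        my $value = lc $req->{requirement};
        if ($value eq 'any-user') {
            $r->user('AuthNull');            # dummy user, as in the 1.3 version
            return Apache2::Const::OK;
        }
        $r->log->warn("AuthzNull: bad 'require' type $value");
        return Apache2::Const::DECLINED;
    }
    return Apache2::Const::OK;               # no Require directives at all
}

1;
```

The Location block from the original page is unchanged apart from the handler names; the debug lines still give the same confirmation that the handlers are actually being invoked.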

Revision as of 13:52, 21 June 2006
