perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Schout <>
Subject Re: [a bit OT] AuthCookieDBI and Apache 2.4
Date Thu, 21 Feb 2019 17:46:06 GMT
On 2/21/19 3:41 AM, André Warnier (tomcat) wrote:

> 1) the "authz" function is now called *first* (before any authentication
> module has been called - even non-perl add-on ones),
> and
> 2) it *can* be called 2 or more times during the same request cycle
> and

Yes, and this allows you to do "Anonymous" authorization.  If you don't
want to do that, you simply do

  return Apache2::Const::AUTHZ_DENIED_NO_USER unless defined $r->user

at the top of your Authz provider.  The second time the handler is
called, $r->user will be set so that you can authorize "authenticated"

But this is indeed one of the major things that confuses people when
moving to 2.4.

Another common thing I've seen people do is return an invalid
Apache2::Const value from an Authz provider.  You must return one of a
very specific list of values from the provider (See the
README.apache-2.4 in AuthCookie which discusses this).

> 5) there seems to be no real mod_perl-level (or even Apache-httpd-level)
> documentation available, which explains the above in a general context,
> rather than for any specific perl module.
> A good explanation is provided by Michael Schout in

I pieced this together, if my memory is correct, from apache mailing
list posts, as well as reading the source code of apache itself.  I'm
not sure I found any definitive guide on the changes when I did this,
and it involved a good deal of research at the time.

I had hoped to see all of this codified into some kind of general
mod_perl migration guide for Apache 2.4, similar to what happened when
we all had to migrate from Apache 1.3 to Apache 2.  Something similar to
what is on [1].  But I am unsure if that site is even
maintained any longer.

Anyway, another example of an authz provider is in AuthCookie [2], where
I re-implemented apache's core authz provider, before realizing it was
not needed.


Michael Schout

View raw message