William McKee wrote:
> > This seems to be working well, but my question is: is there a better way?
>
> Hi Jaldhar,
>
> In my experiences with Perl and C::A, I've discovered that there's always a better way. The question is whether it's worth the effort to pursue. Against the advice of the C::A creator, I and many others on the list have successfully used this method of authenticating and authorizing access to runmodes. However, I have begun to take Jesse's advice to use Apache's (or whatever webserver you are using) built-in support for authen/authz phases to reduce the amount of code I write. I use Apache::Cookie, which works fine for authentication (determining that a user is who s/he says s/he is), but I have not used it to do authorization (granting access to pages based on rights).
I usually do the same thing. And like you said, it usually reduces the amount of code that I write as well. But I do both authentication and authorization.
In some respects, the method you've described seems easier to me for handling authorization. Cees' suggestion from the Wiki[1] is to break out runmodes into separate modules to handle authorization. It's workable but sometimes seems a bit redundant.
I try to combine these two approaches. For instance, by using CGI::Application::Dispatch I have URLs that look like this:
/app/admin_users/search
Which translates into using the Admin::Users application module (in which I place all functionality relating to users that an admin would use) with the run mode 'search'.
I can then do something like this in my httpd.conf file to protect access to that module:
<LocationMatch "/app/admin_.*">
Require group admin
</LocationMatch>
This would mean that all of my application modules in the Admin::*
namespace would be protected without having to do anything else. Now all
I would have to do is write the PerlAuthenHandler and PerlAuthzHandler
to determine who the user is and then if they are in the 'admin' group.
And if I wanted to protect some method, or group of methods in a different application module, then I could do the following:
<LocationMatch "/app/public_stuff/admin_.*">
Require group admin
</LocationMatch>
This would mean that all run modes in the Public::Stuff application
module that begin with 'admin_' would also be protected.
Hope that gives you even more ideas.
--
Michael Peters
Developer
Plus Three, LP
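As an added illustration (not code from the thread or from Plus Three), here is what the PerlAuthzHandler mentioned above could look like for the `Require group admin` blocks. It assumes the mod_perl 1 API (the same generation as Apache::Cookie), that a separate PerlAuthenHandler has already set the user name on the connection, and uses a hypothetical package name and an inline, constructed group table where a real deployment would consult a database.

```perl
package My::AuthzHandler;
# Added example; hypothetical package name. mod_perl 1 API assumed.
# httpd.conf (inside the <LocationMatch> blocks from the post):
#   AuthType Cookie                       # any non-empty AuthType so authz runs
#   AuthName "app"
#   PerlAuthenHandler My::AuthenHandler   # sets $r->connection->user from the cookie
#   PerlAuthzHandler  My::AuthzHandler
#   Require group admin
use strict;
use warnings;
use Apache::Constants qw(OK DECLINED FORBIDDEN);

# Constructed group table for the example; normally loaded from a database.
my %GROUP = (
    admin => { alice => 1 },
    staff => { alice => 1, bob => 1 },
);

# Returns true if $user satisfies any one of the Require lines in scope.
sub user_satisfies {
    my ($user, $requirements) = @_;    # $requirements: arrayref of "Require" strings
    for my $line (@$requirements) {
        my ($type, @args) = split /\s+/, $line;
        return 1 if $type eq 'valid-user';
        return 1 if $type eq 'user'  && grep { $_ eq $user } @args;
        return 1 if $type eq 'group' && grep { $GROUP{$_} && $GROUP{$_}{$user} } @args;
    }
    return 0;    # deny by default: no Require line matched
}

sub handler {
    my $r = shift;
    return DECLINED unless $r->is_initial_req;    # skip subrequests and internal redirects

    # The authen phase is expected to have identified the user; if it did not, refuse.
    my $user = $r->connection->user;
    return FORBIDDEN unless defined $user && length $user;

    my $reqs = $r->requires or return DECLINED;   # no Require directives for this location
    my @lines = map { $_->{requirement} } @$reqs;
    return OK if user_satisfies($user, \@lines);

    $r->log_reason("user '$user' does not satisfy: @lines", $r->uri);
    return FORBIDDEN;
}

1;
```

Because every Admin::* module lives under `/app/admin_*`, the same handler covers new admin modules as they are added, and a failed check is logged with the URI so denied attempts show up in the error log.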
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2