[cgiapp] Authentication/Authorization prerun interaction

Lyle Brooks brooks at deseret.com
Tue Jan 10 13:40:45 EST 2012


I am attempting to use both

CGI::Application::Plugin::Authentication
and
CGI::Application::Plugin::Authorization

and when I attempt to restrict a runmode to require authorization (and
authentication), it produces a result I find counter-intuitive.

I was wondering if anyone had similar experiences.

The condition occurs when I restrict a runmode to an authorized
group and attempt to access it for the first time (without authenticating).

What I think "should" happen is that when I attempt to access the
runmode, I should be redirected to a login form to be authenticated.

However, what actually occurs is that I get a "Forbidden" page.

When I dug down into the code, it seems this is due to how the Plugin
modules interact with the prerun mode.

When the request comes in, the prerun_callbacks that the Authentication
and Authorization registered are called before the requested runmode
code is executed....all good so far.

The Authentication plugin will set the prerun_mode to "authen_login"
by default.  The effect of this, as I understand it,
is to substitute the "authen_login" runmode for the requested runmode,
which effectively requires the user to authenticate.  So far so good.

Then the Authorization plugin callback is run.  In this section
of code, it checks get_current_runmode() which returns the original
requested runmode....not the "authen_login" runmode set by the upstream
authentication plugin.

And at this point, the authorization plugin judges the request to
be unauthorized, and it will then make a call to the "redirect_to_forbidding"
runmode which returns the "Forbidden" page I mentioned earlier.
So the Authorization plugin ends up taking action before the prerun_mode
(set by the Authentication plugin) can be acted on later down the
request cycle.

So if the login form (instead of a forbidden page) should be returned,
what should be the appropriate remedy?

Should setting the prerun_mode() also set $self->{__CURRENT_RUNMODE}
inside of CGI::Application?

or

Should CGI::Application::Plugin::Authorization::prerun_callback be
modified to check the setting of prerun_mode() before get_current_runmode()?

I hope that is understandable.  Any ideas others could share would
be appreciated.
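The ordering problem described in this post can be reproduced without the real plugins. The following is an added illustration, not code from CGI::Application, CGI::Application::Plugin::Authentication or CGI::Application::Plugin::Authorization: a core-Perl model with a minimal dispatcher (MiniApp, a stand-in I wrote for this example) that runs two prerun callbacks in registration order and then honours prerun_mode(). The first callback models the Authentication plugin setting prerun_mode('authen_login'); the second models the Authorization plugin. Two versions of the authorization callback are shown: one that consults only get_current_runmode(), and one that checks prerun_mode() first, which is the second remedy the post proposes. The %protected and %authz_rule tables, the logged_in flag, the group list, and the "Forbidden" short-circuit return are all assumptions made for the model.

```perl
#!/usr/bin/perl
# Added illustration (not code from CGI::Application or its plugins):
# a tiny core-Perl model of how two prerun callbacks interact when the
# first one sets prerun_mode() and the second consults get_current_runmode().
use strict;
use warnings;

# Minimal stand-in for a CGI::Application request object (assumption).
package MiniApp;

sub new {
    my ($class, %args) = @_;
    my $self = {
        __CURRENT_RUNMODE => $args{runmode},   # runmode the client asked for
        __PRERUN_MODE     => undef,            # set by prerun callbacks
        logged_in         => $args{logged_in}, # assumed session flag
        groups            => $args{groups} || [],
        callbacks         => [],
    };
    return bless $self, $class;
}

sub get_current_runmode { $_[0]{__CURRENT_RUNMODE} }

sub prerun_mode {
    my ($self, $mode) = @_;
    $self->{__PRERUN_MODE} = $mode if defined $mode;
    return $self->{__PRERUN_MODE};
}

sub add_callback { push @{ $_[0]{callbacks} }, $_[1] }

# Dispatch: run prerun callbacks in registration order; a callback that
# returns a defined value short-circuits the request (modelling the
# "Forbidden" page). Otherwise prerun_mode(), if set, replaces the runmode.
sub run {
    my $self = shift;
    for my $cb (@{ $self->{callbacks} }) {
        my $early = $cb->($self);
        return $early if defined $early;
    }
    my $rm = $self->prerun_mode // $self->get_current_runmode;
    return "runmode '$rm' executed";
}

package main;

my %protected  = (admin_page => 1);          # runmodes needing authentication
my %authz_rule = (admin_page => 'admins');   # runmodes needing a group

# Models the Authentication plugin's prerun callback: swap in the login
# runmode for unauthenticated access to a protected runmode.
my $authen_cb = sub {
    my $app = shift;
    my $rm  = $app->get_current_runmode;
    $app->prerun_mode('authen_login') if $protected{$rm} && !$app->{logged_in};
    return;    # the swap only takes effect once dispatch reads prerun_mode()
};

# Models the Authorization callback as the post describes it: it looks at
# get_current_runmode() only, so it still sees 'admin_page'.
my $authz_cb_original = sub {
    my $app  = shift;
    my $rm   = $app->get_current_runmode;
    my $need = $authz_rule{$rm} or return;
    return "Forbidden" unless grep { $_ eq $need } @{ $app->{groups} };
    return;
};

# Remedy discussed in the post: consult prerun_mode() before
# get_current_runmode(), so a pending login redirect is not pre-empted.
my $authz_cb_fixed = sub {
    my $app  = shift;
    my $rm   = $app->prerun_mode // $app->get_current_runmode;
    my $need = $authz_rule{$rm} or return;
    return "Forbidden" unless grep { $_ eq $need } @{ $app->{groups} };
    return;
};

# One anonymous request to the protected, group-restricted runmode.
sub trial {
    my ($label, $authz_cb) = @_;
    my $app = MiniApp->new(runmode => 'admin_page', logged_in => 0);
    $app->add_callback($authen_cb);   # registered first, as in the post
    $app->add_callback($authz_cb);    # registered second
    printf "%-9s anonymous -> admin_page: %s\n", $label, $app->run;
}

trial('original', $authz_cb_original);
trial('fixed',    $authz_cb_fixed);
```

Run it with `perl` and compare the two lines: the first trial short-circuits with the authorization result before the pending login runmode is ever dispatched, while the second lets the login runmode through because the authorization check sees the substituted runmode. The model is deliberately simplified; in particular, whether the real Authorization plugin short-circuits or instead sets its own prerun_mode is not something this model decides, and the fix it shows is the post's suggestion, not an upstream change.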
