[cgiapp] Authz with Authen, something is backwards here...

Cees Hek ceeshek at gmail.com
Wed Jun 13 20:12:40 EDT 2012


Hi Brett,

Authorization is not purely related to authentication.  For example
you could authorize access based on an IP Address, or based on the
time of the day.  So we can't automatically decline a request just
because they are not logged in.

But as you say, your authentication checks should have caught this
before it got this far.  Perhaps there is a problem with the order in
which you configured things which will influence the order in which
the authen and authz callbacks get triggered.

Cheers,

Cees

On Thu, Jun 14, 2012 at 6:03 AM, B. Estrade <estrabd at gmail.com> wrote:
> On Wed, Jun 13, 2012 at 02:58:28PM -0500, B. Estrade wrote:
>> I am finding that if I have a runmode that is protected via
>> authentication and authorization, the authen doesn't happen before the
>> authz is validated.
>>
>> In other words, I want an authen to happen first; if it fails, redirect
>> to the login. If authen is okay, proceed to authz.
>>
>> Right now I have this unsettling bit of code in my authz driver's
>> authorize_user method:
>>
>> sub authorize_user {
>>     my $self = shift;
>>     my ($username, $required_permission) = @_;
>>     return 1 if (!$username or $required_permission);
>>
>
> I mean:
>
> sub authorize_user {
>    my $self = shift;
>    my ($username, $required_permission) = @_;
>    return 1 if (!$username);
>
> ....
>
>> ....
>>
>> I figure that if there is no $username, then authen has failed. But,
>> because of the ordering of calls, it appears that if this is the case,
>> I have to succeed authorize_user and rely on authen to redirect the
>> login - this seems backwards. Authen should fail before anything is
>> checked with authz. What am I doing wrong?
>>
>> Thank you,
>> Brett
>>
>> #####  CGI::Application community mailing list  ################
>> ##                                                            ##
>> ##  To unsubscribe, or change your message delivery options,  ##
>> ##  visit:  http://lists.openlib.org/mailman/listinfo/cgiapp    ##
>> ##                                                            ##
>> ##  Web archive:   http://lists.openlib.org/pipermail/cgiapp/   ##
>> ##  Wiki:          http://cgiapp.erlbaum.net/                 ##
>> ##                                                            ##
>> ################################################################
>>
>

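An added example (not Brett's or Cees's code, and not from the plugin distribution) of a fail-closed authorize_user driver next to an application that configures authentication before authorization, following the advice above that configuration order influences callback order. It assumes the plugins' documented driver interface authorize_user($username, @params); the Roles driver and its %ROLES table are hypothetical.

```perl
package CGI::Application::Plugin::Authorization::Driver::Roles;
# Hypothetical authz driver (added example). Placed in the plugin's Driver::
# namespace so it can be referenced as DRIVER => ['Roles'].
use strict;
use warnings;
use base qw(CGI::Application::Plugin::Authorization::Driver);

# Constructed sample role table: username => { permission => 1 }
my %ROLES = (
    alice => { edit => 1, view => 1 },
    bob   => { view => 1 },
);

sub authorize_user {
    my $self = shift;
    my ($username, $required_permission) = @_;

    # Fail closed. No authenticated user or no permission requested means "no".
    # Returning 1 for a missing username (as in the original post) lets an
    # anonymous request through whenever authz happens to run before authen.
    return 0 unless defined $username && length $username;
    return 0 unless defined $required_permission;

    return $ROLES{$username}{$required_permission} ? 1 : 0;
}

package MyApp;
use strict;
use warnings;
use base qw(CGI::Application);
use CGI::Application::Plugin::Authentication;
use CGI::Application::Plugin::Authorization;

sub cgiapp_init {
    my $self = shift;
    # Authentication is configured first so an anonymous request is redirected
    # to the login run mode rather than getting a bare "forbidden" from authz.
    $self->authen->config(
        DRIVER        => [ 'Generic', { alice => 'secret', bob => 'secret' } ],
        LOGIN_RUNMODE => 'login',
    );
    $self->authen->protected_runmodes(qw(edit_page view_page));

    # Authorization: each protected run mode names the permission it needs.
    $self->authz->config( DRIVER => ['Roles'] );
    $self->authz->authz_runmodes( edit_page => 'edit', view_page => 'view' );
}

1;
```

With this driver, bob is authenticated but still refused edit_page, and a request with no username is refused by authz even if the callback order were wrong, so the only observable effect of a mis-ordered configuration is a forbidden response instead of a login redirect.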
