[cgiapp] Authz with Authen, something is backwards here...

B. Estrade estrabd at gmail.com
Thu Jun 14 15:20:50 EDT 2012


I've been trying to figure out how to affect the order in which these
prerun hooks are processed, and it's escaping me. For now, I just have
to settle to let the runmodes that have no real authz restrictions to
not even be protected (e.g., landing pages) and to just be okay with
those authz pages that are protected with authz to throw my 401
warning.  I am not really sure what other sort of strategy is good. I
don't want a logged in user to get redirected to the login just because
of an auth violation. I suppose I could redirect them to one of the
non-authz'd runmodes. Thoughts?

On Thu, Jun 14, 2012 at 09:44:32AM -0500, B. Estrade wrote:
> On Thu, Jun 14, 2012 at 10:12:40AM +1000, Cees Hek wrote:
> > Hi Brett,
> > 
> > Authorization is not purely related to authentication.  For example
> > you could authorize access based on an IP Address, or based on the
> > time of the day.  So we can't automatically decline a request just
> > because they are not logged in.
> 
> You're right. I know there is integration on the level that the
> default call for a $username to the
> Authorization::Driver::X::authorize_user will look for an
> authenticated username.
> 
> > 
> > But as you say, your authentication checks should have caught this
> > before it got this far.  Perhaps there is a problem with the order in
> > which you configured things which will influence the order in which
> > the authen and authz callbacks get triggered.
> 
> I guess this is where I need to look.  Thank you,
> 
> Brett
> 
> > 
> > Cheers,
> > 
> > Cees
> > 
> > On Thu, Jun 14, 2012 at 6:03 AM, B. Estrade <estrabd at gmail.com> wrote:
> > > On Wed, Jun 13, 2012 at 02:58:28PM -0500, B. Estrade wrote:
> > >> I am finding that if I have a runmode that is protected via
> > >> authentication and authorization, the authen doesn't happen before the
> > >> authz is validated.
> > >>
> > >> In other words, I want authen to happen first; if it fails, redirect
> > >> to the login. If authen is okay, proceed to authz.
> > >>
> > >> Right now I have this unsettling bit of code in my authz driver's
> > >> authorize_user method:
> > >>
> > >> sub authorize_user {
> > >>     my $self = shift;
> > >>     my ($username, $required_permission) = @_;
> > >>     return 1 if (!$username or $required_permission);
> > >>
> > >
> > > I mean:
> > >
> > > sub authorize_user {
> > >    my $self = shift;
> > >    my ($username, $required_permission) = @_;
> > >    return 1 if (!$username);
> > >
> > > ....
> > >
> > >> ....
> > >>
> > >> I figure that if there is no $username, then authen has failed. But,
> > >> because of the ordering of calls, it appears that if this is the case,
> > >> I have to succeed authorize_user and rely on authen to redirect the
> > >> login - this seems backwards. Authen should fail before anything is
> > >> checked with authz. What am I doing wrong?
> > >>
> > >> Thank you,
> > >> Brett
> > >>
> > >> #####  CGI::Application community mailing list  ################
> > >> ##                                                            ##
> > >> ##  To unsubscribe, or change your message delivery options,  ##
> > >> ##  visit:  http://lists.openlib.org/mailman/listinfo/cgiapp    ##
> > >> ##                                                            ##
> > >> ##  Web archive:   http://lists.openlib.org/pipermail/cgiapp/   ##
> > >> ##  Wiki:          http://cgiapp.erlbaum.net/                 ##
> > >> ##                                                            ##
> > >> ################################################################
> > >>
> > >
> > >
> > 
> > 
> > 
> 
> 
> 

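An added example, not code from the thread: a fail-closed version of the authorize_user driver method discussed above, written so that a missing username is denied instead of waved through. It assumes the CGI::Application::Plugin::Authorization::Driver base class (shipped with the plugin), which calls authorize_user with the username followed by the parameters passed to authorize(); the package name and the permission table are constructed for illustration.

```perl
package CGI::Application::Plugin::Authorization::Driver::Perms;
# Added example: a fail-closed authorize_user. Assumes the base class
# calls authorize_user($username, @params); the data below is constructed.
use strict;
use warnings;
use base qw(CGI::Application::Plugin::Authorization::Driver);

# Constructed sample data: permissions held by each account.
my %PERMS = (
    alice => { edit_posts => 1, view_reports => 1 },
    bob   => { view_reports => 1 },
);

sub authorize_user {
    my $self = shift;
    my ( $username, @required ) = @_;

    # No authenticated user: deny. Returning 1 here would grant access to
    # any runmode whose authen protection was skipped or misconfigured.
    return 0 unless defined $username && length $username;

    # A runmode that requires nothing is a configuration gap; deny rather
    # than silently pass so the gap is noticed.
    return 0 unless @required;

    my $held = $PERMS{$username} or return 0;
    for my $perm (@required) {
        return 0 unless $held->{$perm};
    }
    return 1;
}

# Stand-alone check when run directly: perl Perms.pm
unless (caller) {
    for my $case ( [ undef, 'edit_posts' ], [ 'alice', 'edit_posts' ],
                   [ 'bob', 'edit_posts' ], [ 'bob', 'view_reports' ],
                   [ 'alice' ] ) {
        my ( $user, @need ) = @$case;
        printf "%-6s %-14s %s\n", $user // 'anon', "@need" || '(none)',
            __PACKAGE__->authorize_user( $user, @need ) ? 'allow' : 'deny';
    }
}

1;
```

With this driver the ordering problem in the thread is still a usability issue (an unauthenticated hit on an authz-protected runmode gets the plugin's forbidden response instead of the login page), but it can no longer turn into an access grant.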