Hi.

I am trying to figure out what Apache2::Const return codes /can/ be returned by a mod_perl /authentication/ method under Apache 2.4+, and what consequences each of these return codes has, in terms of what Apache does next.
(And also, where to find a commented list of the Apache "AHxxxx" error messages)

Does anyone know where I could find this information, other than perhaps the Apache httpd source code ? (and if only there, where ?)

I have done multiple searches in Google, but nothing really relevant shows up (lots of "recipes" there for specific cases, but no general explanation).
I have also consulted :
- the CPAN Apache2::Const documentation, which lists all the return codes, but without comments as to what they're used for or where they are applicable.
- the mod_perl2 documentation (http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlAuthenHandler), which /may/ be somewhat outdated, as it is in other respects for the Apache 2.4 AAA API.

Thanks in advance

(long) Context:

With a lot of inspiration and cut-and-paste from Apache2::AuthCookie (thanks Michael Schout, also for the 2.4 doc add-on), I have written a mod_perl AAA framework
(aka "PerlAddAuthzProvider xxx Our::Own::Module->authz_user" ),
adapted to the particular needs of our applications, and which is/should be able to work in conjunction with most built-in or third-party add-on Apache authentication modules (such as mod_authnz_ldap, mod_shib2, etc). (This is because our corporate customers each have their own web-AAA infrastructure, and we need to be compatible with all of them).

Now I have the case where the authentication method itself (aka "PerlAuthenHandler Our::Own::Module::XXX->authenticate") is one which we need to develop ourselves, because the customer's corporate framework is somewhat "non-standard" itself. Thus, our authenticate() method calls the customer's back-end method, and looks at what it returns. The back-end external framework can sometimes fail to authenticate a user, and returns a specific response in such a case. Our authenticate() method catches this, and should then itself return an appropriate return code, such that Apache 2.4 next calls the (our) authz_user() method again, which can then e.g. deny/allow access to the resource.

If authenticate() returns Apache2::Const::HTTP_UNAUTHORIZED, then it seems that Apache immediately aborts the request and returns a 401 Unauthorised response to the browser.
(In any case, it does /not/ call the perl AuthzProvider again).
(That is not really what I want; I'd like it to call authz_user() anyway, and let authz_user() decide what happens next).

If authenticate() returns Apache2::Const::OK, then there is no Apache log message; but when it calls authz_user() next, that authz_user() should be able to find out that the authentication failed. Or should I just leave $r->user empty in that case and check on that? Is that what the other (standard) authentication modules do?

If authenticate() returns Apache2::Const::DECLINED, Apache subsequently prints a message in the server error log, such as:
[Thu May 09 20:52:31.197841 2019] [authn_core:error] [pid 9139] [client xxxx:4038] AH01796: AuthType OUR::OWN::MOD configured without corresponding module ..
(and it does not call the AuthzProvider again either).
(I think that I understand why it does that, since the only authentication method configured is mine, and it returns DECLINED)

Or else, what could authenticate() return ?

I can of course do several trials returning different things and see what works, but I would prefer to know the official do's and don'ts and the Apache 2.4 logic behind them.
