how to invalidate an SSL session?

2005-03-22 Thread Andrea Palmieri




I am writing some modules to do authentication
in a reverse proxy scenario.

In a userid-password authentication mechanism I can
invalidate an authentication session using

    $r->note_basic_auth_failure();
    return Apache::AUTH_REQUIRED;

In this way I can invalidate the authentication
session and prompt the user once more with the user-id password
dialog.

Is there a way to reach the same result
using an SSL session?
In this case the client authenticates itself
providing a digital certificate (this is done using the "SSLVerifyClient require" directive), but I don't know how to invalidate the
SSL session and how to prompt the user with the certificate dialog.

 
Can anyone help ?
thanks
 
Andrea


Re: Pushing OutputHandler using PerlFixupHandler

2005-03-22 Thread Tom Schindl
[...]
Stas Bekman wrote:
|
| I suppose it'd be nice to mention those in
| http://perl.apache.org/docs/2.0/user/handlers/filters.html
| patches are welcome :)
|
[...]
Here's a proposed patch for the docs. I didn't manage to create diff
using the svn diff -u. Is this command appropriate for svn? My client
tells me that -u means update and is not accepted by subcommand diff. Is
this an error in the docs?
http://perl.apache.org/download/docs.html#Submitting_documentation_patches
Tom
Index: src/docs/2.0/api/Apache/RequestUtil.pod
===
--- src/docs/2.0/api/Apache/RequestUtil.pod	(Revision 158584)
+++ src/docs/2.0/api/Apache/RequestUtil.pod	(Arbeitskopie)
@@ -890,6 +890,11 @@
   $ok = $r->push_handlers($hook_name => \&handler);
   $ok = $r->push_handlers($hook_name => ['Foo::Bar::handler', \&handler2]);
 
+Please note: To push input/output filters you have to use 
+C> methods 
+Cadd_input_filter($callback)> and
+Cadd_output_filter($callback)>.
+
 =over 4
 
 =item obj: C<$r>
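Review bot: the note added under the push_handlers synopsis says readers "have to use" add_input_filter($callback) and add_output_filter($callback), but gives neither the reason nor a pointer to where those methods are documented. Suggest one clause stating that push_handlers does not apply to filters, plus an L<> cross-reference to the filter documentation. The first two added lines also end in trailing whitespace ("you have to use " and "methods "), which is worth stripping before commit.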
Index: src/docs/2.0/user/handlers/filters.pod
===
--- src/docs/2.0/user/handlers/filters.pod	(Revision 158584)
+++ src/docs/2.0/user/handlers/filters.pod	(Arbeitskopie)
@@ -909,9 +909,29 @@
 C>.
 
 
+=head2 Adding OutFilters dynamically
 
+If you have the need to add output filters dymically during the request. 
+mod_perl 2.0 offers you the possibility to push filter callbacks during 
+the request is processed:
 
+  package MyApache::AddFilterDyn;
+  
+  use Apache::RequestRec;
+  use Apache::Const qw(:common);
+  use Apache::Filter;
+  use MyApache::FilterObfuscate;
 
+  sub handler {
+my $r = shift;
+
+$r->add_output_filter(\&MyApache::FilterObfuscate::handler);
+
+return Apache::OK;
+  }
+
+  1;
+
 =head2 HTTP Request vs. Connection Filters
 
 mod_perl 2.0 supports connection and HTTP request filtering. mod_perl
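Review bot: the introductory paragraph of the new "Adding OutFilters dynamically" section does not parse as written: "If you have the need to add output filters dymically during the request." is a sentence fragment closed with a full stop, "dymically" is a typo, and "during the request is processed" should read "while the request is processed". Suggest merging the two sentences, for example "If you need to add output filters dynamically during a request, mod_perl 2.0 lets you push filter callbacks while the request is being processed." The heading says "OutFilters" while the body says "output filters"; one term throughout would read better.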


Re: Pushing OutputHandler using PerlFixupHandler

2005-03-22 Thread Stas Bekman
Tom Schindl wrote:
[...]
Stas Bekman wrote:
|
| I suppose it'd be nice to mention those in
| http://perl.apache.org/docs/2.0/user/handlers/filters.html
| patches are welcome :)
|
[...]
Here's a proposed patch for the docs. I didn't manage to create diff
using the svn diff -u. Is this command appropriate for svn? My client
tells me that -u means update and is not accepted by subcommand diff. Is
this an error in the docs?
http://perl.apache.org/download/docs.html#Submitting_documentation_patches
Yeah, the remnants of the cvs notes :( I think 'svn diff' does the unified 
diff by default. I've fixed that. Thanks Tom.

Index: src/docs/2.0/api/Apache/RequestUtil.pod
===
--- src/docs/2.0/api/Apache/RequestUtil.pod	(Revision 158584)
+++ src/docs/2.0/api/Apache/RequestUtil.pod	(Arbeitskopie)
@@ -890,6 +890,11 @@
   $ok = $r->push_handlers($hook_name => \&handler);
   $ok = $r->push_handlers($hook_name => ['Foo::Bar::handler', \&handler2]);
 
+Please note: To push input/output filters you have to use 
+C> methods 
+Cadd_input_filter($callback)> and
+Cadd_output_filter($callback)>.
+
 =over 4
Better to add an xref L<>, but I'll do that.
 =item obj: C<$r>
Index: src/docs/2.0/user/handlers/filters.pod
===
--- src/docs/2.0/user/handlers/filters.pod	(Revision 158584)
+++ src/docs/2.0/user/handlers/filters.pod	(Arbeitskopie)
@@ -909,9 +909,29 @@
 C>.
 
 
+=head2 Adding OutFilters dynamically
 
+If you have the need to add output filters dymically during the request. 
+mod_perl 2.0 offers you the possibility to push filter callbacks during 
+the request is processed:
 
+  package MyApache::AddFilterDyn;
+  
+  use Apache::RequestRec;
this is not used by the module as far as I can see.
+  use Apache::Const qw(:common);
why importing constants when you don't use them in the imported form?
+  use Apache::Filter;
+  use MyApache::FilterObfuscate;
 
+  sub handler {
+my $r = shift;
+
+$r->add_output_filter(\&MyApache::FilterObfuscate::handler);
+
+return Apache::OK;
+  }
and finally the config section is lacking. Otherwise users will not know 
when this handler is run :)

Thanks Tom.
--
__
Stas Bekman            JAm_pH --> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Filter on top of a CGI script

2005-03-22 Thread Scott Gifford
Hello,

I've got a filter which replaces references to a particular hostname
with another name, to allow testing of a new server.  The filter is
very simple, and works great for static files (thanks in part to some
earlier help from this list!)

But, I can't get it to work for CGI scripts.  If I put:

ScriptAlias /cgi-bin /home/flinthomes/cgi-perl

  AllowOverride None

 
  SetHandler perl-script
  PerlSetVar Filter On
  PerlHandler Apache::RegistryFilter Apache::SiteMoved
  PerlSendHeader On

 
  Options +ExecCGI
  allow from all


it displays the text of the Perl script.

I don't want the script to run under mod_perl since I'm still
debugging it on the new host; I want Apache to run it as usual, then
filter its output through the Apache::SiteMoved handler.

Is there a way to tell Apache and mod_perl to do that?

Thanks!

ScottG.


Re: Pushing OutputHandler using PerlFixupHandler

2005-03-22 Thread Tom Schindl
Stas Bekman wrote:
| Tom Schindl wrote:
|
[...]
|
| and finally the config section is lacking. Otherwise users will not know
| when this handler is run :)
|
| Thanks Tom.
|
Ok. Here it is including the config-sections and without the unneeded
imports :-)
Index: src/docs/2.0/user/handlers/filters.pod
===
--- src/docs/2.0/user/handlers/filters.pod	(Revision 158635)
+++ src/docs/2.0/user/handlers/filters.pod	(Arbeitskopie)
@@ -909,9 +909,35 @@
 C>.
 
 
+=head2 Adding OutFilters dynamically
 
+If you have the need to add output filters dymically during the request. 
+mod_perl 2.0 offers you the possibility to push filter callbacks during 
+the request is processed. If want for example add an outfilter during the
+Fixup-Phase the your config would look the following:
 
+  
+PerlFixupHandler MyApache::AddFilterDyn 
+  
 
+And your module could look like this:
+
+  package MyApache::AddFilterDyn;
+  
+  use Apache::Const -compile => qw(OK);
+  use Apache::Filter;
+  use MyApache::FilterObfuscate;
+
+  sub handler {
+my $r = shift;
+
+$r->add_output_filter(\&MyApache::FilterObfuscate::handler);
+
+return Apache::OK;
+  }
+
+  1;
+
 =head2 HTTP Request vs. Connection Filters
 
 mod_perl 2.0 supports connection and HTTP request filtering. mod_perl
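Review bot: the sentence added ahead of the config snippet has wording slips: "If want for example add an outfilter" is missing "you" and "to", and "the your config would look the following" should read "your config would look like the following". The paragraph also uses "outfilter", "OutFilters" and "output filters" for the same thing; pick one. The switch to "use Apache::Const -compile => qw(OK);" is consistent with the fully qualified "return Apache::OK;" at the end of handler, so the import side looks right now.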


Re: Pushing OutputHandler using PerlFixupHandler

2005-03-22 Thread Tom Schindl
and now without a typo :-(
Index: src/docs/2.0/user/handlers/filters.pod
===
--- src/docs/2.0/user/handlers/filters.pod	(Revision 158635)
+++ src/docs/2.0/user/handlers/filters.pod	(Arbeitskopie)
@@ -909,9 +909,35 @@
 C>.
 
 
+=head2 Adding OutFilters dynamically
 
+If you have the need to add output filters dymically during the request. 
+mod_perl 2.0 offers you the possibility to push filter callbacks during 
+the request is processed. If want for example add an outfilter during the
+Fixup-Phase your config would look the following:
 
+  
+PerlFixupHandler MyApache::AddFilterDyn 
+  
 
+And your module could look like this:
+
+  package MyApache::AddFilterDyn;
+  
+  use Apache::Const -compile => qw(OK);
+  use Apache::Filter;
+  use MyApache::FilterObfuscate;
+
+  sub handler {
+my $r = shift;
+
+$r->add_output_filter(\&MyApache::FilterObfuscate::handler);
+
+return Apache::OK;
+  }
+
+  1;
+
 =head2 HTTP Request vs. Connection Filters
 
 mod_perl 2.0 supports connection and HTTP request filtering. mod_perl
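Review bot: handler calls $r->add_output_filter(\&MyApache::FilterObfuscate::handler) unconditionally, so the example does not show why a reader would add the filter at request time. Suggest making the call depend on something that is only known during the request, or adding a sentence that says when this approach is the right choice. "dymically" and "If want for example add" are still present in the introductory paragraph.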


Re: Pushing OutputHandler using PerlFixupHandler

2005-03-22 Thread Stas Bekman
Tom Schindl wrote:
and now without a typo :-(
Looks good, Tom. One question though: Why not just do:

  PerlOutputFilterHandler Beso::OutFilterHandler

or did you mean the patch to be just a demonstration of how to add a 
filter if you are already inside some pre-response phase handler?

+  
+PerlFixupHandler MyApache::AddFilterDyn 
+  
[...]
+  sub handler {
+my $r = shift;
+
+$r->add_output_filter(\&MyApache::FilterObfuscate::handler);
+
+return Apache::OK;



Re: Pushing OutputHandler using PerlFixupHandler

2005-03-22 Thread Stas Bekman
Tom Schindl wrote:
Exactly as the title of the section should explain:
"Adding OutFilters dynamically"  ;-)
Thanks Tom. Both patches are now committed with a few tweaks and 
extensions. (will be online within 6h)



Re: Pushing OutputHandler using PerlFixupHandler

2005-03-22 Thread Tom Schindl
Stas Bekman wrote:
| Tom Schindl wrote:
|
|> and now without a typo :-(
|
|
| Looks good, Tom. One question though: Why not just do:
|
| 
|   PerlOutputFilterHandler Beso::OutFilterHandler
| 
|
| or did you mean the patch to be just a demonstration of how to add a
| filter if you are already inside some pre-response phase handler?
|
Exactly as the title of the section should explain:
"Adding OutFilters dynamically"  ;-)
|> +  
|> +PerlFixupHandler MyApache::AddFilterDyn +  
|
| [...]
|
|> +  sub handler {
|> +my $r = shift;
|> +
|> +$r->add_output_filter(\&MyApache::FilterObfuscate::handler);
|> +
|> +return Apache::OK;
|
|
|


trouble with Authen::SASL::Cyrus, GSSAPI, and mod_perl

2005-03-22 Thread Ben Poliakoff
[ Disclaimer: I'm new to mod_perl, but fairly comfortable with perl. ]

Has anyone successfully used this combination?

I've written a number of scripts that use the Authen::SASL::Cyrus xs
module (this module extends Authen::SASL, linking to libsasl and thereby
gaining access to the authentication mechanisms supported by libsasl).  

Using Authen::SASL::Cyrus allows me to easily write scripts that can do
SASL/GSSAPI authentication to various services (LDAP and IMAP, for
instance).  It would be appealing to use this module under mod_perl for
many reasons (not the least of which is performance).

These scripts can be readily ported to run with apache mod_cgi but they
run into trouble when running under mod_perl.  The heart of the matter
is that the Cyrus SASL library (libsasl) and the underlying
kerberos5/GSSAPI library derive the location of the user's credentials
(i.e. their kerberos ticket) from one of two places: the value of the
environment variable KRB5CCNAME or /tmp/krb5cc_$UIDNUMBER.

A bit of background, I have a single sign on system (an apache module)
that can get a kerberos ticket for an authenticated user, populating the
value of the KRB5CCNAME environment variable with the location of the
kerberos ticket.

In a nutshell, when I run my script as a CGI it forks (and finds the
value of $ENV{KRB5CCNAME}) and is able to do GSSAPI authentication to an
LDAP server as $ENV{REMOTE_USER} using the ticket in $ENV{KRB5CCNAME}.
But the same script under ModPerl::Registry fails because apache's not
using the credential cache specified in $ENV{KRB5CCNAME}; it's trying to
use the default credential cache for the apache user.

Is there a way to configure mod_perl such that when a script/handler
runs it always uses the run time value of $ENV{KRB5CCNAME}?

Using subprocess_env doesn't seem to be the solution since I'm not
dealing with a spawned sub process, the whole reason I'd like to use
mod_perl in this context is to get away from that model.

Suggestions or advice would be very much appreciated.

Ben


Re: Filter on top of a CGI script

2005-03-22 Thread Slava Bizyayev
Hi Scott,

As far as I understand, your handler Apache::SiteMoved does all the
dirty work for you on Apache-1, replacing the hostname. Additionally,
you want your CGI script to remain as a CGI for some reason. In this
case you can happily live with no Filter chain. Just take the input of
your handler through the pipe.

Hope this helps,

Slava
http://www.lastmileisp.com/

On Tue, 2005-03-22 at 14:12, Scott Gifford wrote:
> Hello,
> 
> I've got a filter which replaces references to a particular hostname
> with another name, to allow testing of a new server.  The filter is
> very simple, and works great for static files (thanks in part to some
> earlier help from this list!)
> 
> But, I can't get it to work for CGI scripts.  If I put:
> 
> ScriptAlias /cgi-bin /home/flinthomes/cgi-perl
> 
>   AllowOverride None
>   
>
>   SetHandler perl-script
>   PerlSetVar Filter On
>   PerlHandler Apache::RegistryFilter Apache::SiteMoved
>   PerlSendHeader On
>   
>
>   Options +ExecCGI
>   allow from all
> 
> 
> it displays the text of the Perl script.
> 
> I don't want the script to run under mod_perl since I'm still
> debugging it on the new host; I want Apache to run it as usual, then
> filter its output through the Apache::SiteMoved handler.
> 
> Is there a way to tell Apache and mod_perl to do that?
> 
> Thanks!
> 
> ScottG.



Re: Filter on top of a CGI script

2005-03-22 Thread Scott Gifford
Thanks for your response, Slava.  More below...

Slava Bizyayev <[EMAIL PROTECTED]> writes:

> Hi Scott,
>
> As far as I understand, your handler Apache::SiteMoved does all the
> dirty work for you on Apache-1, replacing the hostname. 

Yes.

> Additionally, you want your CGI script to remain as a CGI for some
> reason.

Yes.  I'll install it under mod_perl when it's working and debugged on
the new server.

> In this case you can happily live with no Filter chain. Just take
> the input of your handler through the pipe.

From a pipe where?  In my CGI script?

I actually managed to fix this by stealing a bunch of code from
Apache::Dynagzip, which basically re-implements the CGI handler in
Perl.  It seems kind of hackish, but it works!  At least well enough
to get me through this testing.

Thanks!

ScottG.