Apache-DBILogin
DBILogin.pm view on Meta::CPAN
foreach my $group (split /\s+/, $require) {
$authz_result = is_member($r, $dbh, $group);
last if ( $authz_result == (MP2 ? Apache2::Const::OK : Apache::Constants::OK) );
if ( $authz_result == (MP2 ? Apache2::Const::HTTP_INTERNAL_SERVER_ERROR : Apache::Constants::HTTP_INTERNAL_SERVER_ERROR) ) {
$r->log_reason("user $user: $@", $r->uri);
return MP2 ? Apache2::Const::HTTP_INTERNAL_SERVER_ERROR : Apache::Constants::HTTP_INTERNAL_SERVER_ERROR;
}
}
if ( $authz_result == (MP2 ? Apache2::Const::HTTP_FORBIDDEN : Apache::Constants::HTTP_FORBIDDEN) ) {
my $explaination = <<END;
<HTML>
<HEAD><TITLE>Unauthorized</TITLE></HEAD>
<BODY>
<H1>Unauthorized</H1>
User must be member of one of these required groups: $require
</BODY>
</HTML>
END
$r->custom_response(MP2 ? Apache2::Const::HTTP_FORBIDDEN : Apache::Constants::HTTP_FORBIDDEN, $explaination);
$r->log_reason("user $user: not authorized", $r->uri);
}
}
}
$dbh->disconnect;
return $authz_result;
}
1;
__END__
=head1 NAME
Apache::DBILogin - authenticates and authorizes via a DBI connection
=head1 SYNOPSIS
#in .htaccess
AuthName MyAuth
AuthType Basic
PerlAuthenHandler Apache::DBILogin::authen
PerlSetVar Auth_DBI_data_source dbi:Oracle:SQLNetAlias
PerlAuthzHandler Apache::DBILogin::authz
allow from all
require group connect resource dba
satisfy all
#in startup.pl
package Apache::DBILogin;
# is_member function for authz handler
# expects request object, database handle, and group for which to test
# returns valid response code
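sub is_member {
    # Authz helper: reports whether the database session behind $dbh can
    # enable the Oracle role named by $group.
    #   $r     - request object (not used by this implementation)
    #   $dbh   - database handle (presumably connected as the authenticated
    #            user - confirm against the authen handler)
    #   $group - one word taken from the "require" line
    # Returns OK when SET ROLE succeeds, HTTP_FORBIDDEN when it fails, and
    # HTTP_INTERNAL_SERVER_ERROR when the name is rejected or the statement
    # cannot be prepared; in that case the reason is left in $@.
    my ($r, $dbh, $group) = @_;
    my $sth;
    eval {
        # SET ROLE takes no bind parameters, so the name is interpolated into
        # the statement text. Accept only a plain unquoted identifier so that
        # nothing else from the require line can reach the SQL.
        # NOTE(review): ALL and NONE pass this pattern but are SET ROLE
        # keywords rather than role names - confirm whether to reject them.
        ( defined($group) && $group =~ /\A[A-Za-z][A-Za-z0-9_#\$]*\z/ )
            or die "invalid group name in require directive\n";
        $sth = $dbh->prepare("SET ROLE $group") or die $DBI::errstr;
    };
    return ( MP2 ? Apache2::Const::HTTP_INTERNAL_SERVER_ERROR
                 : Apache::Constants::HTTP_INTERNAL_SERVER_ERROR ) if ( $@ );

    # A failed execute means the role could not be enabled for this session.
    # The eval keeps a handle that has RaiseError set from dying out of the
    # handler; that case is reported as HTTP_FORBIDDEN like any other failure.
    my $enabled = eval { $sth->execute() };
    return ( defined $enabled ) ? (MP2 ? Apache2::Const::OK
                                       : Apache::Constants::OK)
                                : (MP2 ? Apache2::Const::HTTP_FORBIDDEN
                                       : Apache::Constants::HTTP_FORBIDDEN);
}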
=head1 DESCRIPTION
Apache::DBILogin allows authentication and authorization against a
multi-user database.
It is intended to facilitate web-based transactions against a database server
as a particular database user. If you wish to authenticate against a passwd
table instead, please see Edmund Mergl's Apache::AuthDBI module.
Group authorization is handled by your Apache::DBILogin::is_member()
function which you must define if you enable the authz handler.
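The above example uses Oracle roles to assign group membership. A role is a
set of database privileges which can be assigned to users. Unfortunately,
roles are vendor specific. Under Oracle you can test membership with the
"SET ROLE role_name" statement. You could also query the data dictionary view
DBA_ROLE_PRIVS, but under Oracle that requires an explicit privilege.
Because SET ROLE cannot use bind parameters, the example interpolates the
group name into the statement text, so keep the names in the require
directive to plain role identifiers.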
Documentation patches for other databases are welcome.
=head1 ENVIRONMENT
Applications may access the clear text password as well as the data_source
via the environment variables B<HTTP_MODPERL_DBILOGIN_PASSWORD> and
B<HTTP_MODPERL_DBILOGIN_DATA_SOURCE>.
#!/usr/bin/perl -wT
use strict;
use CGI;
use DBI;
my $name = $ENV{REMOTE_USER};
my $password = $ENV{HTTP_MODPERL_DBILOGIN_PASSWORD};
my $data_source = $ENV{HTTP_MODPERL_DBILOGIN_DATA_SOURCE};
my $dbh = DBI->connect($data_source, $name, $password)
or die "$DBI::err: $DBI::errstr\n";
...
=head1 SECURITY
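The database user's clear text passwd is made available in the
server's environment, so any code that runs for the request and can read
or print %ENV (CGI scripts, debugging or error pages that dump the
environment) can see it. Do you trust your developers?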
=head1 BUGS
Probably lots, I'm not the best programmer in the world.
=head1 NOTES
Feel free to email me with comments, suggestions, flames. It's the