Hello community,
here is the log from the commit of package perl-Apache-AuthCookie for openSUSE:Factory checked in at 2016-01-21 23:44:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-Apache-AuthCookie (Old)
and /work/SRC/openSUSE:Factory/.perl-Apache-AuthCookie.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-Apache-AuthCookie"
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-Apache-AuthCookie/perl-Apache-AuthCookie.changes 2015-12-29 12:59:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.perl-Apache-AuthCookie.new/perl-Apache-AuthCookie.changes 2016-01-22 01:09:48.000000000 +0100
@@ -1,0 +2,17 @@
+Tue Jan 19 09:34:24 UTC 2016 - coolo@suse.com
+
+- updated to 3.24
+ see /usr/share/doc/packages/perl-Apache-AuthCookie/Changes
+
+ 3.24 2016-01-13
+ - Update Apache 2.4 README, flesh out guts of Authz Provider notes.
+ - Improve Apache 2.4 README's AuthzProvider documentation
+ - Add POD to Apache2_4::AuthCookie
+ - Add FAQ to Apache2_4::AuthCookie documenation
+ - 2.4: document that PerlAddAuthzProvider is only needed for *custom* Requires directives.
+ - 2.4: make authz_handler recognize multiple usernames in the directive like
+ mod_authz_user does.
+ - add test case for internal authz_handler
+ - explicitly require Apache::Test 1.39 so that APACHE2_4 defines are set
+
+-------------------------------------------------------------------
Old:
----
Apache-AuthCookie-3.23.tar.gz
New:
----
Apache-AuthCookie-3.24.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-Apache-AuthCookie.spec ++++++
--- /var/tmp/diff_new_pack.XB2tIw/_old 2016-01-22 01:09:50.000000000 +0100
+++ /var/tmp/diff_new_pack.XB2tIw/_new 2016-01-22 01:09:50.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package perl-Apache-AuthCookie
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: perl-Apache-AuthCookie
-Version: 3.23
+Version: 3.24
Release: 0
%define cpan_name Apache-AuthCookie
Summary: Perl Authentication and Authorization via cookies
@@ -30,12 +30,12 @@
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: perl
BuildRequires: perl-macros
-BuildRequires: perl(Apache::Test) >= 1.35
+BuildRequires: perl(Apache::Test) >= 1.39
BuildRequires: perl(CGI) >= 3.12
BuildRequires: perl(Class::Load) >= 0.03
BuildRequires: perl(autobox) >= 1.1
BuildRequires: perl(mod_perl2) >= 1.999022
-Requires: perl(Apache::Test) >= 1.35
+Requires: perl(Apache::Test) >= 1.39
Requires: perl(CGI) >= 3.12
Requires: perl(Class::Load) >= 0.03
Requires: perl(autobox) >= 1.1
++++++ Apache-AuthCookie-3.23.tar.gz -> Apache-AuthCookie-3.24.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/Changes new/Apache-AuthCookie-3.24/Changes
--- old/Apache-AuthCookie-3.23/Changes 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/Changes 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,16 @@
Revision history for Apache::AuthCookie
+3.24 2016-01-13
+ - Update Apache 2.4 README, flesh out guts of Authz Provider notes.
+ - Improve Apache 2.4 README's AuthzProvider documentation
+ - Add POD to Apache2_4::AuthCookie
+ - Add FAQ to Apache2_4::AuthCookie documenation
+ - 2.4: document that PerlAddAuthzProvider is only needed for *custom* Requires directives.
+ - 2.4: make authz_handler recognize multiple usernames in the directive like
+ mod_authz_user does.
+ - add test case for internal authz_handler
+ - explicitly require Apache::Test 1.39 so that APACHE2_4 defines are set
+
3.23 2015-09-10
- Improve CGI mode param() handling to avoi CGI.pm's "param() called in list context" warning.
- add support for Apache 2.4 via mod_perl 1.09.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/MANIFEST new/Apache-AuthCookie-3.24/MANIFEST
--- old/Apache-AuthCookie-3.23/MANIFEST 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/MANIFEST 2016-01-14 00:16:15.000000000 +0100
@@ -32,6 +32,7 @@
t/htdocs/docs/index.html
t/htdocs/docs/login.pl
t/htdocs/docs/logout.pl
+t/htdocs/docs/myuser/get_me.html
t/htdocs/docs/protected/echo_user.pl
t/htdocs/docs/protected/get_me.html
t/htdocs/docs/stimeout/get_me.html
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/META.yml new/Apache-AuthCookie-3.24/META.yml
--- old/Apache-AuthCookie-3.23/META.yml 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/META.yml 2016-01-14 00:16:15.000000000 +0100
@@ -19,4 +19,4 @@
bugtracker: http://rt.cpan.org/Public/Dist/Display.html?Name=Apache-AuthCookie
homepage: http://search.cpan.org/dist/Apache-AuthCookie/
repository: git://github.com/mschout/apache-authcookie.git
-version: '3.23'
+version: '3.24'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/Makefile.PL new/Apache-AuthCookie-3.24/Makefile.PL
--- old/Apache-AuthCookie-3.23/Makefile.PL 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/Makefile.PL 2016-01-14 00:16:15.000000000 +0100
@@ -11,7 +11,7 @@
'NAME' => 'Apache::AuthCookie',
'VERSION_FROM' => 'lib/Apache/AuthCookie.pm',
'PREREQ_PM' => {
- 'Apache::Test' => 1.35,
+ 'Apache::Test' => 1.39,
'Test::More' => 0,
'CGI' => 0,
'Class::Load' => 0.03,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/README.apache-2.4.pod new/Apache-AuthCookie-3.24/README.apache-2.4.pod
--- old/Apache-AuthCookie-3.23/README.apache-2.4.pod 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/README.apache-2.4.pod 2016-01-14 00:16:15.000000000 +0100
@@ -25,7 +25,7 @@
=item Apache::Test
You need Apache::Test version 1.39 or later. Previous versions do not define
-the constant APACHE2_4 which is needed for the test suite.
+the constant C which is needed for the test suite.
=item Your AuthCookie Subclass
@@ -44,7 +44,8 @@
=item Apache2::Const::AUTHZ_DENIED_NO_USER
-return this constant if C<< $r->user >> is empty/undefined.
+return this constant if C<< $r->user >> is empty/undefined and you do not wish
+to allow anonymous access.
=item Apache2::Const::AUTHZ_DENIED
@@ -54,6 +55,16 @@
return this constant if C<< $r->user >> is authorized for the current request
+=item Apache2::Const::AUTHZ_GENERAL_ERROR
+
+return this constant to indicate an error processing authz requirements.
+
+=item Apache2::Const::AUTHZ_NEUTRAL
+
+return this constant to indicate a neutral response. It is assumed that
+another authz provider will be checked in a parent/sibling scope that will
+return granted or denied.
+
=back
=back
@@ -64,33 +75,150 @@
=item *
-Replace all C<PerlAuthzHandler> entries with top level C<PerlAddAuthzProvider> entries.
+Remove all C<PerlAuthzHandler> entries. C<PerlAuthzHandler> does not exist in Apache 2.4.
-C<PerlAuthzHandler> is gone in Apache 2.4. It has been replaced with
-C<PerlAddAuthzProvider>. C<PerlAddAUthzProvider> methods are expected to
-return one of C, C, or C.
-Other return values are not valid. Be sure you have ported your authz methods
-to return the appropriate constant!
+=item *
+
+Depending on what your C<Require> directives say, you may need to add one or
+more top level C<PerlAddAuthzProvider> entires and implement a handler for each
+one.
+
+If your C<Require> directives are simply C<valid-user> or C then you
+do not need to do this. Apache already provides an authz provider that handles
+C<user> and C<valid-user> requirements for you in C.
+
+C<AuthCookie> does provide a C for these requirements for
+backwards compatibility with previous versions, but the one provided by Apache
+is preferred.
=item *
-Add a C<PerlAddAuthzProvider> directive that calls C
+If you are C<Require>'ing anything other than C<valid-user> or C then
+you will need to write your own Authz Provider method and register it with Apache.
-E.g.:
+Authz Providers are the Apache 2.4 equivalent of a C<PerlAuthzHandler> method.
+Each one implements a specific requirement. E.g.:
- PerlAddAuthzProvider user Sample::Apache2::AuthCookieHandler->authz_handler
+ PerlAddAuthzProvider species My::AuthCookieHandler->authz_species
-Note that you can use something other than C<user>. e.g.: C<my-user> if you
-have other authentication modules in use that are responsible for
-C directives.
+Will be called to handle a
-=item *
+ Require species klingon
+
+Directive.
+
+It is important to know that Authz Providers are called B<twice> for
+a request. First, the authz provider is called before authentication has been
+processed to check for anonymous access. In this method call, C<< $r->user >>
+is not set. You are expected to return one of:
-Remove All Instances of PerlAuthzHandler that call authorize()
+=over 4
+
+=item AUTHZ_GRANTED
+
+Access is granted and no further authn/authz processing will occur for this
+request.
+
+=item AUTHZ_DENIED
+
+=item AUTHZ_NEUTRAL
-E.g.: remove all all instances of:
+The response is C (unless neutral is overridden by another
+provider)
- PerlAuthzHandler Your::AuthCookie::Handler->authorize
+=item AUTHZ_DENIED_NO_USER
+
+Authentication is processed, C<< $r->user >> will be set with the current
+username and your authz provider will be called again.
+
+=back
+
+The second time the authz provider is called, C<< $r->user >> is set and you
+are expected to return one of:
+
+=over 4
+
+=item AUTHZ_GRANTED
+
+The request is allowed
+
+=item AUTHZ_DENIED
+
+The request is forbidden
+
+=item AUTHZ_NEUTRAL
+
+The request is forbidden, unless another authz provider returns
+C. Consult the apache documentation about authorization merging
+for more info.
+
+=back
+
+You could also return C from any of these to indicate an
+error processing authz directives and halt processing immediately.
+
+One way to think about these response codes what kind of Require satisfies is
+in effect:
+
+=over 4
+
+=item RequireAll/RequireNone
+
+In this case the priority of responses is:
+
+=over 4
+
+=item AUTHZ_GENERAL_ERROR
+
+Processing stops immediately
+
+=item AUTHZ_DENIED
+
+Processing stops immediately, no siblings are processed. Request is denied.
+
+=item AUTHZ_DENIED_NO_USER
+
+Process Authentication and try again
+
+=item AUTHZ_GRANTED
+
+Continue processing siblings.
+
+=item AUTZ_NEUTRAL
+
+Continue processing siblings.
+
+=back
+
+=item RequireAny
+
+In this case the priority of responses is:
+
+=over 4
+
+=item AUTHZ_GENERAL_ERROR
+
+Processing stops immediately
+
+=item AUTHZ_GRANTED
+
+Processing stops immediately, no siblings are processed. Request is allowed.
+
+=item AUTHZ_DENIED_NO_USER
+
+Process Authentication and try again
+
+=item AUTHZ_DENIED
+
+Continue processing siblings.
+
+=item AUTZ_NEUTRAL
+
+Continue processing siblings.
+
+=back
+
+=back
=back
@@ -102,35 +230,34 @@
=item authorize() has been removed
-In C, C is replaced by C.
-C has a different return type from C<authorize>. Apache expects
-a return value of one of C, C, or
-C.
+You need to use a C<PerlAddAuthzProvider> and write an appropriate handler as
+described above instead. Note that you do not need a C<PerlAddAuthzProvider>
+for C<user> or C<valid-user> requirements. Apache already handles those
+internally.
=item ${auth_name}Satisfy
Satisfy support is removed as it is no longer needed with Apache 2.4.
-You can handle other non-user requirements with RequireAll, and additional
-AuthzProvider handlers:
+You are expected to use C<RequireAll> or C<RequireAny> instead.
e.g.:
- PerlAddAuthzProvider user Your::AuthCookieHandler->authz_handler
PerlAddAuthzProvider species Your::AuthCookieHandler->authz_species_handler
<RequireAll>
Require valid-user
- Require species gerbil
+ Require species klingon
</RequireAll>
-see: https://httpd.apache.org/docs/2.4/howto/auth.html#reqaccessctrl
+see: Lhttps://httpd.apache.org/docs/2.4/howto/auth.html#reqaccessctrl
=item Unauthorized User HTTP Response Code
-In Apache 2.4, in mod_authz_core, if no authz_handlers return C,
-then C is returned. In previous versions, C
-was returned. You can get the old behaviour if you want it with:
+In Apache 2.4, in C, if no authz handlers return C,
+then C is returned. In previous versions of Apache,
+C was returned. You can get the old behaviour if you want it
+with:
AuthzSendForbiddenOnFailure On
@@ -144,19 +271,20 @@
Why is my authz method called twice per request?
-This is normal behaviour under Apache 2.4. You are expected to return
-CApache2::Const::AUTHZ_DENIED_NO_USER IF C<< $r->user >> has not yet been
-set. Your authz handler will be called a second time after the user has been
-authenticated.
-
-=back
+This is normal behaviour under Apache 2.4. This is to accomodate for
+authorization of anonymous access. You are expected to return
+CApache2::Const::AUTHZ_DENIED_NO_USER IF C<< $r->user >> has not yet been set
+if you want authentication to proceed. Your authz handler will be called a
+second time after the user has been authenticated.
-=head1 TODO
+=item *
-=over 4
+My log shows an entry like:
-=item *
+ authorization result of Require ...: denied (no + # authenticated user yet)
-add support for mod_auth_socache if possible
+These are normal. This happens because the authz provider returned
+C and the authz provider will be called again after
+authentication happens.
=back
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/SIGNATURE new/Apache-AuthCookie-3.24/SIGNATURE
--- old/Apache-AuthCookie-3.23/SIGNATURE 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/SIGNATURE 2016-01-14 00:16:15.000000000 +0100
@@ -14,30 +14,30 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-SHA1 4fb2e9aca110ad4efaa9acba8e71d6bfb510ffff Changes
+SHA1 9fba73a06915fdf43a0e5a3809f174b5e860b182 Changes
SHA1 cb36dd242de6d18cd64c4b55444347ebf09e43e7 LICENSE
-SHA1 a308ff70c88e605fc3ca9a756d08f9003c536b94 MANIFEST
+SHA1 4c0c99ee3b19ecbc08f30491799faa2ac9ecebf8 MANIFEST
SHA1 0ff75e1a6186d7274e76387884eca541fdd5ca4a MANIFEST.SKIP
-SHA1 d8d592009b6ed9fc6f7007385e5bb0d5740fce39 META.yml
-SHA1 5b5d0d04447e4814ff7b91584e094175ac84e141 Makefile.PL
+SHA1 5ffafb81bd4fa549d1b9954477bdd30255a44299 META.yml
+SHA1 7a2275cdc405f9585d15d08ff8edeeed8e6558de Makefile.PL
SHA1 b9945378262a25db34dcdba06da956a52876188b README
-SHA1 b9a7c4716c9ac0f47b8a3e1ca8d0c18141595f5e README.apache-2.4.pod
+SHA1 0fbbaf3a8362d5356d104ce148db9e3d07e1c7bf README.apache-2.4.pod
SHA1 ccbc46a0385aabadd1e6f4a22f8d4ebb11b44901 README.modperl2
-SHA1 de860466abecb2f3be5deb75a7e5eb23a1af43ed lib/Apache/AuthCookie.pm
-SHA1 714a5abef95062cde56356bfcd5110fbbb562f21 lib/Apache/AuthCookie/Autobox.pm
-SHA1 59d7b1093b226bf896ddcea875accb55c40fc6c2 lib/Apache/AuthCookie/FAQ.pod
-SHA1 2bf8c686f85bbe52bcc5cf4236d8b8369a9dc031 lib/Apache/AuthCookie/Params.pm
-SHA1 22d88939f72b0c934dd54b3f895c7670a9e4afdf lib/Apache/AuthCookie/Params/Base.pm
-SHA1 d80828eb8fbb44f06e1262d5cdb0be136e7dd5f7 lib/Apache/AuthCookie/Params/CGI.pm
-SHA1 d37b201d846510b6197375260494c3b5857d562d lib/Apache/AuthCookie/Util.pm
-SHA1 33a0abcd4da5dcc8703c93ba0b6e99361c5624fe lib/Apache2/AuthCookie.pm
-SHA1 04a38982e21cd55af8b4730bf3adcbabefcbe47a lib/Apache2/AuthCookie/Base.pm
-SHA1 6945012b16cefcffb2c793b3a7bc19e6622a200c lib/Apache2/AuthCookie/Params.pm
-SHA1 c1b92f9f5956f6263e9a9c7bc1f977a167629fed lib/Apache2_4/AuthCookie.pm
+SHA1 b5885da476dded21d874ddaf62eeab9afa4ef660 lib/Apache/AuthCookie.pm
+SHA1 6cbdbebc1b4a1ce90f9ded7bf5c31f19c19f4e1b lib/Apache/AuthCookie/Autobox.pm
+SHA1 3fc5539118a30496b9c9a2659aa4ecba010d37f7 lib/Apache/AuthCookie/FAQ.pod
+SHA1 f05973756eaa606d62965641ce181ef877061bde lib/Apache/AuthCookie/Params.pm
+SHA1 8da245e78647a7d6f6319190b29571166b63ea34 lib/Apache/AuthCookie/Params/Base.pm
+SHA1 7565fa5fb1bbd2ac8776e0f48950b067ef6b3974 lib/Apache/AuthCookie/Params/CGI.pm
+SHA1 b79b109eb9e83eae771f84150e9e29a6cafa0c97 lib/Apache/AuthCookie/Util.pm
+SHA1 8893d614abb8a99907204bb493ef7508d5b6e769 lib/Apache2/AuthCookie.pm
+SHA1 cfc494f7d1b3047f365fda488a57e9d31080b0b7 lib/Apache2/AuthCookie/Base.pm
+SHA1 05f74437cc15aa913fda411cfeafd82613a2dc02 lib/Apache2/AuthCookie/Params.pm
+SHA1 ca36db816d36bbe96f8b84f6481bf11b50234905 lib/Apache2_4/AuthCookie.pm
SHA1 3ac8de46e7bba83f6969caec3c9c14cbd99881cb t/Skeleton/AuthCookieHandler.pm
SHA1 b1f854e6edecbdd44fc7b8db719e0fe21d9340d1 t/TEST.PL
SHA1 290c96de9cbeafe5cc6ad7f3a47d706e740ba28f t/autobox.t
-SHA1 5bdda8342212ecb7450da1e7c34ec42ff99146fd t/conf/extra.conf.in
+SHA1 14b2d1c4e40ea7477059c6b792e31592b15120a4 t/conf/extra.conf.in
SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/authall/get_me.html
SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/authany/get_me.html
SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/cookiename/get_me.html
@@ -46,19 +46,20 @@
SHA1 ff64131e263980ea9575b71dc05c5aa2063e135d t/htdocs/docs/index.html
SHA1 0dba04a9de174ab9881cfe575d1d23bb5fc588a8 t/htdocs/docs/login.pl
SHA1 b9eca1b328da7d703abaec2d6a6d5751866843ac t/htdocs/docs/logout.pl
+SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/myuser/get_me.html
SHA1 b37a85d16cbb2342b407f2ba70b8a61aa1ca67bb t/htdocs/docs/protected/echo_user.pl
SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/protected/get_me.html
SHA1 2156ea84b69ca7fef7b73d72a06c07cb145da7a9 t/htdocs/docs/stimeout/get_me.html
SHA1 d8a8ea1ebe037a4dea4ad8d1c5b0704b2d43e854 t/lib/Sample/Apache/AuthCookieHandler.pm
SHA1 b17b0f3ee3a6643cd57c0d9946c4aa62b0d9e3bb t/lib/Sample/Apache2/AuthCookieHandler.pm
SHA1 2fe3e04dd78f4e0ea8322f6482153bee96585b9a t/lib/Sample/Apache2_4/AuthCookieHandler.pm
-SHA1 e24b180df613b201f9b4b9945af3b56549df223b t/real.t
+SHA1 97d4f24fa12ac67b785863fefcb491fcf8836af9 t/real.t
SHA1 61cea839dd94aaaeb301ccac9b83cde4c5c91b42 t/signature.t
SHA1 e91bf0ef7d63322eaf15ca7d9907c6db47ce90ca t/startup.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-iEYEARECAAYFAlXxtwQACgkQ+CqvSzp9LOyCfgCePYmJ7pcURQ0YQ3OnG3JciB9d
-s8gAmgO+buvx/KVwsu+BpEGOL1bhKMBp
-=JIIU
+iEYEARECAAYFAlaW2r8ACgkQ+CqvSzp9LOznBwCfVyvPHeoEKntFe34bphvP2cOh
+bHEAn0jRy+56CvxnZpE0adpINHCgBTbI
+=N7RO
-----END PGP SIGNATURE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Autobox.pm new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Autobox.pm
--- old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Autobox.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Autobox.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache::AuthCookie::Autobox;
-$Apache::AuthCookie::Autobox::VERSION = '3.23';
+$Apache::AuthCookie::Autobox::VERSION = '3.24';
# ABSTRACT: Autobox Extensions for AuthCookie
use strict;
@@ -14,7 +14,7 @@
}
package Apache::AuthCookie::Autobox::Scalar;
-$Apache::AuthCookie::Autobox::Scalar::VERSION = '3.23';
+$Apache::AuthCookie::Autobox::Scalar::VERSION = '3.24';
sub is_blank {
return defined $_[0] && ($_[0] =~ /\S/) ? 0 : 1;
}
@@ -31,7 +31,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/FAQ.pod new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/FAQ.pod
--- old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/FAQ.pod 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/FAQ.pod 2016-01-14 00:16:15.000000000 +0100
@@ -1,6 +1,6 @@
# make Dist::Zilla happy.
package Apache::AuthCookie::FAQ;
-$Apache::AuthCookie::FAQ::VERSION = '3.23';
+$Apache::AuthCookie::FAQ::VERSION = '3.24';
# ABSTRACT: Frequently Asked Questions about Apache::AuthCookie.
1;
@@ -15,7 +15,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 DESCRIPTION
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Params/Base.pm new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Params/Base.pm
--- old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Params/Base.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Params/Base.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache::AuthCookie::Params::Base;
-$Apache::AuthCookie::Params::Base::VERSION = '3.23';
+$Apache::AuthCookie::Params::Base::VERSION = '3.24';
# ABSTRACT: Internal CGI AuthCookie Params Base Class
use strict;
@@ -44,7 +44,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Params/CGI.pm new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Params/CGI.pm
--- old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Params/CGI.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Params/CGI.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache::AuthCookie::Params::CGI;
-$Apache::AuthCookie::Params::CGI::VERSION = '3.23';
+$Apache::AuthCookie::Params::CGI::VERSION = '3.24';
# ABSTRACT: Internal CGI Params Subclass
use strict;
@@ -32,7 +32,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Params.pm new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Params.pm
--- old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Params.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Params.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache::AuthCookie::Params;
-$Apache::AuthCookie::Params::VERSION = '3.23';
+$Apache::AuthCookie::Params::VERSION = '3.24';
# ABSTRACT: AuthCookie Params Driver for mod_perl 1.x
use strict;
@@ -44,7 +44,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Util.pm new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Util.pm
--- old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie/Util.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie/Util.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache::AuthCookie::Util;
-$Apache::AuthCookie::Util::VERSION = '3.23';
+$Apache::AuthCookie::Util::VERSION = '3.24';
# ABSTRACT: Internal Utility Functions for AuthCookie
use strict;
@@ -96,7 +96,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SOURCE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie.pm new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie.pm
--- old/Apache-AuthCookie-3.23/lib/Apache/AuthCookie.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache/AuthCookie.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache::AuthCookie;
-$Apache::AuthCookie::VERSION = '3.23';
+$Apache::AuthCookie::VERSION = '3.24';
# ABSTRACT: Perl Authentication and Authorization via cookies
use strict;
@@ -549,7 +549,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache2/AuthCookie/Base.pm new/Apache-AuthCookie-3.24/lib/Apache2/AuthCookie/Base.pm
--- old/Apache-AuthCookie-3.23/lib/Apache2/AuthCookie/Base.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache2/AuthCookie/Base.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache2::AuthCookie::Base;
-$Apache2::AuthCookie::Base::VERSION = '3.23';
+$Apache2::AuthCookie::Base::VERSION = '3.24';
use strict;
use mod_perl2 '1.99022';
use Carp;
@@ -450,7 +450,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SOURCE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache2/AuthCookie/Params.pm new/Apache-AuthCookie-3.24/lib/Apache2/AuthCookie/Params.pm
--- old/Apache-AuthCookie-3.23/lib/Apache2/AuthCookie/Params.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache2/AuthCookie/Params.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache2::AuthCookie::Params;
-$Apache2::AuthCookie::Params::VERSION = '3.23';
+$Apache2::AuthCookie::Params::VERSION = '3.24';
# ABSTRACT: AuthCookie Params Driver for mod_perl 2.x
use strict;
@@ -40,7 +40,7 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache2/AuthCookie.pm new/Apache-AuthCookie-3.24/lib/Apache2/AuthCookie.pm
--- old/Apache-AuthCookie-3.23/lib/Apache2/AuthCookie.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache2/AuthCookie.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,5 +1,5 @@
package Apache2::AuthCookie;
-$Apache2::AuthCookie::VERSION = '3.23';
+$Apache2::AuthCookie::VERSION = '3.24';
# ABSTRACT: Perl Authentication and Authorization via cookies
use strict;
@@ -113,11 +113,11 @@
=head1 VERSION
-version 3.23
+version 3.24
=head1 SYNOPSIS
-Make sure your mod_perl is at least 1.24, with StackedHandlers,
+Make sure your mod_perl is at least 2.0.0-RC5, with StackedHandlers,
MethodHandlers, Authen, and Authz compiled in.
# In httpd.conf or .htaccess:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm new/Apache-AuthCookie-3.24/lib/Apache2_4/AuthCookie.pm
--- old/Apache-AuthCookie-3.23/lib/Apache2_4/AuthCookie.pm 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/lib/Apache2_4/AuthCookie.pm 2016-01-14 00:16:15.000000000 +0100
@@ -1,44 +1,53 @@
package Apache2_4::AuthCookie;
-$Apache2_4::AuthCookie::VERSION = '3.23';
+$Apache2_4::AuthCookie::VERSION = '3.24';
use strict;
use base 'Apache2::AuthCookie::Base';
use Apache::AuthCookie::Autobox;
+use Apache2::Log;
use Apache2::Const -compile => qw(AUTHZ_GRANTED AUTHZ_DENIED AUTHZ_DENIED_NO_USER);
+# You really do not need this provider at all. This provides an implementation
+# for "Require user ..." directives, that is compatible with mod_authz_core
+# (with the exception that expressions are not supported). You should really
+# just let mod_authz_core be your "user" authz provider. Nevertheless, due to
+# the fact that AuthCookie was released for Apache 2.4 with documentation that
+# shows this is needed, we leave this implementation for backwards
+# compatibility.
sub authz_handler {
- my ($auth_type, $r, @requires) = @_;
-
- return Apache2::Const::AUTHZ_DENIED unless @requires;
-
- my $debug = $r->dir_config("AuthCookieDebug") || 0;
+ my ($auth_type, $r, $requires) = @_;
my $user = $r->user;
- $r->server->log_error("authz user=$user type=$auth_type req=@requires") if $debug >=3;
-
if ($user->is_blank) {
- # user not yet authenticated
- $r->server->log_error("No user authenticated", $r->uri);
+ # user is not yet authenticated
return Apache2::Const::AUTHZ_DENIED_NO_USER;
}
- foreach my $req (@requires) {
- $r->server->log_error("requirement := $req") if $debug >= 2;
+ if ($requires->is_blank) {
+ $r->server->log_error(q[Your 'Require user ...' config does not specify any users]);
+ return Apache2::Const::AUTHZ_DENIED;
+ }
- if (lc $req eq 'valid-user') {
+ my $debug = $r->dir_config("AuthCookieDebug") || 0;
+
+ $r->server->log_error("authz user=$user type=$auth_type req=$requires") if $debug >=3;
+
+ for my $valid_user (split /\s+/, $requires) {
+ if ($user eq $valid_user) {
return Apache2::Const::AUTHZ_GRANTED;
}
-
- return $req eq $user ? Apache2::Const::AUTHZ_GRANTED : Apache2::Const::AUTHZ_DENIED;
}
+ # log a message similar to mod_authz_user
+ $r->log->debug(sprintf
+ q[access to %s failed, reason: user '%s' does not meet 'require'ments for a ].
+ q[user to be allowed access], $r->uri, $r->user);
+
return Apache2::Const::AUTHZ_DENIED;
}
1;
-__END__
-
=pod
=head1 NAME
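Review bot: The rewritten authz_handler silently drops the `valid-user` token that the 3.23 loop accepted (the removed `if (lc $req eq 'valid-user')` branch), so a site that followed the earlier README and registered this method under its own provider name with `Require my-user valid-user` now fails closed with the "does not meet 'require'ments" debug message instead of being granted. Failing closed is the right direction and matches mod_authz_user, which the new header comment says is the goal, but it is a behaviour change the Changes entry does not mention; I would extend the header comment with `# NOTE: unlike 3.23, 'valid-user' is no longer accepted as a username token here; use 'Require valid-user', which mod_authz_core handles, instead.` The blank-`$requires` check now runs after the `$user->is_blank` return, so a `Require user` line with no users still sends the client through authentication before being denied; restoring the 3.23 order (check `$requires` first) avoids a login round-trip for a directive that can never grant. Minor style point: `split ' ', $requires` is the idiomatic form that ignores leading whitespace, whereas `split /\s+/` yields an empty first element, harmless here only because `$user` is already known to be non-blank.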
@@ -47,7 +56,567 @@
=head1 VERSION
-version 3.23
+version 3.24
+
+=head1 SYNOPSIS
+
+Make sure your mod_perl is at least 2.0.9, with StackedHandlers,
+MethodHandlers, Authen, and Authz compiled in.
+
+ # In httpd.conf or .htaccess:
+ PerlModule Sample::Apache2::AuthCookieHandler
+ PerlSetVar WhatEverPath /
+ PerlSetVar WhatEverLoginScript /login.pl
+
+ # The following line is optional - it allows you to set the domain
+ # scope of your cookie. Default is the current domain.
+ PerlSetVar WhatEverDomain .yourdomain.com
+
+ # Use this to only send over a secure connection
+ PerlSetVar WhatEverSecure 1
+
+ # Use this if you want user session cookies to expire if the user
+ # doesn't request a auth-required or recognize_user page for some
+ # time period. If set, a new cookie (with updated expire time)
+ # is set on every request.
+ PerlSetVar WhatEverSessionTimeout +30m
+
+ # to enable the HttpOnly cookie property, use HttpOnly.
+ # this is an MS extension. See:
+ # http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
+ PerlSetVar WhatEverHttpOnly 1
+
+ # Usually documents are uncached - turn off here
+ PerlSetVar WhatEverCache 1
+
+ # Use this to make your cookies persistent (+2 hours here)
+ PerlSetVar WhatEverExpires +2h
+
+ # Use to make AuthCookie send a P3P header with the cookie
+ # see http://www.w3.org/P3P/ for details about what the value
+ # of this should be
+ PerlSetVar WhatEverP3P "CP=\"...\""
+
+ # These documents require user to be logged in.
+
+ AuthType Sample::Apache2::AuthCookieHandler
+ AuthName WhatEver
+ PerlAuthenHandler Sample::Apache2::AuthCookieHandler->authenticate
+ Require valid-user
+ </Location>
+
+ # How to handle a custom requirement (non-user).
+ PerlAddAuthzProvider species Sample::Apache2::AuthCookieHandler->authz_species
+
+ Require species klingon
+ </Location>
+
+ # These documents don't require logging in, but allow it.
+
+ AuthType Sample::Apache2::AuthCookieHandler
+ AuthName WhatEver
+ PerlFixupHandler Sample::Apache2::AuthCookieHandler->recognize_user
+ </FilesMatch>
+
+ # This is the action of the login.pl script above.
+ <Files LOGIN>
+ AuthType Sample::Apache2::AuthCookieHandler
+ AuthName WhatEver
+ SetHandler perl-script
+ PerlResponseHandler Sample::Apache2::AuthCookieHandler->login
+ </Files>
+
+=head1 DESCRIPTION
+
+This module is for C version 2 for C<Apache> version 2.4.x. If you
+are running mod_perl version 1, you need BApache::AuthCookie instead. If you
+are running C<Apache> 2.0.0-2.2.x, you need BApache2::AuthCookie instead.
+
+B allows you to intercept a user's first unauthenticated
+access to a protected document. The user will be presented with a custom form
+where they can enter authentication credentials. The credentials are posted to
+the server where AuthCookie verifies them and returns a session key.
+
+The session key is returned to the user's browser as a cookie. As a cookie, the
+browser will pass the session key on every subsequent accesses. AuthCookie will
+verify the session key and re-authenticate the user.
+
+All you have to do is write a custom module that inherits from AuthCookie.
+Your module is a class which implements two methods:
+
+=over 4
+
+=item C
+
+Verify the user-supplied credentials and return a session key. The session key
+can be any string - often you'll use some string containing username, timeout
+info, and any other information you need to determine access to documents, and
+append a one-way hash of those values together with some secret key.
+
+=item C
+
+Verify the session key (previously generated by C, possibly
+during a previous request) and return the user ID. This user ID will be fed to
+C<$r-E<gt>user()> to set Apache's idea of who's logged in.
+
+=back
+
+By using AuthCookie versus Apache's built-in AuthBasic you can design your own
+authentication system. There are several benefits.
+
+=over 4
+
+=item 1.
+
+The client doesn't *have* to pass the user credentials on every subsequent
+access. If you're using passwords, this means that the password can be sent on
+the first request only, and subsequent requests don't need to send this
+(potentially sensitive) information. This is known as "ticket-based"
+authentication.
+
+=item 2.
+
+When you determine that the client should stop using the credentials/session
+key, the server can tell the client to delete the cookie. Letting users "log
+out" is a notoriously impossible-to-solve problem of AuthBasic.
+
+=item 3.
+
+AuthBasic dialog boxes are ugly. You can design your own HTML login forms when
+you use AuthCookie.
+
+=item 4.
+
+You can specify the domain of a cookie using C<PerlSetVar> commands. For
+instance, if your AuthName is C<WhatEver>, you can put the command
+
+ PerlSetVar WhatEverDomain .yourhost.com
+
+into your server setup file and your access cookies will span all hosts ending
+in C<.yourhost.com>.
+
+=item 5.
+
+You can optionally specify the name of your cookie using the C<CookieName>
+directive. For instance, if your AuthName is C<WhatEver>, you can put the
+command
+
+ PerlSetVar WhatEverCookieName MyCustomName
+
+into your server setup file and your cookies for this AuthCookie realm will be
+named MyCustomName. Default is AuthType_AuthName.
+
+=back
+
+This is the flow of the authentication handler, less the details of the
+redirects. Two HTTP_MOVED_TEMPORARILY's are used to keep the client from
+displaying the user's credentials in the Location field. They don't really
+change AuthCookie's model, but they do add another round-trip request to the
+client.
+
+=for html <PRE>
+
+ (-----------------------) +---------------------------------+
+ ( Request a protected ) | AuthCookie sets custom error |
+ ( page, but user hasn't )---->| document and returns |
+ ( authenticated (no ) | HTTP_FORBIDDEN. Apache abandons |
+ ( session key cookie) ) | current request and creates sub |
+ (-----------------------) | request for the error document. |<-+
+ | Error document is a script that | |
+ | generates a form where the user | |
+ return | enters authentication | |
+ ^------------------->| credentials (login & password). | |
+ / \ False +---------------------------------+ |
+ / \ | |
+ / \ | |
+ / \ V |
+ / \ +---------------------------------+ |
+ / Pass \ | User's client submits this form | |
+ / user's \ | to the LOGIN URL, which calls | |
+ | credentials |<------------| AuthCookie->login(). | |
+ \ to / +---------------------------------+ |
+ \authen_cred/ |
+ \ function/ |
+ \ / |
+ \ / |
+ \ / +------------------------------------+ |
+ \ / return | Authen cred returns a session | +--+
+ V------------->| key which is opaque to AuthCookie.*| |
+ True +------------------------------------+ |
+ | |
+ +--------------------+ | +---------------+
+ | | | | If we had a |
+ V | V | cookie, add |
+ +----------------------------+ r | ^ | a Set-Cookie |
+ | If we didn't have a session| e |T / \ | header to |
+ | key cookie, add a | t |r / \ | override the |
+ | Set-Cookie header with this| u |u / \ | invalid cookie|
+ | session key. Client then | r |e / \ +---------------+
+ | returns session key with | n | / pass \ ^
+ | successive requests | | / session \ |
+ +----------------------------+ | / key to \ return |
+ | +-| authen_ses_key|------------+
+ V \ / False
+ +-----------------------------------+ \ /
+ | Tell Apache to set Expires header,| \ /
+ | set user to user ID returned by | \ /
+ | authen_ses_key, set authentication| \ /
+ | to our type (e.g. AuthCookie). | \ /
+ +-----------------------------------+ \ /
+ V
+ (---------------------) ^
+ ( Request a protected ) |
+ ( page, user has a )--------------+
+ ( session key cookie )
+ (---------------------)
+
+
+ * The session key that the client gets can be anything you want. For
+ example, encrypted information about the user, a hash of the
+ username and password (similar in function to Digest
+ authentication), or the user name and password in plain text
+ (similar in function to HTTP Basic authentication).
+
+ The only requirement is that the authen_ses_key function that you
+ create must be able to determine if this session_key is valid and
+ map it back to the originally authenticated user ID.
+
+=for html </PRE>
+
+=head1 METHODS
+
+C has several methods you should know about.
+
+=over 4
+
+=item * authenticate()
+
+This method is one you'll use in a server config file (httpd.conf, .htaccess,
+...) as a PerlAuthenHandler. If the user provided a session key in a cookie,
+the C method will get called to check whether the key is
+valid. If not, or if there is no key provided, we redirect to the login form.
+
+=item * authen_cred()
+
+You must define this method yourself in your subclass of
+C. Its job is to create the session key that will be
+preserved in the user's cookie. The arguments passed to it are:
+
+ sub authen_cred ($$\@) {
+ my $self = shift; # Package name (same as AuthName directive)
+ my $r = shift; # Apache request object
+ my @cred = @_; # Credentials from login form
+
+ ...blah blah blah, create a session key...
+ return $session_key;
+ }
+
+The only limitation on the session key is that you should be able to look at it
+later and determine the user's username. You are responsible for implementing
+your own session key format. A typical format is to make a string that
+contains the username, an expiration time, whatever else you need, and an MD5
+hash of all that data together with a secret key. The hash will ensure that
+the user doesn't tamper with the session key.
+
+=item * authen_ses_key()
+
+You must define this method yourself in your subclass of
+C. Its job is to look at a session key and determine
+whether it is valid. If so, it returns the username of the authenticated user.
+
+ sub authen_ses_key ($$$) {
+ my ($self, $r, $session_key) = @_;
+ ...blah blah blah, check whether $session_key is valid...
+ return $ok ? $username : undef;
+ }
+
+Optionally, return an array of 2 or more items that will be passed to method
+custom_errors. It is the responsibility of this method to return the correct
+response to the main Apache module.
+
+=item * custom_errors($r,@_)
+
+This method handles the server response when you wish to access the Apache
+custom_response method. Any suitable response can be used. this is
+particularly useful when implementing 'by directory' access control using
+the user authentication information. i.e.
+
+ /restricted
+ /one user is allowed access here
+ /two not here
+ /three AND here
+
+The authen_ses_key method would return a normal response when the user attempts
+to access 'one' or 'three' but return (NOT_FOUND, 'File not found') if an
+attempt was made to access subdirectory 'two'. Or, in the case of expired
+credentials, (AUTH_REQUIRED,'Your session has timed out, you must login
+again').
+
+ example 'custom_errors'
+
+ sub custom_errors {
+ my ($self,$r,$CODE,$msg) = @_;
+
+ # return custom message else use the server's standard message
+ $r->custom_response($CODE, $msg) if $msg;
+
+ return($CODE);
+ }
+
+ where CODE is a valid code from Apache2::Const
+
+=item * login()
+
+This method handles the submission of the login form. It will call the
+C method, passing it C<$r> and all the submitted data with names
+like C<"credential_#">, where # is a number. These will be passed in a simple
+array, so the prototype is C<$self-E<gt>authen_cred($r, @credentials)>. After
+calling C, we set the user's cookie and redirect to the URL
+contained in the C<"destination"> submitted form field.
+
+=item * login_form($r)
+
+This method is responsible for displaying the login form. The default
+implementation will make an internal redirect and display the URL you specified
+with the C<PerlSetVar WhatEverLoginScript> configuration directive. You can
+overwrite this method to provide your own mechanism.
+
+=item * login_form_status($r)
+
+This method returns the HTTP status code that will be returned with the login
+form response. The default behaviour is to return HTTP_FORBIDDEN, except for
+some known browsers which ignore HTML content for HTTP_FORBIDDEN responses
+(e.g.: SymbianOS). You can override this method to return custom codes.
+
+Note that HTTP_FORBIDDEN is the most correct code to return as the given
+request was not authorized to view the requested page. You should only change
+this if HTTP_FORBIDDEN does not work.
+
+=item * logout()
+
+This is simply a convenience method that unsets the session key for you. You
+can call it in your logout scripts. Usually this looks like
+C<$r-E<gt>auth_type-E<gt>logout($r);>.
+
+=item * send_cookie($r, $session_key)
+
+By default this method simply sends out the session key you give it. If you
+need to change the default behavior (perhaps to update a timestamp in the key)
+you can override this method.
+
+=item * recognize_user()
+
+If the user has provided a valid session key but the document isn't protected,
+this method will set C<$r-E<gt>user> anyway. Use it as a PerlFixupHandler,
+unless you have a better idea.
+
+=item * key($r)
+
+This method will return the current session key, if any. This can be handy
+inside a method that implements a C<require> directive check (like the
+C<species> method discussed above) if you put any extra information like
+clearances or whatever into the session key.
+
+=item * untaint_destination($self, $uri)
+
+This method returns a modified version of the destination parameter before
+embedding it into the response header. Per default it escapes CR, LF and TAB
+characters of the uri to avoid certain types of security attacks. You can
+override it to more limit the allowed destinations, e.g., only allow relative
+uris, only special hosts or only limited set of characters.
+
+=back
+
+=head1 EXAMPLE
+
+For an example of how to use C, you may want to check
+out the test suite, which runs AuthCookie through a few of its paces. The
+documents are located in t/eg/, and you may want to peruse t/real.t to see the
+generated httpd.conf file (at the bottom of real.t) and check out what requests
+it's making of the server (at the top of real.t).
+
+=head1 THE LOGIN SCRIPT
+
+You will need to create a login script (called login.pl above) that generates
+an HTML form for the user to fill out. You might generate the page using a
+ModPerl::Registry script, a HTML::Mason component, an Apache handler, or
+perhaps even using a static HTML page. It's usually useful to generate it
+dynamically so that you can define the 'destination' field correctly (see
+below).
+
+The following fields must be present in the form:
+
+=over 4
+
+=item 1.
+
+The ACTION of the form must be /LOGIN (or whatever you defined in your
+server configuration as handled by the C<-E<gt>login()> method - see example in
+the SYNOPSIS section).
+
+=item 2.
+
+The various user input fields (username, passwords, etc.) must be named
+'credential_0', 'credential_1', etc. on the form. These will get passed to
+your C method.
+
+=item 3.
+
+You must define a form field called 'destination' that tells AuthCookie where
+to redirect the request after successfully logging in. Typically this value is
+obtained from C<$r-E<gt>prev-E<gt>uri>. See the login.pl script in t/eg/.
+
+=back
+
+In addition, you might want your login page to be able to tell why the user is
+being asked to log in. In other words, if the user sent bad credentials, then
+it might be useful to display an error message saying that the given username
+or password are invalid. Also, it might be useful to determine the difference
+between a user that sent an invalid auth cookie, and a user that sent no auth
+cookie at all. To cope with these situations, B<AuthCookie> will set
+C<$r-E<gt>subprocess_env('AuthCookieReason')> to one of the following values.
+
+=over 4
+
+=item I
+
+The user presented no cookie at all. Typically this means the user is
+trying to log in for the first time.
+
+=item I
+
+The cookie the user presented is invalid. Typically this means that the user
+is not allowed access to the given page.
+
+=item I
+
+The user tried to log in, but the credentials that were passed are invalid.
+
+=back
+
+You can examine this value in your login form by examining
+C<$r-E<gt>prev-E<gt>subprocess_env('AuthCookieReason')> (because it's a
+sub-request).
+
+Of course, if you want to give more specific information about why access
+failed when a cookie is present, your C method can set
+arbitrary entries in C<$r-E<gt>subprocess_env>.
+
+=head1 THE LOGOUT SCRIPT
+
+If you want to let users log themselves out (something that can't be done using
+Basic Auth), you need to create a logout script. For an example, see
+t/htdocs/docs/logout.pl. Logout scripts may want to take advantage of
+AuthCookie's C method, which will set the proper cookie headers in
+order to clear the user's cookie. This usually looks like
+C<$r-E<gt>auth_type-E<gt>logout($r);>.
+
+Note that if you don't necessarily trust your users, you can't count on cookie
+deletion for logging out. You'll have to expire some server-side login
+information too. AuthCookie doesn't do this for you, you have to handle it
+yourself.
+
+=head1 ABOUT SESSION KEYS
+
+Unlike the sample AuthCookieHandler, you have you verify the user's login and
+password in C, then you do something like:
+
+ my $date = localtime;
+ my $ses_key = Digest::SHA::sha256_hex(join(';', $date, $PID, $PAC));
+
+save C<$ses_key> along with the user's login, and return C<$ses_key>.
+
+Now C looks up the C<$ses_key> passed to it and returns the
+saved login. I use a database to store the session key and retrieve it later.
+
+=head1 FREQUENTLY ASKED QUESTIONS
+
+=over 4
+
+=item *
+
+I upgraded to Apache 2.4 and now AuthCookie doesn't work!
+
+Apache 2.4 radically changed the authenciation and authorization API. You will
+need to port your AuthCookie subclass over to the Apache 2.4 API. See the POD
+documenation in L for more information, but the quick
+rundown is you need to:
+
+=over 4
+
+=item *
+
+Inherit from C
+
+=item *
+
+Remove all C<PerlAuthzHandler> configuration entries.
+
+=item *
+
+Write Authz Provider methods for any C<Requires> directives that you are using
+that apache does not provide for already (e.g. apache already handles C<user>
+and C<valid-user>) and register them with something like.
+
+ PerlAddAuthzProvier species Sample::AuthCookieHandler->authz_species
+
+=item *
+
+Replace instances of C<${AuthName}Satistfy> with either C<RequireAll> or
+C<RequireAny> blocks.
+
+=back
+
+=item *
+
+Why is my authz method called twice per request?
+
+This is normal behaviour under Apache 2.4. This is to accomodate for
+authorization of anonymous access. You are expected to return
+CApache2::Const::AUTHZ_DENIED_NO_USER IF C<< $r->user >> has not yet been set
+if you want authentication to proceed. Your authz handler will be called a
+second time after the user has been authenticated.
+
+=item *
+
+AuthCookie authenticates, but the authorization handler is returning
+C<UNAUTHORIZED> instead of C<FORBIDDEN>!
+
+In Apache 2.4, in C, if no authz handlers return C,
+then C is returned. In previous versions of Apache,
+C was returned. You can get the old behaviour if you want it
+with:
+
+ AuthzSendForbiddenOnFailure On
+
+=item *
+
+My log shows an entry like:
+
+ authorization result of Require ...: denied (no authenticated user yet)
+
+These are normal. This happens because the authz provider returned
+C and the authz provider will be called again after
+authentication happens.
+
+=back
+
+=head1 HISTORY
+
+Originally written by Eric Bartley
+
+versions 2.x were written by Ken Williams
+
+=head1 COPYRIGHT
+
+Copyright (c) 2015 Michael Schout. All rights reserved.
+
+This program is free software; you can redistribute it and/or modify it under
+the same terms as Perl itself.
+
+=head1 SEE ALSO
+
+L, L, L.
=head1 SOURCE
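Review bot: The FAQ example `PerlAddAuthzProvier species Sample::AuthCookieHandler->authz_species` misspells the directive (it is `PerlAddAuthzProvider`), so a reader who copies it gets a configuration error; the same item says `Requires directives` where the directive is `Require`, and its class name differs from the `Sample::Apache2::AuthCookieHandler` used throughout the SYNOPSIS. The authen_cred() section still recommends "an MD5 hash of all that data together with a secret key" while ABOUT SESSION KEYS already points at Digest::SHA; I would align the two and name a keyed construction, e.g. `Digest::SHA::hmac_sha256_hex(join(';', @fields), $secret)`, since the stated goal is that users cannot tamper with the key. Other wording defects worth a pass: "authenciation", "documenation", "Satistfy", "accomodate". The COPYRIGHT line still reads 2015 for a 2016 release.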
@@ -71,3 +640,8 @@
the same terms as the Perl 5 programming language system itself.
=cut
+
+__END__
+
+
+# vim: sw=4 ts=4 ai et
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/t/conf/extra.conf.in new/Apache-AuthCookie-3.24/t/conf/extra.conf.in
--- old/Apache-AuthCookie-3.23/t/conf/extra.conf.in 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/t/conf/extra.conf.in 2016-01-14 00:16:15.000000000 +0100
@@ -12,7 +12,7 @@
<IfDefine APACHE2_4>
PerlModule Sample::Apache2_4::AuthCookieHandler
PerlAddAuthzProvider dwarf Sample::Apache2_4::AuthCookieHandler->dwarf
- PerlAddAuthzProvider user Sample::Apache2_4::AuthCookieHandler->authz_handler
+ PerlAddAuthzProvider myuser Sample::Apache2_4::AuthCookieHandler->authz_handler
</IfDefine>
</IfDefine>
@@ -73,8 +73,7 @@
PerlAuthenHandler Sample::Apache2_4::AuthCookieHandler->authenticate
</IfDefine>
</IfDefine>
- Require user some-user
- Require user programmer
+ Require user some-user programmer
Require user 0
</Location>
@@ -113,6 +112,39 @@
</RequireAll>
</IfDefine>
</Location>
+
+# test our internal authz_handler for apache 2.4
+
+ AuthName WhatEver
+
+ <IfDefine APACHE1>
+ AuthType Sample::Apache::AuthCookieHandler
+ PerlAuthenHandler Sample::Apache::AuthCookieHandler->authenticate
+ PerlAuthzHandler Sample::Apache::AuthCookieHandler->authorize
+ </IfDefine>
+ <IfDefine APACHE2>
+
+ PerlAuthenHandler Sample::Apache2::AuthCookieHandler->authenticate
+ AuthType Sample::Apache2::AuthCookieHandler
+ PerlAuthzHandler Sample::Apache2::AuthCookieHandler->authorize
+ </IfDefine>
+ <IfDefine APACHE2_4>
+ PerlAuthenHandler Sample::Apache2_4::AuthCookieHandler->authenticate
+ AuthType Sample::Apache2_4::AuthCookieHandler
+ </IfDefine>
+ </IfDefine>
+
+
+ # apache 1.x, apache 2.0, apache 2.2
+ Require user programmer
+ </IfDefine>
+ <IfDefine APACHE2_4>
+ # apache 2.4
+ <RequireAll>
+ Require myuser dopey programmer
+ </RequireAll>
+ </IfDefine>
+</Location>
PerlSetVar WhatEverSessionTimeout +10m
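Review bot: In the new block that real.t reaches via /docs/myuser/get_me.html, the pre-2.4 branches require only `Require user programmer`, while the 2.4 branch requires `Require myuser dopey programmer`, so the multi-name list this release teaches authz_handler to parse is exercised on 2.4 only; the block above already uses `Require user some-user programmer` for every version, so `Require user dopey programmer` in the older branches would keep the test equivalent across versions. The opening `<Location>` and `<IfDefine>` lines of this block are not visible in this rendering, so I cannot check the nesting; the unmatched closing tags suggest a `!APACHE2_4` guard around the older branches. The `<RequireAll>` wrapper around a single `Require` line is redundant but harmless.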
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/t/htdocs/docs/myuser/get_me.html new/Apache-AuthCookie-3.24/t/htdocs/docs/myuser/get_me.html
--- old/Apache-AuthCookie-3.23/t/htdocs/docs/myuser/get_me.html 1970-01-01 01:00:00.000000000 +0100
+++ new/Apache-AuthCookie-3.24/t/htdocs/docs/myuser/get_me.html 2016-01-14 00:16:15.000000000 +0100
@@ -0,0 +1,9 @@
+<HTML>
+<HEAD>
+<TITLE>Congratulations</TITLE>
+</HEAD>
+<BODY>
+<H1>Congratulations, you got past AuthCookie</H1>
+<P><A HREF="../logout.pl">Log Out</A></P>
+</BODY>
+</HTML>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Apache-AuthCookie-3.23/t/real.t new/Apache-AuthCookie-3.24/t/real.t
--- old/Apache-AuthCookie-3.23/t/real.t 2015-09-10 18:59:48.000000000 +0200
+++ new/Apache-AuthCookie-3.24/t/real.t 2016-01-14 00:16:15.000000000 +0100
@@ -14,7 +14,7 @@
Apache::TestRequest::user_agent( reset => 1, requests_redirectable => 0 );
-plan tests => 51, need_lwp;
+plan tests => 52, need_lwp;
ok 1; # we loaded.
@@ -228,6 +228,17 @@
'username=0 access allowed');
}
+# local authz provider test for 2.4 (works same as authany on older versions)
+{
+ my $r = GET(
+ '/docs/myuser/get_me.html',
+ Cookie => 'Sample::AuthCookieHandler_WhatEver=programmer:Hero'
+ );
+
+ like($r->content, qr/Congratulations, you got past AuthCookie/,
+ 'myuser=programmer access allowed');
+}
+
# login with username=0 works
{
my $r = POST('/LOGIN', [
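Review bot: The new block tests only the positive path of the internal authz provider (a cookie for `programmer`, which is the second name in the `Require myuser dopey programmer` list); unless one exists elsewhere in real.t, a companion request with a cookie for a user that is not in that list, asserting that the Congratulations page is not served, would pin the denial branch that this release reworked in authz_handler, with the plan moving from 52 to 53. The comment `works same as authany on older versions` does not match what extra.conf.in configures for those versions, which is a plain `Require user programmer`; I would write `# on older versions this is an ordinary Require user check`.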