
This queue is for tickets about the Plack CPAN distribution.

Report information
The Basics
Id: 57436
Status: resolved
Priority: 0/
Queue: Plack

People
Owner: Nobody in particular
Requestors: mcholste [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Plack::Middleware::Auth::Basic broken under Apache2
Date: Wed, 12 May 2010 13:47:45 -0500
To: bug-Plack [...] rt.cpan.org
From: Martin Holste <mcholste [...] gmail.com>
I'm trying to use Plack::Middleware::Auth::Basic in Apache2 under mod_perl (SetHandler perl-script), and I'm finding that the headers are not set correctly somewhere along the way. The only way to find the auth headers is like this:

    $env->{'psgi.input'}->headers_in->{Authorization}

instead of the way it's currently done:

    my $auth = $env->{HTTP_AUTHORIZATION}

because the header that HTTP::Headers would normally set for HTTP_AUTHORIZATION is only available via the Apache2::RequestRec ($r) object.

Checking $env->{HTTP_AUTHORIZATION} works fine under plackup.

Thanks,

Martin
Subject: Re: [rt.cpan.org #57436] Plack::Middleware::Auth::Basic broken under Apache2
Date: Wed, 12 May 2010 12:51:48 -0700
To: bug-Plack [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
This is weird, since we call subprocess_env, to tell mod_perl to populate the %ENV for us. When you dump $env (and %ENV), do you see other HTTP_ variables but not AUTHORIZATION? I won't be surprised if Apache special cases auth headers like this, though.
-- Tatsuhiko Miyagawa
Subject: Re: [rt.cpan.org #57436] Plack::Middleware::Auth::Basic broken under Apache2
Date: Wed, 12 May 2010 16:36:00 -0500
To: bug-Plack [...] rt.cpan.org
From: Martin Holste <mcholste [...] gmail.com>
Thanks for getting back to me so quickly.

Yes, other headers come through just fine. Here's what the call sub was seeing for env:

    env: $VAR1 = {
      'psgi.multiprocess' => 1,
      'SCRIPT_NAME' => '',
      'PATH_INFO' => '/inc/main.js',
      'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
      'REQUEST_METHOD' => 'GET',
      'psgi.multithread' => '',
      'SCRIPT_FILENAME' => '/srv/www/vuln/inc/main.js',
      'SERVER_SOFTWARE' => 'Apache/2.2.3 (Linux/SUSE)',
      'HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3',
      'REMOTE_PORT' => '3012',
      'QUERY_STRING' => '',
      'SERVER_SIGNATURE' => '<address>Apache/2.2.3 (Linux/SUSE) Server at detsecaudit.enterprise.wistate.us Port 80</address>
    ',
      'HTTP_CACHE_CONTROL' => 'max-age=0',
      'HTTP_ACCEPT_LANGUAGE' => 'en-us,en;q=0.5',
      'HTTP_KEEP_ALIVE' => '115',
      'psgi.streaming' => 1,
      'MOD_PERL_API_VERSION' => '2',
      'PATH' => '/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin',
      'PERL5LIB' => '/srv/www/vuln',
      'GATEWAY_INTERFACE' => 'CGI/1.1',
      'psgi.version' => [
        1,
        1
      ],
      'DOCUMENT_ROOT' => '/srv/www/vuln',
      'psgi.run_once' => '',
      'SERVER_NAME' => 'detsecaudit.enterprise.wistate.us',
      'SERVER_ADMIN' => 'root@utlmad0p0130',
      'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
      'HTTP_CONNECTION' => 'keep-alive',
      'HTTP_ACCEPT_CHARSET' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
      'SERVER_PORT' => '80',
      'REMOTE_ADDR' => '165.189.85.208',
      'SERVER_PROTOCOL' => 'HTTP/1.1',
      'psgi.errors' => *::STDERR,
      'REQUEST_URI' => '/inc/main.js',
      'psgi.nonblocking' => '',
      'SERVER_ADDR' => '10.68.20.91',
      'psgi.url_scheme' => 'http',
      'HTTP_HOST' => 'detsecaudit.enterprise.wistate.us',
      'MOD_PERL' => 'mod_perl/2.0.2',
      'psgi.input' => bless( do{\(my $o = '93824999249048')}, 'Apache2::RequestRec' )
    };

And here's what $r looks like:

    $VAR1 = bless( {
      'Host' => 'detsecaudit.enterprise.wistate.us',
      'User-Agent' => 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3',
      'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
      'Accept-Language' => 'en-us,en;q=0.5',
      'Accept-Encoding' => 'gzip,deflate',
      'Accept-Charset' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
      'Keep-Alive' => '115',
      'Connection' => 'keep-alive',
      'Authorization' => 'Basic FXBkZnFzAGY5',
      'Cache-Control' => 'max-age=0, max-age=0'
    }, 'APR::Table' );

Thanks for looking at this.

--Martin
Subject: Re: [rt.cpan.org #57436] Plack::Middleware::Auth::Basic broken under Apache2
Date: Wed, 12 May 2010 15:19:15 -0700
To: bug-Plack [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
I have no time to look at this in detail, but I'd assume in the case of mod_perl (and probably FastCGI and CGI as well), authentication and authorization have to be handled by the web server itself and doing the auth with a PSGI application in the main request handler is too late to do so.
-- Tatsuhiko Miyagawa
This is a limitation with web servers. Added documentation for that with a mod_rewrite workaround, on github c1c09a6
Subject: Re: [rt.cpan.org #57436] Plack::Middleware::Auth::Basic broken under Apache2
Date: Fri, 21 May 2010 15:23:28 -0500
To: bug-Plack [...] rt.cpan.org
From: Martin Holste <mcholste [...] gmail.com>
Actually, this is not the case. If you do not enable any authentication in Apache/mod_perl(1|2), it will pass the data through to Perl. I am using this successfully with Plack + Apache with a small patch to Plack::Middleware::Auth::Basic along the lines of my first email to incorporate $r from Apache::Request. It will then use headers found there if they are available, otherwise it will default to the standard $env->{HTTP_AUTHORIZATION}. I'd be happy to send you the patch if you like.

--Martin
Subject: Re: [rt.cpan.org #57436] Plack::Middleware::Auth::Basic broken under Apache2
Date: Fri, 21 May 2010 13:26:13 -0700
To: bug-Plack [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
On Fri, May 21, 2010 at 1:23 PM, Martin Holste via RT <bug-Plack@rt.cpan.org> wrote:
> Actually, this is not the case. If you do not enable any
> authentication in Apache/mod_perl(1|2), it will pass the data through
> to Perl. I am using this successfully with Plack + Apache with a
> small patch to Plack::Middleware::Auth::Basic along the lines of my
> first email to incorporate $r from Apache::Request.

You should look at my change. I added more generic workaround to pass Authorization header to the $env using mod_rewrite, which should work with CGI and FastCGI where you can't access $r.

Auth::Basic is not a right place to patch it - if you really wish to patch, should patch Plack::Handler::Apache* to restore Authorization headers and stash it into HTTP_AUTHORIZATION.
-- Tatsuhiko Miyagawa
Subject: Re: [rt.cpan.org #57436] Plack::Middleware::Auth::Basic broken under Apache2
Date: Fri, 21 May 2010 16:19:30 -0500
To: bug-Plack [...] rt.cpan.org
From: Martin Holste <mcholste [...] gmail.com>
Agreed, I've applied the mod_rewrite config and verified your way works just fine and is probably the easiest all around.

Thanks very much!
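The thread's point that the header should be restored before Auth::Basic runs, rather than by patching Auth::Basic, can be sketched in an app.psgi as follows. This is an added example, not code from Plack or from either participant; it assumes, as in the dump earlier in this ticket, that `psgi.input` is the Apache2::RequestRec object under mod_perl, and `$restore_authorization` and the credentials are hypothetical.

```perl
# app.psgi (added example, not Plack's own code)
use strict;
use warnings;
use Plack::Builder;
use Scalar::Util qw(blessed);

# Hypothetical wrapper: under mod_perl the Authorization header is missing
# from the PSGI environment, so copy it from the request record into $env
# before Auth::Basic looks at HTTP_AUTHORIZATION. When the header is already
# present (for example under plackup) nothing is changed.
my $restore_authorization = sub {
    my $app = shift;
    return sub {
        my $env = shift;
        my $r   = $env->{'psgi.input'};    # Apache2::RequestRec in this ticket's dump

        if (   !defined $env->{HTTP_AUTHORIZATION}
            && blessed($r)
            && $r->can('headers_in') )
        {
            my $value = $r->headers_in->{Authorization};
            $env->{HTTP_AUTHORIZATION} = $value if defined $value;
        }
        return $app->($env);
    };
};

# Minimal protected application; Auth::Basic sets REMOTE_USER on success.
my $app = sub {
    my $env = shift;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
        ["Hello $env->{REMOTE_USER}\n"] ];
};

builder {
    enable $restore_authorization;    # must run before Auth::Basic
    enable 'Auth::Basic', authenticator => sub {
        my ( $user, $pass ) = @_;
        # Constructed placeholder check; use a real credential store instead.
        return $user eq 'example-user' && $pass eq 'example-password';
    };
    $app;
};
```

Where `$r` is not reachable, as with CGI and FastCGI, this wrapper changes nothing and the mod_rewrite approach from the thread is the one that applies.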