CC: | unrtst [...] gmail.com |
Subject: | BUG: Incompatibility with LWP 6.x under persistent environments |
LWP::UserAgent::credentials and LWP::UserAgent::get_basic_credentials
changed at some point around after 5.805 and before 6.02. Also,
LWP::Authen::Basic changed.
Authen::Simple::HTTP implements credential handling by overriding the
get_basic_credentials methods in LWP::UserAgent (or the given LWP class).
This breaks with the new LWP because Authen::Simple::HTTP keeps the
LWP::UserAgent instance as class data (Class::Data::Inheritable), so a
new instance of LWP isn't created for every new Authen::Simple::HTTP...
and LWP is caching the user/pass per instance (per host+port+realm) via
the credentials sub in an instance variable.
Whew... anyway... the attached patch,
"Authen-Simple-HTTP-0.2.lwp-fix.patch", works around that by also
overriding the "credentials" sub in a safe way.
Two other patches are included.
"Authen-Simple-HTTP-0.2.request-method-feature.patch" adds a new feature
I've been maintaining separately for 2.5 years. It adds support for a
"request_method" option, so that the LWP request can be forced to use
"get", "head", or "post" when doing the auth check (or anything the user
agent supports).
This was needed to work around a wonky server that would return 404
errors when issued HEAD requests, but worked fine with GET requests (it
was a Microsoft Exchange Outlook Web Access site running on Microsoft IIS).
"Authen-Simple-HTTP-0.2.lwp-and-request-method-feature.patch" combines
both patchsets.
Please consider these for inclusion in the next version.
Please note, the request_method patch provided here, IMO, is a safer
implementation than that provided in bug #26468, but it does not address
providing additional options to LWP via apache config (IMO, that should
be handled via a subclass anyway).
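The caching interaction described in this report, modelled as an added example (not code from the ticket, from Authen::Simple::HTTP or from LWP). `ToyAgent`, its `login` method, the netloc and realm strings and the alice/bob credentials are constructed stand-ins; the lookup order in `login` is an assumption taken from the report's description.

```perl
use strict;
use warnings;

# ToyAgent is a constructed stand-in, NOT LWP code. Assumption taken from the
# report: credentials are cached per netloc+realm inside the agent instance
# and that cache is consulted before get_basic_credentials is asked.
package ToyAgent;
sub new { return bless { cache => {} }, shift }
sub get_basic_credentials { return }
sub credentials {
    my ( $self, $netloc, $realm, @set ) = @_;
    $self->{cache}{$netloc}{$realm} = [@set] if @set;
    return @{ $self->{cache}{$netloc}{$realm} || [] };
}
sub login {    # constructed "server": only alice/s3cret is valid
    my ( $self, $netloc, $realm ) = @_;
    my @cred = $self->credentials( $netloc, $realm );
    if ( !@cred ) {
        @cred = $self->get_basic_credentials( $realm, $netloc );
        $self->credentials( $netloc, $realm, @cred );
    }
    return join( ':', @cred ) eq 'alice:s3cret';
}

package main;

my $shared;    # one agent reused by every check, like class data under mod_perl

sub check {
    my ( $user, $pass, $patched ) = @_;
    my $orig = ToyAgent->can('credentials');
    no warnings 'redefine';
    local *ToyAgent::get_basic_credentials = sub { return ( $user, $pass ) };
    # Patched variant: set-then-get, the same shape as the lwp-fix patch.
    local *ToyAgent::credentials = sub {
        my ( $agent, $netloc, $realm ) = @_;
        $orig->( $agent, $netloc, $realm, $user, $pass );
        return $orig->( $agent, $netloc, $realm );
    } if $patched;
    return $shared->login( 'host.example:443', 'realm' ) ? 'accepted' : 'rejected';
}

for my $patched ( 0, 1 ) {
    $shared = ToyAgent->new;
    my $first  = check( 'alice', 's3cret', $patched );
    my $second = check( 'bob',   'wrong',  $patched );
    print "patched=$patched alice/s3cret: $first, bob/wrong: $second\n";
}
```

In the unpatched pass the second check is answered from the entry cached by the first caller, so the wrong password is accepted; with the override in place each check sees only its own credentials.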
Subject: | Authen-Simple-HTTP-0.2.lwp-fix.patch |
diff -rup Authen-Simple-HTTP-0.2.orig/Changes Authen-Simple-HTTP-0.2/Changes
--- Authen-Simple-HTTP-0.2.orig/Changes 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.2/Changes 2013-01-08 18:55:31.226167667 -0500
@@ -1,5 +1,12 @@
Revision history for Perl extension Authen::Simple::HTTP
+ - work around for libwww-perl 6.x+ when used in a persistent environment.
+ LWP::UserAgent sub credentials and get_basic_credentials changed and now
+ cache data per-instance differently than before.
+ LWP::Authen::Basic calls credentials directly, which will get the previously
+ used credentials under this new version of LWP. This breaks persistent usage
+ of Authen::Simple::HTTP (ex. using it undef mod_perl).
+
0.2 2006-01-12 00:00
- use HEAD method instead of GET.
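Review bot: the new Changes entry has no version/date heading, so it sits above `0.2 2006-01-12 00:00` with nothing tying it to a release; give it a heading in the same style as the existing entry. The last added line also reads "using it undef mod_perl", which should be "under mod_perl".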
diff -rup Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm Authen-Simple-HTTP-0.2/lib/Authen/Simple/HTTP.pm
--- Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.2/lib/Authen/Simple/HTTP.pm 2013-01-08 18:55:05.422234386 -0500
@@ -33,7 +33,9 @@ sub check {
# way to implement this without forking a lot of code from LWP::UserAgent.
# Please let me know if you have any ideas of improvements.
- my $override = sprintf '%s::get_basic_credentials', ref $self->agent;
+ my $lwpclass = ref $self->agent;
+ my $override = sprintf '%s::get_basic_credentials', $lwpclass;
+ my $override2 = sprintf '%s::credentials', $lwpclass;
my $response = undef;
my $url = $self->url;
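Review bot: `$override2` says nothing about what it overrides. Since `$override` stays reserved for `get_basic_credentials`, a name such as `$override_credentials` would make the two `local *...` assignments further down readable without scrolling back to this hunk.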
@@ -46,6 +48,11 @@ sub check {
local *$override = sub {
return ( undef, undef );
};
+ # make sure we don't use cached credentials (interaction bug between us and LWP 6.x)
+ local *$override2 = sub {
+ # we want to force no user/pass at this point... so just return
+ return;
+ };
$response = $self->agent->head($url);
}
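Review bot: the stub installed by `local *$override2` in the challenge probe ignores its arguments and returns nothing for every netloc and realm, and because the glob belongs to `$lwpclass` it applies to every agent of that class while the request runs. An agent that relies on `credentials` for anything other than the URL under test gets no credentials during this call; consider returning empty only for the netloc being checked and deferring to the original method otherwise, or state the limitation in the comment.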
@@ -75,6 +82,18 @@ sub check {
local *$override = sub {
return ( $username, $password );
};
+ # save orig credentials subref
+ my $credentials_sub = $self->agent->can( 'credentials' );
+ # make sure we don't use cached credentials (interaction bug between us and LWP 6.x)
+ local *$override2 = sub {
+ my $self = shift;
+ my $netloc = shift;
+ my $realm = shift;
+ # call orig method to set any instance variables, forcing user/pass
+ $credentials_sub->( $self, $netloc, $realm, $username, $password );
+ # call orig method as a getter to get what we just put there
+ return $credentials_sub->( $self, $netloc, $realm );
+ };
$response = $self->agent->head($url);
}
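Review bot: the replacement `credentials` in the second probe calls `$credentials_sub->( $self, $netloc, $realm, $username, $password )`, which writes the caller's password into the long-lived agent, and nothing removes it once `local` unwinds. The next check overwrites it, so the stale-credential problem is addressed, but the last user's password stays cached in the process between requests. If LWP does not need the instance state, returning `( $username, $password )` directly would avoid storing it; otherwise clear the entry after the `head` call and say so in the comment.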
Subject: | Authen-Simple-HTTP-0.2.lwp-and-request-method-feature.patch |
diff -rup Authen-Simple-HTTP-0.2.orig/Changes Authen-Simple-HTTP-0.4/Changes
--- Authen-Simple-HTTP-0.2.orig/Changes 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.4/Changes 2013-01-08 16:54:33.482400835 -0500
@@ -1,5 +1,16 @@
Revision history for Perl extension Authen::Simple::HTTP
+0.4 2013-01-08 00:00
+ - work around for libwww-perl 6.x+ when used in a persistent environment.
+ LWP::UserAgent sub credentials and get_basic_credentials changed and now
+ cache data per-instance differently than before.
+ LWP::Authen::Basic calls credentials directly, which will get the previously
+ used credentials under this new version of LWP. This breaks persistent usage
+ of Authen::Simple::HTTP (ex. using it undef mod_perl).
+
+0.3 2010-02-02 00:00
+ - added request_method option to specify use of HEAD, GET, or POST.
+
0.2 2006-01-12 00:00
- use HEAD method instead of GET.
diff -rup Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm Authen-Simple-HTTP-0.4/lib/Authen/Simple/HTTP.pm
--- Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.4/lib/Authen/Simple/HTTP.pm 2013-01-08 18:37:24.293004387 -0500
@@ -7,13 +7,18 @@ use base 'Authen::Simple::Adapter';
use LWP::UserAgent;
use Params::Validate qw[];
-our $VERSION = 0.2;
+our $VERSION = 0.3;
__PACKAGE__->options({
url => {
type => Params::Validate::SCALAR,
optional => 0
},
+ request_method => {
+ type => Params::Validate::SCALAR,
+ default => 'head',
+ optional => 1
+ },
agent => {
type => Params::Validate::OBJECT,
isa => 'LWP::UserAgent',
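Review bot: `our $VERSION = 0.3;` disagrees with the rest of this combined patch, where Changes adds a `0.4 2013-01-08` entry and META.yml is bumped to `version: 0.4`. Set `$VERSION` to 0.4 here so the module, Changes and META.yml report the same release.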
@@ -33,9 +38,23 @@ sub check {
# way to implement this without forking a lot of code from LWP::UserAgent.
# Please let me know if you have any ideas of improvements.
- my $override = sprintf '%s::get_basic_credentials', ref $self->agent;
- my $response = undef;
- my $url = $self->url;
+ my $lwpclass = ref $self->agent;
+ my $override = sprintf '%s::get_basic_credentials', $lwpclass;
+ my $override2 = sprintf '%s::credentials', $lwpclass;
+ my $response = undef;
+ my $url = $self->url;
+ my $reqmeth = $self->request_method;
+
+ # Determine request method
+
+ my $method = $self->agent->can( $reqmeth );
+ if (! $method ) {
+ $self->log->error( qq/Unsupported request method: '$reqmeth'./ )
+ if $self->log;
+
+ return 0;
+ }
+
# First make sure we receive a challenge
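Review bot: `$self->agent->can( $reqmeth )` accepts any method name the agent class has, not just HTTP verbs, and the result is later invoked as `$method->($self->agent, $url)`; a configured value such as `credentials` or `new` passes this check. Validate `$reqmeth` against an explicit list (`head`, `get`, `post`) before the `can` lookup, and lower-case it first, since the Changes entry advertises "HEAD, GET, or POST" while `can('HEAD')` would fail.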
@@ -46,8 +65,13 @@ sub check {
local *$override = sub {
return ( undef, undef );
};
+ # make sure we don't use cached credentials (interaction bug between us and LWP 6.x)
+ local *$override2 = sub {
+ # we want to force no user/pass at this point... so just return
+ return;
+ };
- $response = $self->agent->head($url);
+ $response = $method->($self->agent, $url);
}
if ( my $warning = $response->header('Client-Warning') ) {
@@ -75,8 +99,20 @@ sub check {
local *$override = sub {
return ( $username, $password );
};
+ # save orig credentials subref
+ my $credentials_sub = $self->agent->can( 'credentials' );
+ # make sure we don't use cached credentials (interaction bug between us and LWP 6.x)
+ local *$override2 = sub {
+ my $self = shift;
+ my $netloc = shift;
+ my $realm = shift;
+ # call orig method to set any instance variables, forcing user/pass
+ $credentials_sub->( $self, $netloc, $realm, $username, $password );
+ # call orig method as a getter to get what we just put there
+ return $credentials_sub->( $self, $netloc, $realm );
+ };
- $response = $self->agent->head($url);
+ $response = $method->($self->agent, $url);
}
if ( $response->code == 401 ) {
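Review bot: inside the `credentials` replacement, `my $self = shift;` shadows the `$self` of `check`, while `$username` and `$password` on the following lines still come from the outer scope. Rename the inner variable (for example `$agent`) so it is clear which object the original method is being called on.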
@@ -165,6 +201,12 @@ Any object that is a subclass of L<LWP::
agent => LWP::UserAgent->new;
+=item * request_method
+
+Request method used to pull the url. "head", "get", or "post".
+
+ request_method => 'head'
+
=item * log
Any object that supports C<debug>, C<info>, C<error> and C<warn>.
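Review bot: the `request_method` POD entry lists three values but does not say that `head` is the default, that the value is matched case-sensitively against agent method names, or that the request is issued with the URL only (so a `post` carries no body). Add those three points so the documented contract matches what `check` does.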
diff -rup Authen-Simple-HTTP-0.2.orig/META.yml Authen-Simple-HTTP-0.4/META.yml
--- Authen-Simple-HTTP-0.2.orig/META.yml 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.4/META.yml 2013-01-08 16:54:58.062324878 -0500
@@ -1,6 +1,6 @@
---
name: Authen-Simple-HTTP
-version: 0.2
+version: 0.4
author:
- 'Christian Hansen C<ch@ngmedia.com>'
abstract: Simple HTTP authentication
@@ -11,5 +11,5 @@ requires:
provides:
Authen::Simple::HTTP:
file: lib/Authen/Simple/HTTP.pm
- version: 0.2
+ version: 0.4
generated_by: Module::Build version 0.2611
diff -rup Authen-Simple-HTTP-0.2.orig/README Authen-Simple-HTTP-0.4/README
--- Authen-Simple-HTTP-0.2.orig/README 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.4/README 2013-01-08 16:49:00.991293884 -0500
@@ -42,6 +42,11 @@ METHODS
agent => LWP::UserAgent->new;
+ * request_method Request method used to pull the url. "head",
+ "get", or "post".
+
+ request_method => 'get'
+
* log Any object that supports "debug", "info", "error" and
"warn".
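Review bot: the README example shows `request_method => 'get'` while the POD hunk in this same patch shows `request_method => 'head'`, and the declared default is `head`. Use the same example value in both places, or note in the README that `'get'` is a non-default choice.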
Subject: | Authen-Simple-HTTP-0.2.request-method-feature.patch |
diff -rup Authen-Simple-HTTP-0.2.orig/Changes Authen-Simple-HTTP-0.2.new/Changes
--- Authen-Simple-HTTP-0.2.orig/Changes 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.2.new/Changes 2010-02-02 18:02:23.079189618 -0500
@@ -1,5 +1,8 @@
Revision history for Perl extension Authen::Simple::HTTP
+0.3 2010-02-02 00:00
+ - added request_method option to specify use of HEAD, GET, or POST.
+
0.2 2006-01-12 00:00
- use HEAD method instead of GET.
diff -rup Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm Authen-Simple-HTTP-0.2.new/lib/Authen/Simple/HTTP.pm
--- Authen-Simple-HTTP-0.2.orig/lib/Authen/Simple/HTTP.pm 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.2.new/lib/Authen/Simple/HTTP.pm 2010-02-03 18:44:58.048860342 -0500
@@ -7,13 +7,18 @@ use base 'Authen::Simple::Adapter';
use LWP::UserAgent;
use Params::Validate qw[];
-our $VERSION = 0.2;
+our $VERSION = 0.3;
__PACKAGE__->options({
url => {
type => Params::Validate::SCALAR,
optional => 0
},
+ request_method => {
+ type => Params::Validate::SCALAR,
+ default => 'head',
+ optional => 1
+ },
agent => {
type => Params::Validate::OBJECT,
isa => 'LWP::UserAgent',
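Review bot: in the `request_method` option spec, `optional => 1` is redundant next to `default => 'head'`, since a default already makes the key optional in Params::Validate. More useful would be a constraint on the value itself (a `regex` or `callbacks` entry limiting it to the supported verbs), so a bad setting is rejected when the object is built rather than at the first login.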
@@ -36,6 +41,18 @@ sub check {
my $override = sprintf '%s::get_basic_credentials', ref $self->agent;
my $response = undef;
my $url = $self->url;
+ my $reqmeth = $self->request_method;
+
+ # Determine request method
+
+ my $method = $self->agent->can( $reqmeth );
+ if (! $method ) {
+ $self->log->error( qq/Unsupported request method: '$reqmeth'./ )
+ if $self->log;
+
+ return 0;
+ }
+
# First make sure we receive a challenge
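Review bot: the unsupported-method branch runs on every `check` call and ends in `return 0`, which is the same result as a wrong password; when no `log` object is configured the misconfiguration is silent and every login simply fails. Validate `request_method` once at construction and die there, leaving `check` to return 0 only for real authentication failures.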
@@ -47,7 +64,7 @@ sub check {
return ( undef, undef );
};
- $response = $self->agent->head($url);
+ $response = $method->($self->agent, $url);
}
if ( my $warning = $response->header('Client-Warning') ) {
@@ -76,7 +93,7 @@ sub check {
return ( $username, $password );
};
- $response = $self->agent->head($url);
+ $response = $method->($self->agent, $url);
}
if ( $response->code == 401 ) {
@@ -165,6 +182,12 @@ Any object that is a subclass of L<LWP::
agent => LWP::UserAgent->new;
+=item * request_method
+
+Request method used to pull the url. "head", "get", or "post".
+
+ request_method => 'head'
+
=item * log
Any object that supports C<debug>, C<info>, C<error> and C<warn>.
diff -rup Authen-Simple-HTTP-0.2.orig/META.yml Authen-Simple-HTTP-0.2.new/META.yml
--- Authen-Simple-HTTP-0.2.orig/META.yml 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.2.new/META.yml 2010-02-02 17:25:44.279188845 -0500
@@ -1,6 +1,6 @@
---
name: Authen-Simple-HTTP
-version: 0.2
+version: 0.3
author:
- 'Christian Hansen C<ch@ngmedia.com>'
abstract: Simple HTTP authentication
@@ -11,5 +11,5 @@ requires:
provides:
Authen::Simple::HTTP:
file: lib/Authen/Simple/HTTP.pm
- version: 0.2
+ version: 0.3
generated_by: Module::Build version 0.2611
diff -rup Authen-Simple-HTTP-0.2.orig/README Authen-Simple-HTTP-0.2.new/README
--- Authen-Simple-HTTP-0.2.orig/README 2006-01-12 14:22:30.000000000 -0500
+++ Authen-Simple-HTTP-0.2.new/README 2010-02-02 18:02:04.899199578 -0500
@@ -42,6 +42,11 @@ METHODS
agent => LWP::UserAgent->new;
+ * request_method Request method used to pull the url. "head",
+ "get", or "post".
+
+ request_method => 'get'
+
* log Any object that supports "debug", "info", "error" and
"warn".