Apache::DBILogin - authenticates and authorizes via a DBI connection
    #in .htaccess
    AuthName MyAuth
    AuthType Basic
    PerlAuthenHandler Apache::DBILogin::authen
    PerlSetVar Auth_DBI_data_source dbi:Oracle:SQLNetAlias
    PerlAuthzHandler Apache::DBILogin::authz
    allow from all
    require group connect resource dba
    satisfy all

    #in startup.pl
    package Apache::DBILogin;

    # is_member function for authz handler
    # expects request object, database handle, and group for which to test
    # returns valid response code
    sub is_member {
        my ($r, $dbh, $group) = @_;
        my $sth;
        eval {
            # no, Oracle doesn't support binding in SET ROLE statement
            $sth = $dbh->prepare("SET ROLE $group") or die $DBI::errstr;
        };
        return ( MP2 ? Apache2::Const::HTTP_INTERNAL_SERVER_ERROR
                     : Apache::Constants::HTTP_INTERNAL_SERVER_ERROR ) if ( $@ );
        return ( defined $sth->execute() )
            ? (MP2 ? Apache2::Const::OK : Apache::Constants::OK)
            : (MP2 ? Apache2::Const::HTTP_FORBIDDEN : Apache::Constants::HTTP_FORBIDDEN);
    }
Apache::DBILogin allows authentication and authorization against a multi-user database.
It is intended to facilitate web-based transactions against a database server as a particular database user. If you wish to authenticate against a passwd table instead, please see Edmund Mergl's Apache::AuthDBI module.
Group authorization is handled by your Apache::DBILogin::is_member() function, which you must define if you enable the authz handler.
The above example uses Oracle roles to assign group membership. A role is a set of database privileges which can be assigned to users. Unfortunately, roles are vendor specific. Under Oracle you can test membership with the "SET ROLE role_name" statement. You could also query the data dictionary, DBA_ROLE_PRIVS, but under Oracle that requires explicit privilege. Documentation patches for other databases are welcome.
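A hardened variant of the is_member() function from the synopsis, added here as an example and not part of Apache::DBILogin: because SET ROLE cannot take a bind parameter, the group name from the require directive is checked against a plain Oracle identifier pattern before it is interpolated. The numeric status codes, the safe_role_name() helper, the 30-character limit and the FakeDBH/FakeSTH stubs are assumptions made so the sketch runs outside mod_perl.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Numeric stand-ins for the Apache constants so the sketch runs outside mod_perl.
use constant { OK => 0, FORBIDDEN => 403, SERVER_ERROR => 500 };

# Hypothetical helper: accept only a plain (non-quoted) Oracle identifier, a letter
# followed by letters, digits, _, $ or #. The 30-character cap is a conservative assumption.
sub safe_role_name {
    my ($group) = @_;
    return unless defined $group;
    return $group =~ /\A([A-Za-z][A-Za-z0-9_\$#]{0,29})\z/ ? $1 : undef;
}

# Same contract as the synopsis: request object, database handle, group to test.
sub is_member {
    my ($r, $dbh, $group) = @_;
    my $role = safe_role_name($group);
    unless (defined $role) {
        warn "rejecting malformed group name from require directive\n";
        return FORBIDDEN;    # fail closed: nothing is sent to the database
    }
    my $sth = eval { $dbh->prepare("SET ROLE $role") or die "prepare failed\n" };
    return SERVER_ERROR if $@;
    return defined $sth->execute() ? OK : FORBIDDEN;
}

# Constructed stand-ins for a DBI handle: the fake user holds only the "dba" role.
package FakeDBH {
    sub new     { bless {}, shift }
    sub prepare { bless { sql => $_[1] }, 'FakeSTH' }
}
package FakeSTH {
    sub execute { $_[0]{sql} eq 'SET ROLE dba' ? '0E0' : undef }
}

package main;
my $dbh = FakeDBH->new;
for my $group ('dba', 'resource', 'dba extra words', 'role"quoted') {
    printf "%-18s => %d\n", $group, is_member(undef, $dbh, $group);
}
```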
Applications may access the clear text password as well as the data_source via the environment variables HTTP_MODPERL_DBILOGIN_PASSWORD and HTTP_MODPERL_DBILOGIN_DATA_SOURCE.
    #!/usr/bin/perl -wT
    use strict;
    use CGI;
    use DBI;
    my $name = $ENV{REMOTE_USER};
    my $password = $ENV{HTTP_MODPERL_DBILOGIN_PASSWORD};
    my $data_source = $ENV{HTTP_MODPERL_DBILOGIN_DATA_SOURCE};
    my $dbh = DBI->connect($data_source, $name, $password)
        or die "$DBI::err: $DBI::errstr\n";
    ...
The database user's clear text passwd is made available in the server's environment. Do you trust your developers?
Bugs: Probably lots, I'm not the best programmer in the world.
Feel free to email me with comments, suggestions, flames. It's the only way I'll become a better programmer.
See also: mod_perl(1), Apache::DBI(3), and Apache::AuthDBI(3)
Author: John Groenveld <groenveld@acm.org>