Module Version: 2.06

NAME

Apache::DBILogin - authenticates and authorizes via a DBI connection

SYNOPSIS

 #in .htaccess
 AuthName MyAuth
 AuthType Basic
 PerlAuthenHandler Apache::DBILogin::authen
 PerlSetVar Auth_DBI_data_source dbi:Oracle:SQLNetAlias
 PerlAuthzHandler Apache::DBILogin::authz
 
 allow from all
 require group connect resource dba
 satisfy all

 #in startup.pl
 package Apache::DBILogin;
 
 # is_member function for authz handler
 #  expects request object, database handle, and group for which to test
 #  returns valid response code
 sub is_member {
     my ($r, $dbh, $group) = @_;
 
     my $sth;
     eval {
         # no, Oracle doesn't support binding in SET ROLE statement
         $sth = $dbh->prepare("SET ROLE $group") or die $DBI::errstr;
     };
     return ( MP2 ? Apache2::Const::HTTP_INTERNAL_SERVER_ERROR
                  : Apache::Constants::HTTP_INTERNAL_SERVER_ERROR ) if ( $@ );
        
     return ( defined $sth->execute() ) ? (MP2 ? Apache2::Const::OK
                                               : Apache::Constants::OK)
                                        : (MP2 ? Apache2::Const::HTTP_FORBIDDEN
                                               : Apache::Constants::HTTP_FORBIDDEN);
 }

DESCRIPTION

Apache::DBILogin allows authentication and authorization against a multi-user database.

It is intended to facilitate web-based transactions against a database server as a particular database user. If you wish to authenticate against a passwd table instead, please see Edmund Mergl's Apache::AuthDBI module.

Group authorization is handled by your Apache::DBILogin::is_member() function, which you must define if you enable the authz handler.

The above example uses Oracle roles to assign group membership. A role is a set of database privileges which can be assigned to users. Unfortunately, roles are vendor-specific. Under Oracle you can test membership with a "SET ROLE role_name" statement. You could also query the data dictionary view DBA_ROLE_PRIVS, but under Oracle that requires an explicit privilege. Documentation patches for other databases are welcome.
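
The is_member() in the SYNOPSIS interpolates the group name from the "require group" line into SET ROLE, because that statement cannot take a bind parameter. The following is an added example, not part of the Apache-DBILogin distribution, that checks the name before interpolating it; role_name_ok() is a hypothetical helper, and the check assumes role names are plain unquoted Oracle identifiers of at most 30 characters.

```perl
# Added example (not from the module's distribution): a stricter is_member()
# for startup.pl. Assumption: roles are plain, unquoted Oracle identifiers.
package Apache::DBILogin;
use strict;
use warnings;

# SET ROLE cannot take a bind parameter, so the role name is checked against
# the unquoted-identifier form before it is interpolated: a letter, then
# letters, digits, "_", "$" or "#", 30 characters at most.
sub role_name_ok {
    my ($group) = @_;
    return defined $group && $group =~ /\A[A-Za-z][A-Za-z0-9_\$#]{0,29}\z/;
}

sub is_member {
    my ($r, $dbh, $group) = @_;

    # Fail closed: a name that is not a bare identifier never reaches the database.
    return ( MP2() ? Apache2::Const::HTTP_FORBIDDEN()
                   : Apache::Constants::HTTP_FORBIDDEN() )
        unless role_name_ok($group);

    my $sth = eval { $dbh->prepare("SET ROLE $group") or die $DBI::errstr };
    return ( MP2() ? Apache2::Const::HTTP_INTERNAL_SERVER_ERROR()
                   : Apache::Constants::HTTP_INTERNAL_SERVER_ERROR() )
        if $@ or !$sth;

    return defined $sth->execute()
        ? ( MP2() ? Apache2::Const::OK() : Apache::Constants::OK() )
        : ( MP2() ? Apache2::Const::HTTP_FORBIDDEN()
                  : Apache::Constants::HTTP_FORBIDDEN() );
}

# Stand-alone check of the validator on constructed role names; this runs only
# when the file is executed directly, not when it is loaded by mod_perl.
unless (caller) {
    for my $name ('connect', 'RESOURCE', 'app_reader', 'two words',
                  'role;extra', '"Quoted"', '', '9lives') {
        printf "%-14s %s\n", "[$name]",
            role_name_ok($name) ? 'accepted' : 'rejected';
    }
}
1;
```

Roles created with quoted, mixed-case names do not pass this check and would need an explicit allow list instead.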

ENVIRONMENT

Applications may access the clear text password as well as the data_source via the environment variables HTTP_MODPERL_DBILOGIN_PASSWORD and HTTP_MODPERL_DBILOGIN_DATA_SOURCE.

 #!/usr/bin/perl -wT
 
 use strict;
 use CGI;
 use DBI;
 my $name = $ENV{REMOTE_USER};
 my $password = $ENV{HTTP_MODPERL_DBILOGIN_PASSWORD};
 my $data_source = $ENV{HTTP_MODPERL_DBILOGIN_DATA_SOURCE};
 my $dbh = DBI->connect($data_source, $name, $password)
        or die "$DBI::err: $DBI::errstr\n";
 ...

SECURITY

The database user's clear text password is made available in the server's environment, where any application run for the request can read it. Do you trust your developers?

BUGS

Probably lots, I'm not the best programmer in the world.

NOTES

Feel free to email me with comments, suggestions, flames. It's the only way I'll become a better programmer.

SEE ALSO

mod_perl(1), Apache::DBI(3), and Apache::AuthDBI(3)

AUTHOR

John Groenveld <groenveld@acm.org>
