Streamlining login to Web site

Discussion in 'Perl Misc' started by mailbox@cpacker.org, Jul 9, 2007.

  1. Guest

    For an existing suite of CGI scripts, I have
    a task to improve the site's login access,
    and I would like to know if CGI::Auth is
    what I need.

    Right now, the user must log in to gain
    access to the main menu page, which is a
    static HTML page. If he then clicks on
    certain menu items that require
    more privileged access, he will be
    presented with the login dialogue again.
    I understand how this has been set up by
    configuring httpd.conf.

    What I would like to do is determine the
    user's access level at his initial login
    and generate the appropriate main menu
    page, thereby removing the need for any
    further logins. If CGI::Auth is what I
    need for this, are there any good tutorials
    on using it, maybe with a really well
    spelled-out example?

    --
    Charles Packer
    http://cpacker.org/whatnews
    mailboxATcpacker.org
    , Jul 9, 2007
    #1

  2. J. Gleixner Guest

    wrote:
    > For an existing suite of CGI scripts, I have
    > a task to improve the site's login access,
    > and I would like to know if CGI::Auth is
    > what I need.
    >
    > Right now, the user must log in to gain


    How is that login handled? HTTP authentication?
    A form and CGI?

    > access to the main menu page, which is a
    > static HTML page. If he then clicks on
    > certain menu items that require
    > more privileged access, he will be
    > presented with the login dialogue again.
    > I understand how this has been set up by
    > configuring httpd.conf.


    If it's configured properly and if the user is authorized
    to get documents from that directory/URL, then that
    shouldn't happen.

    If you want to stick with HTTP authentication,
    then read a few documents about it and using groups.

    >
    > What I would like to do is determine the
    > user's access level at his initial login
    > and generate the appropriate main menu
    > page, thereby removing the need for any
    > further logins. If CGI::Auth is what I
    > need for this, are there any good tutorials
    > on using it, maybe with a really well
    > spelled-out example?


    Sounds like you're after a more dynamic page approach where
    the static HTML would be generated, somehow, based on
    something about the user name. It could be
    via a CGI, HTML::Mason (www.masonhq.com), or possibly
    PHP (php.net) might be a solution. You may use
    CGI::Auth to help manage authentication, or do it
    yourself; either way you'll have to learn about
    generating HTML dynamically and come up with how
    to apply the logic.
    J. Gleixner, Jul 9, 2007
    #2

  3. On 2007-07-09 20:16, <> wrote:
    > For an existing suite of CGI scripts, I have
    > a task to improve the site's login access,
    > and I would like to know if CGI::Auth is
    > what I need.
    >
    > Right now, the user must log in to gain
    > access to the main menu page, which is a
    > static HTML page. If he then clicks on
    > certain menu items that require
    > more privileged access, he will be
    > presented with the login dialogue again.
    > I understand how this has been set up by
    > configuring httpd.conf.


    First, you should make clear to yourself the difference between
    authentication and authorization:

    * authentication is establishing who a user is.

    * authorization is establishing what a user is allowed to do.

    HTTP Basic authentication muddies the distinction both in the headers
    (The server sends a WWW-Authenticate header and the client responds with
    an Authorization header) and in the behaviour of the common browsers.

    But it is still very useful to keep them apart.

    In HTTP basic authentication, a user is identified by four pieces of
    information:

    1) The server (identified by protocol, server and port).

    2) The Realm (as sent in the WWW-Authenticate header and specified in
    the AuthName directive in Apache)

    3) The user name (as sent by the client in the Authorization header).

    These three pieces uniquely identify a user. If one of them is
    different, it is a different user. For the user to prove that he really
    is this user (to "authenticate" himself), the fourth piece is needed:

    4) The password (sent by the client in the Authorization header).

    Once you have authenticated the user, you need to decide what he can do.
    For example, Alice may access directory A, but not directory B,
    while Bob may access both directories.

    In the Apache config, this is done with allow/deny and require
    directives.

    Note that HTTP has no way to confer that a user has successfully
    authenticated, but is not authorized to access some resource. Both a
    failed authentication and an attempt to access a resource without proper
    authorization result in a 401 code. So when the browser receives a 401
    code, it doesn't know whether the user supplied a wrong username or
    password or isn't allowed to access that resource. So it pops up a
    dialog box asking for username and password in either case.



    > What I would like to do is determine the
    > user's access level at his initial login
    > and generate the appropriate main menu
    > page,


    So you want to create a page containing only links which the user is
    authorized to visit? Once a user has been authenticated, you can easily
    do that if you know where the user has access (that sounds trivial, but
    may not be - you may need to parse server config files and .htaccess
    files to find out).

    > thereby removing the need for any further logins.
    > If CGI::Auth is what I need for this,


    No. CGI::Auth is concerned with Authentication, not Authorization.

    At first glance, CGI::Auth may help you in two aspects:

    1) It doesn't use Basic Authentication, so you can distinguish between
    lack of authentication and authorization - you can tell a user "you
    aren't allowed to go there" without his browser losing the login
    information.

    2) Since you are doing authentication yourself, you also need to do
    authorization - so if you want dynamic menus, you don't need to
    parse your server config files to find out where the user is allowed
    access.

    But at second glance it is obvious that you don't need CGI::Auth for
    this. You get the same effect if you use Apache only for authentication,
    and do the authorization in your scripts.

    hp


    --
    _ | Peter J. Holzer | I know I'd be respectful of a pirate
    |_|_) | Sysadmin WSR | with an emu on his shoulder.
    | | | |
    __/ | http://www.hjp.at/ | -- Sam in "Freefall"
    Peter J. Holzer, Jul 9, 2007
    #3
  4. Guest

    On Jul 9, 6:16 pm, "Peter J. Holzer" <> wrote:
    > But at second glance it is obvious that you don't need CGI::Auth for
    > this. You get the same effect if you use Apache only for authentication,
    > and do the authorization in your scripts.


    Ah, but I haven't figured out how my script can learn who the user is
    after it's invoked following Basic authentication! If that information
    is in the tutorials, I've missed it, somehow. That's why I went poking
    around in the Auth documentation. Is the user name a variable in %ENV,
    or where? Once I know the user, I can parse .htgroup, I guess, to
    determine his access level and generate the appropriate menu.

    --
    Charles Packer
    http://cpacker.org/whatnews
    mailboxATcpacker.org
    , Jul 10, 2007
    #4
  5. wrote:

    > On Jul 9, 6:16 pm, "Peter J. Holzer" <> wrote:
    >> But at second glance it is obvious that you don't need CGI::Auth for
    >> this. You get the same effect if you use Apache only for authentication,
    >> and do the authorization in your scripts.

    >
    > Ah, but I haven't figured out how my script can learn who the user is
    > after it's invoked following Basic authentication! If that information
    > is in the tutorials, I've missed it, somehow. That's why I went poking
    > around in the Auth documentation. Is the user name a variable in %ENV,
    > or where? Once I know the user, I can parse .htgroup, I guess, to
    > determine his access level and generate the appropriate menu.


    Hi

    Yes, the username is in %ENV - REMOTE_USER I think, but if you dump the
    whole of %ENV it will be obvious on sight.

    That var is guaranteed correct by apache/mod_cgi, so if it is set, then that
    is the username that apache authorised.

    HTH

    Tim
    Tim Southerwood, Jul 10, 2007
    #5
  6. Guest

    On Jul 10, 10:40 am, Tim Southerwood <> wrote:

    > Yes, the username is in %ENV - REMOTE_USER I think, but if you dump the
    > whole of %ENV it will be obvious on sight.
    >
    > That var is guaranteed correct by apache/mod_cgi, so if it is set, then that
    > is the username that apache authorised.


    Yup, I just found "remote_user()" call documented in
    the CGI module. You get the user name returned if the
    script was protected, i.e. required login to be invoked, null
    otherwise.
    Thanks.

    --
    Charles Packer
    http://cpacker.org/whatnews
    mailboxATcpacker.org
    , Jul 10, 2007
    #6
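
The approach the thread arrives at (Apache performs Basic authentication, the CGI script reads REMOTE_USER and decides which links to show), as an added example that is not code from any poster. The menu entries, group names and sample group file are constructed, and the group file is assumed to use the `group: user1 user2` layout.

```perl
use strict;
use warnings;

# Hypothetical menu: [ label, URL, group allowed to see it ].
my @MENU = (
    [ 'Reports',    '/cgi-bin/reports.cgi', 'staff' ],
    [ 'User admin', '/cgi-bin/admin.cgi',   'admin' ],
);

# Parse "group: user1 user2" lines into { group => { user => 1 } }.
sub parse_groups {
    my ($text) = @_;
    my %groups;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;          # skip comments and blank lines
        my ($group, $members) = $line =~ /^\s*([^:\s]+)\s*:\s*(.*)$/ or next;
        $groups{$group}{$_} = 1 for split ' ', $members;
    }
    return \%groups;
}

sub in_group {
    my ($groups, $user, $group) = @_;
    return ($groups->{$group} || {})->{$user} ? 1 : 0;
}
sub escape_html {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

# Constructed sample; a real script would read the file named by AuthGroupFile.
my $groups = parse_groups("staff: alice bob\nadmin: bob\n");
my $user   = $ENV{REMOTE_USER};   # set by Apache only after authentication succeeded
if (!defined $user || $user eq '') {
    print "Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n",
          "Misconfigured: this script needs HTTP authentication in front of it.\n";
    exit;
}

# Filtering links is presentation only: every privileged script must repeat
# the in_group() check (or stay under its own Require) before doing any work.
my @visible = grep { in_group($groups, $user, $_->[2]) } @MENU;
print "Content-Type: text/html; charset=utf-8\r\n\r\n";
printf "<p>Logged in as %s</p>\n<ul>\n", escape_html($user);
for my $item (@visible) {
    printf qq{<li><a href="%s">%s</a></li>\n}, escape_html($item->[1]), escape_html($item->[0]);
}
print "</ul>\n";
```

With REMOTE_USER set to alice the output lists only Reports; with bob it lists both entries.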