> For an existing suite of CGI scripts, I have
> a task to improve the site's login access,
> and I would like to know if CGI::Auth is
> what I need.
> Right now, the user must log in to gain
> access to the main menu page, which is a
> static HTML page. If he then clicks on
> certain menu items that require
> more privileged access, he will be
> presented with the login dialogue again.
> I understand how this has been set up by
> configuring httpd.conf.
First, you should make clear to yourself the difference between
authentication and authorization:
* authentication is establishing who a user is.
* authorization is establishing what a user is allowed to do.
HTTP Basic authentication muddies the distinction both in the headers
(The server sends a WWW-Authenticate header and the client responds with
an Authorization header) and in the behaviour of the common browsers.
But it is still very useful to keep them apart.
In HTTP basic authentication, a user is identified by four pieces of
information:
1) The server (identified by protocol, server and port).
2) The Realm (as sent in the WWW-Authenticate header and specified in
the AuthName directive in Apache)
3) The user name (as sent by the client in the Authorization header).
These three pieces uniquely identify a user. If one of them is
different, it is a different user. For the user to prove that he really
is this user (to "authenticate" himself), the fourth piece is needed:
4) The password (sent by the client in the Authorization header).
Once you have authenticated the user, you need to decide what he can do.
For example, Alice may access directory A, but not directory B,
while Bob may access both directories.
In the Apache config, this is done with allow/deny and require
directives.
Note that HTTP has no way to convey that a user has successfully
authenticated, but is not authorized to access some resource. Both a
failed authentication and an attempt to access a resource without proper
authorization result in a 401 code. So when the browser receives a 401
code, it doesn't know whether the user supplied a wrong username or
password or isn't allowed to access that resource. So it pops up a
dialog box asking for username and password in either case.
> What I would like to do is determine the
> user's access level at his initial login
> and generate the appropriate main menu
> page,
So you want to create a page containing only links which the user is
authorized to visit? Once a user has been authenticated, you can easily
do that if you know where the user has access (that sounds trivial, but
may not be - you may need to parse server config files and .htaccess
files to find out).
> thereby removing the need for any further logins.
> If CGI::Auth is what I need for this,
No. CGI::Auth is concerned with Authentication, not Authorization.
At first glance, CGI::Auth may help you in two aspects:
1) It doesn't use Basic Authentication, so you can distinguish between
lack of authentication and authorization - you can tell a user "you
aren't allowed to go there" without his browser losing the login
information.
2) Since you are doing authentication yourself, you also need to do
authorization - so if you want dynamic menus, you don't need to
parse your server config files to find out where the user is allowed
access.
But at second glance it is obvious that you don't need CGI::Auth for
this. You get the same effect if you use Apache only for authentication,
and do the authorization in your scripts.
hp
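As an added example (my own code, not hp's and not CGI::Auth), here is a Perl CGI script for the arrangement hp recommends at the end: Apache does the Basic authentication and passes the user name in REMOTE_USER, and the script does the authorization and builds the menu. The httpd.conf fragment in the comment, the authorization table and the menu entries are constructed assumptions, not anything from the original site.

```perl
#!/usr/bin/perl
# menu.cgi - assumed httpd.conf (constructed): Apache authenticates only,
#   <Directory "/var/www/cgi-bin">
#       AuthType Basic
#       AuthName "Site"
#       AuthUserFile /etc/httpd/passwd
#       Require valid-user
#   </Directory>
# and every script under it decides for itself what the user may do.
use strict;
use warnings;

# Constructed authorization table: user name -> access level.
# (Assumption: a real site would read this from a file or a database.)
my %level_of = (alice => 1, bob => 2);

# Menu items and the minimum level needed to see and use them (constructed).
my @menu = (
    { level => 1, href => '/cgi-bin/reports.cgi', text => 'Reports (directory A)' },
    { level => 2, href => '/cgi-bin/admin.cgi',   text => 'Administration (directory B)' },
);

# Level of the authenticated user; anyone not in the table gets level 0.
sub access_level {
    my ($user) = @_;
    return 0 unless defined $user;
    return $level_of{$user} // 0;
}

# Only the menu items the user is authorized to follow.
sub authorized_items {
    my ($user) = @_;
    my $level = access_level($user);
    return grep { $_->{level} <= $level } @menu;
}

# Shared by the protected scripts: deny with 403, not 401, so the browser
# keeps the credentials it already has and does not show the login dialog.
sub require_level {
    my ($user, $needed) = @_;
    return 1 if access_level($user) >= $needed;
    print "Status: 403 Forbidden\r\nContent-Type: text/html\r\n\r\n";
    print "<p>You are authenticated but not allowed to use this page.</p>\n";
    return 0;
}

sub escape { my $s = shift; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s }

my $user = $ENV{REMOTE_USER};   # set by Apache after successful Basic auth
print "Content-Type: text/html\r\n\r\n<h1>Main menu for ", escape($user // 'nobody'), "</h1>\n<ul>\n";
print qq{<li><a href="$_->{href}">}, escape($_->{text}), "</a></li>\n" for authorized_items($user);
print "</ul>\n";
```

A protected script such as admin.cgi would call require_level($ENV{REMOTE_USER}, 2) before doing anything else and stop if it returns 0.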