Custom Authentication

There are two phases to authentication in Apache:

Authentication phase
  Is the remote user who he says he is?

Authorization phase
  Is the remote user authorized to get this resource?

The example below is a simple authentication handler that checks users against the Unix /etc/passwd or NIS databases.

Configuration Entry

 <Location /protected>
   AuthName System
   AuthType Basic
   PerlAuthenHandler  Apache::AuthSystem
   require valid-user
 </Location>

Script III.4.1: Apache::AuthSystem

 package Apache::AuthSystem;
 # file: Apache/AuthSystem.pm
 # authenticate users on system password database

 use strict;
 use Apache::Constants ':common';

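 sub handler {
    my $r = shift;

    # Fetch the password sent with the Basic credentials; any non-OK status
    # (for example, no credentials sent yet) goes straight back to Apache.
    my($res, $sent_pwd) = $r->get_basic_auth_pw;
    return $res if $res != OK;

    my $user = $r->connection->user;
    my $reason = "";

    # Look the user up in the system password database.
    my($name,$passwd) = getpwnam($user);
    if (!$name) {
        $reason = "user does not have an account on this system";
    } elsif (!defined $passwd || $passwd eq "") {
        # An empty password field gives crypt() no salt; reject rather than compare.
        $reason = "user has no password set on this system";
    } else {
        # The stored hash doubles as the salt for crypt().
        $reason = "user did not provide correct password"
            unless $passwd eq crypt($sent_pwd,$passwd);
    }

    if($reason) {
        # Ask the browser to prompt again and log why the attempt failed.
        $r->note_basic_auth_failure;
        $r->log_reason($reason,$r->filename);
        return AUTH_REQUIRED;
    }

    return OK;
 }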

 1;
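
The handler's password test depends on getpwnam() returning a real hash. Where hashes live in a shadow file, an unprivileged process gets a placeholder instead and every login fails. The script below is an added example, not part of the original slides: it runs the same crypt() comparison as a stand-alone function and reports each non-hash case separately. The account names, sample password and salts are constructed, and the placeholder conventions ('x', leading '*' or '!') are an assumption about the target system.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Test a candidate password against a passwd-style password field.
# Returns (ok, reason); reason is empty on success.
sub check_password {
    my ($field, $sent_pwd) = @_;
    return (0, 'no such account')      unless defined $field;
    return (0, 'empty password field') if $field eq '';
    # Assumed conventions: 'x' or a leading '*' / '!' means the real hash is
    # shadowed or the account is locked, so there is nothing to compare.
    return (0, 'hash not available (shadowed or locked account)')
        if $field eq 'x' || $field =~ /^[*!]/;
    my $computed = crypt($sent_pwd, $field);   # stored hash doubles as salt
    return (0, 'crypt() rejected the stored hash') unless defined $computed;
    return $computed eq $field ? (1, '') : (0, 'wrong password');
}

# Constructed sample data: hash a known password with the first scheme the
# local crypt(3) accepts (SHA-512 style salt first, then traditional DES).
my ($hash) = grep { defined($_) && length($_) > 2 }
             map  { crypt('s3cret', $_) } ('$6$constructed$', 'ab');
die "no usable crypt() scheme on this system\n" unless defined $hash;

my %passwd_field = (      # constructed accounts, not real ones
    alice => $hash,       # readable hash
    bob   => 'x',         # shadowed
    carol => '!',         # locked
    dave  => '',          # empty field
);

for my $case (['alice', 's3cret'], ['alice', 'guess'], ['bob', 's3cret'],
              ['carol', 's3cret'], ['dave', 'anything'], ['erin', 's3cret']) {
    my ($user, $pwd) = @$case;
    my ($ok, $reason) = check_password($passwd_field{$user}, $pwd);
    printf "%-6s %-9s %s\n", $user, $pwd,
        $ok ? 'OK' : "AUTH_REQUIRED ($reason)";
}
```

Logging the specific reason server-side, as the handler does with log_reason, keeps the distinction between "wrong password" and "hash not readable" visible to the administrator without revealing it to the client.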

What it Looks Like

http://localhost/protected/test_document.html

Lincoln D. Stein, lstein@cshl.org
Cold Spring Harbor Laboratory
Last modified: Mon Aug 17 10:49:41 EDT 1998