An Authenticating Script for Apache
We’ll start by observing that web servers aren’t the only things that can issue Authorization: headers. Scripts can do that too. Example 12-1 is a simple Perl script that challenges for a name and password, just as an authenticating web server does.
Example 12-1. Scripting the Name/Password Challenge
    use MIME::Base64;

    if ( ! defined $ENV{HTTP_AUTHORIZATION} )      # if no Authorization: header
    {
        print "HTTP/1.0 401 Authentication\n";     # issue authorization challenge
        print "WWW-Authenticate: Basic realm=\"subscribers\"\n\n";
        exit;                                      # stop here; a bare return fails outside a subroutine
    }

    print "HTTP/1.0 200 Ok\n";                     # needed for ISAPI Perl or mod_perl
    print "Content-type: text/html\n\n";           # the standard header

    # get MIME-encoded credentials; use $1 only if the match succeeded
    if ( $ENV{HTTP_AUTHORIZATION} =~ m/Basic (.+)/i )
    {
        print "Hello " . decode_base64($1);        # prints "Hello Aladdin:open sesame"
    }
We’ve introduced another CPAN module here. MIME::Base64 converts back and forth between plain text and the Base64 encoding used by the HTTP basic authentication protocol. If you put this code in a file called auth.pl, put that file into the /cgi-bin directory of an Apache web server, and ask your browser to fetch /cgi-bin/auth.pl, you’ll provoke an authentication dialog. Type in the credentials Aladdin and open sesame and you’ll get the response Hello Aladdin:open sesame.
If that doesn’t work, define the symbol SECURITY_HOLE_PASS_AUTHORIZATION and rebuild Apache. What? Open a security hole? Well, here’s what the Apache source code says about allowing scripts ...