README.apache-2.4.pod
35 additions & 14 deletions
@@ -33,12 +33,18 @@ the constant C<APACHE2_4> which is needed for the test suite.
33
33
34
34
=item *
35
35
36
-
Your module must inherit from C<Apache2_4::AuthCookie> instead of C<Apache2::AuthCookie>
36
+
You must not call authcookie's authorize() method. Authorization is done using
37
+
AuthzProvider's under Apache 2.4 and these work very different from previous
38
+
apache versions. If you are simply doing simple things such as
39
+
C<Require user ...> or C<Require valid-user> in your C<httpd.conf>, then you
40
+
likely do not need an authorization provider at all. Apache 2.4 handles these
41
+
for you in C<mod_authz_user.c>.
37
42
38
43
=item *
39
44
40
-
You must change every method that was called as a C<PerlAuthzHandler> under
41
-
previous versions to return one of the following values:
45
+
Related to previous item, you must change every method that was called as a
46
+
C<PerlAuthzHandler> under previous versions to return one of the following
47
+
values:
42
48
43
49
=over 4
44
50
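Review bot: the first item in this hunk drops the instruction that the module must inherit from C<Apache2_4::AuthCookie> instead of C<Apache2::AuthCookie> and replaces it with the new authorize() text, so that requirement is no longer stated at this point in the list. If it still applies, keep it as its own =item rather than overwriting it. In the added lines, "AuthzProvider's" should be "AuthzProviders", "work very different" should be "work very differently", "simply doing simple things" is redundant, and authorize() should be wrapped in C<> like the other identifiers.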
@@ -75,7 +81,9 @@ return granted or denied.
75
81
76
82
=item *
77
83
78
-
Remove all C<PerlAuthzHandler> entries. C<PerlAuthzHandler> does not exist in Apache 2.4.
84
+
Remove all C<PerlAuthzHandler> entries. C<PerlAuthzHandler> is not necessary
85
+
in Apache 2.4. If you are doing custom authoriaztion, you need to convert
86
+
these to C<PerlAddAuthzProvider> entries:
79
87
80
88
=item *
81
89
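Review bot: the added sentence ends with a colon ("convert these to C<PerlAddAuthzProvider> entries:") but the next line is the following =item, so the colon introduces nothing. End the sentence with a period or put an example directive directly under it. "authoriaztion" is a typo for "authorization".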
@@ -85,11 +93,7 @@ one.
85
93
86
94
If your C<Require> directives are simply C<valid-user> or C<user ...> then you
87
95
do not need to do this. Apache already provides an authz provider that handles
88
-
C<user> and C<valid-user> requirements for you in C<mod_authz_user>.
89
-
90
-
C<AuthCookie> does provide a C<authz_handler> for these requirements for
91
-
backwards compatibility with previous versions, but the one provided by Apache
92
-
is preferred.
96
+
C<user> and C<valid-user> requirements for you in C<mod_authz_user.c>.
93
97
94
98
=item *
95
99
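Review bot: the removed paragraph was the only mention here of the C<authz_handler> that C<AuthCookie> provided for C<user> and C<valid-user> requirements for backwards compatibility, and nothing replaces it. If the method still exists, keep a line saying so (or mark it deprecated); if it was removed, state that, so readers who registered it know to drop the entry. Separately, the new line uses the source file name C<mod_authz_user.c> where the old one used the module name C<mod_authz_user>; pick one form and use it consistently across the file.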
@@ -101,7 +105,7 @@ Each one implements a specific requirement. E.g.:
101
105
102
106
PerlAddAuthzProvider species My::AuthCookieHandler->authz_species
103
107
104
-
Will be called to handle a
108
+
Will be called to handle a
105
109
106
110
Require species klingon
107
111
@@ -110,7 +114,8 @@ Directive.
110
114
It is important to know that Authz Providers are called B<twice> for
111
115
a request. First, the authz provider is called before authentication has been
112
116
processed to check for anonymous access. In this method call, C<< $r->user >>
113
-
is not set. You are expected to return one of:
117
+
is not set (to allow for your handler to allow annonymous access). You are
118
+
expected to return one of:
114
119
115
120
=over 4
116
121
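Review bot: in the added parenthetical, "annonymous" is misspelled and "to allow for your handler to allow" repeats itself. Something like "(so that your handler can permit anonymous access)" says the same thing more cleanly.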
@@ -128,8 +133,9 @@ provider)
128
133
129
134
=item AUTHZ_DENIED_NO_USER
130
135
131
-
Authentication is processed, C<< $r->user >> will be set with the current
132
-
username and your authz provider will be called again.
136
+
This should be returned if C<< $r->user >> is not set and you do not wish to
137
+
allow anonymous access. Authentication will be processed, C<< $r->user >> will
138
+
be set with the current username and your authz provider will be called again.
133
139
134
140
=back
135
141
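Review bot: the new AUTHZ_DENIED_NO_USER text should say outright that the provider has to test C<< $r->user >> itself on the first call, because that call runs before authentication and exists to decide on anonymous access. As written, a reader can miss that a provider which skips the check and returns a granting result in this pass lets the request through without a login. One sentence telling authors to check C<< $r->user >> first and return AUTHZ_DENIED_NO_USER when it is unset would make the safe pattern explicit.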
@@ -233,7 +239,7 @@ Continue processing siblings.
233
239
You need to use a C<PerlAddAuthzProvider> and write an appropriate handler as
234
240
described above instead. Note that you do not need a C<PerlAddAuthzProvider>
235
241
for C<user> or C<valid-user> requirements. Apache already handles those
236
-
internally.
242
+
internally via C<mod_authz_user.c>
237
243
238
244
=item ${auth_name}Satisfy
239
245
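Review bot: the added line "internally via C<mod_authz_user.c>" has lost the closing period that the removed "internally." had. Add it back so the paragraph ends cleanly before the next =item.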
@@ -259,6 +265,7 @@ then C<HTTP_UNAUTHORIZED> is returned. In previous versions of Apache,
259
265
C<HTTP_FORBIDDEN> was returned. You can get the old behaviour if you want it
260
266
with:
261
267
268
+
# in httpd.conf
262
269
AuthzSendForbiddenOnFailure On
263
270
264
271
=back
@@ -279,6 +286,20 @@ second time after the user has been authenticated.
279
286
280
287
=item *
281
288
289
+
I get an error like C<Can't locate object method "requires" via package Apache2::RequestRec ...>
290
+
291
+
This is because you called C<AuthCookie>'s C<authorize()> method, which is illegal under Apache 2.4. This could either be because your C<AuthCookie> subclass explicitly called C<authorize()>, or (more likely) because your C<httpd.conf> contains a line like:
292
+
293
+
PerlAuthzHandler My::AuthCookie->authorize
294
+
295
+
You should remove lines from C<httpd.conf> that call C<authorize>, and your
296
+
subclass should not be calling authorize().
297
+
298
+
If you need to do custom autorization, you need to write an authz provider
299
+
instead.
300
+
301
+
=item *
302
+
282
303
My log shows an entry like:
283
304
284
305
authorization result of Require ...: denied (no + # authenticated user yet)
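Review bot: "autorization" in the last added paragraph is a typo for "authorization". The explanation beginning "This is because you called" is one very long line while the rest of the addition is wrapped, so wrap it to match the file. authorize() appears bare in "should not be calling authorize()" but as C<authorize()> earlier in the same entry; use C<> throughout. "illegal under Apache 2.4" would read better as "not supported under Apache 2.4".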