Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

htaccess through perl without apache

by true (Pilgrim)
on Mar 26, 2003 at 19:19 UTC ( #246048=perlquestion: print w/ replies, xml ) Need Help??
true has asked for the wisdom of the Perl Monks concerning the following question:

Im sure folks more clever than i have come up with a solution for this problem. I was hoping to get some arrows pointing me to any packages, modules or advice for my next trudge.

1. I want my virtual hosting environment to have the ability to add password protection to folders within their domain via a perl script without restarting apache. I like htaccess but want to avoid restarting apache. I have configured folders by hand with the httpd.conf file, but i want to avoid the conf edit step.

2. In addition, i'm not aware of how perl can generate the encrypted password string to generate the htpasswd file needed by the directory.

Any advice would be appreciated.

thanks, jtrue

Comment on htaccess through perl without apache
Re: htaccess through perl without apache
by jasonk (Parson) on Mar 26, 2003 at 19:28 UTC

    You don't have to put htaccess directives in the httpd.conf, you can also put them in a .htaccess file in the directory you want to protect, which does not require restarting apache. Perl can generate the encrypted passwords using the crypt() function (perldoc -f crypt).


    We're not surrounded, we're in a target-rich environment!
      Thanks for comments. What salt should i throw at crypt to mimic the htaccess crypt? i'm trying to write a htpasswd file in perl. if the password is birthday. I want to generate the .htpasswd file. so in perl i could say.
      #!/usr/bin/perl use strict; my $passw = "birthday"; print crypt($passw,"SALT");
      But the output doesn't match the shadow password file. I thought these needed to match. Here's my .htaccess file if it helps.
      AuthName "Clients/jtrue" AuthType Basic AuthUserFile /home/latitude38productions/.htpasswd Require valid-user

      thanks for reading.

        From perldoc -f crypt:
        When verifying an existing encrypted string you should use the encrypted text as the salt (like "crypt($plain, $crypted) eq $crypted"). This allows your code to work with the standard "crypt" and with more exotic implementations.

        Works perfectly with htpasswd.

        Update: Or you could try Apache::Htpasswd.

        $foo = new Apache::Htpasswd({passwdFile => "path-to-file", ReadOnly => 1} ); # Check that a password is correct $pwdFile->htCheckPassword("zog", "password");
Re: htaccess through perl without apache
by thpfft (Chaplain) on Mar 26, 2003 at 19:40 UTC

    if you use .htaccess files, as you suggest, then changing the access restrictions doesn't mean you have to restart the server. It sounds like all you need is to throw together a friendly front end.

    There are two CPAN modules that will do nearly all that work for you: Apache::Htaccess and Apache::Htpasswd provide object-oriented interfaces to their respective files and the usual directives, and should make changing authentication policies and adding users a very simple job.

Re: htaccess through perl without apache
by sutch (Curate) on Mar 27, 2003 at 02:39 UTC
    Another option is to not deal with the htpasswd file and store and test user credentials within your program. For example:
    use CGI; my $request = CGI->new; if( $ENV{'REMOTE_USER'} eq "sutch" && $ENV{'REMOTE_PASSWD' } eq "myb4d +" ) { # user is authenticated print $request->header; # return restricted web page here } else { print $request->header( '-status' => '401 Authentication required', +'-auth-type' => 'Basic', '-WWW-Authenticate' => 'Basic realm="My Rest +ricted Area"' ); # return failed authentication message here }
    This will provide the user with the familiar username/password dialog box that is displayed when using htaccess. Instead of Apache handling the authentication though, the script tests the REMOTE_USER and REMOTE_PASSWD environment variables to authenticate the user.

    A benefit of handling the authentication yourself is that you can also expire authenticated sessions and allow users to logout. This can be done by returning a 401 status with different realm text.

      This sounds interesting.

      But i'm not getting the environment variables REMOTE_USER and REMOTE_PASSWD returning anything. I login successfully with htaccess but neither return anything.

      #!/usr/bin/perl use CGI; my $request = CGI->new; print $request->header; print <<EOM; CHECK/$ENV{'REMOTE_USER'}/$ENV{'REMOTE_PASSWD'} EOM exit;
      This is running on Win2k Apache2 BTW.

      thanks update

      $ENV{'REMOTE_USER'} will return but $ENV{'REMOTE_PASSWD'} will not

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://246048]
Approved by thpfft
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (7)
As of 2014-12-28 05:42 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (178 votes), past polls