Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

Getting username and password from the URL.

by Punto (Scribe)
on Jun 11, 2000 at 01:04 UTC ( [id://17537]=perlquestion: print w/replies, xml ) Need Help??

Punto has asked for the wisdom of the Perl Monks concerning the following question:

Probably not a perl question, but, is there any way to get (on a perl script) the username and password used for the apache authentication? for ex., the user calls:

http://user:password@www.domain.com/script.pl

How do I get "username" and "password"? I guess it's on one of the ENV{'HTTP_something'} variables..

Thanks..

Replies are listed 'Best First'.
Re: Getting username and password from the URL.
by Zoogie (Curate) on Jun 11, 2000 at 01:08 UTC
    Dunno about password, but the username is simply $ENV{'REMOTE_USER'}.
Re: Getting username and password from the URL.
by lhoward (Vicar) on Jun 11, 2000 at 02:17 UTC
    You can set up a simple CGI to show you all the environmental variables. Then just call it and see if there is one that contains the password:
    #!/usr/bin/perl -w print "Content-type: text/html\n\n<html><body>"; foreach (keys %ENV){ print "$_ -> $ENV{$_}<br>\n"; } print "</body></html>";
Re: Getting username and password from the URL.
by chromatic (Archbishop) on Jun 11, 2000 at 02:27 UTC
    $ENV{REMOTE_USER} will give you the username, after it's been authenticated by the web server.

    If you've built your own server out of something like HTTP::Daemon, you can get a request object and grab the Authorization header to parse it yourself:

    my $r = $daemon->get_request(); my ($username, $password) = split(/:/, $r->header('Authorization'), 2) +;

    Update:

    Yeah, that did say 'REQUEST_USER' before. Sorry, I merged the right line with the description of 'REQUEST_METHOD' as I read it.

      Are you aware of an existing HTTP::Daemon-side implementation of Digest authentication?
Re: Getting username and password from the URL.
by btrott (Parson) on Jun 11, 2000 at 02:48 UTC
    And, for the sake of completeness... if you're using mod_perl, you can get the username from the Apache request record ($r):
    my $user = $r->connection->user;
Re: Getting username and password from the URL.
by httptech (Chaplain) on Jun 11, 2000 at 16:19 UTC
    If you really need the password, there is a way you can get it, but not from the CGI script itself. You can use mod_auth_external to do your authentications, and use some sort of cache to store the username and password, then have your CGI script read that and compare to the REMOTE_USER environment variable. You're going to take a performance hit for doing this though.

    If you use Apache's built-in authentication modules, you can be relatively certain the password was given correctly, so there's probably no need to check it a second time in your script.

    It also seems like you should be able to implement something in mod_perl to obtain the password, but I haven't looked into it enough to know.

      If you really need the password, there is a way you can get it, but not from the CGI script itself. You can use mod_auth_external to do your authentications

      Actually, I only need apache to ask for the username and password, and then do the authentication on the CGI script. I don't need apache to check for the password..

RE: Getting username and password from the URL.
by Kozz (Friar) on Jun 11, 2000 at 06:05 UTC
    If the referring URL also used the same type of user:password authentication, you could always extract both the user & password from the $ENV{'HTTP_REFERER'} using a REGEXP.
    UPDATE: I should have tried it first. NO worky. It appears that Netscape (and I'm guessing other browsers) remove this info from the referring url string before sending the request.
RE: Getting username and password from the URL.
by jjhorner (Hermit) on Jun 12, 2000 at 03:08 UTC

    If you are using mod_perl, try this:

    $username = $r->connection->user my($ret, $password) = $r->get_basic_auth_pw;

    The $username will be the username entered when challenged, $ret will be either OK, DECLINED, SERVER_ERROR, or AUTH_REQUIRED, and $password will be the plain text password entered at the challenge. These must be used with Basic authorization type.

    J. J. Horner
    Linux, Perl, Apache, Stronghold, Unix
    jhorner@knoxlug.org http://www.knoxlug.org/
    
      If you are using mod_perl, try this:

      The server is running mod_perl (I can see "mod_perl" on the "server" part of the http responses), I tryed this:

      #!/usr/bin/perl print "Content type: text/html\n\n"; $username = $r->connection->user; my($ret, $password) = $r->get_basic_auth_pw; print $password;
      And I get an "Internal Server Error". Do I have to use some library or something on the script?

      Thanks!

        Yes, you'll need to get the $r object, which you don't have in your script. $r is the Apache request record.

        You should set up your script as an Apache::Registry script. Then you can get $r like this:

        my $r = Apache->request;
        To set the script up as Apache::Registry, add something like this to httpd.conf:
        <Location /perl> SetHandler perl-script PerlHandler Apache::Registry Options +ExecCGI </Location>
        This sets up the perl subroutine under the document root to run under Apache::Registry. So put your script there.

        Or, if you set up a mod_perl handler, your handler subroutine will be passed $r.

        For example, you might set up a handler thusly in your httpd.conf:

        <Location /foo> SetHandler perl-script PerlHandler My::Foo </Location>
        And then in My::Foo:
        package My::Foo; use strict; sub handler { my $r = shift; my $user = $r->connection->user; my($ret, $password) = $r->get_basic_auth_pw; $r->send_http_header; $r->print($user); $r->print($password); } 1;
        I'd recommend trying the first approach.

        While btrott's answer was right, I thought I would send you to a real world example here.

        J. J. Horner
        Linux, Perl, Apache, Stronghold, Unix
        jhorner@knoxlug.org http://www.knoxlug.org/
        
Re: Getting username and password from the URL.
by mt2k (Hermit) on Jun 11, 2000 at 03:39 UTC
    To simply say: There is no way you can get the password of the user logged on.
    I tried the same thing before and was put down with no way of getting up.
    As everyone else has said, $ENV{'REMOTE_USER'} contains username.
    From chromatic's post, I must say I've never heard of $ENV{'REQUEST_USER'}.
    So, no, there is no way to receive the password of the user from headers.
    I hope you didn't really need the password, adn if you do, I have no idea!

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://17537]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others cooling their heels in the Monastery: (6)
As of 2024-03-28 21:23 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found