An Authenticating Script for Apache
We’ll start by observing that web servers aren’t the only things that can issue Authorization: headers. Scripts can do that too. Example 12-1 is a simple Perl script that challenges for a name and password, just as an authenticating web server does.
Example 12-1. Scripting the Name/Password Challenge
use MIME::Base64;

if ( ! defined $ENV{HTTP_AUTHORIZATION} )    # if no Authorization: header
{
    print "HTTP/1.0 401 Authentication\n";   # issue authorization challenge
    print "WWW-Authenticate: Basic realm=\"subscribers\"\n\n";
    exit;                                    # end the request (a bare return fails outside a subroutine)
}
print "HTTP/1.0 200 Ok\n";                   # needed for ISAPI Perl or mod_perl
print "Content-type: text/html\n\n";         # the standard header
$ENV{HTTP_AUTHORIZATION} =~ m/Basic (.+)/i;  # get MIME-encoded credentials
print "Hello " . decode_base64($1);          # print "Hello Aladdin:open sesame"

We’ve introduced another CPAN module here.
MIME::Base64 converts back and forth between plain text and the Base64 encoding used by the HTTP basic authentication protocol. If you put this code in a file called auth.pl, put that file into the /cgi-bin directory of an Apache web server, and ask your browser to fetch /cgi-bin/auth.pl, you’ll provoke an authentication dialog. Type in the credentials Aladdin and open sesame and you’ll get the response Hello Aladdin:open sesame. If that doesn’t work, define the symbol SECURITY_HOLE_PASS_AUTHORIZATION and rebuild Apache. What? Open a security hole? Well, here’s what the Apache source code says about allowing scripts ...
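
A stricter take on the parsing step in Example 12-1, added here as an illustration and not code from the book: it accepts only a well-formed Basic token, splits name from password on the first colon, and HTML-escapes the name before echoing it. The helper names (parse_basic_auth, html_escape, respond) and the sample header values are constructed for this example, and it assumes a plain CGI script, so it sends the CGI Status: header instead of an HTTP/1.0 status line.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Hypothetical helper: return (user, password) or an empty list if the header is unusable.
sub parse_basic_auth {
    my ($header) = @_;
    return unless defined $header;
    # Accept only the Basic scheme followed by a well-formed Base64 token.
    return unless $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*\z}i;
    my $decoded = decode_base64($1);
    # Split on the first colon only: the password may itself contain colons.
    my ($user, $pass) = split /:/, $decoded, 2;
    return unless defined $pass && length $user;
    return ($user, $pass);
}

# Escape text before echoing it into an HTML response.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Build the CGI response for one Authorization header value.
sub respond {
    my ($header) = @_;
    my ($user) = parse_basic_auth($header);
    return "Status: 401 Unauthorized\n"
         . "WWW-Authenticate: Basic realm=\"subscribers\"\n\n"
        unless defined $user;
    return "Content-type: text/html\n\nHello " . html_escape($user) . "\n";
}

# Constructed sample header values, exercised offline.
my @samples = (
    undef,                                                # no header sent
    'Basic ' . encode_base64('Aladdin:open sesame', ''),  # the credentials used in the text
    'Basic ' . encode_base64('bob:pa:ss', ''),            # colon inside the password
    'Basic ' . encode_base64('<script>:x', ''),           # markup in the user name
    'Basic !!!notbase64',                                 # malformed token
    'Bearer abc',                                         # a different scheme
);
for my $h (@samples) {
    printf "%-40s => %s\n", defined $h ? $h : '(none)', (split /\n/, respond($h))[-1];
}
```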