chiggins has asked for the wisdom of the Perl Monks concerning the following question:

Greetings all,

I'm trying to implement a ticket-based auth system with SOAP::Lite and apache/mod_perl. The way it works now (with a SOAP::Apache module in the middle dispatching the SOAP request):

client: calls the login method with username and password
SOAP modules: validates username and password; returns username, time() + n, and an MD5 string generated from the username, time() + n seconds, and a secret

client: calls a method, passes the username, time, and ticket in the SOAP envelope header.
SOAP modules: validates the ticket and checks expiration, executes if everything's in order

What I'm trying to do, and having a bang-head-on-brick time figuring out, is to have the SOAP::Apache module catch the request, get the remote_host IP, and pass it through to the SOAP method (any way it can get there). The problem is that once the request has been dispatched via SOAP::Transport::HTTP::Apache, it's no longer an Apache request, and (as far as I know) there's no way to get at the Apache Request object from the SOAP module to which the request has been dispatched. So, I'm faced with something like:

- catch the request
- turn it back into a SOAP request
- pull the envelope header element authInfo
- add the remote ip
- reform the request
- re-dispatch the request to the intended modules

Although a.) this seems overly complicated, which is usually a sign my implementation has become too complicated, and b.) I'm not at all sure this would work.

Does anyone have any suggestions (along these lines or any alternatives), or lacking that, a definitive "no you can't do that" they can pass along? I get the feeling that there's a section of documentation somewhere that I've overlooked in my scouring that would shed light on this...

Replies are listed 'Best First'.
Re: SOAP::Lite and mod_perl
by perrin (Chancellor) on Apr 29, 2003 at 01:33 UTC
    Well, in mod_perl 1.x you can always just call Apache->request() to get the current request object. Using the remote IP is usually a bad idea though. You can't expect it to be unique (proxies) and you can't expect the same client to always come in with the same IP (proxies again).
      BINGO. Worked like a charm testing locally, will test again tomorrow in the dev environment.

      In this particular case, the client is going to provide us with a list of possible IPs they'll be connecting to the service with, and we'll be able to associate at least a list of IPs with the user account. Agreed, it's not a perfect solution, but it's the one I've been charged with implementing. I'd be delighted, however, to hear an alternative approach I can sell to the powers that be?

      Thanks again muchly for the tip, feels good to be unstuck.

      c
        You might mention to the powers that be that relying on IPs for authentication is a really bad idea. Spoofing IPs is something crackers do all day long.

        Is there some reason the usual cookie-based username/password login won't work for you? I implemented a SOAP system for Bricolage which supports a login call and uses standard HTTP cookies for authentication. Put it over SSL and I bet it would be pretty hard to break.

        -sam
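
The ticket flow from the question, with the allow-list check discussed in this thread applied only after the ticket itself verifies. This is an added example, not code from any of the posts: it uses HMAC-SHA256 from Digest::SHA in place of the bare MD5 concatenation the question describes, and the secret, lifetime, user name and addresses are constructed. Under mod_perl 1.x the `$remote_ip` argument could come from `Apache->request->connection->remote_ip`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-secret';   # placeholder; load from protected config
my $TTL    = 300;                         # assumed ticket lifetime in seconds
my %ALLOWED_IPS = (                       # constructed per-account allow-list
    alice => { '192.0.2.10' => 1, '192.0.2.11' => 1 },
);

# MAC over the exact fields the client sends back; NUL keeps field boundaries unambiguous.
sub mac_for { my ($user, $expires) = @_; hmac_sha256_hex(join("\0", $user, $expires), $SECRET) }

sub issue_ticket {
    my ($user, $now) = @_;
    my $expires = $now + $TTL;
    return ($user, $expires, mac_for($user, $expires));
}

# Compare without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub validate_ticket {
    my ($user, $expires, $ticket, $remote_ip, $now) = @_;
    return 'malformed' unless defined $user && $user !~ /\0/
        && defined $expires && $expires =~ /\A\d+\z/ && defined $ticket;
    # Verify the MAC before trusting the expiry value the client supplied.
    return 'bad ticket' unless ct_eq(mac_for($user, $expires), $ticket);
    return 'expired'    if $now > $expires;
    # The address is an extra restriction on a valid ticket, never a credential by itself.
    return 'ip not allowed'
        unless $ALLOWED_IPS{$user} && $ALLOWED_IPS{$user}{ $remote_ip // '' };
    return 'ok';
}

my $now = time();
my @t   = issue_ticket('alice', $now);
print validate_ticket(@t, '192.0.2.10', $now), "\n";                          # listed address
print validate_ticket(@t, '203.0.113.5', $now), "\n";                         # unlisted address
print validate_ticket($t[0], $t[1] + 3600, $t[2], '192.0.2.10', $now), "\n";  # client extended the expiry
print validate_ticket(@t, '192.0.2.10', $now + $TTL + 1), "\n";               # replayed after the lifetime
```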

Re: SOAP::Lite and mod_perl
by Anonymous Monk on Apr 30, 2003 at 07:35 UTC
    Hello, I don't quite understand why you need the Apache::Request object with SOAP.
    1. It is SOAP, so it should be free from any data protocol realization.
    2. The HTTP server should set a bunch of environment variables about the current session with the remote client.
    Check the variable $ENV{REMOTE_ADDR} inside your SOAP handler on the server side. Also check this page to view a list of variables the web server should set: http://hoohoo.ncsa.uiuc.edu/cgi/env.html