Massyn has asked for the wisdom of the Perl Monks concerning the following question:

#!/fellow/monks.pl

I found this site which explained how you can authenticate Apache against a mySQL server. However, the problem I have with this example is that I still need to provide (on the webserver config) the username and password to connect to the database -- I don't want to do that.

What I'm trying to achieve, is for Apache to ask for a username and password (easy bit), but then to pass that username and password onto my perl code, which will then use the username and password within the DBI dsn connect string for access to the database.

I could go and write my own routine for this, but for the sake of security, I'd like to find a more elegant way of giving my users access to the database.

I'm not trying to be difficult. I'm thinking of security, and building the system to the point where the webserver is just a monkey, doing what it's told. It passes the request onto the database for execution, which is usually far behind at the backend, with no publicly accessible address at all. Even if you manage to get onto the web server, you should not be able to get the username and password off any text file on the server -- that's what I'm trying to achieve.

Thank you, kind monks.

#!/massyn.pl

Don't -- me without telling me why. If you asked a stupid question, I wouldn't down vote you.


Re: Authenticating to mySQL through DBI on Apache?
by tilly (Archbishop) on Jul 13, 2003 at 13:44 UTC
    It is possible to do what you want with mod_perl. For a fuller picture of what you can do, see Writing Apache Modules in Perl and C. (One of the online chapters walks through authentication and authorization.)

    However note that your approach should not be used if performance matters to you. Opening a new database connection is a fairly heavy operation, and a standard technique in mod_perl is to cache the connection and not incur this cost. But that will be impossible for you to do because your authentication requires connecting to the database.

    Update: I should have mentioned that the default authentication method is Basic, which passes name/password combinations in the clear. By coincidence the newest story on perl.com right now is Integrating mod_perl with Apache 2.1 Authentication which walks through custom authentication schemes in more detail.

Re: Authenticating to mySQL through DBI on Apache?
by bobn (Chaplain) on Jul 13, 2003 at 15:44 UTC

    I believe that so far we've missed the OP's point.

    The database is on a different server than the webserver, behind a(nother) firewall.

    Authenticating users from information stored in the database has been done before with modules to make it fairly trivial - once an initial connection is opened from Apache to the db in order to submit the requests. It is the opening of this initial connection that the poster is concerned about. He wants the initial db connection somehow done without the id,password being stored on the webserver.

    And the only ways I see around this are:

    • to have an entry for every user in the table that defines who can connect to mySQL and what they can do in mySQL, as well as possibly another table handling the same stuff for the webserver. But this implies a separate process for setting up these users. OR
    • That the ID,password for db connection is stored in an encrypted file (eg using gpg) and the Apache startup process requires you to enter a passphrase at startup, after which the id,passwd are held by processes in RAM and used as needed. (The Agent thing for OpenSSL that stores users' keys in RAM for use by other processes might be worth looking at in this regard.) But, even after you figure out how to do this, this may be a cure worse than the disease.
    --Bob Niederman, http://bob-n.com
      Perhaps my post above was unclear.

      The PerlAuthenHandler approach in mod_perl allows any method that you want for verifying the authentication. Including attempting to connect to the database and seeing whether the database accepts that user name/password for connecting.

      There are also potential performance problems with this method that I pointed out.
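The PerlAuthenHandler approach described above, as an added example that is not code from the thread or from any of the posters: a mod_perl 1 handler that takes the Basic-auth credentials from the request and lets MySQL decide by attempting a DBI connect with them, so no database username or password is stored on the web server. The package name `My::DbAuth`, the host `db.internal` and the database `app` are assumptions.

```perl
# Added example (not from the thread): mod_perl 1 PerlAuthenHandler that
# validates Basic-auth credentials by connecting to MySQL as that user.
# Assumed names: package My::DbAuth, host db.internal, database app.
package My::DbAuth;
use strict;
use warnings;
use Apache::Constants qw(OK AUTH_REQUIRED);
use DBI;

# Only the host and database name live in the config; no credentials.
my $DSN = 'DBI:mysql:database=app;host=db.internal';

sub handler {
    my $r = shift;

    # Pull the Basic-auth credentials the browser sent (in the clear unless
    # the site is served over TLS, as noted in the replies above).
    my ($ret, $sent_pw) = $r->get_basic_auth_pw;
    return $ret unless $ret == OK;
    my $user = $r->connection->user;

    # Reject empty credentials before touching the database.
    unless (defined $user && length $user && defined $sent_pw && length $sent_pw) {
        $r->note_basic_auth_failure;
        return AUTH_REQUIRED;
    }

    # The database's grant tables are the only authority: connect with the
    # user's own credentials and treat a refused connection as a failed login.
    my $dbh = DBI->connect($DSN, $user, $sent_pw,
        { RaiseError => 0, PrintError => 0, AutoCommit => 1 });
    unless ($dbh) {
        $r->log_reason("db login failed for '$user': " . DBI->errstr, $r->uri);
        $r->note_basic_auth_failure;
        return AUTH_REQUIRED;
    }

    # Hand the per-user handle to the content handler for this request only.
    # It must not be cached across requests, since each request may belong
    # to a different user; one connect per request is the cost tilly mentions.
    $r->pnotes(dbh => $dbh);
    $r->register_cleanup(sub { $dbh->disconnect });
    return OK;
}

1;

# httpd.conf (assumed location):
#   <Location /app>
#     AuthType Basic
#     AuthName "Database login"
#     PerlAuthenHandler My::DbAuth
#     require valid-user
#   </Location>
```

The content handler fetches the handle with `$r->pnotes('dbh')`; because the handle is tied to the request, a user can only run what MySQL's grants allow for that account.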

Re: Authenticating to mySQL through DBI on Apache?
by barrd (Canon) on Jul 13, 2003 at 13:33 UTC
    Hello Massyn,
    I'm not trying to be funny here but when you say:
    Even if you manage to get onto the web server, you should not be able to get the username and password off any text file on the server -- that's what I'm trying to achieve.
    Have you considered what's in the /var/lib/mysql/mysql/ directory? (Of course your path may be different). Taking a peek at user.ISD will give you usernames and passwords, albeit the password is encrypted, but that for a wily cracker wouldn't present too much of a problem if they were smart enough to get past your firewall and gain entry to your server.

    Again, I'm not trying to be a smarty pants; it's just so you take that into consideration if you hadn't known or thought about it yet. :)

Re: Authenticating to mySQL through DBI on Apache?
by antirice (Priest) on Jul 13, 2003 at 22:43 UTC

    Just wondering, but what keeps the guy who breaks into your system from setting up something that harvests those usernames and passwords from any method of authorization? This is why they introduced digest authorization and are further beefing up security with the Apache 2.1 authorization scheme.

    As a side note, do not encrypt the username and password for a DBI connection on the server unless you REALLY REALLY want to. Think about it if you will: the server has to decrypt them somehow. The decryption key will be either stored somewhere on the machine or provided by the user. If someone takes control of the system, they can either find it wherever it is on the hard drive or harvest it the next time someone comes in. Forming the database connection is already expensive and decrypting the username and password will only make this process more expensive.

    antirice
    The first rule of Perl club is - use Perl
    The ith rule of Perl club is - follow rule i - 1 for i > 1