Mod_Perl Handlers and URL Based Authorization: What's The Best Aproach For A Rank Based Forum?

Revelation has asked for the wisdom of the Perl Monks concerning the following question:

In CGI::Prototype - let me clarify the response phase for you metaperl identifies authentication and authorization as two general phases of a request; similarly, the very useful book, Writing Apache Modules with Perl and C, focuses a chapter on Apache's API with regards to those two phases of a request. In general I'm rather familiar with the authentication phase of a request, which is standardized for my site (a session object has most of the pertinent information,) and comfortable with Apache::AuthenHandler(s).

However, I'm interested in how (Mod_)Perl Monks approach authorizing users for sites like forums, for which each forum may require different access privileges. Is it bad practice to handle this in the Mod_Perl script (PerlHandler) itself? Is there a standard way to approach this problem using Apache::AuthzHandler(s)? For instance, assuming my forum is located at /forum which approach would you take:

Check if the user is authorized in the mod_perl script (PerlHandler) itself? Ie. In the routine that generates the appropriate forum, retrieve the needed access from a table listing minimum access privileges?
Handle this in a single AuthzHandler. Check which forum the user is trying to access; retrieve needed privileges from a table, and then deny or allow access. I assume (I haven’t tried this) I could do this even if the path actually leads to a perl handler:
```
<Location /forum>
 AuthName Restricted
 AuthType Basic
 PerlAuthenHandler My::CookieAuthenAnyHandler
 PerlAuthzHandler  My::AuthzHandler
</Location>
[download]
```
The final option, which I would err towards if the site wasn’t dynamic would be to require different authentication levels within Apache’s config file for different paths. To allow the creation and changing of access privileges in a forum, however, I would have to restart Apache rather often.

So I guess my question is which approach do you think I should take? Is there a way to implement the third approach without continuously restarting Apache? While the first approach means that I won’t have to parse the appropriate forum name twice, the second approach seems to be in accordance with separation of concerns (and I could always just set the forum using $r->subprocess_env or $r->notes or pnotes. Is the second approach more in tune with Mod_Perl’s designs as a language? What’s your advice?

Gyan

Comment on Mod_Perl Handlers and URL Based Authorization: What's The Best Aproach For A Rank Based Forum? Select or Download Code

Replies are listed 'Best First'.
Re: Mod_Perl Handlers and URL Based Authorization: What's The Best Aproach For A Rank Based Forum? by rdfield (Priest) on Feb 11, 2005 at 09:40 UTC
Your second idea is the one to go for. Whether or not the URL is handled by Perl or is a static page or even by something else, it doesn't matter to the Auth(z\|en) handler, just the cookie and/or the URL as entered by the user is all you need. A large site I'm working on allows anyone, registered or not, to view any page. However, if you're logged in you see potentially different content, and even further, depending on the level of access granted the content will be even further tailored. All handled through the magic that is mod_perl and HTML::Mason. There's definitely no call for constantly re-starting a mod_perl enabled Apache webserver just because you've added a new directory dynamically. All you need to do is build a small form for an administrator to set paths/access levels, store it in a database for use within your Auth handlers. rdfield	[reply]
Re: Mod_Perl Handlers and URL Based Authorization: What's The Best Aproach For A Rank Based Forum? by Anonymous Monk on Feb 11, 2005 at 16:25 UTC
In general seperating concerns (your second aproach) is the appropriate way to do this--what makes mod_perl so cool is that you can hook into different phases of the Apache process! (ie. you can validate input, use access control, authenticate, and authorize all in distinct modules.) However, the appropriate approach is determined also by the current state of your code. For instance, if you are using AuthenHandlers, then use an AuthzHandler; however, if you're migrating your code (and using Apache::PerlRun or the like) then I wouldn't worry about seperating concerns. Moreover, it depends on how concerned you are with speed; with regards to your final solution, I agree that restarting Apache so often may not be the best aproach--however, perhaps, if you put PerlCode into the Apache config file you could somehow finagle something? For instance, by having a requires statement that calls code, like what's in the Mod_perl book. I'm not exactly sure if this aproach would work, so somebody more experienced with the language should feel free to pipe up!	[reply]