Apache::AuthzUserDir - mod_perl UserDir authorization module




NAME


Apache::AuthzUserDir - mod_perl UserDir authorization module

SYNOPSIS


 <Directory /home/*/public_html>
 PerlAuthzHandler Apache::AuthzUserDir

 # This is the standard authentication stuff.
 # Any can be used, but basic .htpasswd authentication
 # is shown for simplicity.
 AuthName "Foo Bar Authentication"
 AuthType Basic
 AuthUserFile /usr/local/apache/.htpasswd-userdirs
 # This tells apache to only let in users whose
 # http login name matches the * in /home/*/public_html
 require valid-user

 </Directory>

DESCRIPTION


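Apache::AuthzUserDir is designed to work with mod_perl and Apache's mod_userdir so that a single systemwide <Directory> block and .htpasswd file can be used to allow each authenticated user into only their own UserDir (typically public_html) directory. The handler decides this by comparing the authenticated login name with the ~user segment of the request URI; a request whose URI has no such segment is declined, which leaves the decision to whatever other authorization handlers are configured.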

This is especially useful with mod_dav and mod_ssl running on an alternate port for users to upload to their public webspace.

COPYRIGHT Copyright (C) 2002, Peter Clark All Rights Reserved


package Apache::AuthzUserDir;

# NOTE(review): only strict is enabled; warnings are not turned on in this file.
use strict;
# Supplies the handler status constants used below
# (OK, DECLINED, FORBIDDEN, AUTH_REQUIRED).
use Apache::Constants ':common';

# Distribution version, assigned to the package variable by its full name.
$Apache::AuthzUserDir::VERSION = '0.92';

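# Authorization-phase handler: admits an authenticated user to a UserDir
# request only when the login name equals the ~name segment of the URI.
#
# Argument:
#   $r - the Apache request object.
#
# Returns (Apache::Constants):
#   OK            - no "require" directives apply, or "require valid-user"
#                   is present and the login name equals the ~name in the URI
#   DECLINED      - the URI contains no "/~name" part; this handler gives no
#                   opinion and other configured authorization handlers decide
#   FORBIDDEN     - "require valid-user" is present and the names differ
#   AUTH_REQUIRED - the user name or password is missing, or no
#                   "require valid-user" entry was found
#   Any non-OK status from get_basic_auth_pw is passed through unchanged.
#
# NOTE(review): the decision is taken on $r->uri, not on the mapped filename.
# Requests that reach the protected directories through a URI without a
# "/~name" part are DECLINED here, so confirm that no other URI mapping
# exposes those directories, or that another handler restricts it.
sub handler {
    my $r = shift;

    my $requires = $r->requires;
    return OK unless $requires;

    # Fetch the Basic-auth password; a non-OK status is returned as-is.
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;

    my $user = $r->connection->user;

    # Test for presence with defined/length rather than truthiness: the
    # string "0" is false in Perl, so a user name or password of "0" would
    # otherwise be treated as missing.
    unless (defined $user && length $user
        && defined $sent_pw && length $sent_pw) {
        $r->note_basic_auth_failure;
        $r->log_reason("Both a username and password must be provided", $r->filename);
        return AUTH_REQUIRED;
    }

    my $file = $r->uri;

    # Only URIs that contain "/~" followed by something are handled here.
    return DECLINED unless $file =~ m{/~.+};

    # The user is everything after "/~" up to the next slash, or to the end
    # of the string for requests such as http://foo.com/~user without a
    # trailing slash. The capture uses the same "/~" marker as the check
    # above, so both always refer to the same path segment; a bare "~"
    # elsewhere in the URI is not taken as the user name.
    my ($userdir_user) = $file =~ m{/~([^/]+)};

    for my $entry (@$requires) {
        # Only the first word of the directive is examined.
        my ($requirement) = split(/\s+/, $entry->{requirement});

        if (lc($requirement) eq 'valid-user') {
            # A URI such as "/~/x" passes the check above but yields no
            # name; treat that as a mismatch and fail closed.
            return OK if defined $userdir_user && $userdir_user eq $user;

            # A different user is trying to get in: forbid.
            $r->log_reason("Apache::AuthzUserDir - declined $user access to $file");
            return FORBIDDEN;
        }

        # Any other "require" form is not understood by this module; it is
        # logged and never grants access.
        $r->log_reason("Apache::AuthzUserDir - unknown require $requirement");
    }

    # No "require valid-user" entry was found: deny and ask for credentials.
    $r->note_basic_auth_failure;
    $r->log_reason("Apache::AuthzUserDir - user $user: not authorized", $r->uri);
    return AUTH_REQUIRED;
}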

1;
__END__