Re: Feature extension to auth_request module: FastCGI authorizer

Maxim Dounin
April 22, 2013 12:40PM
Hello!

On Mon, Apr 22, 2013 at 12:35:51AM -0400, davidjb wrote:

> I've written an additional feature into the Auth Request module (from
> http://mdounin.ru/hg/ngx_http_auth_request_module/) that allows a user to
> control the behaviour of the auth_request in such a way that it can act as a
> FastCGI authorizer. This patch that I have written allows the user to
> specify the flag "authorizer=on" against a call to "auth_request" (eg
> "auth_request /my-auth authorizer=on;") and the auth request module will
> behave as per the authorizer specification
> (http://www.fastcgi.com/drupal/node/22#S6.3).
>
> There is one (potentially significant) caveat for now, which is that
> request/response bodies are not passed to the authorizer or back to the
> client respectively - assistance on this would be greatly appreciated.
> However, as it stands at present, the authorizer mode is able to correctly
> handle situations where only the headers are utilised -- eg the Shibboleth
> SSO FastCGI authorizer which relies on redirection and cookies and never a
> response/request body. This satisfies at least what I need it for at
> present and authentication works successfully.
>
> I'd like to see about whether this can be included within the main module
> itself at http://mdounin.ru/hg/ngx_http_auth_request_module, as I know this
> will be useful to more than just me. For example, see the various posts and
> questions surrounding this:
> https://www.google.com/search?q=fastcgi+authorizer+nginx .
>
> The latest version of my module lives at:
> https://bitbucket.org/davidjb/ngx_http_auth_request_module
>
> and the one main diff is located at:
> https://bitbucket.org/davidjb/ngx_http_auth_request_module/commits/3d865a718d3e34e4e353962ccc71c588a806db31/raw/
>
> Comments are more than welcome.

For me it doesn't look like what you do actually matches the FastCGI
Authorizer specification, even if we ignore the fact that the body
isn't handled properly and authorizer mode isn't advertised to
FastCGI.

Most of the code in the patch seems to be dedicated to special
processing of Variable-* headers. But they don't seem to do what
they are expected to do as per FastCGI spec - with your code the
"Variable-AUTH_METHOD" header returned by an authorizer will
result in "AUTH_METHOD" header being passed to the application,
i.e. it will be available in HTTP_AUTH_METHOD variable in
subsequent FastCGI requests - instead of AUTH_METHOD variable as
per FastCGI spec.

Please also note that it's a bad idea to try to modify input headers -
this is not something expected to be done by modules, and will
result in a segmentation fault if you try to do it in a
subrequest.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
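
Added example (not part of the original message, and not code from the patch or from nginx): a small Python model of the naming difference raised in the reply above, contrasting a "Variable-AUTH_METHOD" authorizer header injected as a request header with the same header applied as a FastCGI variable. All function names and sample values are constructed for illustration.

```python
# Added example: models the header-to-variable mapping discussed in the reply.
# Function names and sample values are constructed, not taken from nginx.

def cgi_params_from_request_headers(headers):
    """Request headers reach a FastCGI application as HTTP_* params."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}

def variables_from_authorizer(status, headers):
    """Authorizer role: on status 200, each Variable-* response header yields
    a variable named by the text after the prefix. Any other status denies
    access, so no variables are produced."""
    if status != 200:
        return {}
    prefix = "variable-"
    return {name[len(prefix):]: value
            for name, value in headers.items()
            if name.lower().startswith(prefix) and len(name) > len(prefix)}

def params_header_injection(client_headers, status, auth_headers):
    """Behaviour the reply describes for the patch: the variable is added as
    a request header, so the application sees it with an HTTP_ prefix."""
    merged = dict(client_headers)
    merged.update(variables_from_authorizer(status, auth_headers))
    return cgi_params_from_request_headers(merged)

def params_per_spec(client_headers, status, auth_headers):
    """Behaviour the reply attributes to the spec: the variable is set
    directly, under its own name, alongside the HTTP_* params."""
    params = cgi_params_from_request_headers(client_headers)
    params.update(variables_from_authorizer(status, auth_headers))
    return params

# Constructed sample data.
CLIENT = {"Host": "example.test", "Cookie": "session=abc"}
AUTH_OK = {"Variable-AUTH_METHOD": "shibboleth", "Content-Type": "text/html"}

if __name__ == "__main__":
    print("header injection:", params_header_injection(CLIENT, 200, AUTH_OK))
    print("per spec:        ", params_per_spec(CLIENT, 200, AUTH_OK))
```

An application that reads AUTH_METHOD finds it only in the second result; in the first it would have to look for HTTP_AUTH_METHOD.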