Hi guys,

The HTTP Authentication Header "Authorization" is absent from
$c->req->headers when running under mod_fastcgi.

In other words, under mod_fastcgi:
ok(defined $c->req->header('authorization'), 'HTTP Authorization Header')... fails

Whereas the above test passes under mod_perl.

I've done some searching and it appears the Authorization header gets
stripped out by FastCGI as a "security precaution". The mod_fastcgi
docs (http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html)
indicate that you can disable this behaviour by adding the following
option to the FastCgiServer directive:

-pass-header header
"The name of an HTTP Request Header to be passed in the request
environment. This option makes available the contents of headers which
are normally not available (e.g. Authorization) to a CGI environment."

However this doesn't seem to work for me (Apache/2.2.3, mod_fastcgi-2.4.6).

The end result is that under mod_fastcgi
Catalyst::Plugin::Authentication::Credential::HTTP doesn't work (and
presumably neither does any other code that tries to do HTTP Basic
Authentication).

Patrick Donelan


  • Andy Grundman at Mar 12, 2008 at 2:34 am

    On Mar 11, 2008, at 9:06 PM, Patrick Donelan wrote:

    > Hi guys,
    >
    > The HTTP Authentication Header "Authorization" is absent from
    > $c->req->headers when running under mod_fastcgi.
    >
    > In other words, under mod_fastcgi:
    > ok(defined $c->req->header('authorization'), 'HTTP Authorization Header')... fails
    >
    > Whereas the above test passes under mod_perl.
    >
    > I've done some searching and it appears the Authorization header gets
    > stripped out by FastCGI as a "security precaution". The mod_fastcgi
    > docs (http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html)
    > indicate that you can disable this behaviour by adding the following
    > option to the FastCgiServer directive:
    >
    > -pass-header header
    > "The name of an HTTP Request Header to be passed in the request
    > environment. This option makes available the contents of headers which
    > are normally not available (e.g. Authorization) to a CGI environment."
    >
    > However this doesn't seem to work for me (Apache/2.2.3,
    > mod_fastcgi-2.4.6).
    >
    > The end result is that under mod_fastcgi
    > Catalyst::Plugin::Authentication::Credential::HTTP doesn't work (and
    > presumably neither does any other code that tries to do HTTP Basic
    > Authentication).

    I'm going to look into this. I hope there's a sane way to get it to
    work without having to special-case the Authorization header.
  • Tom Ott at Mar 12, 2008 at 10:21 am
    Hi,

    Andy Grundman wrote:
    > I'm going to look into this. I hope there's a sane way to get it to
    > work without having to special-case the Authorization header.

    See my posting "Engine::(Fast)CGI and Basic Auth in Apache 2" on
    29.02.2008.

    In short: Catalyst::Engine::CGI only copies environment settings =~
    /^(?:HTTP|CONTENT|COOKIE)/i; whereas in Apache2 the env setting is
    called 'Authorization' and the FastCGI engine subclasses
    Catalyst::Engine::CGI.

    So basically one has to fix prepare_headers() in Catalyst::Engine::CGI
    or subclass the FastCGI as a workaround.

    Bye
    -Thomas
  • Andy Grundman at Mar 12, 2008 at 3:26 pm

    On Mar 12, 2008, at 6:21 AM, Tom Ott wrote:

    > Hi,
    >
    > Andy Grundman wrote:
    > > I'm going to look into this. I hope there's a sane way to get it
    > > to work without having to special-case the Authorization header.
    >
    > See my posting "Engine::(Fast)CGI and Basic Auth in Apache 2" on
    > 29.02.2008.
    >
    > In short: Catalyst::Engine::CGI only copies environment settings
    > =~ /^(?:HTTP|CONTENT|COOKIE)/i; whereas in Apache2 the env setting
    > is called 'Authorization' and the FastCGI engine subclasses
    > Catalyst::Engine::CGI.
    >
    > So basically one has to fix prepare_headers() in
    > Catalyst::Engine::CGI or subclass the FastCGI as a workaround.

    Yeah, it's a bug in mod_fastcgi but we can work around it easily.
    Lighttpd properly passes the header as HTTP_AUTHORIZATION. For
    mod_fastcgi we'll have to do this:

        if ( $env{Authorization} ) {
            $env{HTTP_AUTHORIZATION} = delete $env{Authorization};
        }

    I have a patch and a test and will check it in soon.
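An added example (not Catalyst's code and not from anyone in this thread) that simulates the Catalyst::Engine::CGI header filter Tom describes and Andy's rename workaround on a constructed environment, so you can see the header disappear and come back. It assumes HTTP::Headers and Test::More are installed; headers_from_env and normalize_env are names of my own.

```perl
#!/usr/bin/env perl
# Added example: how a CGI-style engine turns the process environment into
# request headers, why a header handed over as 'Authorization' (mod_fastcgi)
# is dropped, and the fix of renaming it to HTTP_AUTHORIZATION first.
use strict;
use warnings;
use HTTP::Headers;
use Test::More tests => 3;

# Same selection rule the thread quotes from Catalyst::Engine::CGI:
# only HTTP_*, CONTENT_* and COOKIE keys become request headers.
sub headers_from_env {
    my (%env) = @_;
    my $headers = HTTP::Headers->new;
    for my $key ( grep { /^(?:HTTP|CONTENT|COOKIE)/i } keys %env ) {
        ( my $name = $key ) =~ s/^HTTP_//;       # HTTP_USER_AGENT -> USER_AGENT
        $headers->header( $name => $env{$key} ); # HTTP::Headers maps '_' to '-'
    }
    return $headers;
}

# Andy's workaround, applied before the filter runs.
sub normalize_env {
    my (%env) = @_;
    $env{HTTP_AUTHORIZATION} = delete $env{Authorization}
        if exists $env{Authorization} && !exists $env{HTTP_AUTHORIZATION};
    return %env;
}

# Constructed environment in the shape mod_fastcgi/mod_cgi hand over.
my %fastcgi_env = (
    REQUEST_METHOD  => 'GET',
    HTTP_USER_AGENT => 'example-client/1.0',
    Authorization   => 'Basic dXNlcjpwYXNz',   # constructed: "user:pass"
);
# Constructed environment in the shape lighttpd hands over.
my %lighttpd_env = %fastcgi_env;
$lighttpd_env{HTTP_AUTHORIZATION} = delete $lighttpd_env{Authorization};

ok( !defined scalar headers_from_env(%fastcgi_env)->header('authorization'),
    'unfiltered mod_fastcgi-style env: Authorization is dropped' );
ok( defined scalar headers_from_env(%lighttpd_env)->header('authorization'),
    'lighttpd-style env: header survives the filter' );
is( scalar headers_from_env( normalize_env(%fastcgi_env) )->header('authorization'),
    'Basic dXNlcjpwYXNz', 'renamed env: header restored' );
```

The third test is the one Andy's rename makes pass; the first shows the failure Patrick reported.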
  • Tom Ott at Mar 12, 2008 at 3:56 pm

    Andy Grundman wrote:
    > Yeah, it's a bug in mod_fastcgi but we can work around it easily.
    > Lighttpd properly passes the header as HTTP_AUTHORIZATION. For
    > mod_fastcgi we'll have to do this:
    >
    >     if ( $env{Authorization} ) {
    >         $env{HTTP_AUTHORIZATION} = delete $env{Authorization};
    >     }
    >
    > I have a patch and a test and will check it in soon.

    Great. Thanks!
  • Andy Grundman at Mar 12, 2008 at 3:53 pm
    While testing this I found that mod_cgi also seems to strip the
    Authorization header. I found this ugly fix:

        RewriteCond %{HTTP:Authorization} ^(.+)
        RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]
  • Andy Grundman at Mar 12, 2008 at 4:00 pm

    On Mar 12, 2008, at 11:53 AM, Andy Grundman wrote:

    > While testing this I found that mod_cgi also seems to strip the
    > Authorization header. I found this ugly fix:
    >
    >     RewriteCond %{HTTP:Authorization} ^(.+)
    >     RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]

    Good news! This fix appears to work for mod_fastcgi also and doesn't
    require any Catalyst code changes. :)

    I'll still check in my test and update the docs.
  • Thomas Ott at Mar 12, 2008 at 8:51 pm

    Andy Grundman wrote:
    > On Mar 12, 2008, at 11:53 AM, Andy Grundman wrote:
    >
    > > While testing this I found that mod_cgi also seems to strip the
    > > Authorization header. I found this ugly fix:
    > >
    > >     RewriteCond %{HTTP:Authorization} ^(.+)
    > >     RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]

    I found a lot of references in various FastCGI-PHP related stuff about
    the 'more standard' Authorization header. Unfortunately I am not quite
    sure what standard they refer to ...

    > Good news! This fix appears to work for mod_fastcgi also and doesn't
    > require any Catalyst code changes. :)
    >
    > I'll still check in my test and update the docs.

    Great. Thanks again for the work.

    -Thomas

Discussion Overview
group: catalyst
categories: catalyst, perl
posted: Mar 12, '08 at 1:06a
active: Mar 12, '08 at 8:51p
posts: 8
users: 3
website: catalystframework.org
irc: #catalyst