NAME

Apache::AuthzCache - mod_perl Cache Authorization Module

SYNOPSIS

 <Directory /foo/bar>
 # Authorization Realm and Type (only Basic supported)
 AuthName "Foo Bar Authentication"
 AuthType Basic

 # Any of the following variables can be set.
 # Defaults are listed to the right.
 PerlSetVar AuthzCache_CaseSensitive Off       # Default: On
 PerlSetVar AuthzCache_CacheTime       60        # Default: Empty String ("")

 PerlAuthzHandler Apache::AuthzCache <Primary Authorization Module> Apache::AuthzCache::manage_cache

 require group "My Group" GroupA "Group B"     # Authorize user against
                                               # multiple groups
 </Directory>

DESCRIPTION

Apache::AuthzCache is designed to work with a mod_perl authorization module to provide caching of group membership for site users. For a list of mod_perl authorization modules see:

http://www.cpan.org/modules/by-module/Apache/apache-modlist.html

When a request that requires authorization is received, Apache::AuthzCache looks up the REMOTE_USER in a shared-memory cache (using IPC::Cache) and compares the list of groups in the cache against the groups enumerated within the "require" configuration directive. If a match is found, the handler returns OK and clears the downstream Authz handlers from the stack. Otherwise, it returns DECLINED and allows the next PerlAuthzHandler in the chain to be called.

After the primary authorization handler completes with an OK, Apache::AuthzCache::manage_cache adds the new group (listed in REMOTE_GROUP) to the cache.

CONFIGURATION OPTIONS

The following variables can be defined within the configuration of Directory, Location, or Files blocks or within .htaccess files.

AuthzCache_CaseSensitive

If this directive is set to 'Off', group matches will be case insensitive.

AuthzCache_CacheTime

The time with which a user's entry within the cache will remain, measured in minutes.

NOTES

This module requires that the primary authorization handler set the REMOTE_GROUP environment variable with the group to which the user successfully was authorized.

This module also has a workaround to the bugs in the set_handlers() method of mod_perl-1.2x. It will write notes to downstream handlers.

At the time of publication, the only primary authorization handler established to both set the REMOTE_GROUP and read the notes left by AuthzCache is Apache::AuthzLDAP.

AVAILABILITY

This module is available via CPAN at http://www.cpan.org/modules/by-authors/id/C/CG/CGILMORE/.

AUTHORS

Christian Gilmore <cag@us.ibm.com>

SEE ALSO

httpd(8)

COPYRIGHT

Copyright (C) 2003, International Business Machines Corporation and others. All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the terms of the IBM Public License.