Apache 2.4 has a VERY different authentication API from previous versions. You will not be able to simply ugrade apache and upgrade AuthCookie in order to migrate to Apache 2.4. You will also need to port your AuthCookie subclass over to the Apache 2.4 API, and update your Apache configuration for Apache 2.4.
This document attempts to help you understand the changes required and how to port your module over to Apache 2.4. If your subclass stopped working when you migrated to Apache 2.4, please make sure you have read and understand everything in this document before filing a bug report.
You need at least mod_perl version 2.0.9, which is the first official release to support Apache 2.4.
mod_perl
You need Apache::Test version 1.39 or later. Previous versions do not define the constant APACHE2_4 which is needed for the test suite.
APACHE2_4
You must not call authcookie's authorize() method. Authorization is done using AuthzProvider's under Apache 2.4 and these work very different from previous apache versions. If you are simply doing simple things such as Require user ... or Require valid-user in your httpd.conf, then you likely do not need an authorization provider at all. Apache 2.4 handles these for you in mod_authz_user.c.
Require user ...
Require valid-user
httpd.conf
mod_authz_user.c
Related to previous item, you must change every method that was called as a PerlAuthzHandler under previous versions to return one of the following values:
PerlAuthzHandler
return this constant if $r->user is empty/undefined and you do not wish to allow anonymous access.
$r->user
return this constant if $r->user is not authorized for the current request.
return this constant if $r->user is authorized for the current request
return this constant to indicate an error processing authz requirements.
return this constant to indicate a neutral response. It is assumed that another authz provider will be checked in a parent/sibling scope that will return granted or denied.
Remove all PerlAuthzHandler entries. PerlAuthzHandler is not necessary in Apache 2.4. If you are doing custom authoriaztion, you need to convert these to PerlAddAuthzProvider entries:
PerlAddAuthzProvider
Depending on what your Require directives say, you may need to add one or more top level PerlAddAuthzProvider entires and implement a handler for each one.
Require
If your Require directives are simply valid-user or user ... then you do not need to do this. Apache already provides an authz provider that handles user and valid-user requirements for you in mod_authz_user.c.
valid-user
user ...
user
If you are Require'ing anything other than valid-user or user ... then you will need to write your own Authz Provider method and register it with Apache.
Authz Providers are the Apache 2.4 equivalent of a PerlAuthzHandler method. Each one implements a specific requirement. E.g.:
PerlAddAuthzProvider species My::AuthCookieHandler->authz_species
Will be called to handle a
Require species klingon
Directive.
It is important to know that Authz Providers are called twice for a request. First, the authz provider is called before authentication has been processed to check for anonymous access. In this method call, $r->user is not set (to allow for your handler to allow annonymous access). You are expected to return one of:
Access is granted and no further authn/authz processing will occur for this request.
The response is HTTP_FORBIDDEN (unless neutral is overridden by another provider)
HTTP_FORBIDDEN
This should be returned if $r->user is not set and you do not wish to allow anonymous access. Authentication will be processed, $r->user will be set with the current username and your authz provider will be called again.
The second time the authz provider is called, $r->user is set and you are expected to return one of:
The request is allowed
The request is forbidden
The request is forbidden, unless another authz provider returns AUTHZ_GRANTED. Consult the apache documentation about authorization merging for more info.
AUTHZ_GRANTED
You could also return AUTHZ_GENERAL_ERROR from any of these to indicate an error processing authz directives and halt processing immediately.
AUTHZ_GENERAL_ERROR
One way to think about these response codes what kind of Require satisfies is in effect:
In this case the priority of responses is:
Processing stops immediately
Processing stops immediately, no siblings are processed. Request is denied.
Process Authentication and try again
Continue processing siblings.
Processing stops immediately, no siblings are processed. Request is allowed.
You need to use a PerlAddAuthzProvider and write an appropriate handler as described above instead. Note that you do not need a PerlAddAuthzProvider for user or valid-user requirements. Apache already handles those internally via mod_authz_user.c
Satisfy support is removed as it is no longer needed with Apache 2.4.
You are expected to use RequireAll or RequireAny instead.
RequireAll
RequireAny
e.g.:
PerlAddAuthzProvider species Your::AuthCookieHandler->authz_species_handler <RequireAll> Require valid-user Require species klingon </RequireAll>
see: https://httpd.apache.org/docs/2.4/howto/auth.html#reqaccessctrl
In Apache 2.4, in mod_authz_core, if no authz handlers return AUTHZ_GRANTED, then HTTP_UNAUTHORIZED is returned. In previous versions of Apache, HTTP_FORBIDDEN was returned. You can get the old behaviour if you want it with:
mod_authz_core
HTTP_UNAUTHORIZED
# in httpd.conf AuthzSendForbiddenOnFailure On
Why is my authz method called twice per request?
This is normal behaviour under Apache 2.4. This is to accomodate for authorization of anonymous access. You are expected to return Apache2::Const::AUTHZ_DENIED_NO_USER IF $r->user has not yet been set if you want authentication to proceed. Your authz handler will be called a second time after the user has been authenticated.
Apache2::Const::AUTHZ_DENIED_NO_USER
I get an error like Can't locate object method "requires" via package Apache2::RequestRec ...
Can't locate object method "requires" via package Apache2::RequestRec ...
This is because you called AuthCookie's authorize() method, which is illegal under Apache 2.4. This could either be because your AuthCookie subclass explicitly called authorize(), or (more likely) because your httpd.conf contains a line like:
AuthCookie
authorize()
PerlAuthzHandler My::AuthCookie->authorize
You should remove lines from httpd.conf that call authorize, and your subclass should not be calling authorize().
authorize
If you need to do custom autorization, you need to write an authz provider instead.
My log shows an entry like:
authorization result of Require ...: denied (no + # authenticated user yet)
These are normal. This happens because the authz provider returned AUTHZ_DENIED_NO_USER and the authz provider will be called again after authentication happens.
AUTHZ_DENIED_NO_USER
To install Apache::AuthCookie, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Apache::AuthCookie
CPAN shell
perl -MCPAN -e shell install Apache::AuthCookie
For more information on module installation, please visit the detailed CPAN module installation guide.