
Mailing List Archive: Catalyst: Users

SOLVED Re: 5.80005: $c->req->remote_user and apache: excluding actions from authentication

 

 



francesc.roma+catalyst at gmail

Jun 10, 2009, 2:04 AM

Post #1 of 3 (396 views)

2009/6/9 Francesc Romà i Frigolé <francesc.roma+catalyst[at]gmail.com>


> I'm trying the new feature $c->req->remote_user introduced in 5.80005. I'd
> like to know if it is possible to tell apache, in a .htaccess file, to not
> ask authentication for a certain set of URIs (for example matching /public/)
>
> I'm on a shared account in asmallorange.com ( apache 1.3.41). I'm using
> fastcgi.
>


I found a workaround for this scenario. Instead of setting up fastcgi in
.htaccess at the root of the application, I make two different directories
for public and private, with different authentication rules. My directory
structure is like this

public_html/myapp/static (soft link to MyApp/static)
public_html/myapp/public
public_html/myapp/public/script (soft link to MyApp/script)
public_html/myapp/private
public_html/myapp/private/script (soft link to MyApp/script)


The .htaccess in the public directory is like this

AddHandler fastcgi-script .pl

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ script/myapp_fastcgi.pl/public/$1 [QSA,L]

Similarly in the private directory:

AddHandler fastcgi-script .pl

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ script/myapp_fastcgi.pl/private/$1 [QSA,L]

Auth stuff [...]


Also, in the static directory I could leave some things public ( css,
javascript, icons...) but make other private ( uploads, reports, ...) by
placing a .htaccess file requiring authentication in each corresponding
directory.

It's not a very flexible or elegant approach, but it seems to work.

Regards,
Francesc
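
Added example, not part of the original post or of Catalyst itself: in the layout above both public/script and private/script link to the same myapp_fastcgi.pl, so a /private/ path prefix alone does not show that Apache authenticated the request. A controller-level check on $c->req->remote_user closes that gap inside the application. The controller name MyApp::Controller::Private and the report action are hypothetical.

```perl
package MyApp::Controller::Private;
# Added example; the package and action names are hypothetical.
use strict;
use warnings;
use parent 'Catalyst::Controller';

# Serve this controller's actions under /private/..., the prefix that
# the RewriteRule in private/.htaccess prepends to every request.
__PACKAGE__->config( namespace => 'private' );

# auto runs before every action in this controller. Returning false
# stops dispatch, so the requested action never executes.
sub auto : Private {
    my ( $self, $c ) = @_;

    # remote_user is only populated when the web server authenticated
    # the request (REMOTE_USER passed through by Apache).
    my $user = $c->req->remote_user;
    return 1 if defined $user && length $user;

    # The request reached a /private/ action without passing Apache
    # auth: log it and refuse instead of trusting the URL prefix.
    $c->log->warn( 'Unauthenticated request for /'
            . $c->req->path . ' from '
            . $c->req->address );
    $c->res->status(403);
    $c->res->content_type('text/plain');
    $c->res->body('Forbidden');
    return 0;
}

# Example private action; only reached when auto returned true.
sub report : Local {
    my ( $self, $c ) = @_;
    $c->res->content_type('text/plain');
    $c->res->body( 'Report for ' . $c->req->remote_user );
}

1;
```

The warn line also gives a log entry to alert on: any hit means a private action was requested through a path that Apache did not protect.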


bobtfish at bobtfish

Jun 10, 2009, 2:20 AM

Post #2 of 3 (371 views)

On 10 Jun 2009, at 10:04, Francesc Romà i Frigolé wrote:
>
> Also, in the static directory I could leave some things public
> ( css, javascript, icons...) but make other private ( uploads,
> reports, ...) by placing a .htaccess file requiring authentication
> in each corresponding directory.
>

Why not just totally exclude public things from going into Catalyst
at all?

You're meant to (and all the deployment guides recommend) just
excluding normal public static files from Catalyst seeing at all.

BTW, auth doesn't have to be configured in .htaccess, in fact, I'd
only do that if you have to, as re-reading htaccess files can end up
fairly expensive.

Cheers
t0m


_______________________________________________
List: Catalyst[at]lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst[at]lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


francesc.roma+catalyst at gmail

Jun 10, 2009, 3:30 AM

Post #3 of 3 (369 views)

On Wed, Jun 10, 2009 at 11:20 AM, Tomas Doran <bobtfish[at]bobtfish.net> wrote:

>
> On 10 Jun 2009, at 10:04, Francesc Romà i Frigolé wrote:
>
>>
>> Also, in the static directory I could leave some things public ( css,
>> javascript, icons...) but make other private ( uploads, reports, ...) by
>> placing a .htaccess file requiring authentication in each corresponding
>> directory.
>>
>>
> Why not just totally exclude public things from going into Catalyst at all?




Yes, that is what I'm doing, I should have said it more explicitly. I don't
make the application root directory ( /public_html/myapp) go through
Catalyst. Only the subdirectories that have an explicit .htaccess do. So
everything is "static" unless stated otherwise. There is no .htaccess in
/public_html/myapp



> BTW, auth doesn't have to be configured in .htaccess, in fact, I'd only do
> that if you have to, as re-reading htaccess files can end up fairly
> expensive.
>


I'm on a shared hosting. I'm trying to find out if I can get a reasonable
performance serving non public static files. With the setup I described
there is at most one .htaccess file that needs to be read for each request:
either it redirects dynamic stuff to catalyst ( different .htaccess for
public or private ) or serves a public static file (no .htaccess to be read)
or serves static private files (no catalyst, static/private/.htaccess)

cheers
