Simple authorization with FastCGI

FastCGI is a high-performance API supported by the Zeus Web Server. It is an open standard, and is language and platform independent. FastCGI provides both authorization and content generation services, and has a simple, quick development cycle. FastCGI is recommended as a general purpose solution for almost any task. Here is a simple example of using FastCGI to perform authorization. It is written in Perl, using the Perl FastCGI library described in the Hello World example.

#!/usr/bin/perl
 
use FCGI;
 
while (FCGI::accept >= 0)
{
    if( $ENV{'REMOTE_USER'  } eq "foo" &&
        $ENV{'REMOTE_PASSWD'} eq "bar"  )
    {
        print( "Status: 200\n\n" );
    }
    else
    {
        print( "Status: 401\n\n" );
        print( "WWW-Authenticate: basic realm=\"foo\"\n\n" );
    }
}

A FastCGI authorizer simply retrieves the information about the request using FCGI::accept() , and then returns a response of either 'Status: 200' if the request should be allowed, or 'Status: 401' if the username or password is invalid.

In this case, any requests passed to the authorizer will be allowed only is the user supplied a username of 'foo' and a password of 'bar'. Otherwise the authorizer will disallow the request and prompt the user to enter a new password. Running this example

In order to run this code, you'll need to enable FastCGI authorizer support in the Zeus Web Server and have installed a copy of Perl and the FCGI perl module. Authenticating against a database

As a more advanced example, imagine wanting to authenticate the customers request from a backend SQL customer data which holds all the information about your customers. This is such a common task we explain how to do this in detail.

For this example, we are going to use the popular MySQL, and a simple database schema to hold our customer information. The database is running on a machine called 'db', and is a schema that comprises of a single table called 'users' which looks like:

Username	Password
Fred	Bloggs
John	Doe

Thus to retrieve a password for a given user, we would issue the following SQL statement:

/* the question mark is a marker for a `bound parameter'*/
select password from users where username = ?;

Altering our FastCGI application to connect to this database and check the user supplied password against it is very easy, here's a mysql version.

Note, one of the key advantages of FastCGI is its ability to have persistent database-connections. Establishing a new connection to a database is generally a very time-consuming and CPU-intensive task, so persistent database connections provide a huge performance increase. When doing database queries in FastCGI one can spawn multiple instances of the authorizer process to allow multiple database queries to be running in parallel Authenticating against a LDAP server

Instead of using a general purpose database, many large ISPs and corporations are now choosing to keep their customer data in a global LDAP database, commonly known as a white pages server. Again, altering the FastCGI example to query the LDAP server is an easy task.

For this example, OpenLDAP slapd server (http://www.openldap.org/) with the following configuration:

Our 'minimal' slapd.conf file contained:

schemacheck     off
database        ldbm
suffix          "o=Zeus Technology, c=UK"
directory       /tmp
defaultaccess   read
rootdn          "cn=root, o=Zeus Technology, c=UK"
rootpw          secret

All access was disabled to the LDAP server unless the client provided the rootdn/rootpw. Different access control rules between the web server and your LDAP server will probably apply to your setup.

The database we used, in `ldif' format was:

dn: o=Zeus Technology, c=UK
o: Zeus Technology
 
dn: cn=fred_bloggs, ou=People, o=Zeus Technology, c=UK
cn: fred_bloggs
password: secret
 
dn: cn=john_doe, ou=People, o=Zeus Technology, c=UK
cn: john_doe
userid: john.doe
password: notverysecret

This defined two users, each with a password. In this example we have stored the plaintext passwords in the LDAP server for simplicity, but a hash of the passwords could easily be stored instead.

The FastCGI application will need to be able to retrieve the password for a given user name. Queries are encoded in the standard LDAP URL format (see http://search.ietf.org/rfc/rfc2255.txt for a full specification).

Using our example database schema above, and the knowledge that our test LDAP server was setup on a machine named `olympus', the LDAP query URL we need is:

ldap://olympus/o=Zeus Technology, c=UK?password?sub?userid=$u

Content Manager [Administrator] 16 December 2005

Recently...

Other Resources

The ZWS Online Support service is provided as is, without warranty or specific endorsement by Zeus Technology. For technical support queries, please contact Zeus Technical Support. Articles and comments may not reflect the views of Zeus Technology. • Disclaimer and Privacy statement.