APACHE 2.4 PORTING NOTES

VERY IMPORTANT!!!

Apache 2.4 has a VERY different authentication API from previous versions. You will not be able to simply ugrade apache and upgrade AuthCookie in order to migrate to Apache 2.4. You will also need to port your AuthCookie subclass over to the Apache 2.4 API, and update your Apache configuration for Apache 2.4.

This document attempts to help you understand the changes required and how to port your module over to Apache 2.4. If your subclass stopped working when you migrated to Apache 2.4, please make sure you have read and understand everything in this document before filing a bug report.

Changes Required to Run Under Apache 2.4

Mod Perl: You need at least "mod_perl" version 2.0.9, which is the first official release to support Apache 2.4.
Apache::Test: You need Apache::Test version 1.39 or later. Previous versions do not define the constant "APACHE2_4" which is needed for the test suite.
Your AuthCookie Subclass

You must not call authcookie's authorize() method. Authorization is done using AuthzProvider's under Apache 2.4 and these work very different from previous apache versions. If you are simply doing simple things such as "Require user ..." or "Require valid-user" in your "httpd.conf", then you likely do not need an authorization provider at all. Apache 2.4 handles these for you in "mod_authz_user.c".
Related to previous item, you must change every method that was called as a "PerlAuthzHandler" under previous versions to return one of the following values:

Apache2::Const::AUTHZ_DENIED_NO_USER: return this constant if "$r->user" is empty/undefined and you do not wish to allow anonymous access.
Apache2::Const::AUTHZ_DENIED: return this constant if "$r->user" is not authorized for the current request.
Apache2::Const::AUTHZ_GRANTED: return this constant if "$r->user" is authorized for the current request
Apache2::Const::AUTHZ_GENERAL_ERROR: return this constant to indicate an error processing authz requirements.
Apache2::Const::AUTHZ_NEUTRAL: return this constant to indicate a neutral response. It is assumed that another authz provider will be checked in a parent/sibling scope that will return granted or denied.

httpd.conf

Remove all "PerlAuthzHandler" entries. "PerlAuthzHandler" is not necessary in Apache 2.4. If you are doing custom authoriaztion, you need to convert these to "PerlAddAuthzProvider" entries:
Depending on what your "Require" directives say, you may need to add one or more top level "PerlAddAuthzProvider" entires and implement a handler for each one.
If your "Require" directives are simply "valid-user" or "user ..." then you do not need to do this. Apache already provides an authz provider that handles "user" and "valid-user" requirements for you in "mod_authz_user.c".
If you are "Require"'ing anything other than "valid-user" or "user ..." then you will need to write your own Authz Provider method and register it with Apache.
Authz Providers are the Apache 2.4 equivalent of a "PerlAuthzHandler" method. Each one implements a specific requirement. E.g.:
```
 PerlAddAuthzProvider species My::AuthCookieHandler->authz_species
    
```
Will be called to handle a
```
 Require species klingon
    
```
Directive.

It is important to know that Authz Providers are called twice for a request. First, the authz provider is called before authentication has been processed to check for anonymous access. In this method call, "$r->user" is not set (to allow for your handler to allow annonymous access). You are expected to return one of:

AUTHZ_GRANTED: Access is granted and no further authn/authz processing will occur for this request.
AUTHZ_DENIED
AUTHZ_NEUTRAL: The response is "HTTP_FORBIDDEN" (unless neutral is overridden by another provider)
AUTHZ_DENIED_NO_USER: This should be returned if "$r->user" is not set and you do not wish to allow anonymous access. Authentication will be processed, "$r->user" will be set with the current username and your authz provider will be called again.

The second time the authz provider is called, "$r->user" is set and you are expected to return one of:

AUTHZ_GRANTED: The request is allowed
AUTHZ_DENIED: The request is forbidden
AUTHZ_NEUTRAL: The request is forbidden, unless another authz provider returns "AUTHZ_GRANTED". Consult the apache documentation about authorization merging for more info.

You could also return "AUTHZ_GENERAL_ERROR" from any of these to indicate an error processing authz directives and halt processing immediately.

One way to think about these response codes what kind of Require satisfies is in effect:

RequireAll/RequireNone: In this case the priority of responses is:

AUTHZ_GENERAL_ERROR: Processing stops immediately
AUTHZ_DENIED: Processing stops immediately, no siblings are processed. Request is denied.
AUTHZ_DENIED_NO_USER: Process Authentication and try again
AUTHZ_GRANTED: Continue processing siblings.
AUTZ_NEUTRAL: Continue processing siblings.

RequireAny: In this case the priority of responses is:

AUTHZ_GENERAL_ERROR: Processing stops immediately
AUTHZ_GRANTED: Processing stops immediately, no siblings are processed. Request is allowed.
AUTHZ_DENIED_NO_USER: Process Authentication and try again
AUTHZ_DENIED: Continue processing siblings.
AUTZ_NEUTRAL: Continue processing siblings.

Important Internal API Changes for Apache 2.4

authorize() has been removed

You need to use a "PerlAddAuthzProvider" and write an appropriate handler as described above instead. Note that you do not need a "PerlAddAuthzProvider" for "user" or "valid-user" requirements. Apache already handles those internally via "mod_authz_user.c"

${auth_name}Satisfy

Satisfy support is removed as it is no longer needed with Apache 2.4.

You are expected to use "RequireAll" or "RequireAny" instead.

e.g.:

    PerlAddAuthzProvider species Your::AuthCookieHandler->authz_species_handler
    <RequireAll>
      Require valid-user
      Require species klingon
    </RequireAll>

see: <https://httpd.apache.org/docs/2.4/howto/auth.html#reqaccessctrl>

Unauthorized User HTTP Response Code

In Apache 2.4, in "mod_authz_core", if no authz handlers return "AUTHZ_GRANTED", then "HTTP_UNAUTHORIZED" is returned. In previous versions of Apache, "HTTP_FORBIDDEN" was returned. You can get the old behaviour if you want it with:

    # in httpd.conf
    AuthzSendForbiddenOnFailure On

FREQUENTLY ASKED QUESTIONS

Why is my authz method called twice per request?
This is normal behaviour under Apache 2.4. This is to accomodate for authorization of anonymous access. You are expected to return "Apache2::Const::AUTHZ_DENIED_NO_USER" IF "$r->user" has not yet been set if you want authentication to proceed. Your authz handler will be called a second time after the user has been authenticated.
I get an error like "Can't locate object method "requires" via package Apache2::RequestRec ..."
This is because you called "AuthCookie"'s authorize() method, which is illegal under Apache 2.4. This could either be because your "AuthCookie" subclass explicitly called authorize(), or (more likely) because your "httpd.conf" contains a line like:
```
 PerlAuthzHandler My::AuthCookie->authorize
    
```
You should remove lines from "httpd.conf" that call "authorize", and your subclass should not be calling authorize().

If you need to do custom autorization, you need to write an authz provider instead.
My log shows an entry like:
```
 authorization result of Require ...: denied (no + # authenticated user yet)
    
```
These are normal. This happens because the authz provider returned "AUTHZ_DENIED_NO_USER" and the authz provider will be called again after authentication happens.