[Melbourne-pm] Web auth meth

Scott Penrose scottp at dd.com.au
Mon Sep 15 02:25:39 PDT 2008


----- "Toby Corkindale" <toby.corkindale at rea-group.com> wrote:
> I don't think anyone has mentioned a downside so far..
> 
> Apache authentication handlers are harder to test.
> 
> It's still do-able, but you need to use the apache test module to actually
> boot up a live apache daemon, make requests, etc..
> Whereas if you're using a system that uses CGI
> parameters+cookies/session IDs, etc then you can test it with
> WWW::Mechanize or similar.

In practice it turns out the other way around.

* You get to test your scripts without authentication.
* If you want authentication you only need to set the user, not the password - much easier.

The argument that Apache modules are harder to test is true, but it is also true that it is harder to write modules than just straight scripts. The arguments are that the advantages outweigh the problems.

There are two very strong reasons that it is worth a little extra pain on testing the module:

* This is security - don't take it lightly - keep it separate from the rest of your code
* There are so many modules already written it is rare that you have to write your own, but when you do they are usually fairly short and easy to test.

Testing also greatly benefits from this separation. One of the rules you learn early when doing test-driven development is to reduce coupling between components. This has many benefits that I won't go into here. Write your modules that access the data without knowing any HTML - easy to test with simple data input and output. Then write your wrappers (CGI scripts, mod_perl, Catalyst, whatever) that do the HTML (you can even move the HTML itself into templates). Finally the one we have been talking about - keep your authentication completely separate. If at all possible even use a separate database.

When you finally want the end to end testing, then the Apache configuration also needs to be tested, so by all means test it through apache with one of the many good tools such as WWW::Mechanize.

Scott
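The separation Scott describes (authentication logic that knows nothing about Apache or HTML, a thin mod_perl wrapper around it, and a plain-data test that runs without a live daemon), shown as an added example that is not part of the original thread. The package names, the salted SHA-256 credential format and the `load_users` table are assumptions made up for the illustration.

```perl
# lib/MyApp/Auth.pm: the authentication logic, knowing nothing of Apache or HTML.
package MyApp::Auth;
use strict; use warnings;
use Digest::SHA qw(sha256_hex);

# Users are injected as a hashref of name => "salt:sha256hex" so tests can pass
# plain data; in production this comes from the separate credential store.
sub new { my ($class, %a) = @_; return bless { users => $a{users} || {} }, $class }

# Returns 1 on a matching password, 0 otherwise. Unknown users run the same
# hashing path as known ones rather than returning early.
sub check_password {
    my ($self, $user, $password) = @_;
    my ($salt, $digest) = split /:/, $self->{users}{$user} // 'x:' . ('0' x 64), 2;
    return sha256_hex("$salt:$password") eq $digest ? 1 : 0;
}
1;

# lib/MyApp/AuthHandler.pm: the thin mod_perl 2 wrapper. Apache config (assumed):
#   <Location /private> AuthType Basic  AuthName "private"  Require valid-user
#                       PerlAuthenHandler MyApp::AuthHandler </Location>
package MyApp::AuthHandler;
use strict; use warnings;
use Apache2::Access ();
use Apache2::RequestRec ();
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);
use Digest::SHA qw(sha256_hex);
use MyApp::Auth;

# Constructed user table standing in for the real, separately stored credentials.
sub load_users { return { alice => 's1:' . sha256_hex('s1:secret') } }

sub handler {
    my $r = shift;
    my ($status, $password) = $r->get_basic_auth_pw;   # not OK if no credentials sent
    return $status unless $status == Apache2::Const::OK;
    my $auth = MyApp::Auth->new(users => load_users());
    return Apache2::Const::OK if $auth->check_password($r->user, $password);
    $r->note_basic_auth_failure;                       # re-challenge the client
    return Apache2::Const::HTTP_UNAUTHORIZED;
}
1;

# t/auth.t: exercises the logic with plain data, no Apache running.
use Test::More tests => 3;
use Digest::SHA qw(sha256_hex);
use MyApp::Auth;
my $auth = MyApp::Auth->new(users => { alice => 's1:' . sha256_hex('s1:secret') });
ok( $auth->check_password('alice',   'secret'), 'correct password accepted');
ok(!$auth->check_password('alice',   'wrong'),  'wrong password rejected');
ok(!$auth->check_password('mallory', 'secret'), 'unknown user rejected');
```

The three sections are separate files; only the handler needs mod_perl, so `prove t/auth.t` runs the authentication logic on its own, and the Apache configuration is then covered by the end-to-end run through the live server.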

