[Melbourne-pm] Web auth meth

Toby Corkindale toby.corkindale at rea-group.com
Mon Sep 15 19:10:07 PDT 2008 

Scott Penrose wrote:
> ----- "Toby Corkindale" <toby.corkindale at rea-group.com> wrote:
>> I don't think anyone has mentioned a downside so far..
>>
>> Apache authentication handlers are harder to test.
>>
>> It's still do-able, but you need to the apache test module to actually
>>
>> boot up a live apache daemon, make requests, etc..
>> Whereas if you're using a system that uses CGI 
>> parameters+cookies/session IDs, etc then you can test it with 
>> WWW::Mechanize or similar.
> 
> In practice it turns out the other way around.
> 
> * You get to test your scripts without authentication.
> * If you want authentication you only need to set the user, not the password - much easier.

Is it a good thing that you get to test your scripts without authentication?
If, as you say, security is very important, then isn't it important for 
it to be well-integrated?
Sure, you want to test all your components individually, but you also 
want to test them as a whole.

> The argument that Apache modules are harder to test is true, but it is also true that it is harder to write modules than just straight scripts. The arguments are that the advantages outweight the problems.

Also, are you happy with writing code (or using code) that is shackled 
to Apache and mod_perl? What if you need to scale up, and run it on 
lighttpd, IIS, litespeed, nginx, zeus, etc?

> There are two very strong reasons that it is worth a little extra pain on testing the module:
> 
> * This is security - don't take it lightly - keep it separate from the rest of your code

See above re integration.

> * There are so many modules already written it is rare that you have to write your own, but when you do they are usually fairly short and easy to test.

But there are also modules available for non-mod-perl authentication as 
well..

> Testing also greatly benefits from this separation. One of the rules you learn early when doing test driven development is to reduce coupling between components. This has many benefits that I won't go into here. Write your modules that access the data without knowing any HTML - easy to test with simple data input and output. Then write your wrappers (CGI scripts, mod_perl, Catalyst, what ever) that do the HTML (you can even move the HTML itself into templates). Finally the one we have been talking about - keep your authentication completely separate. If at all possible even use a separate database.

I don't think this really applies to Apache-based authentication any 
differently than to non-apache-based auth though. I mean, just because 
Apache authentication is only available on Apache, and has to be tested 
using a more convoluted means, doesn't mean it's more secure than if you 
put effort into testing your other authentication.

-Toby

-- 
Toby Corkindale
Software developer
w: www.rea-group.com
REA Group refers to realestate.com.au Ltd (ASX:REA)

Warning - This e-mail transmission may contain confidential information.
If you have received this transmission in error, please notify us
immediately on (61 3) 9897 1121 or by reply email to the sender. You
must destroy the e-mail immediately and not use, copy, distribute or
disclose the contents.

More information about the Melbourne-pm mailing list