[Catalyst] Authorization header absent under mod_fcgi
Patrick Donelan
pat at patspam.com
Wed Mar 12 01:06:09 GMT 2008
Hi guys,
The HTTP Authentication Header "Authorization" is absent from
$c->req->headers when running under mod_fastcgi.
In other words, under mod_fastcgi:
ok(defined $c->req->header('authorization'), 'HTTP Authorization
Header')... fails
Whereas the above test passes under mod_perl.
I've done some searching and it appears the Authorization header gets
stripped out by FastCGI as a "security precaution". The mod_fastcgi
docs (http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html)
indicate that you can disable this behaviour by adding the following
option to the FastCgiServer directive:
-pass-header header
"The name of an HTTP Request Header to be passed in the request
environment. This option makes available the contents of headers which
are normally not available (e.g. Authorization) to a CGI environment."
However this doesn't seem to work for me (Apache/2.2.3, mod_fastcgi-2.4.6).
The end result is that under mod_fastcgi
Catalyst::Plugin::Authentication::Credential::HTTP doesn't work (and
presumably neither does any other code that tries to do HTTP Basic
Authentication).
Patrick Donelan
More information about the Catalyst
mailing list