[Catalyst] Authorization header absent under mod_fcgi
Andy Grundman
andy at hybridized.org
Wed Mar 12 02:34:17 GMT 2008
On Mar 11, 2008, at 9:06 PM, Patrick Donelan wrote:
> Hi guys,
>
> The HTTP Authentication Header "Authorization" is absent from
> $c->req->headers when running under mod_fastcgi.
>
> In other words, under mod_fastcgi:
> ok(defined $c->req->header('authorization'), 'HTTP Authorization
> Header')... fails
>
> Whereas the above test passes under mod_perl.
>
> I've done some searching and it appears the Authorization header gets
> stripped out by FastCGI as a "security precaution". The mod_fastcgi
> docs (http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html)
> indicate that you can disable this behaviour by adding the following
> option to the FastCgiServer directive:
>
> -pass-header header
> "The name of an HTTP Request Header to be passed in the request
> environment. This option makes available the contents of headers which
> are normally not available (e.g. Authorization) to a CGI environment."
>
> However this doesn't seem to work for me (Apache/2.2.3,
> mod_fastcgi-2.4.6).
>
> The end result is that under mod_fastcgi
> Catalyst::Plugin::Authentication::Credential::HTTP doesn't work (and
> presumably neither does any other code that tries to do HTTP Basic
> Authentication).
I'm going to look into this. I hope there's a sane way to get it to
work without having to special-case the Authorization header.
More information about the Catalyst
mailing list