[Catalyst] 5.80005: $c->req->remote_user and apache: excluding actions from authentication

Tomas Doran bobtfish at bobtfish.net
Wed Jun 10 09:17:14 GMT 2009

On 10 Jun 2009, at 09:40, Francesc Romà i Frigolé wrote:
> 1) static performance: serving static files directly from apache is  
> much faster than through catalyst. I find it specially noticeable  
> with big files like large pictures and pdfs. Some of the files  
> should not be public. If I do authentication in catalyst I can't  
> serve them directly from apache.

Nod so.

Look at mod_sendfile, which implements lighty's X-SendFile

Personally, I use nginx and its X-Accel-Redirect as I'm proxying  
files from other web servers (MogileFS), rather
  than serving them from local disk. But either way - you can do your  
Authentication, Authorization and Auditing in Catalyst, then delegate  
back to your web server for actually shoveling the bytes down the wire.

> 2) dynamic/AJAX laziness: pages that use XMLHttpRequest stop  
> working when authentication expires. Unless I manually detect the  
> condition and allow the user to re-authenticate. Using HTTP auth  
> should let the browser take care of this.

Erm, the reason that this will never fail with HTTP auth is that http  
auth never expires (well, it always lasts one browser session), and  
the browser sends the auth credentials with each request.

You can get the same effect by setting the correct options on your  
session cookie.


More information about the Catalyst mailing list