Apache: The Definitive Guide

5.5. New Order Form

We want this to be our state-of-the-art, showcase site, so we will employ our order form for users and make up a similar one for salespeople. We copy and edit our customers' form ... /main_docs/form_summer.html to produce ... /main_docs/form_summer_sales.html, reflecting the cynical language used internally by the sales department and removing the request for a credit card number:

<html> 
<body> 
<FORM METHOD=GET ACTION="/cgi-bin/mycgi.cgi">
<h1>Welcome to the great rip-off of '97: Butterthlies Inc</h1> 
<p> 
All our worthless cards are available in packs of 20 
at $1.95 a pack. WHAT A FANTASTIC DISCOUNT! There is an amazing 
FURTHER 10% discount if you order more than 100. 
</p> 
<hr> <p> Style 2315
<p align=center> <img src="bench.jpg" alt="Picture of a bench"> 
<p align=center> Be BOLD on the bench 
<p>How many packs of 20 do you want? 
<INPUT NAME="2315_order" TYPE=int> 
<hr> 
<p> 
Style 2316 
<p align=center> 
<img src="hen.jpg" ALT="Picture of a hencoop like a pagoda"> 
<p align=center> 
Get SCRAMBLED in the henhouse 
<p>How many packs of 20 do you want? 
<INPUT NAME="2316_order" TYPE=int> 
<HR> 
<p> 
Style 2317 
<p align=center> 
<img src="tree.jpg" alt="Very nice picture of tree"> 
<p align=center> 
Get HIGH in the treehouse 
<p>How many packs of 20 do you want? <INPUT NAME="2317_order" TYPE=int> 
<hr> 
<p> 
Style 2318 
<p align=center> 
<img src="bath.jpg" alt="Rather puzzling picture of a bathtub"> 
<p align=center> 
Get DIRTY in the bath 
<p>How many packs of 20 do you want? <INPUT NAME="2318_order" TYPE=int> 
<hr> 
<p align=right> 
Postcards designed by Harriet@alart.demon.co.uk 
<hr> 
<br> 
Butterthlies Inc, Hopeful City, Nevada 99999 
</br> 
<p><INPUT TYPE=submit><INPUT TYPE=reset> 
</FORM> 
</body> 
</html>

We have to edit ... /site.authent/htdocs/customers/index.html:

<html> 
<head> 
<title>Index to Butterthlies Catalogs</title>
</head> 
<body> 
<ul> 
<li>
<A href="form_summer.html">Summer order form </A> 
</ul> 
<hr> 
<br> 
Butterthlies Inc, Hopeful City, Nevada 99999 
</br> 
</body> 
</html>

And we also have to edit ... /site.authent/htdocs/salesmen:

<html> 
<head> 
<title>Salesman's Index to Butterthlies Catalogs</title> 
</head> 
<body> 
<ul> 
<li>
<A href="form_summer_sales.html">Summer order form </A> 
</ul> 
<hr> 
<br> 
Butterthlies Inc, Hopeful City, Nevada 99999 
</br> 
</body> 
</html>

All this works satisfactorily. When you access www.butterthlies.com, you get the customers' order form as before. When you go to sales.butterthlies.com, you are told:

Enter username for darkness at sales.butterthlies.com

The realm name darkness was specified when we set up the passwords. You enter bill and then his password, theft, and there you are with the salespeople's order form. You can now experiment with different require directives by stopping Apache and editing conf/httpd.conf, then restarting Apache with ./go and logging in again.

You may find that logging in again is a bit more elaborate than you would think. We found that Netscape was annoyingly helpful in remembering the password used for the last login and using it again. To make sure you are really exercising the security features, you have to get out of Netscape each time and reload it to get a fresh crack.

You might like to try the effect of:

#require valid-user 
#require user daphne bill 
require group cleaners 
#require group directors

or:

#require valid-user 
require user daphne bill 
#require group cleaners 
#require group directors

5.5.1. DBM Files on Unix

Although searching a file of usernames and passwords works perfectly well, it is apt to be rather slow once the list gets up to a couple of hundred entries. To deal with this, Apache provides a better way of handling large lists: turning them into a database. You need one of the modules that appear in the Configuration file as:

#Module db_auth_module  mod_auth_db.o 
Module dbm_auth_module mod_auth_dbm.o

Bear in mind that they correspond to different directives: AuthDBMUserFile or AuthDBUserFile. A Perl script to manage both types of database, dbmmanage, is supplied with Apache in .../src/support. To decide which type to use, you need to discover the capabilities of your Unix. Explore these by going to the command prompt and typing first:

% man db

and then:

% man dbm

Whichever method first produces a manpage is the one you should use. You can also use an SQL database, employing MySQL or a third-party package to manage it.

Once you have decided which method to use, edit Configuration to include the appropriate module, and then type:

% ./Configure

and:

% make

We now have to create a database of our users: bill, ben, sonia, and daphne. Go to ... /apache/src/support, find the utility dbmmanage, and copy it into /usr/local/bin or something similar to put it on your path. This utility may be distributed without execute permission set, so, before attempting to run it, we may need to change the permissions:

% chmod +x dbmmanage

You may find, when you first try to run dbmmanage, that it complains rather puzzlingly that some unnamed file can't be found. This is probably Perl, a text-handling language, and if you have not installed it, you should. It may also be necessary to change the first line of dbmmanage to the correct path for Perl, if it is installed somewhere other than /usr/local/bin.

We use dbmmanage in the following way:

% dbmmanage dbmfile command username

The possible commands are as follows:

So, to add our four users to a file /usr/www/ok_dbm/users, we type:

% dbmmanage /usr/www/ok_dbm/users.db adduser bill 
New password:theft
Re-type new password:theft
User bill added with password encrypted to vJACUCNeAXaQ2

Perform the same service for ben, sonia, and daphne. The file ... /users is not editable directly, but you can see the results by typing:

% dbmmanage /usr/www/ok_dbm/users view

bill:vJACUCNeAXaQ2
ben:TPsuNKAtLrLSE
sonia:M9x731z82cfDo
daphne:7DBV6Yx4.vMjc

You can build a group file with dbmmanage, but, because of faults in the script that we hope will have been rectified by the time readers of this edition use it, the results seem a bit odd. To add the user fred to the group cleaners, type:

% dbmmanage /usr/www/ok_dbm/group add fred cleaners

(Note: Do not use adduser.) dbmmanage rather puzzlingly responds with the following message:

User fred added with password encrypted to cleaners

When we test this with:

% dbmmanage  /usr/www/ok_dbm/group view

we see:

fred:cleaners

which is correct, because in a group file the name of the group goes where the encrypted password would go in a password file.

Since we have a similar file structure, we invoke DBM authentication in ... /conf/httpd.conf by commenting out:

#AuthUserFile /usr/www/ok_users/sales
#AuthGroupFile /usr/www/ok_users/groups

and inserting:

AuthDBMUserFile /usr/www/ok_dbm/sales 
AuthDBMGroupFile /usr/www/ok_dbm/sales

AuthDBMGroupFile is set to the same file as the AuthDBMUserFile. What happens is that the username becomes the key in the DBM file, and the value associated with the key is password:group. To create a separate group file, a database with usernames as the key and groups as the value (with no colons in the value) would be needed.
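
The two require experiments and the combined password:group record described above, modelled as an added example (not code from the book or from Apache): it reads records in that layout and decides which authenticated users pass the active require lines. The group memberships and the comma-separated group list are assumptions of the example.

```python
# Added example, not from the book. Constructed records: key = username,
# value = "password:group". Group memberships are assumptions for illustration.
RECORDS = {
    "bill": "vJACUCNeAXaQ2:directors",
    "ben": "TPsuNKAtLrLSE:directors",
    "sonia": "M9x731z82cfDo:cleaners",
    "daphne": "7DBV6Yx4.vMjc:cleaners",
    "fred": "cleaners",  # colon-free group record, as shown by "group view"
}

# The first experiment from the text: only "require group cleaners" is active.
CONF_CLEANERS = """
#require valid-user
#require user daphne bill
require group cleaners
#require group directors
"""

def password_field(value):
    """User-file view of a record: everything before the first colon."""
    return value.split(":", 1)[0]

def group_field(value):
    """Group-file view: the field after the first colon, or the whole value
    when there is no colon. Groups are assumed to be comma-separated."""
    parts = value.split(":")
    field = parts[1] if len(parts) > 1 else parts[0]
    return {g for g in field.split(",") if g}

def active_requires(conf_text):
    """Return uncommented require directives as (kind, args) pairs."""
    rules = []
    for line in conf_text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "require":
            rules.append((words[1].lower(), words[2:]))
    return rules

def authorized(user, conf_text, records=RECORDS):
    """True if an authenticated user satisfies any active require line."""
    if user not in records:
        return False
    groups = group_field(records[user])
    for kind, args in active_requires(conf_text):
        if (kind == "valid-user" or (kind == "user" and user in args)
                or (kind == "group" and groups & set(args))):
            return True
    return False
```

With CONF_CLEANERS, authorized() returns True for sonia, daphne and fred and False for bill and ben.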




Copyright © 2001 O'Reilly & Associates. All rights reserved.