Hi all,

With support for AJP becoming scarce, there has been a need to get information 
from an Apache httpd to a backend server (Tomcat, etc) in a secure way.

The following patch introduces two new modules:

- mod_auth_bearer: This provides bearer authentication, as described in 
RFC6750. A token can be received by Apache httpd, and accepted if recognised, 
and in addition a token can be generated by httpd, and sent to a backend 
server. This allows the details of a digital certificate to be passed securely 
to the backend, when the digital certificate has been terminated by httpd.

- mod_autht_jwt: RFC6750 does not mandate the type of token used, it can be 
anything. One such token supported is JWT, as implemented in mod_autht_jwt. We 
can verify incoming JWT tokens, and we can sign outgoing JWT tokens today using 
HS256, with more algorithms to come.

We introduce a new type of auth module: autht for authenticating tokens. A 
token can carry usernames, or IP addresses, or any metadata that might 
subsequently be used by authn or authz.

We depend on apr_jose support in apr-util v1.7, which in turn depends on secure 
apr_json support, and apr_crypto hashing functions.

This work (in APR and httpd) has been sponsored by NLNet as part of the Redwax 
Project at https://redwax.eu.

Example configuration to accept a token:

  AuthType bearer
  AuthName example-name
  AuthBearerProvider jwt
  AuthtJwtVerify hs256 file /Users/minfrin/src/apache/sandbox/proxy/conf/secret
  Require valid-user

Example configuration to send a token to a proxy backend:

  AuthBearerProxy %{JWT_TOKEN}
  AuthtJwtClaim set sub %{REMOTE_USER}
  AuthtJwtSign hs256 file /Users/minfrin/src/apache/sandbox/proxy/conf/secret

Work still to be done includes porting this to trunk, as well as documenting it 
properly. This will follow.

Regards,
Graham
—

Attachment: mod_auth_bearer-mod_autht_jwt.patch
Description: Binary data

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to