----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files.  Don't make us guess your problem!!!
----------------------------------------------------------------

Dan,

I wrote an Apache module that does something like this. I wrote a very
simple Apache module called mod_auth_cgi that does authentication via
any external authentication mechanism (be it servlet or whatever). The
return from this is a simple HTTP return code. From this you can
configure Apache to respond to your return code any way you want.

This method is a little different from your description. In your
proposal all requests are made to the auth servlet by rewriting and then
forwarded to the correct url if the user is authenticated. I think it is
better to use Apache's inherent mechanism for authorization - i.e. let
your auth servlet be a subprocess (in concept) that Apache uses to
authenticate the user during a normal request to the correct url. The
latter method means leveraging off of HTTP authentication more
efficiently. In my method the servlet is invoked once (if the user is
valid) and then HTTP takes care of the ACL from that point onward.

I have been pretty lazy about posting the module (I wrote it well over a
year ago) but if you want the source I would be happy to give it to you.

John

> Once Apache has handed a request to Jserv, is there any way for Jserv to
> ask Apache to serve a page (rather than having Jserv stream output back
> to Apache)?
>
> Specifically, I'd like to be able to set up the following:
>
> I want to protect access to all the pages off of a certain directory
> (restricted/, say).  I would like to implement this as follows:
>
> - For any requests which come in off of that directory, invoke an
> Authorizer servlet (I can do this using mod_rewrite, I believe).
>
> - The Authorizer servlet will check to see if the user's server-side
> session contains an "authorized" token.
>
>    If not, Authorizer issues a redirect to a login screen.  If the user
> successfully authenticates (and is authorized) after posting to that
> screen, the authorized token is set in their server-side session.
>
>    If the user has already been authorized, I would like to have
> Authorizer "tell" Apache to serve a static page.  This is the part which
> I think may be impossible.
>
> The main reason I'd like to do this is performance -- I want to be able
> to use this authentication scheme to protect a largely static site.  If
> I can get Apache to handle the static requests after an authorization
> check, it will be a *big* performance win over serving it all through
> Java.  Beyond that, I very much like that this scheme does not involve
> repeated sending of password information -- once the token is set on the
> server, the session id is all that gets sent back and forth.
>
> I know that there are various ways to handle this sort of thing via
> mod_perl, but, since the bulk of the dynamic stuff will be written in
> Java, I'd really like to find a way to implement the security system in
> Java as well.
>
> In general, I'd like to be able to write servlets which will act as
> filters on Apache's behavior.
>
> Any ideas?
>
> Thanks,
> -Dan Milstein
>
> --
>
> Dan Milstein // [EMAIL PROTECTED]
> Member of Technical Staff // Capital Knowledge Partners
>
> --
> --------------------------------------------------------------
> Please read the FAQ! <http://java.apache.org/faq/>
> To subscribe:        [EMAIL PROTECTED]
> To unsubscribe:      [EMAIL PROTECTED]
> Archives and Other:  <http://java.apache.org/main/mail.html>
> Problems?:           [EMAIL PROTECTED]
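
The status-code-only check John describes, applied to the session token from Dan's proposal, as an added example that is not code from mod_auth_cgi or from either poster. The class name, the `authorized` attribute holding `Boolean.TRUE`, and the 200/401 mapping are assumptions; it needs the `javax.servlet` API on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: an authorization check that answers with a status code only.
 * The web server calls it, reads the status, and serves the static file itself.
 * Class name, attribute key and status mapping are assumptions, not mod_auth_cgi's.
 */
public class AuthCheckServlet extends HttpServlet {

    // Session attribute the login handler sets after a successful login (assumed name).
    static final String AUTH_ATTR = "authorized";

    /** Pure decision: map the session state to the status the web server acts on. */
    static int decide(HttpSession session) {
        if (session == null) {
            return HttpServletResponse.SC_UNAUTHORIZED; // 401: no session at all
        }
        // Require the exact value the login handler stores; anything else fails closed.
        if (!Boolean.TRUE.equals(session.getAttribute(AUTH_ATTR))) {
            return HttpServletResponse.SC_UNAUTHORIZED; // 401: session exists, not logged in
        }
        return HttpServletResponse.SC_OK;               // 200: caller may serve the page
    }

    // Overriding service() gives every HTTP method the same verdict.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): never create a session for an unauthenticated client.
        int status = decide(req.getSession(false));
        // The verdict is per-request; nothing between checker and web server may cache it.
        resp.setHeader("Cache-Control", "no-store");
        resp.setStatus(status);
        // No body is written: the caller only needs the status line.
    }
}
```

How the front end reacts to 401 (for instance a redirect to the login screen) is configured on the web server side, as in John's description.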
