Hello all Apache mod_perl2 module experts (I am a newbie with Apache),

Hope I am clear in my explanations (my English is not so good and I had a
lot of problems explaining my needs by mail. I am not sure that everybody
will read this mail entirely ;-)))))))

The direct question:
Is it possible to:
   . use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to
authenticate a client for the first request,
   . then create a session tracking module (based on cookies) for the next
requests (I would write this last module in Perl)


The indirect question (good luck ;))

I am currently working on a project to develop a server hosting HTTP
applications developed with different technologies and I am in charge of the
session management (authentication along with SSO) for the HTTP-based
applications.
Applications are developed in
     . PHP
     . Servlet
I cannot modify these applications (in terms of authentication)

My objective is to "offer" SSO, meaning that the end-user will be asked for
authentication only once, when accessing PHP or servlet (backend).
The idea: an Apache module will simulate an HTTP client against the PHP or
the servlet by sending basic authentication to PHP/servlet (ok, I simplify
the problem, because the PHP or servlet container could require another
authentication mechanism)

Apache would act as a front-end and would
    . manage authentication against the client
    . manage session tracking with cookies
    . simulate the client authentication against the application (servlet or
PHP) by sending basic authentication to the servlet or PHP applications (or
any other mechanism, depending on the application authentication mechanism)

I will write a session tracking module (using the PerlAuthenHandler
handler). This module will manage:
    . a cookie for session tracking
    . the client simulation (using basic authentication or any other
mechanism) against the back-end (PHP/Servlet)

My requirement: this module has to be usable with any existing client
authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
mod_auth_ntlm, ...)

For example,
. a client (a web services based client) uses basic authentication for the
first request then a cookie is used for the next requests
. a client (a browser) uses FORM authentication for the first request then a
cookie is used for the next requests.
. a client uses NTLM authentication ....
. a client uses digest authentication ....

I would imagine the Apache configuration as below

<Location /docs_protected_access_basic>
AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie
 ....
</Location>

This would mean that:
. MySessionModuleVerifyCookie would be called first, verifying if the
cookie is present and correct
. If no cookie, then basic authentication is requested
. If basic authentication is ok, then MySessionModuleGenerateCookie generates a valid
cookie

Another example,
<Location /docs_protected_access_ntlm>
AuthType MySessionModuleVerifyCookie ntlm MySessionModuleGenerateCookie
....
</Location>


I searched for Apache modules fitting my needs. The Internet community
proposes a lot of modules but all of these modules mix the different phases
I described above (authentication between client and Apache, credential
verification, session creation)
For example,
. mod_auth_pam: "The PAM authentication module implements Basic
authentication on top of the Pluggable Authentication Module library". This
means that the module implements basic authentication with PAM to verify
credentials but without cookie session tracking
. mod_auth_cookie_mysql: implements only FORM authentication with SQL to
verify credentials with cookie session tracking
. Apache::AuthTicket: implements only FORM authentication with any
credentials mechanism (the module is extensible) with cookie session
tracking
. Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but does
not manage digest or form authentication

My question: is it possible to serialize authentication modules in the
AuthType Apache directive? If so, how do these modules interact with each other?
Another way to ask the question: is it possible to use already existing
Apache modules (basic, ntlm, digest, ...) to be included in a more global
authentication/session framework? The advantage of such a solution is that I
can reuse the existing Apache modules (basic, ntlm, digest, ...),
concentrating on my session tracking module. (I read the mod_perl2
documentation and mod_perl2 offers only Basic and Digest authentication. It
does not offer NTLM authentication).

Last but not least, my session tracking module has to be developed in Perl!

Thanks

Gaetan
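
The cookie verification and cookie generation steps described in this message, as an added sketch in plain Perl that is not part of the original post and not taken from any existing Apache module. The cookie format (user|expiry|HMAC), the key, the lifetime, the sample user names and the function names are assumptions, and the wiring into mod_perl2 handlers is left out.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo key; a real deployment loads a random secret from protected storage.
my $SECRET = 'constructed-demo-key-not-for-production';
my $TTL    = 1800;    # session lifetime in seconds (assumed value)

# "MySessionModuleGenerateCookie" step: issue user|expiry|mac once the
# client has been authenticated by whatever mechanism is configured.
sub generate_cookie {
    my ($user, $now) = @_;
    die "invalid user name\n" if $user !~ /\A[^|;\s]+\z/;   # keep the delimiter out of the name
    my $expiry = $now + $TTL;
    return join '|', $user, $expiry, hmac_sha256_hex("$user|$expiry", $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# "MySessionModuleVerifyCookie" step: return the user name for a valid,
# unexpired cookie; undef means "no session, ask for authentication".
sub verify_cookie {
    my ($cookie, $now) = @_;
    return undef unless defined $cookie;
    my ($user, $expiry, $mac) = split /\|/, $cookie, 3;
    return undef unless defined $mac && $expiry =~ /\A\d+\z/;
    return undef unless ct_equal($mac, hmac_sha256_hex("$user|$expiry", $SECRET));
    return undef if $now >= $expiry;    # check expiry only after the MAC is trusted
    return $user;
}

# Constructed sample run: one genuine cookie and three rejected cases.
my $now    = time;
my $cookie = generate_cookie('alice', $now);
(my $forged = $cookie) =~ s/\Aalice/admin/;    # user name changed, MAC left as issued

printf "valid:   %s\n", verify_cookie($cookie, $now)            // 'rejected';
printf "forged:  %s\n", verify_cookie($forged, $now)            // 'rejected';
printf "expired: %s\n", verify_cookie($cookie, $now + $TTL + 1) // 'rejected';
printf "absent:  %s\n", verify_cookie(undef, $now)              // 'rejected';
```

Only the first call prints a user name; the forged, expired and absent cookies are all rejected, which is the case where the front-end would fall back to Basic, Digest or NTLM.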
