On Tuesday 29 January 2008 10:51:00, titetluc titetluc wrote:
> Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
>
> Hope I am clear in my explanations (my English is not so good and I had a
> lot of problems explaining my needs by mail. I am not sure that everybody
> will read entirely this mail ;-)))))))
>
> The direct question:
> Is it possible to:
> . use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to
> authenticate a client for the first request,
> . then create a session tracking module (based on cookies) for the next
> requests (I would write this last module in Perl)
>
>
> The indirect question (good luck ;))
>
> I am currently working on a project to develop a server hosting HTTP
> applications developed with different technologies and I am in charge of
> the session management (authentication along with SSO) for the HTTP-based
> applications.
> Applications are developed in
> . PHP
> . Servlet
> I can not modify these applications (in terms of authentication)

So, as far as I understood your problem, the first thing you should consider is writing your own mod_perl handler for the authentication phase; that way you don't have to care about the technology of the sites below. To read about the request phases, look at:

http://perl.apache.org/docs/2.0/user/handlers/http.html#HTTP_Request_Cycle_Phases

This is independent of what module you use; the point is at what time of the request you do the authentication. Tracking the user with a cookie is a "normal" thing. The problems would start if the apps need to know which user logged in or not. If so, you have to find a way to pass them the user ID or whatever data the apps require.

>
> My objective is to "offer" SSO, meaning that the end-user will be asked
> authentication only once, when accessing PHP or servlet (backend).
> The idea: an Apache module will simulate an HTTP client against the PHP or
> the servlet by sending basic authentication to PHP/servlet (ok, I simplify
> the problem, because the PHP or servlet container could require another
> authentication mechanism)
>
> Apache would act as a front-end and would
> . manage authentication against the client
> . manage session tracking with cookies
> . simulate the client authentication against the application (servlet
> or PHP) by sending basic authentication to the servlet or PHP applications
> (or any other mechanism, depending on the application authentication
> mechanism)

So, probably, you could set HTTP-header variables or environment variables, depending on what the application requires.

>
> I will write a session tracking module (using the PerlAuthenHandler
> handler). This module will manage:
> . a cookie for session tracking
> . the client simulation (using basic authentication or any other
> mechanism) against the back-end (PHP/Servlet)

I don't think you have to rewrite anything; have a look at Apache(2)::Cookie or CGI::Cookie.

> My requirement: this module has to be usable with any existing client
> authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> mod_auth_ntlm, ...)

Look at Apache::Session::Wrapper.

>
> For example,
> . a client (a web services based client) uses basic authentication for the
> first request then a cookie is used for the next requests
> . a client (a browser) uses FORM authentication for the first request then
> a cookie is used for the next requests.
> . a client uses NTLM authentication ....
> . a client uses digest authentication ....
>
> I would imagine the Apache configuration as below
>
> <Location /docs_protected_access_basic>
> AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie
> ....
> </Location>
>
> This would mean that :
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a valid
> cookie
>
> Another example,
> <Location /docs_protected_access_ntlm>
> AuthType MySessionModuleVerifyCookie ntlm MySessionModuleGenerateCookie
> ....
> </Location>
>
>
> I searched for Apache modules fitting my needs. The Internet community
> proposes a lot of modules but all of these modules mix the different phases
> I described above (authentication between client and Apache, credentials
> verifications, session creation)
> For example,
> . mod_auth_pam: "The PAM authentication module implements Basic
> authentication on top of the Pluggable Authentication Module library". This
> means that the module implements basic authentication with PAM to verify
> credentials but without cookie session tracking
> . mod_auth_cookie_mysql: implements only FORM authentication with SQL to
> verify credentials with cookie session tracking
> . Apache::AuthTicket: implements only FORM authentication with any
> credentials mechanism (the module is extensible) with cookie session
> tracking
> . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but does
> not manage digest or form authentication
>
> My question: is it possible to serialize authentication modules in the
> AuthType Apache directive ? If so, how do these modules interact with each
> other? Another way to ask the question: is it possible to use already existing
> Apache module (basic, ntlm, digest, ...) to be included in a more global
> authentication/session framework ? Advantage of such a solution is that I
> can reuse the existing Apache modules (basic, ntlm, digest, ...),
> concentrating on my session tracking module. (I read the mod_perl2
> documentation and mod_perl2 offers only Basic and Digest authentication. It
> does not offer NTLM authentication).

Again, I think the solution to your problems is in writing a customized handler for the authentication phase.

--
Regards
Rolf Schaufelberger
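
The authentication-phase handler suggested in the reply could look like the following mod_perl2 module. This is an added example, not code from either participant in the thread: it accepts an HMAC-signed session cookie, falls back to Basic credentials on the first request, and overwrites the identity header passed to the back end. The names `My::SessionAuth`, `SessionHmacKey`, `SID`, `X-Remote-User`, `$VERIFY` and the 1800-second lifetime are assumptions.

```perl
package My::SessionAuth;    # hypothetical module name
use strict; use warnings;
use Apache2::RequestRec (); use Apache2::RequestUtil ();
use Apache2::Access ();
use APR::Table ();
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);
use Digest::SHA qw(hmac_sha256_hex);

my $TTL = 1800;             # session lifetime in seconds (assumed value)
our $VERIFY = sub { 0 };    # hypothetical hook for the real credential check; default denies

# Cookie value: hex(user).expiry.HMAC-SHA256(hex(user).expiry)
sub make_cookie {
    my ($key, $user, $now) = @_;
    my $body = unpack('H*', $user) . '.' . ($now + $TTL);
    return $body . '.' . hmac_sha256_hex($body, $key);
}

# Returns the user name for a valid, unexpired cookie, otherwise undef.
sub check_cookie {
    my ($key, $value, $now) = @_;
    my ($hex, $exp, $mac) = ($value // '') =~ /^([0-9a-f]+)\.(\d+)\.([0-9a-f]{64})$/
        or return;
    my ($want, $diff) = (hmac_sha256_hex("$hex.$exp", $key), 0);
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $want, $_, 1) for 0 .. 63;  # constant-time compare
    return if $diff || $exp <= $now;
    return pack 'H*', $hex;
}

sub handler {
    my $r   = shift;
    my $key = $r->dir_config('SessionHmacKey') or die "SessionHmacKey not set";
    my ($sid) = ($r->headers_in->get('Cookie') // '') =~ /(?:^|;\s*)SID=([^;\s]+)/;
    my $user = check_cookie($key, $sid, time);
    unless (defined $user) {                     # no valid session: require Basic credentials
        my ($status, $pw) = $r->get_basic_auth_pw;
        return $status unless $status == Apache2::Const::OK;
        $user = $r->user;
        unless ($VERIFY->($user, $pw)) {
            $r->note_basic_auth_failure;
            return Apache2::Const::HTTP_UNAUTHORIZED;
        }
        $r->err_headers_out->add('Set-Cookie' =>
            'SID=' . make_cookie($key, $user, time) . '; Path=/; Secure; HttpOnly');
    }
    $r->user($user);
    $r->headers_in->set('X-Remote-User' => $user);   # replaces any client-supplied value
    return Apache2::Const::OK;
}
1;
```

It is enabled per location with `PerlAuthenHandler My::SessionAuth`, `AuthType Basic`, an `AuthName`, `Require valid-user`, and the key supplied through `PerlSetVar SessionHmacKey`. The back end must be reachable only through this front end, otherwise the `X-Remote-User` value cannot be trusted.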