Full_Name: Schwartz Jean-Etienne
Version: 2.3.9-1.3.6
OS: all supported OS
Submission from: caubit-p.fraz.bull.fr (129.181.13.93)


I am actually writing a module which tries to implement a full Single-SignOn.

Synopsis:
1) A user authenticates against a security server and, depending on the
   configuration of this server, gets back an 'authentication cookie' or
   a real X503v3 certificate.

2) This user wants to get a 'secured' Web page. As this user is
   'well-known', we should not ask him for a 'user/password'. We just
   have to verify the 'authentication' token (cookie or certificate) and,
   if this token is correct, send him the web page he asks for.
   If there is no authentication token, we redirect the user to the
   authentication server with the full URL as query_string. The
   authentication server does its work and, if all is correct, sends
   the following HTML page:
           <html><body>
           <script language=javascript>
           location.replace(unescape(_query-string_))
           </script>
           </body></html>


This module is implemented at the 'translate_handler' stage (we are
totally independent of the platform naming convention and of the real
path).

Problem when using a user certificate:
   the mod_ssl module puts the 'SSL_CLIENT_CERT' variable at the 'fixup_upper'
   stage, so we don't have any idea of the presence (or not) of the
   certificate.

Problem when using 'https':
   if the mod_ssl module is there, it puts the 'HTTPS=on' variable at the
   'fixup_upper' stage, so if we have to redirect the user,
   when the user comes back with his authentication token, we have the
   error: 'HTTP on an HTTPS server'.

The good questions are:
   after the 'new_connection' hook, how can we have
   1) the real protocol (HTTP or HTTPS)
   2) the user certificate if it exists
   As this module must run on any kind of Apache Server (with or without the
   mod_ssl module), I cannot use the features coming from the EAPI define
   (typically the 'ap_ctx_get' functionality).

Thanks for all your suggestions.


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
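
Added example, not part of the original post or of mod_ssl: one way the authentication server in step 2 could check the returned URL before emitting the redirect page, decoding the query string on the server instead of calling unescape() in the browser. The host list and the function names checkReturnUrl and renderReturnPage are assumptions made for illustration, as is the query string being percent-encoded UTF-8.

```javascript
// Added example, not code from the original post.
// ALLOWED_HOSTS is a constructed list of hosts protected by the SSO module.
const ALLOWED_HOSTS = new Set(['www.example.org', 'intranet.example.org']);

// Decode the escaped return URL carried in the query string and return its
// normalised form, or null if the user must not be sent there.
function checkReturnUrl(escaped) {
  let decoded;
  try {
    decoded = decodeURIComponent(escaped);
  } catch (e) {
    return null; // malformed %-escape
  }
  // Control characters and backslashes are stripped or rewritten by URL
  // parsers, so what is checked may differ from what was sent: refuse them.
  if (/[\u0000-\u001f\u007f\\]/.test(decoded)) return null;
  let url;
  try {
    url = new URL(decoded); // absolute URLs only; relative input throws
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null; // no user@host forms
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Build the page from the post with the checked URL embedded as a JavaScript
// string literal; returns null when the URL is refused.
function renderReturnPage(escaped) {
  const target = checkReturnUrl(escaped);
  if (target === null) return null;
  // JSON.stringify quotes the string; the extra escapes keep it inert in HTML.
  const literal = JSON.stringify(target)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
  return '<html><body>\n<script language=javascript>\n' +
    'location.replace(' + literal + ')\n</script>\n</body></html>\n';
}
```

When renderReturnPage returns null, the authentication server would answer with an error page rather than the redirect.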
