The saga continues... I've been tasked with developing a single sign-on environment for a suite of web applications, some developed in house, and others obtained from third parties; others are still waiting to be developed. The framework I'm developing will, when a user signs in, end up setting a cookie which contains security credentials that will allow access to various parts of the system. The cookie will be encrypted, or perhaps just contain a session id.
I currently use a proxy/app server configuration, with the app server running (what else) mod_perl. I will be adding additional servers to host third party applications, which may or may not be running mod_perl. In one case, I know for sure that one of the additional servers will be running PHP. The framework I'm developing will *only* perform application access control, based on an application tree structure. The access control handler will take the cookie and the security requirements for the portion of the application tree being accessed and determine if access is allowed or not. It's up to the application itself to perform authorization (authentication has already been done if the cookie is present). Since access control is performed in mod_perl, I need the proxy to forward all requests to the mod_perl server. For applications hosted on the same mod_perl instance, access control is easy, since the request will naturally flow from handler to handler. Where I'm having difficulty is figuring out how the mod_perl server will perform access control for third party applications that reside on different servers. I guess what I'm asking is this: how can I configure an Apache instance to perform access control, and proxy the request to another server if the access control says the request is ok? From my reading, mod_proxy will only allow top-level configuration, not <Location> configuration. Ditto for mod_rewrite. Do I have to implement my own proxying? I would like the end result to be something like this: proxy server -> access control server -> application servers, where the access control server is a mod_perl server, and an application server is one of either mod_perl or PHP or whatever. Is what I'm suggesting doable, or just plain silly? Is there a better way? Cheers! -klm.
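An added example (not from the original post or the poster's framework) of the "check, then forward" step done inside one mod_perl 1 handler, using the mod_perl proxy pass-through idiom: run as a PerlTransHandler, verify the session cookie, then hand the request to mod_proxy by marking it a proxy request. The cookie name, backend hosts, the `%BACKEND` prefix map and the `verify_session` stub are assumptions, and mod_proxy must be compiled into the same Apache.

```perl
package MyApp::AccessProxy;
use strict;
use Apache::Constants qw(OK DECLINED FORBIDDEN);

# Assumed map of application-tree prefixes to the servers hosting them
# (constructed sample values, not real hosts).
my %BACKEND = (
    '/reports' => 'http://php-app.internal:8080',   # third-party PHP application
    '/orders'  => 'http://perl-app.internal:8081',  # another mod_perl instance
);

# Assumed stub: replace with the framework's cookie decryption / session lookup.
# Returns true only when the credential is present and valid.
sub verify_session {
    my ($token) = @_;
    return defined $token && length $token > 0;     # placeholder check only
}

sub handler {
    my $r   = shift;
    my $uri = $r->uri;

    # Longest matching prefix wins; decline for paths not hosted elsewhere so
    # locally hosted applications continue through the normal handler chain.
    my ($prefix) = grep { index($uri, $_) == 0 }
                   sort { length $b <=> length $a } keys %BACKEND;
    return DECLINED unless defined $prefix;

    # Authentication happened at sign-in; here only the credential is checked.
    my ($token) = ($r->header_in('Cookie') || '') =~ /(?:^|;\s*)SSO_SESSION=([^;]+)/;
    unless (verify_session($token)) {
        $r->log_reason('missing or invalid SSO session cookie', $uri);
        return FORBIDDEN;
    }

    # Hand the request to mod_proxy: flag it as a proxy request and point it at
    # the backend, preserving the original path and query string.
    my $target = $BACKEND{$prefix} . $uri;
    $target .= '?' . $r->args if defined $r->args && length $r->args;
    $r->proxyreq(1);
    $r->uri($target);
    $r->filename("proxy:$target");
    $r->handler('proxy-server');
    return OK;
}

1;
```

Enable it with `PerlTransHandler MyApp::AccessProxy` in httpd.conf; because the decision is made per request in Perl, the per-path routing lives in the handler rather than in `<Location>` blocks.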