The saga continues...

I've been tasked with developing a single-signon environment for a suite of
web applications, some developed in house, and others obtained from third
parties; others are still waiting to be developed.  The framework I'm
developing will, when a user signs in, end up setting a cookie which
contains security credentials that will allow access to various parts of the
system.  The cookie will be encrypted, or perhaps just contain a session id.

I currently use a proxy/app server configuration, with the app server
running (what else) mod_perl.  I will be adding additional servers to host
third party applications, which may or may not be running mod_perl.  In one
case, I know for sure that one of the additional servers will be running
PHP.

The framework I'm developing will *only* perform application access control,
based on an application tree structure.  The access control handler will
take the cookie and the security requirements for the portion of the
application tree being accessed and determine if access is allowed or not.
It's up to the application itself to perform authorization (authentication
has already been done if the cookie is present).

Since access control is performed in mod_perl, I need the proxy to forward
all requests to the mod_perl server.  For applications hosted on the same
mod_perl instance, access control is easy, since the request will naturally
flow from handler to handler.  Where I'm having difficulty is figuring out
how the mod_perl server will perform access control for third party
applications that reside on different servers.

I guess what I'm asking is this:

How can I configure an apache instance to perform access control, and
proxying of the request to another server if the access control says the
request is ok?  From my reading, mod_proxy will only allow top-level
configuration, not <Location> configuration.  Ditto for mod_rewrite.  Do I
have to implement my own proxying?

I would like the end result to be something like this:

    proxy server --> access control server -> application servers

where the access control server is a mod_perl server, and an application
server is one of either mod_perl or PHP or whatever.

Is what I'm suggesting doable, or just plain silly?  Is there a better way?

Cheers!

    -klm.
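One way to put the access check and the proxy hand-off into a single mod_perl handler, as an added example that is not from the post (assumes the mod_perl 1 Apache API with `PerlTransHandler SSO::Gate`, a cookie named `sso` signed with HMAC-SHA256, and the `%BACKENDS` map of application-tree prefixes to upstream servers; all of these names and values are assumptions):

```perl
package SSO::Gate;
# Hypothetical PerlTransHandler (mod_perl 1 API): verify the SSO cookie,
# check the role required for this part of the application tree, and
# either refuse the request or hand it to mod_proxy for the upstream server.
# Configure with:  PerlTransHandler SSO::Gate
use strict;
use warnings;
use Apache::Constants qw(OK DECLINED FORBIDDEN);
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'replace-with-a-real-secret';   # assumption: load from config in practice
# Application-tree prefix -> required role and upstream server (assumed values).
my %BACKENDS = (
    '/php-app' => { role => 'staff', upstream => 'http://php-host.internal' },
    '/reports' => { role => 'admin', upstream => 'http://reports.internal' },
);

# Assumed cookie format: "user|role1,role2|expiry|hmac", MAC over the first three fields.
sub verify_cookie {
    my ($value) = @_;
    return unless defined $value;
    my ($user, $roles, $exp, $mac) = split /\|/, $value, 4;
    return unless defined $mac && $exp =~ /^\d+$/ && $exp > time;
    my $expected = hmac_sha256_hex(join('|', $user, $roles, $exp), $SECRET);
    return unless length($mac) == length($expected);
    my $diff = 0;   # constant-time compare so the MAC check does not leak timing
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1)) for 0 .. length($mac) - 1;
    return if $diff;
    return { user => $user, roles => { map { $_ => 1 } split /,/, $roles } };
}

sub handler {
    my $r   = shift;
    my $uri = $r->uri;
    my ($prefix) = grep { index($uri, $_) == 0 } sort { length $b <=> length $a } keys %BACKENDS;
    return DECLINED unless $prefix;   # not a proxied app: local mod_perl handlers take over

    my %cookies = map { split /=/, $_, 2 } split /;\s*/, ($r->header_in('Cookie') || '');
    my $session  = verify_cookie($cookies{sso});
    my $need     = $BACKENDS{$prefix}{role};
    unless ($session && $session->{roles}{$need}) {
        $r->log_reason("sso: denied, role '$need' required", $uri);
        return FORBIDDEN;             # 403 before anything reaches the application server
    }
    # Access granted: tell the upstream who the user is and let mod_proxy fetch it.
    $r->header_in('X-SSO-User' => $session->{user});
    $r->proxyreq(1);
    $r->uri($BACKENDS{$prefix}{upstream} . $uri);
    $r->filename('proxy:' . $BACKENDS{$prefix}{upstream} . $uri);
    $r->handler('proxy-server');
    return OK;
}
1;
```

The upstream PHP server should accept `X-SSO-User` only from the access control server's address, since that header is the application's only evidence that the check happened.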


