Sébastien Bonnegent wrote: > Graham Leggett wrote: > GL> Sébastien Bonnegent wrote: > GL> > GL> > Not necessarily, because I can detect in the proxy module when the server > GL> > responds with a 401 (need authentification) and in this case, I re-send > GL> > a request with a authentification field if the user is already authentified > GL> > on the proxy. And this, without any browser's cooperation. > GL> > GL> In that case I've lost you - can you explain again what you are trying > GL> to achieve? I understood that you were trying to force a transparent > GL> proxy to authenticate users through it, I don't see how the end server > GL> should get involved in any of this...? > > The server doesn't see that there is a proxy, the schema is as follow: > --------------------------------------------------------------- > | User -------------------- Proxy ------------------- Server | > --------------------------------------------------------------- > Get an URL ----> do nothing ----> Need auth > so > <----(401) > If User is known > then > give user > auth header (auth)---> > else > <----(401) > user provides > authentification > (auth)----> catch the authentification header > and store it somewhere (auth)----> > > (401) means "need authentification", a 401 request > (auth) means that the request contains an authentification header > > Is it more clear ? ok.. it seems like you need to cache the authentication header, so that based on whatever criteria you can re-add it to the proxied request.
I'm not sure if you can do this at the moment with the current code. we have a hook in place which will let you inject the auth header into to proxied request, but I don't think there is a hook to grab the original auth-header recieved from the 'server' so you can cache it. so to summarise, you would need to write a authentication module which can grab the original authentication and cache it (you could use something similar in design to mod_mem_cache to do this). you can then inject it via the proxy hook into the proxied request. I haven't tried it, and I >think< this may work .. --Ian > > Best regards, > seß - sinad
