Thanks for the info! Where my design was coming from was trying to enforce access control completely outside of the application - if a request made it to an application, then the application could be assured that the user was allowed to be there. But I think implementing this would be rather difficult.

The solution you suggest is not one I had thought of; I guess letting the application worry about invoking access/authen/authz control is much easier than trying to enforce it at a higher level. All I'll have to do is provide the service (à la Passport) that implements the functionality.

Cheers!

-klm.

-----Original Message-----
From: Ask Bjoern Hansen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 05, 2002 4:18 PM
To: Ken Miller
Cc: Modperl
Subject: Re: Doing security for backend applications

On Tue, 4 Jun 2002, Ken Miller wrote:

[...]

> So, php application requests would bounce from the proxy server to the mod
> perl server to the php server.

You could also make it so it's only when requests need to be authenticated that they go to the mod_perl server. Something like having the php server forward authentication requests to the mod_perl server, but supporting the same cookie format, would be relatively simple.

> This is all related to a single sign-on environment - once the user has
> signed on an encrypted cookie will contain the application security
> information used to authorize the user in the various applications.

At perl.org we have made it so authentication requests get forwarded, and then we have an internal interface so the various servers can validate and migrate authentication cookies.

You should be able to find documentation on how passport.com does it; if nothing else then on the pages where it's described why their implementation was insecure at some point. ;-)

 - ask

-- 
ask bjoern hansen, http://ask.netcetera.dk/         !try; do();
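The thread above talks about a single sign-on cookie that one server (the mod_perl authentication service) issues and several other servers (PHP or mod_perl applications) validate, carrying the per-application authorization information. The following is an added example, not code from either poster or from perl.org, of one such cookie format that any server can validate with nothing more than a shared key: a base64url JSON payload with subject, allowed applications and expiry, authenticated with HMAC-SHA256. It deliberately uses only an HMAC, so the claims are tamper-proof but readable by the browser; the "encrypted cookie" the original poster describes would additionally need an authenticated cipher (e.g. AES-GCM) on top of this. The key, TTL, claim names and sample users are all assumptions made up for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example only. In deployment every server that validates
# cookies is provisioned with the same key; the issuing server is the only one
# that needs to mint.
SHARED_KEY = b"example-shared-key-not-for-production"
COOKIE_TTL = 8 * 3600  # assumed session lifetime, in seconds


def _b64e(raw: bytes) -> str:
    """Unpadded base64url so the value is cookie-safe (no '=' or '/')."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; raises ValueError (binascii.Error) on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user: str, apps, key: bytes = SHARED_KEY, now=None, ttl: int = COOKIE_TTL) -> str:
    """Issue <payload>.<mac>: the authentication service's side of the design."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "apps": sorted(apps), "iat": now, "exp": now + ttl}
    # Canonical JSON so every implementation (Perl, PHP, ...) signs identical bytes.
    payload = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(mac)}"


def validate_cookie(cookie: str, app: str, key: bytes = SHARED_KEY, now=None):
    """Any application server's side: return the claims if the cookie is
    authentic, unexpired and authorizes `app`; otherwise return None."""
    now = int(time.time()) if now is None else now
    try:
        payload, mac_b64 = cookie.split(".")  # exactly one separator or ValueError
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Verify the MAC before parsing anything the client controls, and do it
        # in constant time so the comparison does not leak matching prefix length.
        if not hmac.compare_digest(expected, _b64d(mac_b64)):
            return None
        claims = json.loads(_b64d(payload))
    except ValueError:
        # Covers malformed base64, bad JSON and a wrong number of '.' parts.
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired; the user must re-authenticate at the SSO server
    apps = claims.get("apps")
    if not isinstance(apps, list) or app not in apps:
        return None  # authenticated, but not authorized for this application
    return claims


if __name__ == "__main__":
    c = mint_cookie("klm", ["wiki", "bugs"])
    print("cookie:", c)
    print("wiki  :", validate_cookie(c, "wiki"))
    print("payroll:", validate_cookie(c, "payroll"))
```

Because the format is just base64url, canonical JSON and HMAC-SHA256, a PHP front end can validate the same cookie with `hash_hmac('sha256', ...)` and `hash_equals()` without ever talking to the mod_perl server; only logins and the cookie "migration" the thread mentions need to be forwarded.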