Perrin Harkins wrote:
After successful authentication we need to pass the
control to another application (which is running on the same Apache server)
which depends on the REMOTE_USER value which we set.

That will work fine, as long as your auth handler runs in the same
request as the thing that wants to look at REMOTE_USER.  If you do an
external redirect, that creates a totally separate request from the
client.  You need to set your handler as the auth handler for the
location that you want to protect, not go to the auth handler and then
redirect to the location.


I think what Perrin is saying is that you don't want your authentication handler to perform the location redirect. In fact, you don't want a location redirect at all. You want to return OK if the user is authenticated (i.e. the username and password are verified by the CAS service) and AUTH_REQUIRED otherwise. At least that's how it was in MP1 and it's probably pretty much the same in MP2.

Rob
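
The arrangement described in this thread, as an added example that is not code from either poster: an authentication handler written against the mod_perl 2 API, attached directly to the protected location so that it runs in the same request as the application reading REMOTE_USER. The module name `My::CASAuthen`, the `/app` location, the use of Basic auth to collect credentials, and the `verify_with_cas` routine with its constructed user table are assumptions standing in for the real CAS check.

```perl
package My::CASAuthen;    # hypothetical module name
use strict;
use warnings;

use Apache2::RequestRec ();    # $r->user
use Apache2::Access ();        # get_basic_auth_pw, note_basic_auth_failure
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);

# httpd.conf: protect the application's own location (path is an assumption).
# The handler then runs in the same request as the application.
#
#   <Location /app>
#       AuthType Basic
#       AuthName "CAS"
#       Require valid-user
#       PerlAuthenHandler My::CASAuthen
#   </Location>

# Constructed stand-in for the CAS service; replace with the real verification.
my %CONSTRUCTED_USERS = (alice => 'constructed-password');

sub verify_with_cas {
    my ($user, $password) = @_;
    return defined $password
        && exists $CONSTRUCTED_USERS{$user}
        && $CONSTRUCTED_USERS{$user} eq $password;
}

sub handler {
    my $r = shift;

    # Parses the Authorization header and sets $r->user when one is present.
    my ($status, $password) = $r->get_basic_auth_pw;
    return $status unless $status == Apache2::Const::OK;

    my $user = $r->user;
    unless (defined $user && length $user && verify_with_cas($user, $password)) {
        $r->note_basic_auth_failure;                # adds WWW-Authenticate
        return Apache2::Const::HTTP_UNAUTHORIZED;   # 401, the AUTH_REQUIRED status
    }

    # No redirect: returning OK lets this same request continue to the
    # application, which sees REMOTE_USER taken from $r->user.
    return Apache2::Const::OK;
}

1;
```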
