Gaetan:

On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote:
> Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
>
> Hope I am clear in my explanations (my English is not so good and I
> had a lot of problems explaining my needs by mail. I am not sure that
> everybody will read this mail entirely ;-)))))))
>
> The direct question:
> Is it possible to:
> . use the mod_auth_basic module (or mod_auth_digest or
> mod_auth_ntlm) to authenticate a client for the first request,
> . then create a session tracking module (based on cookies) for the
> next requests (I would write this last module in Perl)
>

The cookie needs to be set up upon authentication, so you have to use an authentication module other than the basic authentication, which does not set up a cookie.

>
> The indirect question (good luck ;))
>
> I am currently working on a project to develop a server hosting HTTP
> applications developed with different technologies and I am in charge
> of the session management (authentication along with SSO) for the
> HTTP-based applications.
> Applications are developed in
> . PHP
> . Servlet
> I cannot modify these applications (in terms of authentication)
>
> My objective is to "offer" SSO, meaning that the end-user will be
> asked for authentication only once, when accessing PHP or servlet
> (backend).
> The idea: an Apache module will simulate an HTTP client against the
> PHP or the servlet by sending basic authentication to PHP/servlet (ok,
> I simplify the problem, because the PHP or servlet container could
> require another authentication mechanism)
>
> Apache would act as a front-end and would
> . manage authentication against the client
> . manage session tracking with cookies
> . simulate the client authentication against the application
> (servlet or PHP) by sending basic authentication to the servlet or PHP
> applications (or any other mechanism, depending on the application
> authentication mechanism)
>

Take a look at the AuthCookie and AuthTicket modules, they can be used to easily build a solution like the one you are indicating.

> I will write a session tracking module (using the PerlAuthenHandler
> handler). This module will manage:
> . a cookie for session tracking
> . the client simulation (using basic authentication or any other
> mechanism) against the back-end (PHP/Servlet)
>
> My requirement: this module has to be usable with any existing client
> authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> mod_auth_ntlm, ...)
>
> For example,
> . a client (a web services based client) uses basic authentication for
> the first request then a cookie is used for the next requests
> . a client (a browser) uses FORM authentication for the first request
> then a cookie is used for the next requests.
> . a client uses NTLM authentication ....
> . a client uses digest authentication ....
>
> I would imagine the Apache configuration as below
>
> <Location /docs_protected_access_basic>
> AuthType MySessionModuleVerifyCookie basic
> MySessionModuleGenerateCookie
> ....
> </Location>
>
> This would mean that:
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a
> valid cookie
>
> Another example,
> <Location /docs_protected_access_ntlm>
> AuthType MySessionModuleVerifyCookie ntlm
> MySessionModuleGenerateCookie
> ....
> </Location>
>
>
> I searched for Apache modules fitting my needs. The Internet community
> proposes a lot of modules but all of these modules mix the different
> phases I described above (authentication between client and Apache,
> credentials verifications, session creation)
> For example,
> . mod_auth_pam: "The PAM authentication module implements Basic
> authentication on top of the Pluggable Authentication Module library".
> This means that the module implements basic authentication with PAM to
> verify credentials but without cookie session tracking
> . mod_auth_cookie_mysql: implements only FORM authentication with SQL
> to verify credentials with cookie session tracking
> . Apache::AuthTicket: implements only FORM authentication with any
> credentials mechanism (the module is extensible) with cookie session
> tracking
> . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but
> does not manage digest or form authentication
>
> My question: is it possible to serialize authentication modules in the
> AuthType Apache directive? If so, how do these modules interact with
> each other?
> Another way to ask the question: is it possible to use already
> existing Apache modules (basic, ntlm, digest, ...) to be included in a
> more global authentication/session framework? Advantage of such a
> solution is that I can reuse the existing Apache modules (basic, ntlm,
> digest, ...), concentrating on my session tracking module. (I read the
> mod_perl2 documentation and mod_perl2 offers only Basic and Digest
> authentication. It does not offer NTLM authentication).
>
> Last but not least, my session tracking module has to be developed in
> Perl!
>
> Thanks
>
> Gaetan

Regards,
Rafael Caceres
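
The generate/verify split the question describes (MySessionModuleGenerateCookie and MySessionModuleVerifyCookie), shown as an added example that is not part of the original thread and not code from AuthCookie or AuthTicket: an HMAC-signed, expiring session ticket built with core Perl modules only. The helper names, the secret, the lifetime and the sample values are all assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions: demo secret (load from protected config in practice),
# ticket lifetime in seconds, and the allowed user-name alphabet.
my $SECRET  = 'constructed-demo-secret-change-me';
my $TTL     = 900;
my $USER_RE = qr/[\w.\@-]{1,64}/;

# Hypothetical helper: called once the front-end authentication
# (basic, digest, NTLM, form) has succeeded for $user.
sub generate_ticket {
    my ($user, $now) = @_;
    die "bad user name\n" unless $user =~ /\A$USER_RE\z/;
    my $payload = $user . ':' . ($now + $TTL);
    return $payload . ':' . hmac_sha256_hex($payload, $SECRET);
}

# Constant-time comparison so a mismatch position is not leaked by timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Hypothetical helper: returns the user name for a valid, unexpired
# ticket, or undef so the caller falls back to full authentication.
sub verify_ticket {
    my ($ticket, $now) = @_;
    return unless defined $ticket;
    my ($user, $expires, $mac) =
        $ticket =~ /\A($USER_RE):(\d{1,12}):([0-9a-f]{64})\z/
        or return;
    return unless ct_eq($mac, hmac_sha256_hex("$user:$expires", $SECRET));
    return if $expires <= $now;
    return $user;
}

# Constructed sample values: a fixed timestamp and a tampered copy.
my $t0     = 1_201_600_000;
my $ticket = generate_ticket('gaetan', $t0);
(my $forged = $ticket) =~ s/\Agaetan:/mallory:/;
printf "fresh:   %s\n", verify_ticket($ticket, $t0 + 60)   // 'rejected';
printf "expired: %s\n", verify_ticket($ticket, $t0 + $TTL) // 'rejected';
printf "forged:  %s\n", verify_ticket($forged, $t0 + 60)   // 'rejected';
```

When the ticket is sent as a cookie it should carry the Secure and HttpOnly attributes so it is neither transmitted in clear text nor readable from page scripts.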