I've written a module, "auth_any" that allows a user to be authenticated by any mechanism including OpenID (Google), Basic auth, LDAP, or Shibboleth (Protect Network). My PerlAuthenticationHandler checks for a cookie, and if not found, redirects to a page containing a list of links for each auth mechanism. These links go back to mod_perl which adds the appropriate configuration directives for that authentication mechanism. If authentication succeeds, the response phase sets the cookie and writes it into our database. The browser is then redirected back to the originally requested URL. The authentication handler finds the cookie this time and returns "OK".
I've written a corresponding PerlAuthorizationHandler, however we would like to be able to replace it with authorization through one of the standard providers mentioned above (authorization provider determined at server initialization time). The problem is that if the user is not authorized, the module returns either a 401 with a "WWW-Authenticate:" header field (LDAP or basic), or a 302 with a "Location:" header field (Shibboleth) and displays a second window requesting credentials. I thought that I might be able to remove these header fields in a PerlFixupHandler and issue my own 302 or 200 return code. However, it seems that the fixup phase does not run after an authorization hook or handler returns HTTP_UNAUTHORIZED or REDIRECT. Is there a way around this, or is there another handler phase that I can use to manipulate the return code and HTTP header?

Kim
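As an added illustration (not Kim's auth_any code), here is the cookie-checking authentication handler the first paragraph describes, written against the mod_perl 2 API: it looks up the session cookie in the database, sets the user for the later authorization phase, and otherwise redirects to the mechanism-chooser page with the original URL preserved. The package name, cookie name, chooser path, PerlSetVar name and sessions table layout are all assumptions.

```perl
package AuthAny::AuthenHandler;   # assumed package name
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::RequestUtil ();
use Apache2::Const -compile => qw(OK REDIRECT);
use APR::Table ();
use URI::Escape qw(uri_escape);
use DBI;

# Assumed names: the session cookie and the page listing the auth mechanisms.
my $COOKIE_NAME  = 'auth_any';
my $CHOOSER_PAGE = '/auth/choose';

sub handler {
    my $r = shift;

    my $sid  = _session_cookie($r);
    my $user = defined $sid ? _session_user($r, $sid) : undef;
    if (defined $user) {
        $r->user($user);            # visible to the PerlAuthzHandler that runs next
        return Apache2::Const::OK;
    }

    # No valid cookie: send the browser to the list of login links and remember
    # where it wanted to go, so the response phase can redirect back afterwards.
    my $return_to = uri_escape($r->unparsed_uri);
    $r->err_headers_out->set(Location => "$CHOOSER_PAGE?return_to=$return_to");
    return Apache2::Const::REDIRECT;
}

# Return the value of our cookie from the Cookie: header, or undef if absent.
sub _session_cookie {
    my $r = shift;
    my $header = $r->headers_in->{Cookie} or return;
    for my $pair (split /;\s*/, $header) {
        my ($name, $value) = split /=/, $pair, 2;
        return $value if defined $name && $name eq $COOKIE_NAME;
    }
    return;
}

# Map a session id to a username via the database the post mentions.
# Assumed: DSN in "PerlSetVar AuthAnyDSN", table sessions(sid, username, expires).
sub _session_user {
    my ($r, $sid) = @_;
    my $dbh = DBI->connect($r->dir_config('AuthAnyDSN'), undef, undef,
                           { RaiseError => 1 });
    my ($user) = $dbh->selectrow_array(
        'SELECT username FROM sessions WHERE sid = ? AND expires > NOW()',
        undef, $sid);
    return $user;
}

1;
```

Using `err_headers_out` for the Location header keeps it on the 302 even though the handler returns a non-OK status; an expired or unknown session id is treated the same as a missing cookie.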