I am attempting to authorize post content (SOAP methods) against ACLs, but once the authorize handler grabs the HTTP body, the other handlers can't process the content. I have been told that an input filter is the way to go, but those return codes are ignored and I need to be able to return a 404. Also, I need to be able to look at the entire body first before passing it on.
A work around is to proxy the request to a local virtual host to handle the request AFTER it has been authorized, but then the SSL/TLS information is lost. Also, this means that anyone on that box can bypass the authorizer by simply calling the proxied virtual host. I would like to do everything in a single pass so I can keep the SSL info and make it harder for local apps to bypass ACLs. Any ideas? Thanks, Andrew
