I am an ISV developing a system that uses Apache. All the frontends for the system I am developing are custom desktop applications or web browser controls wrapped in my own code. Thus users are not going to be entering a username and password; the username and password used will depend on which frontend is being used.

It is time for me to implement authentication correctly. I have two objectives with respect to authentication:

1: Protect my customers from unauthorized users.
2: Protect myself from customers hacking the authorization system to get access to features which they have not purchased.

#1 looks straightforward: if my impression is correct, I simply need to implement my own custom provider to check the custom username and password the frontends give it.

Q: Is there documentation out there somewhere on how to implement a new provider?

#2 looks a lot more tricky. It seems that I will need to deviate from the normal way Apache's authentication works. For starters, NONE of the configuration can be in the http.conf, not like it is now with AuthType, AuthBasicProvider, etc. There is a <Location> directive in the conf that will have a custom directive for my custom Apache module. I would like to fully wire up this custom provider within this directive. To add to the complexity, there are different levels of authentication: none required, user, and admin, and there will be different locations under the <Location> directive for each. Again, this all needs to be wired up in code when the custom directive for my custom Apache module is called.

Q: Any suggestions on how I might achieve this?

Sam

P.S. I do NOT own the book on writing Apache modules in 2.0, just the older 1.3 book. Would any of this be addressed in that book?