Re: Developing an Authentication Module
On September 15, 2011 11:41 , Suneet Shah suneetshah2...@gmail.com wrote: In our architecture, authentication and authorization is handled by a set of web services. I would need to have the apache module make calls to the service. I was planning on using Axis 2 for this. Are there any issues with thiat? I have no experience with Axis 2, but an Apache module can certainly utilize external services. For example, mod_auth_kerb makes RPC calls to Kerberos KDCs, and mod_auth_dbd makes queries against SQL databases. I need to be able to look at request and see if it has a security token. If it does, then I need to validate it through the service. If it does not, then I need to redirect them to an authentication page. I thought it would be easier to handle the authentication through our java application (as we have the rest of the application) or should this part of the module as well? If a person successful authenticates, then the authentication app would redirect the user to the originally requested url. This sounds very much like the way cosign works. cosign is a web single-sign-on solution that includes an Apache HTTP Server module, mod_cosign. A diagram showing how cosign works is available at http://cosign.sourceforge.net/overview.shtml The actual authentication (prompting for and verifying the user's username and password) is handled by an application written in C which runs as a CGI and is not a part of the mod_cosign module itself. You may also want to study the implementation of other web single-sign-on solutions, including Pubcookie ( http://pubcookie.org/ ) and CAS ( http://www.jasig.org/cas ). CAS may be of particular interest to you because it is written in Java. This would flow through the apache web service and mod-proxy to end up at the target location. You may not need mod_proxy unless it is key to your requirements in some way. cosign, for example, simply redirects the user to the target location after verifying the security token (cookie) or authenticating the user and issuing a new security token. -- Mark Montague m...@catseye.org
Re: Developing an Authentication Module
Hi Mark, Thanks a lot for your help with this. I will take a look at the modules that you have referenced below. In our case, Mod-proxy and complementary modules seem to make sense. We need to hide the location of the real application and the proxy would help with that. Also the firewall rules in place only allow us to talk to the apache web server. There is no access directly to the other apps.. Finally, we also need to be able to inject headers into some applications to enable a form of SSO. We need the speed and security offered by running native in Apache, which is the reason why we opted for an apache module based approach. It would have been easier to go with a java based approach since we have a lot more experience in that environment Thanks again for your guidance Suneet On Thu, Sep 15, 2011 at 12:02 PM, Mark Montague m...@catseye.org wrote: On September 15, 2011 11:41 , Suneet Shah suneetshah2...@gmail.com wrote: In our architecture, authentication and authorization is handled by a set of web services. I would need to have the apache module make calls to the service. I was planning on using Axis 2 for this. Are there any issues with thiat? I have no experience with Axis 2, but an Apache module can certainly utilize external services. For example, mod_auth_kerb makes RPC calls to Kerberos KDCs, and mod_auth_dbd makes queries against SQL databases. I need to be able to look at request and see if it has a security token. If it does, then I need to validate it through the service. If it does not, then I need to redirect them to an authentication page. I thought it would be easier to handle the authentication through our java application (as we have the rest of the application) or should this part of the module as well? If a person successful authenticates, then the authentication app would redirect the user to the originally requested url. This sounds very much like the way cosign works. cosign is a web single-sign-on solution that includes an Apache HTTP Server module, mod_cosign. A diagram showing how cosign works is available at http://cosign.sourceforge.net/**overview.shtmlhttp://cosign.sourceforge.net/overview.shtml The actual authentication (prompting for and verifying the user's username and password) is handled by an application written in C which runs as a CGI and is not a part of the mod_cosign module itself. You may also want to study the implementation of other web single-sign-on solutions, including Pubcookie ( http://pubcookie.org/ ) and CAS ( http://www.jasig.org/cas ). CAS may be of particular interest to you because it is written in Java. This would flow through the apache web service and mod-proxy to end up at the target location. You may not need mod_proxy unless it is key to your requirements in some way. cosign, for example, simply redirects the user to the target location after verifying the security token (cookie) or authenticating the user and issuing a new security token. -- Mark Montague m...@catseye.org
Developing an Authentication Module
Hello, I need to build modules that will handle authentication and authorization. Our requirements seem to be a little different then what is provided with the apache web server. However, before I started down this path, I was hoping to get some feedback on the approach, as I am new module development. In our architecture, authentication and authorization is handled by a set of web services. I would need to have the apache module make calls to the service. I was planning on using Axis 2 for this. Are there any issues with thiat? For Authentication: I need to be able to look at request and see if it has a security token. If it does, then I need to validate it through the service. If it does not, then I need to redirect them to an authentication page. I thought it would be easier to handle the authentication through our java application (as we have the rest of the application) or should this part of the module as well? If a person successful authenticates, then the authentication app would redirect the user to the originally requested url. This would flow through the apache web service and mod-proxy to end up at the target location. Does this approach seem reasonable ? Thanks for your feedback. Suneet
developing custom authentication module
I am ISV developing a system that is using Apache. All the frontend's for system I am developing are all custom desktop applications, or web browsers controls wrapped in my own code. Thus users are not going to be entering username and password, the username and password used will be depended on which frontend being used. It is time for me to implement authentication correctly. I have two objectives with respect to authentication: 1: Protect my customers from unauthorized users. 2: Protect myself from customers hacking the authorization system to get access to features in which they have not purchased. #1 looks straight forward: If my impression is correct, I simply need to implement my own custom provider to check the custom username and password the frontends give it. Q: Is there documentation out there somewhere on how to implementing a new provider? #2 looks a lot more tricky. It seems that I will need to deviate from the normal way Apache's authentication works. For starters, NONE of the configuration can be in the http.conf, not like it is now with AuthType, AuthBasicProvider, etc. There is a Location directives in the conf that will have a custom directive for my custom Apache module. I would like to fully wire up this custom provider within this directive. To add to the complexity, there are different levels of authentication: None required, user, admin and there will be different locations under the Location directive for each, again, this all needs to be wired up in code when the custom directive for my custom Apache module is called. Q: Any suggestions on how I might achieve this? Sam P.S. I do NOT own the book on writing Apache Module in 2.0, just the older 1.3 book. Would any of this be addressed in that book?