[MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm) and cookies
Hello all Apache mod_perl2 module experts (I am a newbie with Apache), Hope I am clear in my explanations (my English is not so good and I had a lot of problems explaining my needs by mail. I am not sure that everybody will read entirely this mail ;-))) The direct question: Is it possible to: . use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to authenticate a client for the first request, . then create a session tracking module (based on cookies) for the next requests (I would write this last module in Perl) The indirect question (good luck ;)) I am currently working on a project to develop a server hosting HTTP applications developed with different technologies and I am in charge of the session management (authentication along with SSO) for the HTTP-based applications. Applications are developed in . PHP . Servlet I can not modify these applications (in term of authentication) My objective is to "offer" SSO, meaning that the end-user will be asked authentication only once, when accessing PHP or servlet (backend). The idea: an Apache module will simulate an HTTP client against the PHP or the servlet by sending basic authentication to PHP/servlet (ok, I simplify the problem, because the PHP or servlet container could require another authentication mechanism) Apache would act as a front-end and would . manage authentication against the client . manage session tracking with cookies . simulate the client authentication against the application (servlet or PHP) by sending basic authentication to the servlet or PHP applications (or any other mechanism, depending on the application authentication mechanism) I will write a session tracking module (using the PerlAuthenHandler handler). This module will manage: . a cookie for session tracking . the client simulation (using basic authentication or any other mechanism) against the back-end (PHP/Servlet) My requirement: this module has to be usable with any existing client authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO mod_auth_ntlm, ...) For example, . a client (a web services based client) uses basic authentication for the first request then a cookie is used for the next requests . a client (a browser) uses FORM authentication for the first request then a cookie is used for the next requests. . a client uses NTLM authentication . a client uses digest authentication I would imagine the Apache configuration as below AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie This would mean that : . MySessionModuleVerifyCookie would be first called, verifying if the cookie is present and correct . If no cookie, then basic authent is requested . if basic authent ok, then MySessionModuleGenerateCookie generates a valid cookie Another example, AuthType MySessionModuleVerifyCookie ntlm MySessionModuleGenerateCookie I searched for Apache modules fitting my needs. The Internet community proposes a lot of modules but all of these modules mix the different phases I described above (authentication between client and Apache, credentials verifications, session creation) For example, . mod_auth_pam: "The PAM authentication module implements Basic authentication on top of the Pluggable Authentication Module library". This means that the module implements basic authentication with PAM to verify credentials but without cookie session tracking . mod_auth_cookie_mysql: implements only FORM authentication with SQL to verify credentials with cookie session tracking . Apache::AuthTicket: implements only FORM authentication with any credentials mechanism (the module is extensible) with cookie session tracking . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but does not manage digest or form authentication My question: is it possible to serialize authentication modules in the AuthType Apache directive ? If so, how these modules interact each others. Another way to ask the question: is it possible to use already existing Apache module (basic, ntlm, digest, ...) to be included in a more global authentication/session framework ? Advantage of such a solution is that I can reuse the existing Apache modules (basic, ntlm, digest, ...), concentrating on my session tracking module. (I read the mod_perl2 documentation and mod_perl2 offers only Basic and Digest authentication. It does not offer NTLM authentication). Last but not least, my session tracking module has to be developed in Perl ! Thanks Gaetan
Re: [MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm) and cookies
Gaetan: On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote: > Hello all Apache mod_perl2 module experts (I am a newbie with Apache), > > Hope I am clear in my explanations (my English is not so good and I > had a lot of problems explaining my needs by mail. I am not sure that > everybody will read entirely this mail ;-))) > > The direct question: > Is it possible to: >. use the mod_auth_basic module (or mod_auth_digest or > mod_auth_ntlm) to authenticate a client for the first request, >. then create a session tracking module (based on cookies) for the > next requests (I would write this last module in Perl) > The cookie needs to be setup upon authentication, so you have to use an authentication module other than the basic authentication, which does not set up a cookie. > > The indirect question (good luck ;)) > > I am currently working on a project to develop a server hosting HTTP > applications developed with different technologies and I am in charge > of the session management (authentication along with SSO) for the > HTTP-based applications. > Applications are developed in > . PHP > . Servlet > I can not modify these applications (in term of authentication) > > My objective is to "offer" SSO, meaning that the end-user will be > asked authentication only once, when accessing PHP or servlet > (backend). > The idea: an Apache module will simulate an HTTP client against the > PHP or the servlet by sending basic authentication to PHP/servlet (ok, > I simplify the problem, because the PHP or servlet container could > require another authentication mechanism) > > Apache would act as a front-end and would > . manage authentication against the client > . manage session tracking with cookies > . simulate the client authentication against the application > (servlet or PHP) by sending basic authentication to the servlet or PHP > applications (or any other mechanism, depending on the application > authentication mechanism) > Take a look at the AuthCookie and AuthTicket modules, they can be used to easily build a solution like the one you are indicating. > I will write a session tracking module (using the PerlAuthenHandler > handler). This module will manage: > . a cookie for session tracking > . the client simulation (using basic authentication or any other > mechanism) against the back-end (PHP/Servlet) > > My requirement: this module has to be usable with any existing client > authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO > mod_auth_ntlm, ...) > > For example, > . a client (a web services based client) uses basic authentication for > the first request then a cookie is used for the next requests > . a client (a browser) uses FORM authentication for the first request > then a cookie is used for the next requests. > . a client uses NTLM authentication > . a client uses digest authentication > > I would imagine the Apache configuration as below > > > AuthType MySessionModuleVerifyCookie basic > MySessionModuleGenerateCookie > > > > This would mean that : > . MySessionModuleVerifyCookie would be first called, verifying if the > cookie is present and correct > . If no cookie, then basic authent is requested > . if basic authent ok, then MySessionModuleGenerateCookie generates a > valid cookie > > Another example, > > AuthType MySessionModuleVerifyCookie ntlm > MySessionModuleGenerateCookie > > > > > I searched for Apache modules fitting my needs. The Internet community > proposes a lot of modules but all of these modules mix the different > phases I described above (authentication between client and Apache, > credentials verifications, session creation) > For example, > . mod_auth_pam: "The PAM authentication module implements Basic > authentication on top of the Pluggable Authentication Module library". > This means that the module implements basic authentication with PAM to > verify credentials but without cookie session tracking > . mod_auth_cookie_mysql: implements only FORM authentication with SQL > to verify credentials with cookie session tracking > . Apache::AuthTicket: implements only FORM authentication with any > credentials mechanism (the module is extensible) with cookie session > tracking > . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but > does not manage digest or form authentication > > My question: is it possible to serialize authentication modules in the > AuthType Apache directive ? If so, how these modules interact each > others. > Another way to ask the question: is it possible to use already > existing Apache module (basic, ntlm, digest, ...) to be included in a > more global authentication/session framework ? Advantage of such a > solution is that I can reuse the existing Apache modules (basic, ntlm, > digest, ...), concentrating on my session tracking module. (I read the > mod_perl2 documentation and mod_perl2 offers only Basic and Digest > authentication. It doe
Re: [MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm) and cookies
Thank you for your answer Rafael My comments are below 2008/1/29, Rafael Caceres <[EMAIL PROTECTED]>: > > Gaetan: > > On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote: > > Hello all Apache mod_perl2 module experts (I am a newbie with Apache), > > > > Hope I am clear in my explanations (my English is not so good and I > > had a lot of problems explaining my needs by mail. I am not sure that > > everybody will read entirely this mail ;-))) > > > > The direct question: > > Is it possible to: > >. use the mod_auth_basic module (or mod_auth_digest or > > mod_auth_ntlm) to authenticate a client for the first request, > >. then create a session tracking module (based on cookies) for the > > next requests (I would write this last module in Perl) > > > The cookie needs to be setup upon authentication, so you have to use an > authentication module other than the basic authentication, which does > not set up a cookie. This is one of my problem: how can I link basic authentication with a cookie ? One of the solution I proposed (but it it feasible with Apache infrastructure and AuthType directive) was to declare different authentication type with the AuthType directive AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie This would mean that : . MySessionModuleVerifyCookie would be first called, verifying if the cookie is present and correct . If no cookie, then basic authent is requested . if basic authent ok, then MySessionModuleGenerateCookie generates a valid cookie In fact, my ultimate objective was to have an authentication framework based on cookie. It would be possible, with such a framework, to define client authentication type. The following example would mean: use cookie for authentication tracking, but first request can be authenticated with SSL. If SSL not available, use NTLM. If NTLM not available, use Form authentication. SSL, NTLM and Form authentication woul be external module I would re-used AuthType AuthentFrameworkCookie AuthOrder SSL NTLM Form Modules on Internet offer only one kind of authentication. Combining 2 (or more) authentication type is hard to configure (see SSL with basic authent http://www.modssl.org/docs/2.8/ssl_howto.html). And worse, combining authentication type with cookie is harder. Due to planning constraints, I will have to be less ... ambitious ;-) > > > The indirect question (good luck ;)) > > > > I am currently working on a project to develop a server hosting HTTP > > applications developed with different technologies and I am in charge > > of the session management (authentication along with SSO) for the > > HTTP-based applications. > > Applications are developed in > > . PHP > > . Servlet > > I can not modify these applications (in term of authentication) > > > > My objective is to "offer" SSO, meaning that the end-user will be > > asked authentication only once, when accessing PHP or servlet > > (backend). > > The idea: an Apache module will simulate an HTTP client against the > > PHP or the servlet by sending basic authentication to PHP/servlet (ok, > > I simplify the problem, because the PHP or servlet container could > > require another authentication mechanism) > > > > Apache would act as a front-end and would > > . manage authentication against the client > > . manage session tracking with cookies > > . simulate the client authentication against the application > > (servlet or PHP) by sending basic authentication to the servlet or PHP > > applications (or any other mechanism, depending on the application > > authentication mechanism) > > > Take a look at the AuthCookie and AuthTicket modules, they can be used > to easily build a solution like the one you are indicating. I already studied these modules, but they manage only form authentication. In any case, I think I will use the AuthCookie module to build a POC. > I will write a session tracking module (using the PerlAuthenHandler > > handler). This module will manage: > > . a cookie for session tracking > > . the client simulation (using basic authentication or any other > > mechanism) against the back-end (PHP/Servlet) > > > > My requirement: this module has to be usable with any existing client > > authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO > > mod_auth_ntlm, ...) > > > > > For example, > > . a client (a web services based client) uses basic authentication for > > the first request then a cookie is used for the next requests > > . a client (a browser) uses FORM authentication for the first request > > then a cookie is used for the next requests. > > . a client uses NTLM authentication > > . a client uses digest authentication > > > > I would imagine the Apache configuration as below > > > > > > AuthType MySessionModuleVerifyCookie basic > > MySessionModuleGenerateCookie > > > > > > > > This would mean that : > > . MySessionModuleVerifyCookie would be first called, verifyi
Re: [MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm) and cookies
On Wed 30 Jan 2008, titetluc titetluc wrote: > This would mean that : > . MySessionModuleVerifyCookie would be first called, verifying if the > cookie is present and correct > . If no cookie, then basic authent is requested > . if basic authent ok, then MySessionModuleGenerateCookie generates a valid > cookie Sorry, but I haven't really understood what you are trying to achieve. I assume you understand the difference between authentication and authorization and how they work together. If not try to figure that out first. 1) Perhaps you want to replace a specialized cookie named Authorization header with a general purpose cookie. (The Authorization header is nothing else than a specialized cookie.) This can easily be done by forging the Authorization header in a request phase that comes before (or even in) Auth if the general purpose cookie is there and correct. In a phase after Auth (like Fixup) you can then add your cookie if it is not there. Then all your documents would have to be secured by normal Auth-configuration. This can be done with Apache 1.3, 2.0 and 2.2. 2) If you are looking for a more general solution (which I believe you are) then for Apache 2.0+ have a look at the Auth*Authoritative directives, e.g. AuthBasicAuthoritative. Almost all Auth-modules implement such a directive. Your specialized-cookie-module would also have to implement such one. Then you can chain Authentication-modules together. If an Authentication module is authoritative it returns HTTP_UNAUTHORIZED if the user identity cannot be verified. If it is not authoritative it returns DECLINED instead passing the responsibility to the next authentication module. 3) With Apache 2.2 came authentication providers. They allow to chain different identity verification sources. But all of them are based on the same identity information that is passed in by the client (browser). Among geoff's modules is one that provides a perl interface to that. Torsten
Re: [MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm) and cookies
Am Dienstag 29 Januar 2008 10:51:00 schrieb titetluc titetluc: > Hello all Apache mod_perl2 module experts (I am a newbie with Apache), > > Hope I am clear in my explanations (my English is not so good and I had a > lot of problems explaining my needs by mail. I am not sure that everybody > will read entirely this mail ;-))) > > The direct question: > Is it possible to: >. use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to > authenticate a client for the first request, >. then create a session tracking module (based on cookies) for the next > requests (I would write this last module in Perl) > > > The indirect question (good luck ;)) > > I am currently working on a project to develop a server hosting HTTP > applications developed with different technologies and I am in charge of > the session management (authentication along with SSO) for the HTTP-based > applications. > Applications are developed in > . PHP > . Servlet > I can not modify these applications (in term of authentication) So , as far as I understood your problem. the first thing you should consider is writing an own mod_perl handler for the authentication phase, that way you don't have to care about the technologie of the sites below. To read about the request phase look at: http://perl.apache.org/docs/2.0/user/handlers/http.html#HTTP_Request_Cycle_Phases This is independent of what module you use, the point is at what time of the request you do the authentification. Tracking the user with a cookie is a "normal" thing. The problems would start, if the apps need to know which user logged in or not. if so you have to find a way to pass them the user id or what data the apps requires. > > My objective is to "offer" SSO, meaning that the end-user will be asked > authentication only once, when accessing PHP or servlet (backend). > The idea: an Apache module will simulate an HTTP client against the PHP or > the servlet by sending basic authentication to PHP/servlet (ok, I simplify > the problem, because the PHP or servlet container could require another > authentication mechanism) > > Apache would act as a front-end and would > . manage authentication against the client > . manage session tracking with cookies > . simulate the client authentication against the application (servlet > or PHP) by sending basic authentication to the servlet or PHP applications > (or any other mechanism, depending on the application authentication > mechanism) So , probably, you could set HTTP-header variables or environment variables, depending on what the application requires. > > I will write a session tracking module (using the PerlAuthenHandler > handler). This module will manage: > . a cookie for session tracking > . the client simulation (using basic authentication or any other > mechanism) against the back-end (PHP/Servlet) I don't think to have to rwrite anything, have a look at Apache(2)::Cookie or CGI::Cookie. > My requirement: this module has to be usable with any existing client > authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO > mod_auth_ntlm, ...) Look at Apache::Session::Wrapper; > > For example, > . a client (a web services based client) uses basic authentication for the > first request then a cookie is used for the next requests > . a client (a browser) uses FORM authentication for the first request then > a cookie is used for the next requests. > . a client uses NTLM authentication > . a client uses digest authentication > > I would imagine the Apache configuration as below > > > AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie > > > > This would mean that : > . MySessionModuleVerifyCookie would be first called, verifying if the > cookie is present and correct > . If no cookie, then basic authent is requested > . if basic authent ok, then MySessionModuleGenerateCookie generates a valid > cookie > > Another example, > > AuthType MySessionModuleVerifyCookie ntlm MySessionModuleGenerateCookie > > > > > I searched for Apache modules fitting my needs. The Internet community > proposes a lot of modules but all of these modules mix the different phases > I described above (authentication between client and Apache, credentials > verifications, session creation) > For example, > . mod_auth_pam: "The PAM authentication module implements Basic > authentication on top of the Pluggable Authentication Module library". This > means that the module implements basic authentication with PAM to verify > credentials but without cookie session tracking > . mod_auth_cookie_mysql: implements only FORM authentication with SQL to > verify credentials with cookie session tracking > . Apache::AuthTicket: implements only FORM authentication with any > credentials mechanism (the module is extensible) with cookie session > tracking > . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but does > not manage digest or form authen
