Authentication Module

[Suneet Shah]

Hello,

I am trying to build an Authentication/SSO module and part of it leverages
the work in Mod-Proxy (all my requests need to flow through the proxy)
After I authenticate, I generate a security token that I need to tack on to
each request and not have it get lost through the proxy.
Is there a way to configure mod-proxy so that it does or a way to enhance
it?

For example - I may start with url:
http://myhost/myapp?userid=abctoken=12334343
the proxy would then return a page, but that page should also have the query
string tacked on to it: ie.
http://myhost/myapp/page1.jsp?userid=abctoken=12334343

Thanks for your help
suneet

Re: Developing an Authentication Module

[Mark Montague]

On September 15, 2011 11:41 , Suneet Shah suneetshah2...@gmail.com wrote:

In our architecture, authentication and authorization is handled by a set of
web services.  I would need to have the apache module make calls to the
service. I was planning on using Axis 2 for this. Are there any issues with
thiat?


I have no experience with Axis 2, but an Apache module can certainly 
utilize external services.  For example, mod_auth_kerb makes RPC calls 
to Kerberos KDCs, and mod_auth_dbd makes queries against SQL databases.




I need to be able to look at request and see if it has a security token. If
it does, then I need to validate it through the service.

If it does not, then I need to redirect them to an authentication page.

I thought it would be easier to handle the authentication through our java
application (as we have the rest of the application) or should this part of
the module as well?

If a person successful authenticates, then the authentication app would
redirect the user to the originally requested url.



This sounds very much like the way cosign works.  cosign is a web 
single-sign-on solution that includes an Apache HTTP Server module, 
mod_cosign.  A diagram showing how cosign works is available at 
http://cosign.sourceforge.net/overview.shtml   The actual authentication 
(prompting for and verifying the user's username and password) is 
handled by an application written in C which runs as a CGI and is not a 
part of the mod_cosign module itself.


You may also want to study the implementation of other web 
single-sign-on solutions, including Pubcookie ( http://pubcookie.org/ ) 
and CAS ( http://www.jasig.org/cas ).  CAS may be of particular interest 
to you because it is written in Java.




This would flow through
the apache web service and mod-proxy to end up at the target location.


You may not need mod_proxy unless it is key to your requirements in some 
way.  cosign, for example, simply redirects the user to the target 
location after verifying the security token (cookie) or authenticating 
the user and issuing a new security token.


--
  Mark Montague
  m...@catseye.org

Re: Developing an Authentication Module

[Suneet Shah]

Hi Mark,

Thanks a lot for your help with this. I will take a look at the modules that
you have referenced below.

In our case, Mod-proxy and complementary modules seem to make sense. We need
to hide the location of the real application and the proxy would help with
that.  Also the firewall rules in place only allow us to talk to the apache
web server. There is no access directly to the other apps.. Finally, we also
need to be able to inject headers into some applications to enable a form of
SSO.

We need the speed and security offered by running native in Apache, which is
the reason why we opted for an apache module based approach. It would have
been easier to go with a java based approach since we have a lot more
experience in that environment

Thanks again for your guidance
Suneet


On Thu, Sep 15, 2011 at 12:02 PM, Mark Montague m...@catseye.org wrote:

 On September 15, 2011 11:41 , Suneet Shah suneetshah2...@gmail.com
 wrote:

 In our architecture, authentication and authorization is handled by a set
 of
 web services.  I would need to have the apache module make calls to the
 service. I was planning on using Axis 2 for this. Are there any issues
 with
 thiat?


 I have no experience with Axis 2, but an Apache module can certainly
 utilize external services.  For example, mod_auth_kerb makes RPC calls to
 Kerberos KDCs, and mod_auth_dbd makes queries against SQL databases.



  I need to be able to look at request and see if it has a security token.
 If
 it does, then I need to validate it through the service.

 If it does not, then I need to redirect them to an authentication page.

 I thought it would be easier to handle the authentication through our java
 application (as we have the rest of the application) or should this part
 of
 the module as well?

 If a person successful authenticates, then the authentication app would
 redirect the user to the originally requested url.



 This sounds very much like the way cosign works.  cosign is a web
 single-sign-on solution that includes an Apache HTTP Server module,
 mod_cosign.  A diagram showing how cosign works is available at
 http://cosign.sourceforge.net/**overview.shtmlhttp://cosign.sourceforge.net/overview.shtml
   The actual authentication (prompting for and verifying the user's username
 and password) is handled by an application written in C which runs as a CGI
 and is not a part of the mod_cosign module itself.

 You may also want to study the implementation of other web single-sign-on
 solutions, including Pubcookie ( http://pubcookie.org/ ) and CAS (
 http://www.jasig.org/cas ).  CAS may be of particular interest to you
 because it is written in Java.



  This would flow through
 the apache web service and mod-proxy to end up at the target location.


 You may not need mod_proxy unless it is key to your requirements in some
 way.  cosign, for example, simply redirects the user to the target location
 after verifying the security token (cookie) or authenticating the user and
 issuing a new security token.

 --
  Mark Montague
  m...@catseye.org