Gaetan:

On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote:
> Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
>
> Hope I am clear in my explanations (my English is not so good and I
> had a lot of problems explaining my needs by mail. I am not sure that
> everybody will read entirely this mail ;-)))))))
>
> The direct question:
> Is it possible to:
> . use the mod_auth_basic module (or mod_auth_digest or
> mod_auth_ntlm) to authenticate a client for the first request,
> . then create a session tracking module (based on cookies) for the
> next requests (I would write this last module in Perl)
>

The cookie needs to be set up upon authentication, so you have to use an
authentication module other than the basic authentication, which does
not set up a cookie.
>
> The indirect question (good luck )
>
> I am currently working on a project to develop a server hosting HTTP
> applications developed with different technologies and I am in charge
> of the session management (authentication along with SSO) for the
> HTTP-based applications.
> Applications are developed in
> . PHP
> . Servlet
> I cannot modify these applications (in terms of authentication)
>
> My objective is to "offer" SSO, meaning that the end-user will be
> asked for authentication only once, when accessing PHP or servlet
> (backend).
> The idea: an Apache module will simulate an HTTP client against the
> PHP or the servlet by sending basic authentication to PHP/servlet (ok,
> I simplify the problem, because the PHP or servlet container could
> require another authentication mechanism)
>
> Apache would act as a front-end and would
> . manage authentication against the client
> . manage session tracking with cookies
> . simulate the client authentication against the application
> (servlet or PHP) by sending basic authentication to the servlet or PHP
> applications (or any other mechanism, depending on the application
> authentication mechanism)
>

Take a look at the AuthCookie and AuthTicket modules, they can be used
to easily build a solution like the one you are indicating.

> I will write a session tracking module (using the PerlAuthenHandler
> handler). This module will manage:
> . a cookie for session tracking
> . the client simulation (using basic authentication or any other
> mechanism) against the back-end (PHP/Servlet)
>
> My requirement: this module has to be usable with any existing client
> authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> mod_auth_ntlm, ...)
>


> For example,
> . a client (a web services based client) uses basic authentication for
> the first request then a cookie is used for the next requests
> . a client (a browser) uses FORM authentication for the first request
> then a cookie is used for the next requests.
> . a client uses NTLM authentication ....
> . a client uses digest authentication ....
>
> I would imagine the Apache configuration as below
>
>
> AuthType MySessionModuleVerifyCookie basic
> MySessionModuleGenerateCookie
> ....
>

>
> This would mean that :
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a
> valid cookie
>
> Another example,
>
> AuthType MySessionModuleVerifyCookie ntlm
> MySessionModuleGenerateCookie
> ....
>

>
>
> I searched for Apache modules fitting my needs. The Internet community
> proposes a lot of modules but all of these modules mix the different
> phases I described above (authentication between client and Apache,
> credentials verifications, session creation)
> For example,
> . mod_auth_pam: "The PAM authentication module implements Basic
> authentication on top of the Pluggable Authentication Module library".
> This means that the module implements basic authentication with PAM to
> verify credentials but without cookie session tracking
> . mod_auth_cookie_mysql: implements only FORM authentication with SQL
> to verify credentials with cookie session tracking
> . Apache::AuthTicket: implements only FORM authentication with any
> credentials mechanism (the module is extensible) with cookie session
> tracking
> . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but
> does not manage digest or form authentication
>
> My question: is it possible to serialize authentication modules in the
> AuthType Apache directive? If so, how do these modules interact with
> each other?
> Another way to ask the question: is it possible to use already
> existing Apache modules (basic, ntlm, digest, ...) to be included in a
> more global authentication/session framework ? Advantage of such a
> solution is that I can reuse the existing Apache modules (basic, ntlm,
> digest, ...), concentrating on my session tracking module. (I read the
> mod_perl2 documentation and mod_perl2 offers only Basic and Digest
> authentication. It does not offer NTLM authentication).
>
> Last but not least, my session tracking module has to be developed in
> Perl !
>
> Thanks
>
> Gaetan

Regards,
Rafael Caceres
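
The order discussed in this thread (verify the session cookie first, fall back to the primary authentication, then generate a cookie) in plain Perl, as an added example that is not code from the thread or from AuthCookie/AuthTicket. The ticket format `user:expiry:mac`, the names `issue_ticket`, `verify_ticket` and `handle_request`, the key, the lifetime and the sample users are assumptions; wiring into a PerlAuthenHandler is outside its scope.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed demo values: load a random secret from protected config in practice.
my $SECRET = 'constructed-demo-secret';
my $TTL    = 900;    # assumed ticket lifetime in seconds

# Called once the primary authentication (basic, digest, NTLM, form) succeeded.
sub issue_ticket {
    my ($user, $now) = @_;
    my $expires = $now + $TTL;
    return join ':', $user, $expires, hmac_sha256_hex("$user:$expires", $SECRET);
}

# Returns the user name for a well-formed, authentic, unexpired ticket, else undef.
sub verify_ticket {
    my ($ticket, $now) = @_;
    return undef unless defined $ticket;
    my ($user, $expires, $mac) = $ticket =~
        /\A([A-Za-z0-9_.\-]{1,64}):(\d{1,12}):([0-9a-f]{64})\z/ or return undef;
    my $expected = hmac_sha256_hex("$user:$expires", $SECRET);
    my $diff = 0;    # compare every character so timing does not leak a prefix match
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1)) for 0 .. 63;
    return ($diff == 0 && $expires > $now) ? $user : undef;
}

# Order proposed in the thread: cookie first, primary authentication second,
# cookie generation after a successful authentication.
sub handle_request {
    my (%req) = @_;    # cookie: ticket from the Cookie header; auth_user: user accepted now
    my $user = verify_ticket($req{cookie}, $req{now});
    return { status => 'OK', user => $user } if defined $user;
    return { status => 'AUTH_REQUIRED' } unless defined $req{auth_user};
    my $ticket = issue_ticket($req{auth_user}, $req{now});
    return { status => 'OK', user => $req{auth_user},
             set_cookie => "session=$ticket; Path=/; Secure; HttpOnly" };
}

# Constructed requests: first visit, login, cookie reuse, tampered user, expired ticket.
my $now   = time;
my $first = handle_request(now => $now);
my $login = handle_request(now => $now, auth_user => 'alice');
my ($ticket) = $login->{set_cookie} =~ /\Asession=([^;]+)/;
my $next  = handle_request(now => $now + 60, cookie => $ticket);
(my $forged = $ticket) =~ s/\Aalice:/admin:/;
my $bad   = handle_request(now => $now + 60, cookie => $forged);
my $late  = handle_request(now => $now + $TTL + 1, cookie => $ticket);
print "$_->{status}\n" for $first, $login, $next, $bad, $late;
```

Because the MAC covers both the user name and the expiry, a client cannot edit either field without the server-side key, and the back-end credentials never need to be stored in the cookie itself.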