On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote:
> Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
> Hope I am clear in my explanations (my English is not so good and I
> had a lot of problems explaining my needs by mail. I am not sure that
> everybody will read entirely this mail ;-)))))))
> The direct question:
> Is it possible to:
> . use the mod_auth_basic module (or mod_auth_digest or
> mod_auth_ntlm) to authenticate a client for the first request,
> . then create a session tracking module (based on cookies) for the
> next requests (I would write this last module in Perl)

The cookie needs to be setup upon authentication, so you have to use an
authentication module other than the basic authentication, which does
not set up a cookie.
> The indirect question (good luck )
> I am currently working on a project to develop a server hosting HTTP
> applications developed with different technologies and I am in charge
> of the session management (authentication along with SSO) for the
> HTTP-based applications.
> Applications are developed in
> . PHP
> . Servlet
> I can not modify these applications (in term of authentication)
> My objective is to "offer" SSO, meaning that the end-user will be
> asked authentication only once, when accessing PHP or servlet
> (backend).
> The idea: an Apache module will simulate an HTTP client against the
> PHP or the servlet by sending basic authentication to PHP/servlet (ok,
> I simplify the problem, because the PHP or servlet container could
> require another authentication mechanism)
> Apache would act as a front-end and would
> . manage authentication against the client
> . manage session tracking with cookies
> . simulate the client authentication against the application
> (servlet or PHP) by sending basic authentication to the servlet or PHP
> applications (or any other mechanism, depending on the application
> authentication mechanism)

Take a look at the AuthCookie and AuthTicket modules, they can be used
to easily build a solution like the one you are indicating.

> I will write a session tracking module (using the PerlAuthenHandler
> handler). This module will manage:
> . a cookie for session tracking
> . the client simulation (using basic authentication or any other
> mechanism) against the back-end (PHP/Servlet)
> My requirement: this module has to be usable with any existing client
> authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> mod_auth_ntlm, ...)

> For example,
> . a client (a web services based client) uses basic authentication for
> the first request then a cookie is used for the next requests
> . a client (a browser) uses FORM authentication for the first request
> then a cookie is used for the next requests.
> . a client uses NTLM authentication ....
> . a client uses digest authentication ....
> I would imagine the Apache configuration as below
> AuthType MySessionModuleVerifyCookie basic
> MySessionModuleGenerateCookie
> ....

> This would mean that :
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a
> valid cookie
> Another example,
> AuthType MySessionModuleVerifyCookie ntlm
> MySessionModuleGenerateCookie
> ....

> I searched for Apache modules fitting my needs. The Internet community
> proposes a lot of modules but all of these modules mix the different
> phases I described above (authentication between client and Apache,
> credentials verifications, session creation)
> For example,
> . mod_auth_pam: "The PAM authentication module implements Basic
> authentication on top of the Pluggable Authentication Module library".
> This means that the module implements basic authentication with PAM to
> verify credentials but without cookie session tracking
> . mod_auth_cookie_mysql: implements only FORM authentication with SQL
> to verify credentials with cookie session tracking
> . Apache::AuthTicket: implements only FORM authentication with any
> credentials mechanism (the module is extensible) with cookie session
> tracking
> . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but
> does not manage digest or form authentication
> My question: is it possible to serialize authentication modules in the
> AuthType Apache directive ? If so, how these modules interact each
> others.
> Another way to ask the question: is it possible to use already
> existing Apache module (basic, ntlm, digest, ...) to be included in a
> more global authentication/session framework ? Advantage of such a
> solution is that I can reuse the existing Apache modules (basic, ntlm,
> digest, ...), concentrating on my session tracking module. (I read the
> mod_perl2 documentation and mod_perl2 offers only Basic and Digest
> authentication. It does not offer NTLM authentication).
> Last but not least, my session tracking module has to be developed in
> Perl !
> Thanks
> Gaetan

Rafael Caceres