------=_Part_15407_29677855.1201680823294
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Thank you for your answer Rafael

My comments are below

2008/1/29, Rafael Caceres :
>
> Gaetan:
>
> On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote:
> > Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
> >
> > Hope I am clear in my explanations (my English is not so good and I
> > had a lot of problems explaining my needs by mail. I am not sure that
> > everybody will read entirely this mail ;-)))))))
> >
> > The direct question:
> > Is it possible to:
> > . use the mod_auth_basic module (or mod_auth_digest or
> > mod_auth_ntlm) to authenticate a client for the first request,
> > . then create a session tracking module (based on cookies) for the
> > next requests (I would write this last module in Perl)
> >

> The cookie needs to be setup upon authentication, so you have to use an
> authentication module other than the basic authentication, which does
> not set up a cookie.



This is one of my problem: how can I link basic authentication with a cookie
?
One of the solution I proposed (but it it feasible with Apache
infrastructure and AuthType directive) was to declare different
authentication type with the AuthType directive


AuthType MySessionModuleVerifyCookie basic
MySessionModuleGenerateCookie
....


This would mean that :
.. MySessionModuleVerifyCookie would be first called, verifying if the
cookie is present and correct
.. If no cookie, then basic authent is requested
.. if basic authent ok, then MySessionModuleGenerateCookie generates a valid
cookie

In fact, my ultimate objective was to have an authentication framework based
on cookie.
It would be possible, with such a framework, to define client authentication
type.

The following example would mean: use cookie for authentication tracking,
but first request can be authenticated with SSL. If SSL not available, use
NTLM. If NTLM not available, use Form authentication.
SSL, NTLM and Form authentication woul be external module I would re-used


AuthType AuthentFrameworkCookie
AuthOrder SSL NTLM Form
....


Modules on Internet offer only one kind of authentication. Combining 2 (or
more) authentication type is hard to configure (see SSL with basic authent
http://www.modssl.org/docs/2.8/ssl_howto.html). And worse, combining
authentication type with cookie is harder.

Due to planning constraints, I will have to be less ... ambitious ;-)

>
> > The indirect question (good luck )
> >
> > I am currently working on a project to develop a server hosting HTTP
> > applications developed with different technologies and I am in charge
> > of the session management (authentication along with SSO) for the
> > HTTP-based applications.
> > Applications are developed in
> > . PHP
> > . Servlet
> > I can not modify these applications (in term of authentication)
> >
> > My objective is to "offer" SSO, meaning that the end-user will be
> > asked authentication only once, when accessing PHP or servlet
> > (backend).
> > The idea: an Apache module will simulate an HTTP client against the
> > PHP or the servlet by sending basic authentication to PHP/servlet (ok,
> > I simplify the problem, because the PHP or servlet container could
> > require another authentication mechanism)
> >
> > Apache would act as a front-end and would
> > . manage authentication against the client
> > . manage session tracking with cookies
> > . simulate the client authentication against the application
> > (servlet or PHP) by sending basic authentication to the servlet or PHP
> > applications (or any other mechanism, depending on the application
> > authentication mechanism)
> >

> Take a look at the AuthCookie and AuthTicket modules, they can be used
> to easily build a solution like the one you are indicating.



I already studied these modules, but they manage only form authentication.
In any case, I think I will use the AuthCookie module to build a POC.

> I will write a session tracking module (using the PerlAuthenHandler
> > handler). This module will manage:
> > . a cookie for session tracking
> > . the client simulation (using basic authentication or any other
> > mechanism) against the back-end (PHP/Servlet)
> >
> > My requirement: this module has to be usable with any existing client
> > authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> > mod_auth_ntlm, ...)
> >

>
> > For example,
> > . a client (a web services based client) uses basic authentication for
> > the first request then a cookie is used for the next requests
> > . a client (a browser) uses FORM authentication for the first request
> > then a cookie is used for the next requests.
> > . a client uses NTLM authentication ....
> > . a client uses digest authentication ....
> >
> > I would imagine the Apache configuration as below
> >
> >
> > AuthType MySessionModuleVerifyCookie basic
> > MySessionModuleGenerateCookie
> > ....
> >

> >
> > This would mean that :
> > . MySessionModuleVerifyCookie would be first called, verifying if the
> > cookie is present and correct
> > . If no cookie, then basic authent is requested
> > . if basic authent ok, then MySessionModuleGenerateCookie generates a
> > valid cookie
> >
> > Another example,
> >
> > AuthType MySessionModuleVerifyCookie ntlm
> > MySessionModuleGenerateCookie
> > ....
> >

> >
> >
> > I searched for Apache modules fitting my needs. The Internet community
> > proposes a lot of modules but all of these modules mix the different
> > phases I described above (authentication between client and Apache,
> > credentials verifications, session creation)
> > For example,
> > . mod_auth_pam: "The PAM authentication module implements Basic
> > authentication on top of the Pluggable Authentication Module library".
> > This means that the module implements basic authentication with PAM to
> > verify credentials but without cookie session tracking
> > . mod_auth_cookie_mysql: implements only FORM authentication with SQL
> > to verify credentials with cookie session tracking
> > . Apache::AuthTicket: implements only FORM authentication with any
> > credentials mechanism (the module is extensible) with cookie session
> > tracking
> > . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but
> > does not manage digest or form authentication
> >
> > My question: is it possible to serialize authentication modules in the
> > AuthType Apache directive ? If so, how these modules interact each
> > others.
> > Another way to ask the question: is it possible to use already
> > existing Apache module (basic, ntlm, digest, ...) to be included in a
> > more global authentication/session framework ? Advantage of such a
> > solution is that I can reuse the existing Apache modules (basic, ntlm,
> > digest, ...), concentrating on my session tracking module. (I read the
> > mod_perl2 documentation and mod_perl2 offers only Basic and Digest
> > authentication. It does not offer NTLM authentication).
> >
> > Last but not least, my session tracking module has to be developed in
> > Perl !
> >
> > Thanks
> >
> > Gaetan

> Regards,
> Rafael Caceres
>
>


------=_Part_15407_29677855.1201680823294
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Thank you for your answer Rafael

My comments are below

2008/1/29, Rafael Caceres <rcaceres@aasa.com.pe>:

Gaetan:

On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote:
> Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
>
> Hope I am clear in my explanations (my English is not so good and I

> had a lot of problems explaining my needs by mail. I am not sure that
> everybody will read entirely this mail ;-)))))))
>
> The direct question:
> Is it possible to:
>    . use the mod_auth_basic module (or mod_auth_digest or

> mod_auth_ntlm) to authenticate a client for the first request,
>    . then create a session tracking module (based on cookies) for the
> next requests (I would write this last module in Perl)
>
The cookie needs to be setup upon authentication, so you have to use an

authentication module other than the basic authentication, which does
not set up a cookie.

This is one of my problem: how can I link basic authentication with a cookie ?
One of the solution I proposed (but it it  feasible with Apache infrastructure and AuthType directive) was to declare different authentication type with the AuthType directive


<Location /docs_protected_access_basic>
AuthType MySessionModuleVerifyCookie basic
MySessionModuleGenerateCookie
 ....
</Location>

This would mean that :
. MySessionModuleVerifyCookie  would be first called, verifying if the cookie is present and correct

.. If no cookie, then basic authent is requested
. if basic authent ok, then MySessionModuleGenerateCookie generates a valid cookie

In fact, my ultimate objective was to have an authentication framework based on cookie.

It would be possible, with such a framework, to define client authentication type.

The following example would mean: use cookie for authentication tracking, but first request can be authenticated with SSL. If SSL not available, use NTLM. If NTLM not available, use Form authentication.

SSL, NTLM and Form authentication woul be external module I would re-used

<Location /docs_protected_access>
AuthType AuthentFrameworkCookie
AuthOrder  SSL NTLM Form
 ....

</Location>

Modules on Internet offer only one kind of authentication. Combining 2 (or more) authentication type is hard to configure (see SSL with basic authent http://www.modssl.org/docs/2.8/ssl_howto.html). And worse, combining authentication type with cookie is harder.


Due to planning constraints, I will have to be less ... ambitious ;-)

>

> The indirect question (good luck )
>
> I am currently working on a project to develop a server hosting HTTP
> applications developed with different technologies and I am in charge
> of the session management (authentication along with SSO) for the

> HTTP-based applications.
> Applications are developed in
>      . PHP
>      . Servlet
> I can not modify these applications (in term of authentication)
>
> My objective is to "offer" SSO, meaning that the end-user will be

> asked authentication only once, when accessing PHP or servlet
> (backend).
> The idea: an Apache module will simulate an HTTP client against the
> PHP or the servlet by sending basic authentication to PHP/servlet (ok,

> I simplify the problem, because the PHP or servlet container could
> require another authentication mechanism)
>
> Apache would act as a front-end and would
>     . manage authentication against the client

>     . manage session tracking with cookies
>     . simulate the client authentication against the application
> (servlet or PHP) by sending basic authentication to the servlet or PHP
> applications (or any other mechanism, depending on the application

> authentication mechanism)
>
Take a look at the AuthCookie and AuthTicket modules, they can be used
to easily build a solution like the one you are indicating.

I already studied these modules, but they manage only form authentication. In any case, I think I will use the AuthCookie module  to build a POC.


> I will write a session tracking module (using the PerlAuthenHandler
> handler). This module will manage:

>     . a cookie for session tracking
>     . the client simulation (using basic authentication or any other
> mechanism) against the back-end (PHP/Servlet)
>
> My requirement: this module has to be usable with any existing client

> authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> mod_auth_ntlm, ...)
>

> For example,
> . a client (a web services based client) uses basic authentication for
> the first request then a cookie is used for the next requests

> . a client (a browser) uses FORM authentication for the first request
> then a cookie is used for the next requests.
> . a client uses NTLM authentication ....
> . a client uses digest authentication ....

>
> I would imagine the Apache configuration as below
>
> <Location /docs_protected_access_basic>
> AuthType MySessionModuleVerifyCookie basic
> MySessionModuleGenerateCookie
>  ....

> </Location>
>
> This would mean that :
> . MySessionModuleVerifyCookie  would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested

> . if basic authent ok, then MySessionModuleGenerateCookie generates a
> valid cookie
>
> Another example,
> <Location /docs_protected_access_ntlm>
> AuthType MySessionModuleVerifyCookie ntlm

> MySessionModuleGenerateCookie
> ....
> </Location>
>
>
> I searched for Apache modules fitting my needs. The Internet community
> proposes a lot of modules but all of these modules mix the different

> phases I described above (authentication between client and Apache,
> credentials verifications, session creation)
> For example,
> . mod_auth_pam: "The PAM authentication module implements Basic

> authentication on top of the Pluggable Authentication Module library".
> This means that the module implements basic authentication with PAM to
> verify credentials but without cookie session tracking

> . mod_auth_cookie_mysql: implements only FORM authentication with SQL
> to verify credentials with cookie session tracking
> . Apache::AuthTicket: implements only FORM authentication with any
> credentials mechanism (the module is extensible) with cookie session

> tracking
> . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but
> does not manage digest or form authentication
>
> My question: is it possible to serialize authentication modules in the

> AuthType Apache directive ? If so, how these modules interact each
> others.
> Another way to ask the question: is it possible to use already
> existing Apache module (basic, ntlm, digest, ...) to be included in a

> more global authentication/session framework ? Advantage of such a
> solution is that I can reuse the existing Apache modules (basic, ntlm,
> digest, ...), concentrating on my session tracking module. (I read the

> mod_perl2 documentation and mod_perl2 offers only Basic and Digest
> authentication. It does not offer NTLM authentication).
>
> Last but not least, my session tracking module has to be developed in

> Perl !
>
> Thanks
>
> Gaetan
Regards,
Rafael Caceres




------=_Part_15407_29677855.1201680823294--