Am Dienstag 29 Januar 2008 10:51:00 schrieb titetluc titetluc:
> Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
>
> Hope I am clear in my explanations (my English is not so good and I had a
> lot of problems explaining my needs by mail. I am not sure that everybody
> will read entirely this mail ;-)))))))
>
> The direct question:
> Is it possible to:
> . use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to
> authenticate a client for the first request,
> . then create a session tracking module (based on cookies) for the next
> requests (I would write this last module in Perl)
>
>
> The indirect question (good luck )
>
> I am currently working on a project to develop a server hosting HTTP
> applications developed with different technologies and I am in charge of
> the session management (authentication along with SSO) for the HTTP-based
> applications.
> Applications are developed in
> . PHP
> . Servlet
> I can not modify these applications (in term of authentication)


So , as far as I understood your problem. the first thing you should consider
is writing an own mod_perl handler for the authentication phase, that way you
don't have to care about the technologie of the sites below. To read about
the request phase look at:

http://perl.apache.org/docs/2.0/user...t_Cycle_Phases

This is independent of what module you use, the point is at what time of the
request you do the authentification.
Tracking the user with a cookie is a "normal" thing. The problems would start,
if the apps need to know which user logged in or not. if so you have to find
a way to pass them the user id or what data the apps requires.

>
> My objective is to "offer" SSO, meaning that the end-user will be asked
> authentication only once, when accessing PHP or servlet (backend).
> The idea: an Apache module will simulate an HTTP client against the PHP or
> the servlet by sending basic authentication to PHP/servlet (ok, I simplify
> the problem, because the PHP or servlet container could require another
> authentication mechanism)
>
> Apache would act as a front-end and would
> . manage authentication against the client
> . manage session tracking with cookies
> . simulate the client authentication against the application (servlet
> or PHP) by sending basic authentication to the servlet or PHP applications
> (or any other mechanism, depending on the application authentication
> mechanism)


So , probably, you could set HTTP-header variables or environment variables,
depending on what the application requires.

>
> I will write a session tracking module (using the PerlAuthenHandler
> handler). This module will manage:
> . a cookie for session tracking
> . the client simulation (using basic authentication or any other
> mechanism) against the back-end (PHP/Servlet)

I don't think to have to rwrite anything, have a look at Apache(2)::Cookie or
CGI::Cookie.


> My requirement: this module has to be usable with any existing client
> authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> mod_auth_ntlm, ...)

Look at Apache::Session::Wrapper;

>
> For example,
> . a client (a web services based client) uses basic authentication for the
> first request then a cookie is used for the next requests
> . a client (a browser) uses FORM authentication for the first request then
> a cookie is used for the next requests.
> . a client uses NTLM authentication ....
> . a client uses digest authentication ....
>
> I would imagine the Apache configuration as below
>
>
> AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie
> ....
>

>
> This would mean that :
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a valid
> cookie
>
> Another example,
>
> AuthType MySessionModuleVerifyCookie ntlm MySessionModuleGenerateCookie
> ....
>

>
>
> I searched for Apache modules fitting my needs. The Internet community
> proposes a lot of modules but all of these modules mix the different phases
> I described above (authentication between client and Apache, credentials
> verifications, session creation)
> For example,
> . mod_auth_pam: "The PAM authentication module implements Basic
> authentication on top of the Pluggable Authentication Module library". This
> means that the module implements basic authentication with PAM to verify
> credentials but without cookie session tracking
> . mod_auth_cookie_mysql: implements only FORM authentication with SQL to
> verify credentials with cookie session tracking
> . Apache::AuthTicket: implements only FORM authentication with any
> credentials mechanism (the module is extensible) with cookie session
> tracking
> . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but does
> not manage digest or form authentication
>
> My question: is it possible to serialize authentication modules in the
> AuthType Apache directive ? If so, how these modules interact each others.
> Another way to ask the question: is it possible to use already existing
> Apache module (basic, ntlm, digest, ...) to be included in a more global
> authentication/session framework ? Advantage of such a solution is that I
> can reuse the existing Apache modules (basic, ntlm, digest, ...),
> concentrating on my session tracking module. (I read the mod_perl2
> documentation and mod_perl2 offers only Basic and Digest authentication. It
> does not offer NTLM authentication).


Again, I think the solution to your problems is in writing a customized
handler for the authentification phase.

--
Regards
Rolf Schaufelberger