
mod_auth_remote v1.0 - a single signon module using basic auth ( for Apache 2.0 )

srp@symonds.net; srp@grex.org


README mod_auth_remote ( Apache 2.0 authentication module )

This module is a very simple, lightweight method of setting up a single signon system across multiple web applications hosted on different servers.

The actual authentication & authorization system is deployed on a single server instead of on each individual server. All other servers are built with mod_auth_remote enabled. When a request comes in, mod_auth_remote obtains the client's username & password from the client via the basic authentication scheme.

It then builds an HTTP request whose Authorization header is built from the client's userid:passwd, and makes a HEAD request to the authentication server. On receipt of a 2XX response, the client is validated; for all other responses the client is not validated.

Why I wrote mod_auth_remote?

I have a bunch of web applications running on a bunch of machines ...

  1. My authentication code is heavy & I don't want to implement it on all of your servers. (I use mod_perl and require database access to authenticate)
  2. Most of my web applications use a single signon
  3. Two different applications running under the same server could access 2 different authentication models without any pain

INSTALLATION

This module can easily be built statically into the httpd just like any other auth module. It does not require any special library or external stuff to work!


mod_auth_remote keywords/directives

 AuthRemoteServer : The remote server against which the authentication has to take place
 AuthRemotePort   : The port on which the remote server is running
 AuthRemoteURL    : The (optional) path on the remote server which has to be accessed ( should have been AuthRemotePatch :-) )

As you would have noticed these 3 configuration directives are used to build the complete URL against which mod_auth_remote authenticates.


Sample Configuration for a httpd (my.server.com)


<Directory ~ "/application_1/">

 AuthType           Basic
 AuthName           CHICKEN_RUN
 AuthRemoteServer   auth1.saju.com
 AuthRemotePort     80
 AuthRemoteURL      /One/Auth/method
 require            valid-user

</Directory>

<Directory ~ "/application_2/">

 AuthType           Basic
 AuthName           BIG-CHIEF
 AuthRemoteServer   auth1.saju.com
 AuthRemotePort     80
 AuthRemoteURL      /luke/takes/a/walk
 require            valid-user

</Directory>

<Directory ~ "/application_3/">

 AuthType           Basic
 AuthName           ONE_RING
 AuthRemoteServer   www.sauron.com
 AuthRemotePort     1290
 AuthRemoteURL      /auth
 require            valid-user

</Directory>


When a request is made to http://my.server.com/application_1, mod_auth_remote uses the basic auth scheme to get the client's username:passwd and then authenticates the user against http://auth1.saju.com:80/One/Auth/method using basic auth.

Similarly, a request coming to http://my.server.com/application_3 is automatically authenticated against http://www.sauron.com:1290/auth

So, the biggest advantage here is that 'my.server.com' can host 3 different applications having 3 different user sets and 'my.server.com' need not host any sort of authentication infrastructure (like having access to an LDAP server or DB etc), it need not have any authentication code at all !!

Similarly, 10 different servers could access 'auth1.saju.com/<url>' for authenticating users without having to duplicate the authentication infrastructure 10 times!
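
The check described above, sketched in Python as an added example (not the module's own C code): the three directive values form the target of a HEAD request carrying the client's Basic credentials, and only a 2XX status validates. The loopback stand-in server, the USERS table and the fail-closed handling of an unreachable authentication server are assumptions made for this demo.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"frodo": "ring-bearer"}  # constructed sample account

def basic_header(user, password):
    """Authorization header value built from userid:passwd."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class AuthHandler(BaseHTTPRequestHandler):
    """Stand-in central auth server (assumption): 200 on a match, else 401."""
    def do_HEAD(self):
        got = self.headers.get("Authorization", "").encode("latin-1")
        ok = any(hmac.compare_digest(got, basic_header(u, p).encode())
                 for u, p in USERS.items())
        self.send_response(200 if ok else 401)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def remote_auth(server, port, url, user, password, timeout=5):
    """server/port/url play the roles of AuthRemoteServer/Port/URL."""
    conn = http.client.HTTPConnection(server, port, timeout=timeout)
    try:
        conn.request("HEAD", url,
                     headers={"Authorization": basic_header(user, password)})
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return False  # assumption: no usable answer means not validated
    finally:
        conn.close()
    return 200 <= status < 300  # only 2XX validates the client

def demo():
    srv = HTTPServer(("127.0.0.1", 0), AuthHandler)  # loopback, free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    check = lambda u, p: remote_auth("127.0.0.1", port, "/auth", u, p)
    results = [check("frodo", "ring-bearer"), check("frodo", "wrong")]
    srv.shutdown()
    srv.server_close()
    results.append(check("frodo", "ring-bearer"))  # auth server now down
    return results

if __name__ == "__main__":
    print(demo())
```

Basic credentials are only base64-encoded, so with a plain-HTTP target such as the port 80 entries in the sample configuration, the username and password travel to the authentication server in cleartext.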


