httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: [users@httpd] authentication question
Date Mon, 11 May 2009 17:23:26 GMT
Ross Boylan wrote:
> On Mon, 2009-05-11 at 11:21 -0400, Nick Owen wrote:
>> On Sat, May 9, 2009 at 12:34 PM, Ross Boylan <> wrote:
>>> Suppose I have apache running in front of a web application and
>>> subversion.
>>> I am thinking of a scenario in which the web application provides a
>>> login page.  However, the user may also browse to web pages served by
>>> subversion.
>>> Is there a way that my app can have someone log in and then pass the
>>> identity and authentication "up" to appache?  In particular, I'd want
>>> this authentication used if the user browsed over to the subversion
>>> repository.
>>> I'm assume a common source, e.g., LDAP, will provide user and password
>>> information that is the same for my app and apache.
>>> A final wrinkle is that the application itself may access subversion via
>>> http:// (https?) using either the identity of the user or, perhaps, a
>>> separate identity the application runs under.
>> Have you investigated single sign-on solutions such as CAS and OpenSSO?
> No.  That's certainly relevant, since the university is moving toward
> single sign on.  I'm not sure of the exact technology, but I believe
> it's from IBM.  However, how do I make Apache aware of the single sign
> on?

That /is/ a very good question, if maybe slightly mis-targeted.
Your problem will not so much be to make Apache aware of the single sign-on.
Your problem will be to make the various applications running under 
Apache aware of the single sign-on.

For example, take the case of SVN.
Where /can/ SVN obtain a user-id ?

Then you mentioned another application, self-written apparently.
Where /can/ that application obtain a user-id ?

(By /can/, I mean : what mechanism is already built-in into this 

The question is : does there exist any /standard/ mechanism, implemented 
in all kinds of applications that can run under Apache, to obtain a 
user-id ? The answer is basically no, because Apache (and HTTP) do not 
define such a standard mechanism.

The situation is different for java servlet engines (like Tomcat), 
because all servlet engines are supposed to follow the official Java 
Servlet Specification, which does provide a standard mechanism for an 
application to obtain a user-id.  So any servlet can just call a jvm 
library function to get the user-id, and any servlet that needs one does 
it the same way.

> We're probably going to need an alternative before the single sign on is
> working.  There are also a significant usability issues with the current
> single signon system (for those few areas its active).
Probably for the reasons above.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message