httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] authentication question
Date Mon, 11 May 2009 17:23:26 GMT
Ross Boylan wrote:
> On Mon, 2009-05-11 at 11:21 -0400, Nick Owen wrote:
>> On Sat, May 9, 2009 at 12:34 PM, Ross Boylan <ross@biostat.ucsf.edu> wrote:
>>> Suppose I have apache running in front of a web application and
>>> subversion.
>>>
>>> I am thinking of a scenario in which the web application provides a
>>> login page.  However, the user may also browse to web pages served by
>>> subversion.
>>>
>>> Is there a way that my app can have someone log in and then pass the
>>> identity and authentication "up" to Apache?  In particular, I'd want
>>> this authentication used if the user browsed over to the subversion
>>> repository.
>>>
>>> I'm assuming a common source, e.g., LDAP, will provide user and password
>>> information that is the same for my app and apache.
>>>
>>> A final wrinkle is that the application itself may access subversion via
>>> http:// (https?) using either the identity of the user or, perhaps, a
>>> separate identity the application runs under.
>> Have you investigated single sign-on solutions such as CAS and OpenSSO?
> 
> No.  That's certainly relevant, since the university is moving toward
> single sign on.  I'm not sure of the exact technology, but I believe
> it's from IBM.  However, how do I make Apache aware of the single sign
> on?

That /is/ a very good question, if maybe slightly mis-targeted.
Your problem will not so much be to make Apache aware of the single sign-on.
Your problem will be to make the various applications running under 
Apache aware of the single sign-on.

For example, take the case of SVN.
Where /can/ SVN obtain a user-id?

Then you mentioned another application, self-written apparently.
Where /can/ that application obtain a user-id?

(By /can/, I mean: what mechanism is already built into this 
application)

The question is: does there exist any /standard/ mechanism, implemented 
in all kinds of applications that can run under Apache, to obtain a 
user-id? The answer is basically no, because Apache (and HTTP) do not 
define such a standard mechanism.

The situation is different for Java servlet engines (like Tomcat), 
because all servlet engines are supposed to follow the official Java 
Servlet Specification, which does provide a standard mechanism for an 
application to obtain a user-id.  So any servlet can just call a JVM 
library function to get the user-id, and any servlet that needs one does 
it the same way.

> 
> We're probably going to need an alternative before the single sign on is
> working.  There are also significant usability issues with the current
> single signon system (for those few areas it's active).
> 
Probably for the reasons above.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

