httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: [users@httpd] authentication question
Date Tue, 12 May 2009 17:29:31 GMT
Ross Boylan wrote:
Without going into the details of the why and the when and the where, 
let's assume that if the organisation has decided to implement some 
global authentication scheme, and roll it out over time, then the first 
thing I would do, before starting to implement my own temporary and 
maybe conflicting solution, is finding out what this scheme really is, 
how it works, if it has plugins for Apache or anything else, etc..

Even if the instances that be have temporarily suspended the general 
rollout for whatever reason, it may still be so that they would welcome 
anyone willing to look at it and roll it out on his own for a new project.
Better still, since their general rollout has been suspended, they may 
even have some competent people with some free time, to help doing so.

And it may also be so that this scheme does have an easy-to-use plugin 
which does provide an authenticated user-id for Apache to use, and that 
it allows users to login only once per day (with a nice login page) no 
matter what application they want to use, and that it frees the 
departmental level of taking care of managing user-ids and so on.

One can at least hope, and there would not be much lost by asking.

So let's suppose it does work with Apache (*), and any user hitting this 
Apache server ends up authenticated from an Apache point of view.

Then it is time to start figuring out how each application running under 
Apache might get hold of this Apache-level user-id for its own purposes 
of access-control or authorization or customisation.

And there may be issues there, because not all applications are flexible 
in how they can get a user-id.

But then there also exists an arsenal of ways in Apache to get hold of 
the Apache user-id and pass it on to applications in a specific way.
I am thinking of mod_rewrite, request filters, etc..

But without knowing at least what the upper-level authentication method 
even looks like, it is all a bit pointless to elaborate.

And if the application is not Apache-based, then it may also be the time 
to go have a look at the support forum for the application in question, 
and ask if and how it can interface to the global SSO solution.

(*) and if it doesn't, then there would be some serious reason to 
question the wisdom of the overall scheme, not only by one department, 
but by many I would presume.
Despite many years in this business, and despite having lived through 
some really interesting cases, I can't quite imagine that an IT 
department of a large university would adopt a scheme which does not 
work with Apache.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message