Posted to modules-dev@httpd.apache.org by Sam Carleton <sc...@miltonstreet.com> on 2008/11/13 18:32:04 UTC

handling custom authentication

I am an ISV developing a system that is using Apache.  All the frontends
for the system I am developing are custom desktop applications, or web
browser controls wrapped in my own code.  Thus users are not going to
be entering a username and password; the username and password used will
be dependent on which frontend is being used.

It is time for me to implement authentication correctly.  I have two
objectives with respect to authentication:

1: Protect my customers from unauthorized users.
2: Protect myself from customers hacking the authorization system to
get access to features which they have not purchased.

#1 looks straightforward:  If my impression is correct, I simply need
to implement my own custom provider to check the custom username and
password the frontends give it.

Q: Is there documentation out there somewhere on how to implement a
new provider?

#2 looks a lot more tricky.  It seems that I will need to deviate from
the normal way Apache's authentication works.  For starters, NONE of
the configuration can be in the httpd.conf, not like it is now with
AuthType, AuthBasicProvider, etc.  There is a <Location> directive in
the conf that will have a custom directive for my custom Apache
module.  I would like to fully wire up this custom provider within
this directive.  To add to the complexity, there are different levels
of authentication:  None required, user, admin, and there will be
different locations under the <Location> directive for each, again,
this all needs to be wired up in code when the custom directive for my
custom Apache module is called.

Q: Any suggestions on how I might achieve this?

Sam

P.S.  I do NOT own the book on writing Apache modules in 2.0, just the
older 1.3 book.  Would any of this be addressed in that book?