Posted to modperl@perl.apache.org by Sylvain Perrot <Sy...@b-i.com> on 2007/01/08 17:37:54 UTC

PerlAuthenHandler, PerlAuthzHandler, Reverse Proxy and Web Services Problem

Hi,

I am trying to develop a secured Reverse Proxy which uses the
PerlAuthenHandler/PerlAuthzHandler to accept or reject the connection.

The synoptic is the following:

CLIENT -> RP (linux, apache2, modperl) -> Windows Server (.Net
Application, .Net Web Service)

My RP configuration is the following :

<VirtualHost *:80>
 ServerAdmin myemail@domain.tld
 ServerName www.domain.tld
 ProxyPreserveHost On
 ProxyPass / http://ip:port/
 ProxyPassReverse / http://ip:port/

 <LocationMatch /(?i)protectedResource>
   PerlAuthenHandler Apache2::myAuthzModule
   PerlAuthzHandler Apache2::myAuthzModule
   Require foobar
 </LocationMatch>
</VirtualHost>


The root of the Reverse Proxy URL is not protected but when any request
is done regarding the protectedResource, myAuthzModule is taking care
of checking if access is granted.
The module myAuthzModule is checking if the user is correctly
authenticated to allow the access to the resources (return
Apache2::Const::OK) else it returns an HTTP 302 code to redirect the user
to the login page.

First, as I am new to modperl development, I would like to validate my
configuration :)
As I understood, PerlAuthenHandler and PerlAuthzHandler are working in
parallel, and the first one that gives back an OK wins ...

Next, if I try to access any protectedResource behind the URL
http://www.domain.tld/protectedResource/page.aspx, the protection is
working fine !

But, as soon as I want to access a web service (for example, a Flash
application which should access a WebService in the protected
Resources), I've got a problem :
The security check is correctly done, but the returned content type is
modified from text/xml to text/html (I checked the HTTP Header using
"Live HTTP Headers" in Firefox).

The problem is that the Web Service WSDL is not returned at all when it
is accessed behind a protected area (so, through my Perl modules) ... But
it is working fine when I de-activate the
PerlAuthenHandler/PerlAuthzHandler mechanism.
(this is my problem, since Flash requires access to the WSDL)

Do you have any idea about my problem ???

Best regards

Sylvain

Re: PerlAuthenHandler, PerlAuthzHandler, Reverse Proxy and Web Services Problem

Posted by Issac Goldstand <ma...@beamartyr.net>.

Frank Wiles wrote:
> 
>     The best way to think about it is like this: 
> 
>     PerlAccessHandler   ----> is this IP allowed? 
>     PerlAuthenHandler  ----> is this username allowed? 
>     PerlAuthzHandler    ----> is this group allowed? 
>  

Small correction:

     PerlAccessHandler   ----> Is this machine allowed, regardless of
                               the user? (if not, don't bother
                               checking the user)
     PerlAuthenHandler   ----> Can we determine which user is
                               attempting to access (if not, don't
                               bother checking if he's allowed)
     PerlAuthzHandler    ----> Is the authenticated user allowed?

RE: PerlAuthenHandler, PerlAuthzHandler, Reverse Proxy and Web Services Problem

Posted by Sylvain Perrot <Sy...@b-i.com>.
Hi,

Thanks for the explanation about the 3 Handlers :) It means that the
first handler who returns OK stops the process since the auth is
successful ...

About the mechanism, it is working in all cases, but it makes the WSDL
generation fail: .NET web server WSDLs are generated on the fly if you
access http://url/service.asmx?WSDL

I am really confused about this !!!  As soon as I remove the Auth mechanism
from Apache, the WSDL generation works again !
The only difference I notice is that Content-Type is not correct in the
Header (but I don't even know if it is the cause or the result of the
problem)

I really don't know what could be the problem ...
Nobody faces the same type of behavior ???


Best regards,

Sylvain 

-----Original Message-----
From: Frank Wiles [mailto:frank@wiles.org] 
Sent: Monday, 8 January 2007 20:00
To: Sylvain Perrot
Cc: Modperl Mailing List
Subject: Re: PerlAuthenHandler, PerlAuthzHandler, Reverse Proxy and Web
Services Problem

On Mon, 8 Jan 2007 17:37:54 +0100
"Sylvain Perrot" <Sy...@b-i.com> wrote:

> First, as I am new to modperl development, I would like to validate my
> configuration :) As I understood, PerlAuthenHandler and
> PerlAuthzHandler are working in parallel, and the first one that gives back
> an OK wins ...

   It's not in parallel, it's in order.  PerlAccessHandler, then
   PerlAuthenHandler, then PerlAuthzHandler.

    The best way to think about it is like this: 

    PerlAccessHandler   ----> is this IP allowed? 
    PerlAuthenHandler  ----> is this username allowed? 
    PerlAuthzHandler    ----> is this group allowed? 
 
> Next, if I try to access any protectedResource behind the URL
> http://www.domain.tld/protectedResource/page.aspx, the protection is
> working fine !
>
> But, as soon as I want to access a web service (for example, a Flash
> application which should access a WebService in the protected
> Resources), I've got a problem :
> The security check is correctly done, but the returned content type is
> modified from text/xml to text/html (I checked the HTTP Header using
> "Live HTTP Headers" in Firefox).
>
> The problem is that the Web Service WSDL is not returned at all when
> it is accessed behind a protected area (so, through my Perl
> modules) ... But it is working fine when I de-activate the
> PerlAuthenHandler/PerlAuthzHandler mechanism.
> (this is my problem, since Flash requires access to the WSDL)
>
> Do you have any idea about my problem ???

   Ok I'm confused, you say it works then it doesn't, but then it 
   does if you turn off your auth? 

   Is the problem that the content type changes or what? 

 ---------------------------------
   Frank Wiles <fr...@wiles.org>
   http://www.wiles.org
 ---------------------------------


Re: PerlAuthenHandler, PerlAuthzHandler, Reverse Proxy and Web Services Problem

Posted by Frank Wiles <fr...@wiles.org>.
On Mon, 8 Jan 2007 17:37:54 +0100
"Sylvain Perrot" <Sy...@b-i.com> wrote:

> First, as I am new to modperl development, I would like to validate my
> configuration :)
> As I understood, PerlAuthenHandler and PerlAuthzHandler are working in
> parallel, and the first one that gives back an OK wins ...

   It's not in parallel, it's in order.  PerlAccessHandler, then
   PerlAuthenHandler, then PerlAuthzHandler.

    The best way to think about it is like this: 

    PerlAccessHandler   ----> is this IP allowed? 
    PerlAuthenHandler  ----> is this username allowed? 
    PerlAuthzHandler    ----> is this group allowed? 
 
> Next, if I try to access any protectedResource behind the URL
> http://www.domain.tld/protectedResource/page.aspx, the protection is
> working fine !
>
> But, as soon as I want to access a web service (for example, a Flash
> application which should access a WebService in the protected
> Resources), I've got a problem :
> The security check is correctly done, but the returned content type is
> modified from text/xml to text/html (I checked the HTTP Header using
> "Live HTTP Headers" in Firefox).
>
> The problem is that the Web Service WSDL is not returned at all when
> it is accessed behind a protected area (so, through my Perl
> modules) ... But it is working fine when I de-activate the
> PerlAuthenHandler/PerlAuthzHandler mechanism.
> (this is my problem, since Flash requires access to the WSDL)
>
> Do you have any idea about my problem ???

   Ok I'm confused, you say it works then it doesn't, but then it 
   does if you turn off your auth? 

   Is the problem that the content type changes or what? 

 ---------------------------------
   Frank Wiles <fr...@wiles.org>
   http://www.wiles.org
 ---------------------------------
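
The handler order discussed in this thread, as an added example that is not any poster's module: one mod_perl 2 module registered for both PerlAuthenHandler and PerlAuthzHandler, as in the original configuration, with each phase doing only its own job. The package name My::PhaseGate, the session cookie, the %SESSIONS and %ALLOWED tables and the /login path are hypothetical, and $r->requires assumes the Apache 2.0/2.2 era API.

```perl
package My::PhaseGate;    # hypothetical name; registered for BOTH phases as in the post
use strict;
use warnings;

use Apache2::RequestRec ();    # $r->user, $r->headers_in, $r->err_headers_out
use Apache2::Access ();        # $r->requires (Apache 2.0/2.2 API)
use APR::Table ();             # get/set on header tables
use ModPerl::Util ();          # current_callback()
use Apache2::Const -compile => qw(OK DECLINED REDIRECT FORBIDDEN);

# Constructed sample data standing in for a real session store and policy.
my %SESSIONS = (abc123 => 'alice', def456 => 'bob');
my %ALLOWED  = (foobar => { alice => 1 });   # requirement word => permitted users
my $LOGIN    = '/login';                     # assumed login page path

sub handler {
    my $r     = shift;
    my $phase = ModPerl::Util::current_callback();
    return authen($r) if $phase eq 'PerlAuthenHandler';
    return authz($r)  if $phase eq 'PerlAuthzHandler';
    return Apache2::Const::DECLINED;
}

# Authentication: establish WHO is calling; no policy decision here.
sub authen {
    my $r = shift;
    my ($sid) = ($r->headers_in->get('Cookie') || '') =~ /(?:^|;\s*)session=(\w+)/;
    my $user = defined $sid ? $SESSIONS{$sid} : undef;
    unless (defined $user) {
        $r->err_headers_out->set(Location => $LOGIN);
        return Apache2::Const::REDIRECT;     # 302; the authz phase never runs
    }
    $r->user($user);                         # hand the identity to the next phase
    return Apache2::Const::OK;
}

# Authorization: runs only after authen returned OK; decides if that user may pass.
sub authz {
    my $r    = shift;
    my $user = $r->user;
    return Apache2::Const::FORBIDDEN unless defined $user;
    for my $req (@{ $r->requires || [] }) {
        my ($word) = split /\s+/, $req->{requirement};
        return Apache2::Const::OK if $ALLOWED{$word} && $ALLOWED{$word}{$user};
    }
    return Apache2::Const::FORBIDDEN;        # fail closed: unknown word or user
}

1;
```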