Posted to modperl@perl.apache.org by Erik Norgaard <no...@locolomo.org> on 2007/04/08 12:29:06 UTC

Client certificate based authentication

Hi:

I want to setup apache to request the client certificate and setup the 
secure connection if the certificate is issued from any of a number of 
trusted CAs. Then, my handler will check the distinguished name to 
verify the user is known and give access with that user's credentials.

I have two questions:

First, this might be a stupid question, but I haven't found (or 
understood) how this works. When you have multiple handlers each being 
called in different stages of the request handling, how do you pass 
information from one handler to the next?

I am thinking of a separate authentication handler (not authorization as 
that depends on the action the user wants to do), how do I pass on 
authentication details to the response handler?

Second, my idea is to have one domain name, to authenticate one simply 
switch to https, the server should request the client certificate. Is 
this possible? or must I create a separate domain for secure access?

Thanks, Erik
-- 
Ph: +34.666334818                      web: http://www.locolomo.org

Re: Client certificate based authentication

Posted by Jonathan Vanasco <jv...@2xlp.com>.
On Apr 9, 2007, at 11:55 AM, Geoffrey Young wrote:

> while pnotes is a gem, keep in mind that there are official  
> channels for
> communication of user data when rolling your own authentication
> mechanism - authentication handlers are expected to set $r->user() and
> $r->connection->auth_type().

ack!  yes,

sorry, I only meant to answer this portion:
>>> "When you have multiple handlers each being called in different stages
>>> of the request handling, how do you pass information from one handler
>>> to the next?"

NOT the following more specific question:
>>> I am thinking of a separate authentication handler (not authorization
>>> as that depends on the action the user wants to do), how do I pass on
>>> authentication details to the response handler




// Jonathan Vanasco

| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| SyndiClick.com
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|      FindMeOn.com - The cure for Multiple Web Personality Disorder
|      Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|      RoadSound.com - Tools For Bands, Stuff For Fans
|      Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Re: Client certificate based authentication

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
Jonathan Vanasco wrote:
> 
> On Apr 8, 2007, at 6:29 AM, Erik Norgaard wrote:
> 
>> First, this might be a stupid question, but I haven't found (or 
>> understood) how this works. When you have multiple handlers each 
>> being called in different stages of the request handling, how do you
>> pass information from one handler to the next?
>> I am thinking of a separate authentication handler (not authorization
>> as that depends on the action the user wants to do), how do I pass on
>> authentication details to the response handler?
> 
> 
> pnotes
>     http://perl.apache.org/docs/2.0/api/Apache2/RequestUtil.html#C_pnotes_

while pnotes is a gem, keep in mind that there are official channels for
communication of user data when rolling your own authentication
mechanism - authentication handlers are expected to set $r->user() and
$r->connection->auth_type().

furthermore, I know from experience that some folks have a difficult
time understanding the phase separation, so I'll just say it for
clarity's sake... you don't need to pass some special flag to the
response handler saying "this user has been authenticated" or anything
like that - if the user fails authentication they won't ever make it to
your response handler.

this might help you a bit:

  http://www.modperlcookbook.org/chapters/ch13.pdf

especially the final two recipes, which involve rolling your own auth
mechanism.

HTH

--Geoff
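
An authen handler along the lines Geoff describes, added here as an
example (it is not code from the thread, the cookbook, or the mod_perl
project). It assumes mod_perl 2, the CPAN module Apache2::ModSSL (mod_ssl
only copies the SSL_* variables into subprocess_env in the fixup phase,
which runs after authen, so an authen handler has to ask the connection
directly), a hypothetical module name My::CertAuthen, and a constructed
DN-to-account table in place of whatever user directory Erik has:

```perl
package My::CertAuthen;   # hypothetical module name, assumed for this example
use strict;
use warnings;

use Apache2::RequestRec  ();   # $r->ap_auth_type, $r->user
use Apache2::RequestUtil ();   # $r->pnotes
use Apache2::Connection  ();
use Apache2::ModSSL      ();   # CPAN: adds is_https / ssl_var_lookup to the connection
use Apache2::Log         ();   # $r->log_error
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Constructed lookup table: full subject DN -> local account.
# Key on the whole DN rather than on CN alone: with several trusted CAs,
# two of them could each issue a certificate carrying the same CN.
my %USER_BY_DN = (
    '/C=ES/O=Example Org/CN=Erik Norgaard' => 'erik',
    '/C=ES/O=Example Org/CN=Alice Example' => 'alice',
);

sub handler {
    my $r = shift;
    my $c = $r->connection;

    # Certificate authentication only makes sense on a TLS connection.
    return Apache2::Const::FORBIDDEN unless $c->is_https;

    # With "SSLVerifyClient require" mod_ssl has already refused any
    # handshake whose certificate does not chain to SSLCACertificateFile.
    # Checking its verdict here as well keeps the handler safe under
    # "SSLVerifyClient optional", where an unverified or absent certificate
    # still reaches this phase.
    my $verify = $c->ssl_var_lookup('SSL_CLIENT_VERIFY') || 'NONE';
    if ($verify ne 'SUCCESS') {
        $r->log_error("client certificate not verified: $verify");
        return Apache2::Const::FORBIDDEN;
    }

    my $dn   = $c->ssl_var_lookup('SSL_CLIENT_S_DN') || '';
    my $user = $USER_BY_DN{$dn};
    unless (defined $user) {
        # A valid certificate from a trusted CA, but not one of our users.
        $r->log_error("unknown client certificate subject: $dn");
        return Apache2::Const::FORBIDDEN;
    }

    # The official channels: authz handlers, the response handler and the
    # access log's %u all read the identity from $r->user. ap_auth_type is
    # the mod_perl 2 spelling of what Geoff calls $r->connection->auth_type.
    $r->user($user);
    $r->ap_auth_type('Certificate');   # free-form label, assumed for this example

    # Keep the raw subject for later phases that want it; pnotes lives for
    # the duration of this request only.
    $r->pnotes(client_dn => $dn);

    # Returning anything but OK stops the request here, which is why the
    # response handler never needs an "is this user authenticated" flag.
    return Apache2::Const::OK;
}

1;
```

FORBIDDEN is returned rather than HTTP_UNAUTHORIZED on purpose: a 401
with a WWW-Authenticate header invites a password dialog, which is
meaningless when the credential is the certificate presented during the
TLS handshake. Note the trust boundary this design implies: every CA in
the bundle is trusted equally, so anyone holding a certificate from any
of them passes mod_ssl, and the DN table is the only gate that decides
who is actually a user.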


Re: Client certificate based authentication

Posted by Jonathan Vanasco <jv...@2xlp.com>.
On Apr 8, 2007, at 6:29 AM, Erik Norgaard wrote:

> First, this might be a stupid question, but I haven't found (or  
> understood) how this works. When you have multiple handlers each  
> being called in different stages of the request handling, how do  
> you pass information from one handler to the next?
> I am thinking of a separate authentication handler (not  
> authorization as that depends on the action the user wants to do),  
> how do I pass on authentication details to the response handler?

pnotes
	http://perl.apache.org/docs/2.0/api/Apache2/RequestUtil.html#C_pnotes_

> Second, my idea is to have one domain name, to authenticate one  
> simply switch to https, the server should request the client  
> certificate. Is this possible? or must I create a separate domain  
> for secure access?
it should be possible -- but you'll have browser messages when you  
switch from http to https and the reverse




// Jonathan Vanasco

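
For Erik's second question, an added Apache 2.2-era configuration (mine,
not from the thread) that keeps one hostname, sends plain http to https
and requests a client certificate on the TLS side. The server name, the
file paths and the My::CertAuthen / My::App handler names are
assumptions:

```apache
Listen 80
Listen 443

# Same hostname on port 80; nothing is served there, every request is sent
# to the https site where the certificate is requested.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # All CAs whose client certificates are acceptable, concatenated into
    # one PEM file (hypothetical path). mod_ssl fails the handshake unless
    # the client certificate chains to one of them, and it lists their names
    # in its CertificateRequest so the browser knows which certificate to
    # offer. SSLVerifyDepth bounds the chain length it will walk.
    SSLCACertificateFile /etc/apache2/ssl/client-cas.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    PerlModule My::CertAuthen

    <Location />
        # AuthType is only a label here, but Apache needs one set before it
        # will evaluate Require. valid-user is satisfied once the authen
        # handler has put something in $r->user.
        AuthType  Certificate
        AuthName  "client certificate"
        PerlAuthenHandler My::CertAuthen
        Require   valid-user

        SetHandler perl-script
        PerlResponseHandler My::App
    </Location>
</VirtualHost>
```

Keep SSLVerifyClient at virtual host level as above: the certificate is
then requested in the initial handshake. Placing it inside a Location
instead makes mod_ssl renegotiate the connection on the first request to
that path, which is slower and one more moving part to get wrong. If part
of the https site must stay reachable without a certificate, change
"require" to "optional"; the handler's SSL_CLIENT_VERIFY check is what
then keeps certificate-less clients out of the protected paths.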