Posted to dev@httpd.apache.org by Johannes Müller <jo...@gmx.de> on 2009/06/16 18:36:59 UTC

Client authentication and authorization using client certificates

Hello,

there has been an increasing number of requests concerning a certificate
based authentication / authorization for the Apache httpd in the past few
weeks.
As you might remember, I started a discussion around that topic in July 2008.
Because of the somewhat missing interest on the mailing list at that time I
haven't pursued this issue any longer.
This has changed lately. Therefore I decided to spend some hours on finishing
a new authentication module called mod_auth_certificate.

Please feel free to download it at

    https://sourceforge.net/projects/modauthcertific/

You will also find some kind of short documentation in the archive.

Features:
- Works with Apache 2.0 / 2.2 / 2.3-trunk
- Apache sources won't have to be patched
- Supports fallback to basic authentication in case of cert auth failure
- Should work with all authorization modules coming with Apache (though I
  wasn't able to check all of them).
- Easy to install without recompiling Apache
- Extremely easy to configure

My intention in this announcement is to arouse increased interest in that
topic by providing something usable to the list. I still believe that better
native support for client certificate based authentication and authorization
will in future offer improved chances to the Apache webserver. I can think of
smartcards being an increasingly used SSO alternative to NTLM especially in
heterogeneous environments.

I would appreciate it if you could take a look at the module and leave your
comments here.

Please note that this program is open source software and was released under
the GPL.
Also my employer has nothing to do with the release of this work. It has
become my private pleasure now :-)

Thanks and Greetings,
Johannes Müller


Re: Client authentication and authorization using client certificates

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jun 16, 2009 at 5:24 PM, Johannes Müller<jo...@gmx.de> wrote:
> Eric Covener wrote:
>>
>> On Tue, Jun 16, 2009 at 12:36 PM, Johannes Müller<jo...@gmx.de> wrote:
>>
>>>
>>> Hello,
>>> Please note that this program is open source software and was released
>>> under
>>> the GPL.
>>>
>>
>> Regarding  the license: That's going to prevent some interested
>> parties from clicking through, much less contributing to it.
>>
>>
>
> Better one would be Apache License 2.0 right?
> I'm not too deep into license issues...

That would remove the barrier and match the in-tree modules (if
there's no strong preference for another license, and the code is
yours to relicense)

-- 
Eric Covener
covener@gmail.com

Re: Client authentication and authorization using client certificates

Posted by lambam80 <la...@hotmail.com>.
Johannes, great news, mod_auth_certificate works!

I reckon you need => httpd-2.2.14 in order to use the UID. 

See BUG https://issues.apache.org/bugzilla/show_bug.cgi?id=45107 

Initially I decided to wait for Fedora 13 with httpd-2.2.14 
where they say the above BUG is fixed in HTTPD.

In the end I tested with an unofficial version of httpd-2.2.14 on Fedora 12.

Good work, Dave
---

Johannes Müller wrote:
> 
> Eric Covener wrote:
>> On Tue, Jun 16, 2009 at 5:40 PM, Johannes Müller<jo...@gmx.de> wrote:
>>   
>>> Yes should be no problem. Relicensing means I'll also have to remove
>>> the current version and SVN revisions so there is no problem if someone
>>> already downloaded the GPLed release?
>>>     
>>
>> IANAL: I don't see why, they're free to use it under those terms, and
>> you're free to change the terms of any subsequent release (or prior
>> release to other parties!)
>>
>>   
> 
> 
> Released version 0.2 of mod_auth_certificate under Apache License 2.0
> Download at https://sourceforge.net/projects/modauthcertific/
> 
> Any comments?
> 
> Greetings,
> Johannes
> 
> 



Re: Client authentication and authorization using client certificates

Posted by Johannes Müller <jo...@gmx.de>.
Eric Covener wrote:
> On Tue, Jun 16, 2009 at 5:40 PM, Johannes Müller<jo...@gmx.de> wrote:
>   
>> Yes should be no problem. Relicensing means I'll also have to remove
>> the current version and SVN revisions so there is no problem if someone
>> already downloaded the GPLed release?
>>     
>
> IANAL: I don't see why, they're free to use it under those terms, and
> you're free to change the terms of any subsequent release (or prior
> release to other parties!)
>
>   


Released version 0.2 of mod_auth_certificate under Apache License 2.0
Download at https://sourceforge.net/projects/modauthcertific/

Any comments?

Greetings,
Johannes

Re: Client authentication and authorization using client certificates

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jun 16, 2009 at 5:40 PM, Johannes Müller<jo...@gmx.de> wrote:
> Yes should be no problem. Relicensing means I'll also have to remove
> the current version and SVN revisions so there is no problem if someone
> already downloaded the GPLed release?

IANAL: I don't see why, they're free to use it under those terms, and
you're free to change the terms of any subsequent release (or prior
release to other parties!)

-- 
Eric Covener
covener@gmail.com

Re: Client authentication and authorization using client certificates

Posted by Johannes Müller <jo...@gmx.de>.
Ruediger Pluem wrote:
> On 06/16/2009 11:24 PM, Johannes Müller wrote:
>   
>> Eric Covener wrote:
>>     
>>> On Tue, Jun 16, 2009 at 12:36 PM, Johannes Müller<jo...@gmx.de> wrote:
>>>  
>>>       
>>>> Hello,
>>>> Please note that this program is open source software and was
>>>> released under
>>>> the GPL.
>>>>     
>>>>         
>>> Regarding  the license: That's going to prevent some interested
>>> parties from clicking through, much less contributing to it.
>>>
>>>   
>>>       
>> Better one would be Apache License 2.0 right?
>>     
>
> Correct. So relicensing it to Apache License 2.0 brings you in a better
> position here. AFAIU you are the only author and contributor to this
> module so far. So this should be easy.
>
> Regards
>
> Rüdiger
>   
Yes should be no problem. Relicensing means I'll also have to remove
the current version and SVN revisions so there is no problem if someone
already downloaded the GPLed release?

Greetings
Johannes

Re: Client authentication and authorization using client certificates

Posted by Ruediger Pluem <rp...@apache.org>.

On 06/16/2009 11:24 PM, Johannes Müller wrote:
> Eric Covener wrote:
>> On Tue, Jun 16, 2009 at 12:36 PM, Johannes Müller<jo...@gmx.de> wrote:
>>  
>>> Hello,
>>> Please note that this program is open source software and was
>>> released under
>>> the GPL.
>>>     
>>
>> Regarding  the license: That's going to prevent some interested
>> parties from clicking through, much less contributing to it.
>>
>>   
> Better one would be Apache License 2.0 right?

Correct. So relicensing it to Apache License 2.0 brings you in a better
position here. AFAIU you are the only author and contributor to this
module so far. So this should be easy.

Regards

Rüdiger


Re: Client authentication and authorization using client certificates

Posted by Johannes Müller <jo...@gmx.de>.
Eric Covener wrote:
> On Tue, Jun 16, 2009 at 12:36 PM, Johannes Müller<jo...@gmx.de> wrote:
>   
>> Hello,
>> Please note that this program is open source software and was released under
>> the GPL.
>>     
>
> Regarding  the license: That's going to prevent some interested
> parties from clicking through, much less contributing to it.
>
>   
Better one would be Apache License 2.0 right?
I'm not too deep into license issues...

Re: Client authentication and authorization using client certificates

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jun 16, 2009 at 12:36 PM, Johannes Müller<jo...@gmx.de> wrote:
> Hello,
> Please note that this program is open source software and was released under
> the GPL.

Regarding  the license: That's going to prevent some interested
parties from clicking through, much less contributing to it.

-- 
Eric Covener
covener@gmail.com