Apache Auth

Jeff Anderson jefferya at programmerq.net
Sun Dec 30 12:45:05 MST 2007


Apache can do simpleauth, but it can also authenticate against other
sources. You can authenticate against LDAP, PAM users, Kerberos, etc.
Apache authentication is really very very nice. It is also a lowest
common denominator between web apps. Many web apps can be configured (or
very easily modified) to honor the current Apache user instead of their
own authentication mechanism. That way, if I present the ugly box, all
the web apps that are protected are now all available to the user, so
they can click back and forth between apps without having to log in
multiple times.

If I can make any app log in to this common authentication system
through its own interface, it will be completely transparent to the user.
This is easier than writing extensions for each web app that I want to
use to allow authentication from other web apps.

Also, I can create a database-driven session database, so if someone
logs into a web app via server A, when they click a link to server B, I
can have the web app there make a call that checks the database to see
if the user authenticated against server A, and then automatically
authenticate them on server B.

So there you have the boring 'why' that I avoided earlier.

The reason I am interested in doing this is that at work there are some
rather silly hoops you have to jump through to get to certain features:
1) login on server A, get a menu of features/items
2) click a link to open a ticket, ticket system is a different web app
on server B.
3) login again on server B for ticket system
4) go back to server A, click on another link on server C
5) the link is for a feature embedded deep inside another web app that
forces a screen to be shown before prompting for username and password
6) move past forced-screen
7) login again
8) click on the link to take you to where you wanted to go in the first
place

All these apps and servers are maintained by different people. It would
be much nicer to just give everyone a bit of code for their web app (be
it a Joomla app, custom site, Django, Drupal, MediaWiki, Trac, etc.)
and have all the apps on all the servers play nicely together. The end
result would be a cleaner, more professional system. The Apache
authentication from the server side is the lowest common denominator,
and would make it the easiest to integrate as many web apps as possible.

Jeff Anderson
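
The shared session database described above, sketched as an added example (not code from the original post): server A records a session once Apache has set `REMOTE_USER`, and server B resolves a presented token to that user. The table name, function names, the 15-minute lifetime and the use of SQLite are assumptions; how the token reaches server B (for example a cookie scoped to a shared parent domain, over HTTPS) is left to the deployment.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 900  # seconds; assumed lifetime of a cross-server session

def open_store(path=":memory:"):
    """Open the session table (assumed schema); really a DB both servers reach."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sso_session ("
               "token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, "
               "origin TEXT NOT NULL, expires REAL NOT NULL)")
    return db

def _digest(token):
    # Only a hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def record_login(db, environ, origin, now=None):
    """Server A: call after Apache has authenticated the request.

    REMOTE_USER is read from the server-set environment only. A header sent
    by the client would appear as HTTP_REMOTE_USER and is never consulted."""
    user = environ.get("REMOTE_USER")
    if not user:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable random token
    db.execute("INSERT INTO sso_session VALUES (?, ?, ?, ?)",
               (_digest(token), user, origin, now + SESSION_TTL))
    db.commit()
    return token

def resolve_user(db, token, now=None):
    """Server B: map a presented token to the user authenticated on server A."""
    if not token:
        return None
    now = time.time() if now is None else now
    row = db.execute("SELECT username, expires FROM sso_session "
                     "WHERE token_hash = ?", (_digest(token),)).fetchone()
    if row is None or row[1] <= now:  # unknown or expired token
        return None
    return row[0]

def logout(db, token):
    """Either server: drop the session so the token stops working everywhere."""
    db.execute("DELETE FROM sso_session WHERE token_hash = ?", (_digest(token),))
    db.commit()
```
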
Steve wrote:
> I could be wrong here, but I think simpleauth is the only
> authentication apache directly supports.
> There might be a way to pull it off using server side includes, but I
> highly doubt it.
> Someone care to correct me if I'm wrong here?
>
>
> On Dec 30, 2007 12:25 PM, Jeff Anderson <jefferya at programmerq.net> wrote:
>   
>> Steve wrote:
>>     
>>> You are going to need to use PHP or Perl and create a login box, tie
>>> it into a backend DB such as MySQL or Postgres or even just a flat
>>> file.
>>> A ton of examples can be found here...
>>> http://www.hotscripts.com/search?q=authentication&cat=All
>>>
>>> The easiest way is probably a simple PHP script that checks for the
>>> presence of an authentication cookie, and if not present then it will
>>> direct the user to a login box for the pages being viewed.
>>> Something along the lines of
>>>
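>>> <?php
>>> // Read the authentication cookie, if the browser sent one.
>>> $auth = isset($_COOKIE['auth']) ? $_COOKIE['auth'] : null;
>>> if (!$auth) {
>>>     // No cookie: stop here; the user has to log in first.
>>>     die("You must login to view this page!");
>>> } else {
>>>     // ShowPage() stands for the site's own page-rendering function.
>>>     ShowPage();
>>> }
>>> ?>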
>>>
>>> Sincerely,
>>> Steve Morrey
>>>
>>> On Dec 30, 2007 12:08 PM, Jeff Anderson <jefferya at programmerq.net> wrote:
>>>
>>>       
>>>> Hello,
>>>>
>>>> I am not going to bore you with 'why' but this is what I want to do:
>>>> Authenticate a user behind the Apache authentication from the server-side.
>>>> Basically I want to get rid of the box if I have a password area on Apache.
>>>>
>>>> The user would provide their credentials in the login form of <insert
>>>> your web app or framework here> and the web app would make a call or run
>>>> a command that tells Apache that the current user is trying to
>>>> authenticate. Apache processes the request just like it had come from
>>>> the http request packet in the user agent.
>>>>
>>>> I am not interested in alternatives to this, as I have thought of many
>>>> of them already, and rejected them.
>>>> Any and all insight is appreciated, even if you don't have a solution.
>>>>
>>>> Thanks!
>>>>
>>>> Jeff Anderson
>>>>
>>>>
>>>>
>>>> /*
>>>> PLUG: http://plug.org, #utah on irc.freenode.net
>>>> Unsubscribe: http://plug.org/mailman/options/plug
>>>> Don't fear the penguin.
>>>> */
>>>>
>> Hello,
>>
>> This is a nice alternative, but I still want it to be Apache
>> authentication. I've done the alternative authentications plenty of
>> times, but it still isn't Apache authentication. I want the same
>> authentication to happen, so if I have the Apache mod_kerberos
>> installed, I want to be able to have that handle the authentication
>> without presenting the ugly box to my users.
>> Thanks for the reply!
>>
>> Jeff Anderson
