0

I've been searching everywhere for a solution to do this, as well as trying many different things, and none of which so far work. Here's my problem. On an Apache server I need to process every html request under a certain directory/virtualhost/whatever and read a custom authentication cookie from another service. I need to decrypt and then read this auth cookie and then a.) redirect user to the login service (entirely different URL, not behind Apache), or b.) inject headers with basic information like username into the response and send the user to the document they requested.

I tried doing a CGI script where I would do a rewrite that would append the requested url as a query string to the cgi, which would execute the logic, and then redirect the user where necessary. But then I found out that the redirect will erase any headers I write. Next I tried using a cgi script with mod_ext_filter, which would be perfect but apparently you can't write headers with it, just the body (though someone please tell me I'm wrong about that, because it would be my solution). Finally I tried setting my cgi script as an action and adding it as a handler for .html paths but that just keeps giving me a "400 Bad Request" error (and doing Action verify_request test.rb makes apache run localhost/test.rb/{user}/index.html?). My last ditch effort might be to create a custom Apache module in C, but I'd really like to avoid this. (though if we're being really honest what I'd really like to do is write a custom REST API to handle this logic for our services)

So, what's the best way to implement this in Apache/should I even be putting this logic in Apache in the first place?

Improve this question

1 Answer 1

Reset to default
0

You seem to be wanting to reinvent a WebSSO system such as a Shibboleth SP, CAS, or many others. In which case, there is significant logic involved that cannot feasibly (or at least practically) be managed with Apache configuration alone.

If you really want to go-it-alone, I would really suggest that you roll a custom Apache module, although I believe mod_perl would give you the flexibility you need, without having to write any C -- and O'Reilly have a book on mod_perl. I certainly won't blame you if you think that writing C is preferable to Perl; I've written a (very) simple C module myself to manipulate a Apache's understanding of the user, based on a bespoke request header set by a trusted proxy, and it wasn't too onerous (remarkably trouble-free, actually).

Improve this answer
5
  • The reason I'm doing it this way is because I have to connect a web service behind Apache (using JBoss) and another service built on ASP.NET. The sign in service is already implemented by .NET, but the service so heavily relies on Forms Authentication (not that it would be impossible to remove) so for now I just need to add an extra cookie with basic information (username and the fact that it's a valid auth cookie is all I need) that causes the Apache server to redirect the user to the login service. These are internal testing services, not public facing. So it doesn't have to be too strong. Commented Sep 5, 2014 at 2:21
  • Also, to clarify. I only need a minimal amount of logic, just read the cookie, decrypt it, if valid then inject header data (username), if not then redirect to login service (with a redirect url query string leading back to the original request). Nothing very complex. I've already written it in a short script, I just need to have it be triggered correctly. Commented Sep 5, 2014 at 2:34
  • The thing is, you want the logic to be within Apache, as having it as a CGI would make the configuration way more complex, as your Apache would have to be configured to somehow trap the request, and maintain the request while it goes and makes some sort of sub-query to your CGI, process its response, and then continue with the original request -- lots of pain and uncertainly there. I would suggest you want mod_perl; you seem to be familiar with Ruby, so chances are reasonably you may be familiar with Perl. Like you say, the logic is fairly simple. Commented Sep 5, 2014 at 2:39
  • I see.. This is the first time I've had to mess around with complex Apache stuff, so I must confess I'm a little out of my element. I'm not opposed to writing it in C, but I had already tried that and ran into some seemingly arbitrary problems (see this other question I posted) with conditionally returning status codes from the main hook function and with AES decryption. Frankly I don't think this logic should be in Apache at all, but the people I'm working with disagree. Commented Sep 5, 2014 at 3:15
  • I'm not an expert here, but have you looked to use mod_security and a script to intercept and inject the header in conjunction with Apache ? Commented Sep 5, 2014 at 4:17

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.