Bud P. Bruegger
bud at comune.grosseto.it
Mon May 23 04:55:44 EDT 2005
At 09.20 23/05/2005 +0200, Graham Dumpleton wrote:

>Some questions for you about this.
>
>How does this information fit into the larger scheme of what you are
>trying to do? Are you trying to separate this out into a separate
>handler phase so that you don't have to duplicate that code in every
>mod_python content handler? Are mod_python content handlers being used
>exclusively to deliver up content, or are you just using mod_python
>as a way of processing the SSL stuff and content handler phases would
>be handled by non mod_python handlers such as PHP, CGI or static
>page delivery?

Hi Graham,

I suppose my problem is closest to the last option you mention above.
Here is some more background on what I'm trying to do.

The objective is an access control system that works with the various
European eID cards and basically is a reverse-proxy that centralizes
authentication and authorization. Behind the reverse-proxy, any kind of
application servers (from static pages, mod-python, php, servlets, etc.;
normally on separate hosts) are foreseen. It is an extension of the
official Belgian approach
http://www.belgium.be/zip/Belgian_eID_Authentication_Reverse_Proxy_Users_Guide.pdf.

The overall request processing would more or less follow this pattern:

  mod-ssl > mod-personID > mod-RBAC > mod-rewrite ---------> mod-remoteAuth ...

mod-ssl and -rewrite are off the shelf. What I am trying to add based on
mod-python are:

mod-personID takes the data from mod-ssl (mostly SSL_CLIENT_S_DN) and,
depending on which eID card was used, maps to an internationally unique
personID:

  * for the Belgian, Finnish, and Estonian eIDs, it simply takes the
    subject serial number and prefixes it with a country id
  * for the Italian CIE, it extracts the card number from the subject CN
    and looks up a corresponding unique person ID in LDAP
  * for the Italian CNS, it cuts the person ID from the subj. CN string
    and prefixes it
  * etc.

mod-RBAC is then a role-based access control module--I have yet to start
on that one. If access to the resource is granted, the internationally
unique person id generated by mod-personID is transferred to the
application server behind the proxy in a custom http-header.

mod-remoteAuth takes this header as input to fake local Basic Auth (in
the case of Apache, either as a simple mod-python access handler that
sets req.user or also as pure configuration (using mod-rewrite)).

The concept of Loginhandler is really interesting. My doubt is whether it
would execute before mod-rewrite kicks in?

Many thanks for your support!

cheers
-b

-------------------------------------------------------------------------------------------------
Ing. Bud P. Bruegger, Ph.D.              +39-0564-488577 (voice), -21139 (fax)
Servizio Elaborazione Dati               e-mail: bud at comune.grosseto.it
Comune di Grosseto                       http://www.comune.grosseto.it/cie/
Via Ginori, 43                           http://OpenPortalGuard.sf.net
58100 Grosseto (Tuscany, Italy)          jabber: bud at amessage.info

Free Software in Public Administration: not just a good idea, but a necessity

Perfection is attained, not when there is nothing more to be added, but
when there is nothing more to be taken away -- Antoine de Saint-Exupery
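The two pieces the message describes, mod-personID's mapping of SSL_CLIENT_S_DN to a country-prefixed person id and mod-remoteAuth's consumption of the resulting header, sketched as plain Python functions. This is an added example, not code from OpenPortalGuard, mod_python or the Belgian reverse-proxy guide. The one-line DN layout, the card-number and fiscal-code shapes in the Italian CNs, the "<country>:<identifier>" prefix format, the issuer table used to tell a CIE from a CNS, the in-memory stand-in for the LDAP directory and the header name X-Person-Id are all assumptions made for the example.

```python
"""Sketch of the mod-personID / mod-remoteAuth split (added example).

All DN layouts, identifier shapes, the issuer table, the directory
contents and the header name below are assumptions for illustration.
"""
import re

# mod_ssl's legacy one-line DN layout: "/C=BE/CN=.../serialNumber=...".
# Attribute values containing "/" are ambiguous in this layout; the example
# assumes certificates whose values do not contain one.
def parse_oneline_dn(dn):
    """Return the RDNs of a mod_ssl SSL_CLIENT_S_DN string as a dict."""
    rdns = {}
    for part in dn.strip("/").split("/"):
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        key, value = part.split("=", 1)
        rdns[key] = value
    return rdns

# Assumed: the issuing CA is what tells a CIE apart from a CNS (both C=IT).
ISSUER_TO_CARD = {
    "/C=IT/O=Example CIE CA": "CIE",
    "/C=IT/O=Example CNS CA": "CNS",
}

# Constructed stand-in for the LDAP directory mentioned in the message
# (CIE card number -> unique person identifier); the real module queries LDAP.
CIE_DIRECTORY = {"AA1234567": "RSSMRA70A01H501U"}

CIE_CARD_RE = re.compile(r"\b([A-Z]{2}\d{7})\b")  # assumed CIE card-number shape
# Italian codice fiscale: 6 letters, 2 digits, letter, 2 digits, letter, 3 digits, letter.
CODICE_FISCALE_RE = re.compile(r"\b([A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z])\b")


def person_id(subject_dn, issuer_dn, cie_lookup=CIE_DIRECTORY.get):
    """Map a client-certificate subject to an internationally unique person id.

    Returns "<country>:<national identifier>" and raises LookupError when the
    certificate carries no identifier this function knows how to extract.
    """
    rdns = parse_oneline_dn(subject_dn)
    country = rdns.get("C")
    if country in ("BE", "FI", "EE"):
        # These eIDs carry the national number in the serialNumber attribute.
        serial = rdns.get("serialNumber")
        if not serial:
            raise LookupError("no serialNumber in %r" % subject_dn)
        return "%s:%s" % (country, serial)
    if country == "IT":
        card = ISSUER_TO_CARD.get(issuer_dn)
        cn = rdns.get("CN", "")
        if card == "CIE":
            # Card number is cut from the CN and resolved through the directory.
            m = CIE_CARD_RE.search(cn)
            pid = cie_lookup(m.group(1)) if m else None
            if pid is None:
                raise LookupError("CIE card not found in directory: %r" % cn)
            return "IT:%s" % pid
        if card == "CNS":
            # The person id itself is embedded in the CN; just cut it out.
            m = CODICE_FISCALE_RE.search(cn)
            if not m:
                raise LookupError("no fiscal code in CNS CN %r" % cn)
            return "IT:%s" % m.group(1)
    raise LookupError("unsupported eID certificate: %r" % subject_dn)


PERSONID_HEADER = "X-Person-Id"  # assumed name of the custom header


def remote_auth_user(headers_in, peer_ip, trusted_proxies):
    """Value mod-remoteAuth would place in req.user, or None to deny.

    The header is only meaningful when the connection really comes from the
    reverse proxy; from any other peer it could have been set by the client.
    """
    if peer_ip not in trusted_proxies:
        return None
    value = headers_in.get(PERSONID_HEADER, "").strip()
    return value or None
```

In a mod_python deployment the first function would be fed from req.ssl_var_lookup("SSL_CLIENT_S_DN") (or the SSL_* entries in req.subprocess_env) and its result written into the outgoing custom header, while the second would run in an access handler on the application server and assign its result to req.user. The peer check in remote_auth_user is the part that is easy to forget: a backend that sets req.user from a header without restricting who may connect to it lets anyone who can reach it directly choose their own identity, so the application servers should accept that header only from the proxy.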