author    Jan Pazdziora <jpazdziora@redhat.com>    2013-11-07 09:41:55 +0800
committer Jan Pazdziora <jpazdziora@redhat.com>    2013-11-07 09:41:55 +0800
commit    2466bbe4e8d1852812529d3d3ddb70fa873451b0 (patch)
tree      b12a04ded89cb7c6ac99843584f9125dd816d495
parent    4c97701a1cb0391370e8100fdedc669e0889d9f0 (diff)
Amend documentation.
-rw-r--r--  README                                                              4
-rw-r--r--  docs/form_based_authentication_with_mod_intercept_form_submit.txt  65
-rw-r--r--  docs/typical_form_based_authentication.txt                         55
3 files changed, 124 insertions, 0 deletions
diff --git a/README b/README
index 2fe5b80..1334e13 100644
--- a/README
+++ b/README
@@ -9,6 +9,10 @@ REMOTE_USER environment variable if the authentication passes. If the
REMOTE_USER is already set (presumably by some previous module), no
authentication takes place.
+The assumption is that the application will be amended to trust the
+REMOTE_USER value if it is set and skip its own login/password
+validation (see the docs/ directory for outline of the interaction).
+
Module configuration
--------------------
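Review bot: the new README paragraph says the application "will be amended to trust the REMOTE_USER value if it is set" but does not say where that trust boundary lies, and that is the one thing an application author needs to get right. REMOTE_USER here is a server environment variable populated by Apache (by this module after pam_authenticate, or by a previous module as the lines above describe), never a value taken from the client request. Without that caveat it is easy to deploy the application behind a reverse proxy and forward REMOTE_USER as a request header, at which point any unauthenticated client can supply it and skip "its own login/password validation" entirely. Suggest adding one sentence after the new paragraph, e.g. "The application must read REMOTE_USER from the server environment only and must never accept it from a request header or other client-controlled input."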
diff --git a/docs/form_based_authentication_with_mod_intercept_form_submit.txt b/docs/form_based_authentication_with_mod_intercept_form_submit.txt
new file mode 100644
index 0000000..67adcc2
--- /dev/null
+++ b/docs/form_based_authentication_with_mod_intercept_form_submit.txt
@@ -0,0 +1,65 @@
+
+1. User accesses application's URL: http://app.example.com/hosts
+ 2. Browser issues HTTP GET request
+ to app.exmple.com for /hosts
+
+ --- GET /hosts --->
+
+ 3. Apache runs or hands the request over
+ to application
+ 4. Application does not find
+ valid session cookie
+ 5. Application redirects the
+ browser to logon page
+
+ <--- 302 Location /login?back=/hosts ---
+
+ 6. Browser accesses the logon page /login
+
+ --- GET /login?back=/hosts --->
+
+ 7. Apache runs or hands the request over
+ to application
+ 8. Application does not see POST
+ with login & password
+ 9. Application returns logon form
+
+ <--- 200 + page with logon form, action set back to /login ---
+
+10. User fills in the login and password and hits "Log in"
+ 11. Browser submits the form
+
+ --- POST /login --->
+
+ 12.1. Module mod_intercept_form_submit gets
+ invoked
+ 12.2. Module parses the post data, finds
+ the login & password, and runs
+ pam_authenticate
+ 12.3. If pam_authenticate passes, it sets the
+ REMOTE_USER environment variable
+ 12.4. (orig 12) Apache runs or hands the
+ request over to application
+ 13.1. Application gets run
+ 13.2. When it sees REMOTE_USER, it
+ trusts it
+ 13.3. (orig 13) Otherwise it validates
+ the login & password; if they
+ are not valid, go to 9 with
+ message "Bad login or password"
+ 14. Application creates session,
+ returns session cookies
+
+ <--- 302 Login /hosts with Set-Cookie ---
+
+ 15. Like 2, now with Cookie set
+
+ --- GET /hosts --->
+
+ 16. Apache runs or hands the request over
+ to application
+ 17. Application sees valid session
+ cookie, returns the page
+
+ <--- 200 + the /hosts page that user wanted to see ---
+
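Review bot: step 12.3 only describes the success path of pam_authenticate; add a sibling line for the failure path stating that the module then leaves REMOTE_USER unset and still hands the unmodified POST body to the application, so the reader can see why step 13.3's "Otherwise" falls back to the application's own login/password validation rather than to an error returned by the module. Two wording errors in the same hunk: step 2 has "app.exmple.com" where step 1 reads app.example.com, and the response line before step 15, "<--- 302 Login /hosts with Set-Cookie ---", should read "302 Location /hosts" like the redirect in step 5. It would also help to say explicitly in step 13.2 that once REMOTE_USER is present the application ignores the submitted password rather than validating it as well.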
diff --git a/docs/typical_form_based_authentication.txt b/docs/typical_form_based_authentication.txt
new file mode 100644
index 0000000..a6079bb
--- /dev/null
+++ b/docs/typical_form_based_authentication.txt
@@ -0,0 +1,55 @@
+
+1. User accesses application's URL: http://app.example.com/hosts
+ 2. Browser issues HTTP GET request
+ to app.exmple.com for /hosts
+
+ --- GET /hosts --->
+
+ 3. Apache runs or hands the request over
+ to application
+ 4. Application does not find
+ valid session cookie
+ 5. Application redirects the
+ browser to logon page
+
+ <--- 302 Location /login?back=/hosts ---
+
+ 6. Browser accesses the logon page /login
+
+ --- GET /login?back=/hosts --->
+
+ 7. Apache runs or hands the request over
+ to application
+ 8. Application does not see POST
+ with login & password
+ 9. Application returns logon form
+
+ <--- 200 + page with logon form, action set back to /login ---
+
+10. User fills in the login and password and hits "Log in"
+ 11. Browser submits the form
+
+ --- POST /login --->
+
+ 12. Apache runs or hands the request over
+ to application
+ 13. Application validates the
+ login & password; if they
+ are not valid, go to 9 with
+ message "Bad login or password"
+ 14. Application creates session,
+ returns session cookies
+
+ <--- 302 Login /hosts with Set-Cookie ---
+
+ 15. Like 2, now with Cookie set
+
+ --- GET /hosts --->
+
+ 16. Apache runs or hands the request over
+ to application
+ 17. Application sees valid session
+ cookie, returns the page
+
+ <--- 200 + the /hosts page that user wanted to see ---
+
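Review bot: this file repeats the two typos from the companion file: "app.exmple.com" in step 2 (step 1 reads app.example.com) and "302 Login /hosts" in the response line before step 15, which should be "302 Location /hosts" to match step 5. Since this file exists to be read side by side with form_based_authentication_with_mod_intercept_form_submit.txt, consider a one-line header in each pointing at the other, and keep the step numbering aligned (it currently is, apart from the 12.x/13.x split in the module variant) so that diffing the two files shows exactly where mod_intercept_form_submit changes the flow.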