-rw-r--r-- | README | 4
-rw-r--r-- | docs/form_based_authentication_with_mod_intercept_form_submit.txt | 65
-rw-r--r-- | docs/typical_form_based_authentication.txt | 55
3 files changed, 124 insertions, 0 deletions
@@ -9,6 +9,10 @@ REMOTE_USER environment variable if the authentication passes. If the REMOTE_USER is already set (presumably by some previous module), no authentication takes place. +The assumption is that the application will be amended to trust the +REMOTE_USER value if it is set and skip its own login/password +validation (see the docs/ directory for outline of the interaction). + Module configuration -------------------- diff --git a/docs/form_based_authentication_with_mod_intercept_form_submit.txt b/docs/form_based_authentication_with_mod_intercept_form_submit.txt new file mode 100644 index 0000000..67adcc2 --- /dev/null +++ b/docs/form_based_authentication_with_mod_intercept_form_submit.txt 
@@ -0,0 +1,65 @@ + +1. User accesses application's URL: http://app.example.com/hosts + 2. Browser issues HTTP GET request + to app.exmple.com for /hosts + + --- GET /hosts ---> + + 3. Apache runs or hands the request over + to application + 4. Application does not find + valid session cookie + 5. Application redirects the + browser to logon page + + <--- 302 Location /login?back=/hosts --- + + 6. Browser accesses the logon page /login + + --- GET /login?back=/hosts ---> + + 7. Apache runs or hands the request over + to application + 8. Application does not see POST + with login & password + 9. Application returns logon form + + <--- 200 + page with logon form, action set back to /login --- + +10. User fills in the login and password and hits "Log in" + 11. Browser submits the form + + --- POST /login ---> + + 12.1. Module mod_intercept_form_submit gets + invoked + 12.2. Module parses the post data, finds + the login & password, and runs + pam_authenticate + 12.3. If pam_authenticate passes, it sets the + REMOTE_USER environment variable + 12.4. (orig 12) Apache runs or hands the + request over to application + 13.1. Application gets run + 13.2. When it sees REMOTE_USER, it + trusts it + 13.3. (orig 13) Otherwise it validates + the login & password; if they + are not valid, go to 9 with + message "Bad login or password" + 14. Application creates session, + returns session cookies + + <--- 302 Login /hosts with Set-Cookie --- + + 15. Like 2, now with Cookie set + + --- GET /hosts ---> + + 16. Apache runs or hands the request over + to application + 17. Application sees valid session + cookie, returns the page + + <--- 200 + the /hosts page that user wanted to see --- + diff --git a/docs/typical_form_based_authentication.txt b/docs/typical_form_based_authentication.txt new file mode 100644 index 0000000..a6079bb --- /dev/null +++ b/docs/typical_form_based_authentication.txt 
@@ -0,0 +1,55 @@ + +1. User accesses application's URL: http://app.example.com/hosts + 2. Browser issues HTTP GET request + to app.exmple.com for /hosts + + --- GET /hosts ---> + + 3. Apache runs or hands the request over + to application + 4. Application does not find + valid session cookie + 5. Application redirects the + browser to logon page + + <--- 302 Location /login?back=/hosts --- + + 6. Browser accesses the logon page /login + + --- GET /login?back=/hosts ---> + + 7. Apache runs or hands the request over + to application + 8. Application does not see POST + with login & password + 9. Application returns logon form + + <--- 200 + page with logon form, action set back to /login --- + +10. User fills in the login and password and hits "Log in" + 11. Browser submits the form + + --- POST /login ---> + + 12. Apache runs or hands the request over + to application + 13. Application validates the + login & password; if they + are not valid, go to 9 with + message "Bad login or password" + 14. Application creates session, + returns session cookies + + <--- 302 Login /hosts with Set-Cookie --- + + 15. Like 2, now with Cookie set + + --- GET /hosts ---> + + 16. Apache runs or hands the request over + to application + 17. Application sees valid session + cookie, returns the page + + <--- 200 + the /hosts page that user wanted to see --- + |
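Review bot: the new README paragraph should state the precondition that makes trusting REMOTE_USER safe. The sentence just above it says no authentication takes place if REMOTE_USER is already set by a previous module, so the application must only honour a REMOTE_USER that was set inside the Apache module chain, and the README should say that nothing else in the request path may set it. Suggest naming the two files (docs/typical_form_based_authentication.txt and docs/form_based_authentication_with_mod_intercept_form_submit.txt) instead of "the docs/ directory", and "for outline of the interaction" should read "for an outline of the interaction".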
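Review bot: in docs/form_based_authentication_with_mod_intercept_form_submit.txt steps 12.2 to 13.3 leave the failure path implicit. Step 12.3 says REMOTE_USER is set when pam_authenticate passes and step 13.3 says the application otherwise validates the login & password itself, so the doc should state that on PAM failure the module leaves REMOTE_USER unset and hands the POST over unchanged, and that the body parsed in 12.2 is still readable by the application at 13.3. Two small fixes while here: step 2 has "app.exmple.com" for app.example.com, and step 14 reads "302 Login /hosts" where the header is Location, as written in step 5.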
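Review bot: docs/typical_form_based_authentication.txt has the same two typos as the other file: step 2 says "app.exmple.com" and step 14 says "302 Login /hosts" instead of "302 Location /hosts" (compare step 5). Since this file is the baseline that the mod_intercept_form_submit flow diverges from only in steps 12 and 13, a one-line header saying so would help a reader compare the two flows.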