path: root/docs/form_based_authentication_with_mod_intercept_form_submit.txt

1. User accesses application's URL: http://app.example.com/hosts
	2. Browser issues HTTP GET request
	   to app.example.com for /hosts

		--- GET /hosts --->

				3. Apache runs or hands the request over
				   to application
					4. Application does not find
					   valid session cookie
					5. Application redirects the
					   browser to logon page

	<--- 302 Location /login?back=/hosts ---

	6. Browser accesses the logon page /login

		--- GET /login?back=/hosts --->

				7. Apache runs or hands the request over
				   to application
					8. Application does not see POST
					   with login & password
					9. Application returns logon form

	<--- 200 + page with logon form, action set back to /login ---

10. User fills in the login and password and hits "Log in"
	11. Browser submits the form

		--- POST /login --->
	
				12.1. Module mod_intercept_form_submit gets
				      invoked
				12.2. Module parses the post data, finds
				      the login & password, and runs
				      pam_authenticate
				12.3. If pam_authenticate passes, it sets the
				      REMOTE_USER environment variable
				12.4. (orig 12) Apache runs or hands the
				      request over to application
					13.1. Application gets run
					13.2. When it sees REMOTE_USER, it
					      trusts it
					13.3. (orig 13) Otherwise it validates
					      the login & password; if they
					      are not valid, go to 9 with
					      message "Bad login or password"
					14. Application creates session,
					    returns session cookies

	<--- 302 Location /hosts with Set-Cookie ---

	15. Like 2, now with Cookie set

		--- GET /hosts --->

				16. Apache runs or hands the request over
				    to application
					17. Application sees valid session
					    cookie, returns the page

	<--- 200 + the /hosts page that user wanted to see ---
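
The exchange above, modelled end to end as an added example (not code from mod_intercept_form_submit or from any application it fronts). `pam_authenticate`, the `PAM_USERS` and `APP_USERS` tables, the `session` cookie name and the hidden `back` form field are all constructed assumptions; the real module consults the PAM stack and real applications keep their own session formats. The point the model makes explicit is the trust boundary at step 13.2: REMOTE_USER is only ever set in the server-side environment, only after PAM accepted the credentials, and a user unknown to PAM still falls through to the application's own check at 13.3.

```python
"""Toy model of the mod_intercept_form_submit login flow (steps 2-17 above).
Constructed example: pam_authenticate and the application are stand-ins,
not the real module or any real application."""
import secrets
from dataclasses import dataclass, field

# Constructed credential stores (assumptions, not real data). PAM_USERS stands
# in for the PAM stack the module consults; APP_USERS is the application's own
# account table, used only when the module did not set REMOTE_USER.
PAM_USERS = {"alice": "pam-secret"}
APP_USERS = {"bob": "app-secret"}
SESSIONS = {}  # session id -> user name, kept server side


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    env: dict = field(default_factory=dict)  # server-side environment Apache hands to the app


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def pam_authenticate(login, password):
    """Stand-in for pam_authenticate(3): succeeds only on a matching pair."""
    return PAM_USERS.get(login) == password


def intercept_form_submit(req):
    """Steps 12.1-12.3: runs before the application. Only a POST to /login is
    parsed; REMOTE_USER is set only when PAM accepts the credentials, and it
    goes into the server-side environment, never copied from a client header."""
    if req.method == "POST" and req.path == "/login":
        login, password = req.form.get("login"), req.form.get("password")
        if login and password and pam_authenticate(login, password):
            req.env["REMOTE_USER"] = login
    return req


def application(req):
    """Steps 4-5, 8-9, 13-14 and 17 of the flow."""
    sid = req.cookies.get("session")
    if sid in SESSIONS:                                   # step 17
        return Response(200, body=f"/hosts page for {SESSIONS[sid]}")
    if req.path != "/login":                              # steps 4-5
        return Response(302, {"Location": f"/login?back={req.path}"})
    if req.method != "POST":                              # steps 8-9
        back = req.query.get("back", "/")
        return Response(200, body=f'logon form, action="/login", hidden back="{back}"')
    user = req.env.get("REMOTE_USER")                     # step 13.2: module already verified
    if user is None:                                      # step 13.3: app validates itself
        login, password = req.form.get("login"), req.form.get("password")
        if password is None or APP_USERS.get(login) != password:
            return Response(200, body="logon form: Bad login or password")
        user = login
    sid = secrets.token_hex(16)                           # step 14
    SESSIONS[sid] = user
    return Response(302, {"Location": req.form.get("back", "/"),
                          "Set-Cookie": f"session={sid}"})


def apache(req):
    """Steps 3, 7, 12 and 16: Apache runs the module, then the application."""
    return application(intercept_form_submit(req))


def run_flow(login, password):
    """Drive the browser side of steps 2-17; return the status codes seen
    and the body of the last response."""
    statuses = []
    r = apache(Request("GET", "/hosts")); statuses.append(r.status)
    login_path, _, qs = r.headers["Location"].partition("?")
    back = dict(p.split("=", 1) for p in qs.split("&"))["back"]
    r = apache(Request("GET", login_path, query={"back": back})); statuses.append(r.status)
    r = apache(Request("POST", "/login",
                       form={"login": login, "password": password, "back": back}))
    statuses.append(r.status)
    if r.status != 302:                                   # went back to step 9
        return statuses, r.body
    cookie = dict([r.headers["Set-Cookie"].split("=", 1)])
    r = apache(Request("GET", r.headers["Location"], cookies=cookie)); statuses.append(r.status)
    return statuses, r.body


if __name__ == "__main__":
    print(run_flow("alice", "pam-secret"))   # PAM path, REMOTE_USER trusted
    print(run_flow("bob", "app-secret"))     # application's own validation
    print(run_flow("alice", "wrong"))        # falls through to "Bad login or password"
```

Three runs cover the three outcomes the flow describes: a PAM-known user is logged in without the application ever seeing a password check (13.2), a user only the application knows is validated by the application (13.3), and a bad password loops back to the logon form (9) with the error message.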