blob: 63ec40ef53aac782d04693e7b8d51e282e6d8acd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
1. User accesses application's URL: http://app.example.com/hosts
2. Browser issues HTTP GET request
to app.exmple.com for /hosts
--- GET /hosts --->
3. Apache runs or hands the request over
to application
4. Application does not find
valid session cookie
5. Application redirects the
browser to logon page
<--- 302 Location /login?back=/hosts ---
6. Browser accesses the logon page /login
--- GET /login?back=/hosts --->
7. Apache runs or hands the request over
to application
8. Application does not see POST
with login & password
9. Application returns logon form
<--- 200 + page with logon form, action set back to /login ---
10. User fills in the login and password and hits "Log in"
11. Browser submits the form
--- POST /login --->
12.1. Module mod_intercept_form_submit gets
invoked
12.2. Module parses the post data, finds
the login & password
12.3. If login not in InterceptFormLoginSkip,
runs pam_authenticate
12.4. If login in InterceptFormLoginSkip and
InterceptFormClearRemoteUserForSkipped
on, clears possible existing
REMOTE_USER / r->user
12.5. If InterceptFormPasswordRedact on,
replaces the password in the POST
data with [REDACTED]
12.6. If pam_authenticate passes, module sets
the REMOTE_USER environment variable and
r->user
12.7. If pam_authenticate passes and
mod_lookup_identity loaded, it gets
called
12.8. (orig 12) Apache runs or hands the
request over to application
13.1. Application gets run
13.2. When it sees REMOTE_USER, it
trusts it
13.3. (orig 13) Otherwise it validates
the login & password; if they
are not valid, go to 9 with
message "Bad login or password"
14. Application creates session,
returns session cookies
<--- 302 Location /hosts with Set-Cookie ---
15. Like 2, now with Cookie set
--- GET /hosts --->
16. Apache runs or hands the request over
to application
17. Application sees valid session
cookie, returns the page
<--- 200 + the /hosts page that user wanted to see ---
|