I am attempting to authorize post content (SOAP methods) against ACLs,
but once the authorize handler grabs the HTTP body, the other handlers
can't process the content. I have been told that an input filter is the way to go, but those
return codes are ignored and I need to be able to return a 404. Also, I need to be able to
look at the entire body first before passing it on.
A work around is to proxy the request to a local virtual host to handle
the request AFTER it has been authorized, but then the SSL/TLS
information is lost. Also, this means that anyone on that box can bypass
the authorizer by simply calling the proxied virtual host.
I would like to do everything in a single pass so I can keep the SSL
info and make it harder for local apps to bypass ACLs.
Any ideas?
Thanks,
Andrew
|