httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul B. Henson" <hen...@acm.org>
Subject authorization by filesystem ACL
Date Wed, 23 Jul 2008 21:24:12 GMT

I'd like to implement a web service that implements authorization based on
the underlying file system ACL.

Basically, when a request is made, if a file/directory is world readable,
it should just be served with no authentication required. However, if a
file is not world readable, authentication should be requested, and access
should only be granted if the successfully authenticated user would receive
such access based on the ACL. Obviously, if a file is not world readable,
it would need to be accessible to the web server process in order to
actually read the ACL or deliver the file.

I implemented a similar system years ago under Apache 1.3 with the
mod_auth_dce module, and am trying to replicate similar behavior under
Apache 2 on top of Solaris ZFS.

I would like to delegate the actual authentication to a separate module (in
my case, LDAP authentication, but it could theoretically work with any
authentication module that verifies a username/password).

There are two approaches I'm currently considering. Both share the same
first steps.

Initially, hook into the authentication layer. For a given request, if the
resource requested is world readable, do not request authentication and
deliver as necessary. If the request is not world readable, and no
authentication was provided, require authentication. If authentication was
provided, skip the request and pass it on to the actual underlying
authentication module (LDAP, etc) to verify the username/password is
correct.

For the authorization layer, I'm thinking I can either evaluate the ACL
within my module, or dynamically convert the ACL into Apache require
user/group configuration to be processed by an existing authorization
module.

I haven't worked on an Apache module since 1.3, and was hoping for a little
feedback before I dug in.

Does there already exist any module that performs similarly to this?

Is it feasible within the Apache 2 framework to sometimes require
authentication and sometimes not within a particular directory? Will one
module be able to require authentication, but be able to delegate the
actual performance of that authentication to another? And finally, Would it
be possible for one module to dynamically generate require configuration
for a request that is then interpreted by another module?

Thanks much for any assistance...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768

Mime
View raw message