httpd-modules-dev mailing list archives

From Pedro Félix <pedrofe...@cc.isel.ipl.pt>
Subject RE: OAuth WRAP apache module
Date Fri, 15 Jan 2010 18:33:55 GMT
Hi,

Thanks Ray and Joe for your help. I've followed Joe's advice and read the
"mod_auth_basic" module, which I found very instructive. I've already
managed to change this module, compile it under Windows with cl.exe,
register it and handle "WRAP" auth schemes. I'm now starting to write the
WRAP token handling code.

Now, my main question is how to create a separate building environment for
this module. I've downloaded the httpd sources, and created several files in
the source tree (mod_auth_wrap.c, mod_auth_wrap.dep, mod_auth_wrap.mak). I'm
using the mod_auth_wrap.mak makefile (copied from mod_auth_basic.mak) to
build the module under Windows. However, I would like to create a separate
building environment (not in the httpd source tree) with only my module and
all the artifacts required to build it under Windows and Linux. Any thoughts
or advice regarding this?

Thanks
Pedro Felix

 
> -----Original Message-----
> From: Ray Morris [mailto:support@bettercgi.com]
> Sent: quinta-feira, 14 de Janeiro de 2010 17:51
> To: modules-dev@httpd.apache.org
> Subject: Re: OAuth WRAP apache module
> 
>    Relevant examples can be found in the source,
> httpd-2.2.4/modules/aaa/ .
> Note that in this area there were significant changes between Apache 1.x
> and Apache 2.x.
> 
>     In Apache 2, authentication and authorization are correctly
> split between modules that interact with the client, implementing
> protocols like basic auth, digest auth, or OAuth WRAP, and the
> backend that actually verifies the credentials against a flat
> file, a dbm, an SQL database, etc.  In this way, the module that does
> basic authentication doesn't have to be duplicated for different
> modules which check that user/pass against various types of storage.
> 
>     OAuth WRAP itself, being a protocol for interaction with the client,
> would be implemented similarly to basic authentication and digest
> authentication, so the relevant examples would include:
> httpd-2.2.4/modules/aaa/mod_auth_basic.c
> httpd-2.2.4/modules/aaa/mod_auth_digest.c
> 
>     Apart from interacting with the client using OAuth WRAP,
> you'll also probably want to check the validity of the token.
> mod_authn_file.c and mod_authn_dbd.c would be examples of
> that part.
> 
> > I'm familiar with ... but not with Apache or Apache modules.
> > Could someone point me to the relevant documentation
> 
>     Though there is some documentation on apache.org, if you
> want to quickly go from "not familiar with Apache" to "writing
> robust Apache modules", the book may be useful to you.  It's
> called "The Apache Modules Book".
> --
> Ray Morris
> support@bettercgi.com
> 
> Strongbox - The next generation in site security:
> http://www.bettercgi.com/strongbox/
> 
> Throttlebox - Intelligent Bandwidth Control
> http://www.bettercgi.com/throttlebox/
> 
> Strongbox / Throttlebox affiliate program:
> http://www.bettercgi.com/affiliates/user/register.php
> 
> 
> On 01/14/2010 11:08:25 AM, Pedro Félix wrote:
> > Hi,
> >
> > I want to develop an apache module for the OAuth WRAP protocol:
> >
> > 	1) Upon an unauthenticated request, the module should return a 401
> > with header "WWW-Authenticate: WRAP"
> >
> > 	2) When the request contains the header "Authorization: WRAP
> > access_token=<token>", the module should validate this token and
> > extract the user name from it.
> >
> > I already know the details of the WRAP protocol. My problem is how to
> > integrate this with Apache.
> >
> > I'm familiar with architectures/pipelines for HTTP processing (e.g.
> > IIS or ASP.NET), but not with Apache or Apache modules.
> > Could someone point me to the relevant documentation or code
> > frameworks/samples?
> >
> > Thanks
> > Regards
> > Pedro Félix
> >
> >
> >

