httpd-modules-dev mailing list archives

From Ray Morris <supp...@bettercgi.com>
Subject Re: OAuth WRAP apache module
Date Thu, 14 Jan 2010 17:50:53 GMT
   Relevant examples can be found in the source,  
httpd-2.2.4/modules/aaa/ .
Note that in this area there were significant changes between Apache 1.x
and Apache 2.x.

    In Apache 2, authentication and authorization are correctly
split between modules that interact with the client, implementing
protocols like basic auth, digest auth, or OAuth WRAP, and the
backend that actually verifies the credentials against a flat
file, a dbm, an SQL database, etc.  In this way, the module that does
basic authentication doesn't have to be duplicated for different
modules which check that user/pass against various types of storage.

    OAuth WRAP itself, being a protocol for interaction with the client,
would be implemented similarly to basic authentication and digest
authentication, so the relevant examples would include:
httpd-2.2.4/modules/aaa/mod_auth_basic.c
httpd-2.2.4/modules/aaa/mod_auth_digest.c

    Apart from interacting with the client using OAuth WRAP,
you'll also probably want to check the validity of the token.
mod_authn_file.c and mod_authn_dbd.c would be examples of
that part.

> I'm familiar with ... but not with Apache or Apache modules.
> Could someone point me to the relevant documentation

    Though there is some documentation on apache.org, if you
want to quickly go from "not familiar with Apache" to "writing
robust Apache modules", the book may be useful to you.  It's
called "The Apache Modules Book".
--
Ray Morris
support@bettercgi.com

Strongbox - The next generation in site security:
http://www.bettercgi.com/strongbox/

Throttlebox - Intelligent Bandwidth Control
http://www.bettercgi.com/throttlebox/

Strongbox / Throttlebox affiliate program:
http://www.bettercgi.com/affiliates/user/register.php


On 01/14/2010 11:08:25 AM, Pedro Félix wrote:
> Hi,
> 
> I want to develop an apache module for the OAuth WRAP protocol:
> 
> 	1) Upon an unauthenticated request, the module should return a 401
> with header "WWW-Authenticate: WRAP"
> 
> 	2) When the request contains the header "Authorization: WRAP
> access_token=<token>", the module should validate this token and extract the
> user name from it.
> 
> I already know the details of the WRAP protocol. My problem is how to
> integrate this with Apache.
> 
> I'm familiar with architectures/pipelines for HTTP processing (e.g. IIS or
> ASP.NET), but not with Apache or Apache modules.
> Could someone point me to the relevant documentation or code
> frameworks/samples?
> 
> Thanks
> Regards
> Pedro Félix
> 	
> 
> 
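
The client-facing half of the design discussed in this thread starts with deciding whether a request carries a usable `Authorization: WRAP access_token=<token>` value or must be answered with a 401 and `WWW-Authenticate: WRAP`. The parser below is an added example, not part of the original message and not code from httpd; `wrap_parse_authz` and `enum wrap_result` are hypothetical names, accepting a double-quoted token is an assumption, and the Apache hook wiring and the token validation itself are not shown.

```c
/* Added example: parse the value of "Authorization: WRAP access_token=<token>". */
#include <stdio.h>
#include <string.h>
#include <strings.h>  /* strncasecmp (POSIX) */

enum wrap_result { WRAP_OK, WRAP_NO_CREDENTIALS, WRAP_MALFORMED };

/* hdr is the Authorization header value, or NULL when the header is absent.
 * On WRAP_OK the token is copied, NUL-terminated, into out[outlen]. */
enum wrap_result wrap_parse_authz(const char *hdr, char *out, size_t outlen)
{
    static const char scheme[] = "WRAP", param[] = "access_token=";
    const char *p, *end;
    size_t n;

    if (out == NULL || outlen == 0) return WRAP_MALFORMED;
    out[0] = '\0';
    if (hdr == NULL) return WRAP_NO_CREDENTIALS;
    while (*hdr == ' ' || *hdr == '\t') hdr++;
    /* Scheme names are case-insensitive; "WRAPPER x" is a different scheme. */
    if (strncasecmp(hdr, scheme, sizeof scheme - 1) != 0) return WRAP_NO_CREDENTIALS;
    p = hdr + sizeof scheme - 1;
    if (*p == '\0') return WRAP_MALFORMED;            /* scheme with no token */
    if (*p != ' ' && *p != '\t') return WRAP_NO_CREDENTIALS;
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, param, sizeof param - 1) != 0) return WRAP_MALFORMED;
    p += sizeof param - 1;
    if (*p == '"') {                                  /* quoted form (assumption) */
        end = strchr(++p, '"');
        if (end == NULL || end[1] != '\0') return WRAP_MALFORMED;
    } else {
        end = p + strcspn(p, " \t,\"");
        if (*end != '\0') return WRAP_MALFORMED;      /* trailing data after token */
    }
    n = (size_t)(end - p);
    if (n == 0 || n >= outlen) return WRAP_MALFORMED; /* empty, or would not fit */
    memcpy(out, p, n);
    out[n] = '\0';
    return WRAP_OK;
}

int main(void)
{
    char tok[64];
    /* Constructed sample header value. */
    if (wrap_parse_authz("WRAP access_token=abc123", tok, sizeof tok) == WRAP_OK)
        printf("token: %s\n", tok);
    else
        puts("challenge: 401 with WWW-Authenticate: WRAP");
    return 0;
}
```

Any result other than `WRAP_OK` corresponds to the 401 challenge in step 1 of the question; a token that does not fit the buffer is rejected rather than truncated, so a shortened token is never handed to the validation backend.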

