From: Pedro Félix
Subject: RE: OAuth WRAP apache module - attaching groups to a request
Date: Sat, 16 Jan 2010 11:18:52 -0000

Hi,

First of all, thanks for the help.

In my journey to develop an OAuth Wrap extension to Apache's HTTPD, my current question is:

- A token received via the WRAP protocol can contain more information than just a username. One example of this extra information are groups, roles or permissions. The goal of my module is to process the token, extract this information and associate it with the request, so that this information is available to downstream modules or applications (e.g. subversion or trac).
- A request record already has a place to put the username but not a place for this extra information.
- Apparently, the request_rec::notes table should be used to place information that is going to be consumed by downstream modules. However, I want this information to also be available to handler apps (e.g. a trac plugin).
- So, what is the best place to put this extra info?

Thanks,
Pedro Felix

> -----Original Message-----
> From: Ray Morris [mailto:support@bettercgi.com]
> Sent: Thursday, 14 January 2010 17:51
> To: modules-dev@httpd.apache.org
> Subject: Re: OAuth WRAP apache module
>
> Relevant examples can be found in the source,
> httpd-2.2.4/modules/aaa/ .
> Note that in this area there were significant changes between Apache 1.x
> and Apache 2.x.
>
> In Apache 2, authentication and authorization are correctly
> split between modules that interact with the client, implementing
> protocols like basic auth, digest auth, or OAuth WRAP, and the
> backend that actually verifies the credentials against a flat
> file, a dbm, an SQL database, etc. In this way, the mode that does
> basic authentication doesn't have to be duplicated for different
> modules which check that user/pass against various types of storage.
>
> OAuth WRAP itself, being a protocol for interaction with the client,
> would be implemented similarly to basic authentication and digest
> authentication, so the relevant examples would include:
> httpd-2.2.4/modules/aaa/mod_auth_basic.c
> httpd-2.2.4/modules/aaa/mod_auth_digest.c
>
> Apart from interacting with the client using OAuth WRAP,
> you'll also probably want to check the validity of the token.
> mod_authn_file.c and mod_authn_dbd.c would be examples of
> that part.
>
> > I'm familiar with ... but not with Apache or Apache modules.
> > Could someone point me to the relevant documentation
>
> Though there is some documentation on apache.org, if you
> want to quickly go from "not familiar with Apache" to "writing
> robust Apache modules", the book may be useful to you. It's
> called "The Apache Modules Book".
> --
> Ray Morris
> support@bettercgi.com
>
> Strongbox - The next generation in site security:
> http://www.bettercgi.com/strongbox/
>
> Throttlebox - Intelligent Bandwidth Control
> http://www.bettercgi.com/throttlebox/
>
> Strongbox / Throttlebox affiliate program:
> http://www.bettercgi.com/affiliates/user/register.php
>
>
> On 01/14/2010 11:08:25 AM, Pedro Félix wrote:
> > Hi,
> >
> > I want to develop an apache module for the OAuth WRAP protocol:
> >
> > 1) Upon an unauthenticated request, the module should return a 401
> > with header "WWW-Authenticate: WRAP"
> >
> > 2) When the request contains the header "Authorization: WRAP
> > access_token=", the module should validate this token and extract the
> > user name from it.
> >
> > I already know the details of the WRAP protocol. My problem is how to
> > integrate this with Apache.
> >
> > I'm familiar with architectures/pipelines for HTTP processing (e.g. IIS or
> > ASP.NET), but not with Apache or Apache modules.
> > Could someone point me to the relevant documentation or code
> > frameworks/samples?
> >
> > Thanks
> > Regards
> > Pedro Félix
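The header handling from steps 1 and 2 of the quoted request, as an added example; it is not code from the thread or from any Apache module. The function name, the result enum and the acceptance of an optionally double-quoted token value are assumptions, and validating the token is left out.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

enum wrap_result {
    WRAP_CHALLENGE, /* reply 401 with "WWW-Authenticate: WRAP" */
    WRAP_TOKEN      /* token copied to out; it must still be validated */
};

/*
 * Parse "WRAP access_token=<value>" (authz is the header value, or NULL
 * when the header is absent). Assumption: the value may be wrapped in
 * double quotes. Anything malformed, empty or too long for out yields
 * WRAP_CHALLENGE, so a bad header never counts as authenticated.
 */
enum wrap_result wrap_parse_authz(const char *authz, char *out, size_t outlen)
{
    static const char scheme[] = "WRAP";
    static const char param[] = "access_token=";
    size_t n;

    if (authz == NULL || out == NULL || outlen == 0)
        return WRAP_CHALLENGE;
    out[0] = '\0';
    authz += strspn(authz, " \t");
    if (strncasecmp(authz, scheme, sizeof scheme - 1) != 0) /* scheme is case-insensitive */
        return WRAP_CHALLENGE;
    authz += sizeof scheme - 1;
    n = strspn(authz, " \t");
    if (n == 0)                     /* rejects e.g. "WRAPPER ..." */
        return WRAP_CHALLENGE;
    authz += n;
    if (strncmp(authz, param, sizeof param - 1) != 0)
        return WRAP_CHALLENGE;
    authz += sizeof param - 1;
    n = strcspn(authz, " \t\r\n");  /* token ends at whitespace */
    if (authz[n + strspn(authz + n, " \t")] != '\0')
        return WRAP_CHALLENGE;      /* trailing data or CR/LF */
    if (n >= 2 && authz[0] == '"' && authz[n - 1] == '"') {
        authz++;
        n -= 2;
    }
    if (n == 0 || n >= outlen)
        return WRAP_CHALLENGE;
    memcpy(out, authz, n);
    out[n] = '\0';
    return WRAP_TOKEN;
}
```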