httpd-users mailing list archives

Subject [users@httpd] Authentication via x509 or password/otp
Date Mon, 14 Jul 2008 15:26:39 GMT

Hello Apache-Pros,

I'm currently looking for a solution to fulfill the following
authentication requirements:

- End users have a smartcard-based SSL client certificate and a password
or, later, an OTP generator (e.g. RSA SecurID)

The scenario should be as follows:
- If it's possible for the user to use his smartcard and he tries to
connect to the Apache-driven website, standard SSL client authentication is
done. The Tomcat application behind it reads the environment variable
SSL_CLIENT_S_DN and knows about the user and that he authenticated using
his certificate. - FINE
- If it's NOT possible for the user to use his smartcard, for example because he
sits in an internet cafe, he has to use a password or, later, an OTP. The user
accesses the same URL. Apache should recognise that no SSL client
certificate is presented and therefore ask for a username and password.
After successful authentication, the web application asks for
SSL_CLIENT_S_DN, which is then empty. Therefore, the application queries
REMOTE_USER and so knows the username and that he authenticated
without a certificate.

The webapp then offers functionality to the enduser depending on the used
authentication mechanism.

What I tried so far is the following (Apache 2.2.8):

     KeepAlive Off
     <Location />
          SSLVerifyClient      optional
          SSLVerifyDepth       10

          SSLOptions           +FakeBasicAuth +StrictRequire
          SSLUserName          SSL_CLIENT_S_DN_CN

          RewriteEngine        on
          # RewriteLog is only valid in server config or virtual host context
          RewriteLog           /tmp/rewrite.log
          RewriteCond          %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
          RewriteRule          .* /authtest/digest/index.html [L]
          RewriteCond          %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
          RewriteRule          .* /authtest/ssl/index.html [L]
     </Location>

     <Location /authtest/ssl>
          SSLVerifyClient      require
          SSLVerifyDepth       10
     </Location>

     <Location /authtest/digest>
          AuthType             Digest
          AuthName             "realm"
          AuthUserFile         /etc/realm/digest
          Require              valid-user
     </Location>

If a certificate is presented, the auth is done for / and then Apache
redirects to /authtest/ssl. If no cert is presented, the first auth fails and
Apache redirects to /authtest/otp, which then tries to do Digest authentication.

The problem with this setup is that it does not seem very stable. Sometimes it
works, but sometimes not (mostly not). It probably has something to do with
caching, but I'm simply not sure about that. I already tried KeepAlive off.

Secondly, since the web application is the same for certificate and
password / OTP based authentication, two different entry points to the
application seem somewhat sub-optimal :-)

Third, I really would like to place an Apache reverse proxy in front of the
web application, which then does the client authentication, but I'm
wondering how to transfer the information about the authenticated user and
the authentication type to the webapp / Tomcat?

Best regards and thank you!
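The following is an added example, not part of the message above or of the Apache project's documentation, showing one way to cover all three points raised: a single entry point that uses a client certificate when the browser offers one, falls back to Digest authentication otherwise, and forwards the verified identity and the authentication type to Tomcat through a reverse proxy. It assumes Apache 2.2 with mod_ssl, mod_rewrite, mod_headers, mod_auth_digest and mod_proxy_http loaded; the certificate paths, backend URL and X-* header names are placeholders.

```apache
# Added example (not from the original message). Assumes Apache 2.2 with
# mod_ssl, mod_rewrite, mod_headers, mod_auth_digest and mod_proxy_http;
# file paths, the backend URL and the X-* header names are placeholders.
<VirtualHost *:443>
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    # Ask for the certificate in the initial handshake for the whole vhost;
    # a per-Location "require" would force a renegotiation on each request.
    SSLVerifyClient       optional
    SSLVerifyDepth        10
    SSLOptions            +StdEnvVars      # exports SSL_CLIENT_S_DN etc.

    RewriteEngine on
    # Verified certificate: flag the request so the password check is skipped.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteRule .* - [E=CERT_AUTH:1]
    # Otherwise look ahead to the auth phase and capture REMOTE_USER, which
    # is not yet set when vhost-level rewrite rules run.
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1]

    <Location />
        AuthType     Digest
        AuthName     "realm"
        AuthUserFile /etc/realm/digest
        Require      valid-user
        # Satisfy any: a request flagged CERT_AUTH passes the host check and
        # is never challenged; everything else must present a password.
        Order        allow,deny
        Allow from   env=CERT_AUTH
        Satisfy      any
    </Location>

    # Strip identity headers the client may have sent, so the backend only
    # ever sees values set by this server.
    RequestHeader unset X-Auth-Type
    RequestHeader unset X-Remote-User
    RequestHeader unset X-Ssl-Client-Dn
    RequestHeader set X-Auth-Type     certificate           env=CERT_AUTH
    RequestHeader set X-Ssl-Client-Dn "%{SSL_CLIENT_S_DN}e" env=CERT_AUTH
    RequestHeader set X-Auth-Type     password              env=RU
    RequestHeader set X-Remote-User   "%{RU}e"              env=RU

    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
```

The webapp then reads X-Auth-Type together with X-Ssl-Client-Dn or X-Remote-User instead of SSL_CLIENT_S_DN and REMOTE_USER, and Tomcat must only be reachable from this proxy, since anyone who can connect to port 8080 directly could set those headers themselves.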


The official User-To-User support forum of the Apache HTTP Server Project.