Return-Path: X-Original-To: apmail-httpd-users-archive@www.apache.org Delivered-To: apmail-httpd-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A07AB60B7 for ; Mon, 16 May 2011 18:19:29 +0000 (UTC) Received: (qmail 58187 invoked by uid 500); 16 May 2011 18:19:26 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 58145 invoked by uid 500); 16 May 2011 18:19:26 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 58137 invoked by uid 99); 16 May 2011 18:19:26 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 16 May 2011 18:19:26 +0000 X-ASF-Spam-Status: No, hits=2.2 required=5.0 tests=FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RFC_ABUSE_POST,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of jm_mcgrath@hotmail.com designates 65.55.90.177 as permitted sender) Received: from [65.55.90.177] (HELO snt0-omc3-s38.snt0.hotmail.com) (65.55.90.177) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 16 May 2011 18:19:18 +0000 Received: from SNT129-W54 ([65.55.90.137]) by snt0-omc3-s38.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 16 May 2011 11:18:57 -0700 Message-ID: Content-Type: multipart/alternative; boundary="_206a3e2a-b14b-434d-9630-7f51c8dcb7f9_" X-Originating-IP: [142.106.188.83] From: Jeff McGrath To: Date: Mon, 16 May 2011 14:18:53 -0400 Importance: Normal In-Reply-To: References: , MIME-Version: 1.0 X-OriginalArrivalTime: 16 May 2011 18:18:57.0424 (UTC) FILETIME=[B8BD7100:01CC13F5] X-Virus-Checked: Checked by ClamAV on apache.org Subject: RE: [users@httpd] Module Execution --_206a3e2a-b14b-434d-9630-7f51c8dcb7f9_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Thanks Nick .. yes=2C a bit a of a hack.=20 There is a web filter (TruePass) that decrypts a secure cookie and set some= headers. I can customize ones of these headers with an UID that looks like= it's coming from an Oracle Access Manager 10g implementation (OAM_REMOTE_U= SER). I need the Oracle filter to them consume this header to SSO that user= into the Access Management system. The Oracle filter is coded to execute earlier in the authentication sequenc= e so I can never get that header set. The other problem (reverse proxy etc)= is that only the TP filter can decode the cookie and set the appropriate h= eaders. If you attempt to set them 'downstream'=2C they can't be set to rea= d them ... How would I implement mod_rewrite in this type of scenario? Note=2C the longer term solution is to swap out the TP authentication with = something native (X509 auth) ... however=2C this is an attempt at an 'inter= im' solution until another can be fully implemented and users migrated over= . Sincere thanks. Jeff > From: nick@webthing.com > Date: Mon=2C 16 May 2011 15:46:41 +0100 > To: users@httpd.apache.org > Subject: Re: [users@httpd] Module Execution >=20 >=20 > On 16 May 2011=2C at 14:52=2C Jeff McGrath wrote: >=20 > > Good morning ... I'm trying to levarage two different authentication mo= dules in our Apache 2.2 (Solaris 10/64 bit) as part of a POC. I need to ens= ure one fires first as I need to set a header for the second filter to cons= ume. Unfortunately=2C the second (Access Manager) keeps executing first ... > >=20 > > Anyone have some straight forward solution/steps to have implement the = module execution order as desired? >=20 > The modules themselves determine where they hook in to request processing= . >=20 > What header are you expecting an access or authentication module to set? > Sounds like an attempt at a hack to solve some underlying problem. > mod_rewrite is the 'usual' (but ugly) solution to such hacks. Alternativ= ely=2C > tell us the underlying problem=2C and maybe someone will have a better id= ea. >=20 > --=20 > Nick Kew >=20 > Available for work=2C contract or permanent > http://www.webthing.com/~nick/cv.html >=20 >=20 > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project= . > See for more info. > To unsubscribe=2C e-mail: users-unsubscribe@httpd.apache.org > " from the digest: users-digest-unsubscribe@httpd.apache.org > For additional commands=2C e-mail: users-help@httpd.apache.org >=20 = --_206a3e2a-b14b-434d-9630-7f51c8dcb7f9_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Thanks Nick .. yes=2C a bit a of a hack.

There is a web filter (Tru= ePass) that decrypts a secure cookie and set some headers. I can customize = ones of these headers with an UID that looks like it's coming from an Oracl= e Access Manager 10g implementation (OAM_REMOTE_USER). I need the Oracle fi= lter to them consume this header to SSO that user into the Access Managemen= t system.

The Oracle filter is coded to execute earlier in the authe= ntication sequence so I can never get that header set. The other problem (r= everse proxy etc) is that only the TP filter can decode the cookie and set = the appropriate headers. If you attempt to set them 'downstream'=2C they ca= n't be set to read them ...

How would I implement mod_rewrite in thi= s type of scenario?

Note=2C the longer term solution is to swap out = the TP authentication with something native (X509 auth) ... however=2C this= is an attempt at an 'interim' solution until another can be fully implemen= ted and users migrated over.

Sincere thanks.

Jeff

>= =3B From: nick@webthing.com
>=3B Date: Mon=2C 16 May 2011 15:46:41 +01= 00
>=3B To: users@httpd.apache.org
>=3B Subject: Re: [users@httpd= ] Module Execution
>=3B
>=3B
>=3B On 16 May 2011=2C at 14:= 52=2C Jeff McGrath wrote:
>=3B
>=3B >=3B Good morning ... I'm = trying to levarage two different authentication modules in our Apache 2.2 (= Solaris 10/64 bit) as part of a POC. I need to ensure one fires first as I = need to set a header for the second filter to consume. Unfortunately=2C the= second (Access Manager) keeps executing first ...
>=3B >=3B
>= =3B >=3B Anyone have some straight forward solution/steps to have impleme= nt the module execution order as desired?
>=3B
>=3B The modules = themselves determine where they hook in to request processing.
>=3B >=3B What header are you expecting an access or authentication module t= o set?
>=3B Sounds like an attempt at a hack to solve some underlying = problem.
>=3B mod_rewrite is the 'usual' (but ugly) solution to such h= acks. Alternatively=2C
>=3B tell us the underlying problem=2C and may= be someone will have a better idea.
>=3B
>=3B --
>=3B Nick= Kew
>=3B
>=3B Available for work=2C contract or permanent
&g= t=3B http://www.webthing.com/~nick/cv.html
>=3B
>=3B
>=3B = ---------------------------------------------------------------------
&g= t=3B The official User-To-User support forum of the Apache HTTP Server Proj= ect.
>=3B See <=3BURL:http://httpd.apache.org/userslist.html>=3B f= or more info.
>=3B To unsubscribe=2C e-mail: users-unsubscribe@httpd.a= pache.org
>=3B " from the digest: users-digest-unsubscribe@httpd.= apache.org
>=3B For additional commands=2C e-mail: users-help@httpd.ap= ache.org
>=3B
= --_206a3e2a-b14b-434d-9630-7f51c8dcb7f9_--