httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prasanna cg <>
Subject [users@httpd] Apache 2.2 - Query String Validation Capability
Date Thu, 14 Aug 2014 11:09:17 GMT
Hello there,

I am a beginner in Apache and trying to figure out a way to validate a query string in the
request handled by Apache and proxy the request to backend application only upon validation
of the query string value. I am using Oracle HTTP Server 11g (Apache 2.2) 

For Example My current Virtual Host directive is like this. Please excuse me if this is lengthy.
<Location /fed/idp>
 # Standalone weblogic that contains the custom code
 WebLogicHost <hostname>.<domain>.com
 WebLogicPort 7499
 # If Client Certificate Authentication successful in Apache,
 # redirect to AD Authentication for 2nd Factor
 RewriteEngine On
 # If referenceid is not found in the query string, it means the user is first time user.
 # Send him to custom code for 2nd factor AD AuthN
 RewriteCond %{QUERY_STRING} !referenceid
 # Application deployed in Weblogic for AD AuthN
 RewriteRule .* /authenticator/internal/Processor [L]

In the above piece, I am passing the request to a custom AD Authentication module deployed
in my Weblogic if Certificate AuthN succeeds to perform a 2-factor AuthN.

1) For a first time user, upon certificate AuthN success in Apache, his request will not contain
a query string named "referenceid" (which is set by my custom AuthN module that gets invoked
in #2 below ) and so the user will be directed to AD Authentication module for 2nd factor

2) Upon successful AD Authentication, I will set a random "referenceid:value" in the original
request URL as query string and redirect back to Apache.

3) Now when Apache receives this access request from #2 above, Cert AuthN will not be invoked
as there will be a SSL session maintained. But to identify whether this user access has to
be sent to AD AuthN, i currently validate the existence of referenceid in query string. 

However, I want to actually validate whether the value of referenceid in the query string
matches with what i have set in #2. If successful, I do not want the second factor AuthN to
be invoked. The user must be proxied to the backend application directly.

It would be helpful if you can shed some lights on how to achieve this. 

Prasanna CG
View raw message