Hello Apache-Pros,

I'm currently looking for a solution to fulfill the following authentication requirements:

- End users have a smartcard-based SSL client certificate and a password or, later, an OTP generator (e.g. RSA SecurID).

The scenario should be as follows:

- If it's possible for the user to use his smartcard and he tries to connect to the Apache-driven website, standard SSL client authentication is done. The Tomcat application behind reads the environment variable SSL_CLIENT_S_DN and knows about the user and that he authenticated using his certificate. - FINE

But:

- If it's NOT possible for the user to use his smartcard, for example because he sits in an internet cafe, he has to use a password or, later, an OTP. The user accesses the same URL. Apache should recognise that no SSL client certificate is presented and therefore ask the user to enter username and password. After successful authentication, the web application asks for SSL_CLIENT_S_DN, which then is empty. Therefore, the application queries REMOTE_USER and thus knows the username and that he authenticated without a certificate.

The webapp then offers functionality to the end user depending on the authentication mechanism used.

What I tried so far is the following (apache 2.2.8):

    KeepAlive Off

    <Location />
    SSLVerifyClient optional
    SSLVerifyDepth 10
    </Location>

    SSLOptions +FakeBasicAuth +StrictRequire
    SSLUserName SSL_CLIENT_S_DN_CN

    RewriteEngine on
    RewriteLog /tmp/rewrite.log
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule .* /authtest/digest/index.html [L]
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteRule .* /authtest/ssl/index.html [L]

    <Location /authtest/ssl>
    SSLVerifyClient require
    SSLVerifyDepth 10
    </Location>

    <Location /authtest/digest>
    AuthType Digest
    AuthName "realm"
    AuthUserFile /etc/realm/digest
    Require valid-user
    </Location>

If a certificate is presented, the auth is done for / and then Apache redirects to /authtest/ssl. If no cert is presented, the first auth fails and Apache redirects to /authtest/otp, which then tries to do digest authentication.

The problem with this setup is that it seems not very stable. Sometimes it works, but sometimes not (mostly not). It probably has something to do with caching, but I'm simply not sure about that. I already tried KeepAlive off.

Secondly, since the web application is the same for certificate and password/OTP based authentication, two different entry points to the application seem somehow sub-optimal :-)

Third, I really would like to place an Apache reverse proxy in front of the web application which then does the client authentication, but I'm wondering how to transfer the information of the authenticated user and the authentication type to the webapp / Tomcat??

Best regards and thank you!
Markus

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
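One way to address the third point (and the single-entry-point wish), as an added example that is not part of Markus's post or the Apache project's own configuration: keep one public URL, dispatch internally on the handshake result, and have Apache forward the identity and the authentication type to Tomcat in request headers that are stripped from the client request first, so a browser cannot inject them. The CA file path, the backend address, the /auth-cert and /auth-pw prefixes and the header names are assumptions; the `%{...}s` value format is mod_headers' SSL-variable specifier.

```apache
# Added example (not from the original post). Assumes Apache 2.2 with mod_ssl,
# mod_rewrite, mod_headers, mod_auth_digest, mod_proxy and mod_proxy_http
# loaded, a Tomcat backend on 127.0.0.1:8080 that is reachable only from this
# proxy, and the paths and header names below (all assumptions).
SSLEngine on
SSLCACertificateFile /etc/apache2/ssl/smartcard-ca.pem
SSLVerifyClient optional
SSLVerifyDepth 10

# Strip any copy of the identity headers the client may have sent, so the
# backend only ever sees values set by this proxy.
RequestHeader unset X-Auth-User
RequestHeader unset X-Auth-Type
RequestHeader unset X-Ssl-Client-Dn

# One public URL (/app) for everybody; dispatch internally on the handshake
# result. [PT] hands the rewritten URI to the <Location> blocks below.
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
RewriteRule ^/app(.*)$ /auth-cert/app$1 [PT,L]
RewriteRule ^/app(.*)$ /auth-pw/app$1 [PT,L]

<Location /auth-cert/app>
    SSLVerifyClient require
    SSLVerifyDepth 10
    RequestHeader set X-Ssl-Client-Dn "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Auth-Type "certificate"
    ProxyPass http://127.0.0.1:8080/app
    ProxyPassReverse http://127.0.0.1:8080/app
</Location>

<Location /auth-pw/app>
    AuthType Digest
    AuthName "realm"
    AuthUserFile /etc/realm/digest
    Require valid-user
    # REMOTE_USER is only known after the auth phase, so copy it into an
    # environment variable from a per-directory rule (runs in the fixup
    # phase; needs Options FollowSymLinks in effect) for mod_headers to read.
    RewriteEngine on
    RewriteRule .* - [E=RU:%{REMOTE_USER}]
    RequestHeader set X-Auth-User "%{RU}e"
    RequestHeader set X-Auth-Type "password"
    ProxyPass http://127.0.0.1:8080/app
    ProxyPassReverse http://127.0.0.1:8080/app
</Location>
```

The webapp then reads X-Auth-Type and either X-Ssl-Client-Dn or X-Auth-User instead of SSL_CLIENT_S_DN and REMOTE_USER; it must trust those headers only when the request comes from this proxy, which is why the backend port should not be reachable from anywhere else.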