mod_pubcookie is an Apache module, written in C, that uses
the Apache API and the OpenSSL cryptography library to add
Pubcookie-based authentication to the Apache web server. mod_pubcookie
specifically implements the application server component of
Pubcookie.
mod_pubcookie provides the following functionality:
- user authentication via a separate Pubcookie login server
- per-application authentication session management
- per-application inactivity and hard timeouts
- per-application logout
- logging
This functionality can be configured server-wide or on a
per-application basis via the module's run-time configuration
directives.
Apache's authentication features are traditionally turned
on and off by run-time configuration directives. This is no
different with mod_pubcookie; it simply extends the types
of authentication already handled by Apache to include a site's
own Pubcookie-based authentication type(s). See AuthType
for details.
mod_pubcookie uses the REMOTE_USER environment variable
to make each authenticated user's identity (usually, a username)
available to applications.
Pubcookie provides authentication, not authorization: it identifies
who someone is, not what he or she is permitted to do. Therefore,
mod_pubcookie leaves authorization decisions up to other modules,
and, unless some other specialized authorization module is
installed, this means Apache's core module.
Apache's core module is designed to provide authorization
for "basic" authentication. Authorization is configured
with the require directive. When paired with authentication
provided by mod_pubcookie, Apache's core authorization works
with one drawback: if Pubcookie-based authentication succeeds
but Apache's core authorization fails, Apache will challenge
the user to authenticate as if basic authentication had
just failed. As a result, most browsers will present
the user with a pop-up dialog box, which can be confusing
to users who just authenticated themselves (successfully,
mind you) via their site's Pubcookie login service. (Of course,
these are unauthorized users, so they're going to be dismayed
regardless.)
There are two ways to avoid this predicament. First, a site
can load a custom authorization module to override authorization
by Apache's core module when Pubcookie-based authentication
is used. Or, an application can tell the core module that
all authenticated users are authorized (that is, use require
valid-user) and implement authorization on its own.
mod_pubcookie provides control over authentication as Apache
generally does: via run-time configuration directives placed
in Apache config files or per-directory .htaccess files. Similarly,
information is passed to applications the usual Apache way:
indirectly through environment variables. There is no Pubcookie
API in the usual programmatic sense; so there are no library
calls that an application must incorporate.
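The second way out of the authorization predicament described above (tell the core module `require valid-user` and decide authorization inside the application) combined with the point that applications see nothing but the `REMOTE_USER` environment variable, as an added example that is not part of this page or of the Pubcookie distribution. It assumes a WSGI or CGI deployment under a Pubcookie-protected directory; the allow-list and the sample request environments are constructed for illustration.

```python
"""
Application-side authorization on top of mod_pubcookie (added example,
not Pubcookie's own code).

Assumed setup: the directory holding this script carries a Pubcookie
AuthType and `require valid-user`, so Apache's core module lets every
authenticated user through and exposes the identity in REMOTE_USER.
Who is *permitted* to do what is decided here, with no Pubcookie
library calls: the environment is the whole interface.
"""
import logging
from typing import Mapping, Set, Tuple

log = logging.getLogger("pubcookie-app")

# Constructed allow-list for illustration; a real application would
# consult its own group or role store.
ALLOWED_USERS: Set[str] = {"alice", "bob"}

STATUS_LINE = {200: "200 OK", 403: "403 Forbidden"}


def authorize(environ: Mapping[str, str],
              allowed: Set[str] = ALLOWED_USERS) -> Tuple[int, str]:
    """Return (status_code, reason) for the request described by environ.

    Three cases:
    - REMOTE_USER missing or blank: the request did not pass through
      Pubcookie authentication (directory not protected, or directives
      missing). Fail closed and log it; never treat this as anonymous
      access.
    - REMOTE_USER set but not in the allow-list: authenticated, not
      authorized. Answer 403 rather than 401 so the browser does not
      re-prompt with a Basic-auth dialog, which is the drawback of
      letting Apache's core module reject the user.
    - Otherwise: 200.
    """
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        log.warning("REMOTE_USER absent: directory is not Pubcookie-protected")
        return 403, "no authenticated identity"
    if user not in allowed:
        log.info("user %r authenticated but not authorized", user)
        return 403, "authenticated but not authorized"
    return 200, f"welcome {user}"


def application(environ, start_response):
    """Minimal WSGI entry point; a CGI script would pass os.environ instead."""
    code, reason = authorize(environ)
    body = (reason + "\n").encode("utf-8")
    start_response(STATUS_LINE[code],
                   [("Content-Type", "text/plain; charset=utf-8"),
                    ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample environments standing in for what Apache passes.
    for env in ({"REMOTE_USER": "alice"}, {"REMOTE_USER": "mallory"}, {}):
        print(env, "->", authorize(env))
```

Because the decision is driven only by `REMOTE_USER`, the same function works whether the identity arrives via a CGI environment or a WSGI `environ`; what matters is that the script lives in a directory where the Pubcookie directives apply, since an unprotected copy of it would never see the variable and the fail-closed branch would refuse every request.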
The implication for application design is that authentication
is controlled by the layout of an application on the filesystem
itself: some directories are Pubcookie-protected and others
aren't. So an application controls what happens to users by
directing them to URLs (usually directories) that have the
appropriate directives applied to them. Perhaps authentication
is required in one directory, logout features in another,
and free rein everywhere else.
Some of the advantages of this module approach are:
- it performs and scales better since it's done through the
Apache API
- it works well for applications and static content (e.g.
HTML files, images)
- it offers a solution independent from the languages used
to implement applications
- it requires the inclusion of no external code in applications
- it promotes consistent use of Pubcookie among applications