geos_one/CASA
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

This branch was created to contain the "native" auth_token components.

Browse Source 
This was required because autobuild restrictions are forcing us to build
the native components separate from the java components.
This commit is contained in:
Juan Carlos Luciani
2006-07-27 15:28:07 +00:00
parent d2a89a5f7a
commit b49318e38a
109 changed files with 24472 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
CASA-auth-token/native/server/ApacheSupport/2.2/README Normal file
View File

@@ -0,0 +1,108 @@
/***********************************************************************
*
* README for mod_authn_casa
*
***********************************************************************/
INTRODUCTION
mod_authn_casa is an Apache 2.2 Basic Authentication Provider that
can be configured to validate Basic Credentials carrying CASA
Authentication Tokens.
Clients sending CASA Authentication Tokens as part of the Basic Credentials
will format them in the following manner: "username:CasaAuthenticationToken",
where the username is set to "CasaPrincipal" and the CasaAuthenticationToken
is the token string obtained from the CASA Get Authentication Token API..
CONFIGURATION
To use mod_authn_casa as an authentication provider for a specific location
you must first tell Apache that it must load the module, you do this by
placing the module or a link to the module in the Apache server's modules
folder and by placing the following line in the server's httpd.conf file:
LoadModule authn_casa_module modules/mod_authn_casa.so
The following lines show how Apache is configured to use mod_authn_casa
for authenticating requests issued to mod_example:
<Location /example-info>
SetHandler example-handler
AuthType Basic
AuthName "CASA-Authentication"
AuthBasicProvider casa
Require valid-user
</Location>
Note that the name specified in the AuthName directive should match the name
configured under CASA for the authentication realm used by CASA to obtain
identity information for the service.
mod_authn_casa supports the following configuration directives:
UsernameCheck - This is a per-directory or per-location directive which
configures whether or not mod_authn_casa must verify that
the username is set to "CasaPrincipal". Possible values
for this directive are 'on' or 'off'. Default is 'off'.
To enable UsernameChack for a particular location using
CASA Authentication, include the following line inside
the location configuration block:
UsernameCheck on
CLIENT PROGRAMMING NOTES
HTTP Clients sending requests to a location being protected by the CASA
Authentication Provider must obtain an Authentication Token from the CASA
Client for authenticating to the Service identified as the "location" being
accessed in the HTTP Server. In the case of mod_example, the service name
would be "example-info". Once the client obtains an Authentication Token
from the CASA Client it must then include it in the HTTP Basic Authentication
header that it must include in the HTTP Request. The HTTP Basic Authentication
credentials should be in the following form:
Base64("CasaPrincipal":"AuthenticationToken")
SERVER PROGRAMMING NOTES
Apache modules being protected by the CASA Authentication Provider can obtain
the following information about the authenticated identity:
username - This is accessed via the r->user variable or by examining the IdentityId
environment variable associated with the request block. The username is the
user's unique id within the authentication realm. When the authentication realm
is an LDAP database, the username consists of the user's fdn.
Name of the source of identity data (Authentication Realm) - This is accessed by
examining the IdentityDataSourceName environment variable associated with the
request block.
URL to the source of identity data - This is accessed by examining the
IdentityDataSourceUrl environment variable associated with the request block.
Attributes of the authenticated identity - The attributes are set as environment
variables associated with the request block. The environment variable names match
the names of the attributes. The attributes associated with the authenticated
identity and expressed as environment variables are configured at the time that
the service is enabled for CASA Authentication.
Note that environment variables are contained in the r->subprocess_env table.
SECURITY CONSIDERATIONS
CASA Authenticatication Tokens when compromised can be used to either impersonate
a user or to obtain identity information about the user. Because of this it is
important that the tokens be secured by applications making use of them. It is
recommended that the tokens be transmitted using HTTPS.