Hi guys,

We want to protect a particular area of our web site by using an
external authentication engine. That external engine must be called
beforehand (most likely using a server side redirect) and based on its
response we may or may not proceed.

Obviously we need to be absolutely sure that we get this response from
that particular engine (and not someone in between) and if possible we
would like to achieve this with using standard modules (such as
mod_rewrite).

It is only allowed to call a particular url (on our web site) when we a
positive response is received from that particular authentication
engine. Is there any way to enforce this with mod_rewrite (or possibly
a different module)?

Thanks in advance,
Gerco

[ Post a follow-up to this message ]

Gerco wrote:
> Hi guys,
>
> We want to protect a particular area of our web site by using an
> external authentication engine. That external engine must be called
> beforehand (most likely using a server side redirect) and based on its
> response we may or may not proceed.
>
> Obviously we need to be absolutely sure that we get this response from
> that particular engine (and not someone in between) and if possible we
> would like to achieve this with using standard modules (such as
> mod_rewrite).
>
> It is only allowed to call a particular url (on our web site) when we a
> positive response is received from that particular authentication
> engine. Is there any way to enforce this with mod_rewrite (or possibly
> a different module)?

here is the set up we have at work -
The protected website has an internal address (192. or a 10. address).
There is a firewall rule which says it cannot be reached except through *thi
s*
proxy - this is the critical bit.
In your case, the proxy would be where your security engine would sit, do it
s
bit and proxies requests (Apache mod_ rewrite on) to your internal protected
website.

In the above scenario, no one (not even internal users on the Lan) can go
directly to the protected site except through the proxy ... which is what I
think you are after. Creating another proxy and spoofing its IP address is a
lso
not posssible because of the firewall rule.

--
Some men rob you with a six-gun -- others with a fountain pen.
-- Woodie Guthrie

[ Post a follow-up to this message ]

I see, this will work if the security engine is able to call the
protected web site. However, in our case it is the other way around.
The web site calls the security engine (which is nothing more than a
web service) and based on its response it should allow access to its
protected area.

Btw, both the security engine as well as the web site reside in the
same data center, allowing for some level of trust.

Is it perhaps possible to configure something that if a response is
retrieved from a particular ip (the security engine), then (and only
then) it is forwarded to the protected url. But how to ensure this
protected url is not called directly then. And how can I be sure the
response is from the security engine and is not tampered with.

[ Post a follow-up to this message ]

Gerco wrote:
> I see, this will work if the security engine is able to call the
> protected web site. However, in our case it is the other way around.

And that's the problem. The security engine must redirect to your site
and this unmasks the URL of your "protected" area, which can be
bookmarked and called directly, of course. It might even be indexed by
search engines (if you don't use some disallow statements in your
robots.txt), because google finds new URLs also with its toolbar with
enabled PageRank feature (at least tests have shown that, no direct
links were set to a specific test page, but the page was requested by a
browser with the google toolbar and enabled pagerank feature).

> Is it perhaps possible to configure something that if a response is
> retrieved from a particular ip (the security engine),

No, you can check only the totally unreliable HTTP-request header
"referer". But it an be spoofed, or it is empty (e.g. removed by privacy
software, cacheing proxies, direct call).

Why don't you use the directory protection provided by mod_auth?

http://httpd.apache.org/docs/2.0/mod/mod_auth.html
http://httpd.apache.org/docs/2.0/howto/auth.html

--
Robert

[ Post a follow-up to this message ]