Friday, September 28, 2007

Integration - Web authentication

I just finished a small experiment which started yesterday with the question:

Is it possible to do HTTP authentication using the Coalevo Security Service?

The good news is that the answer is "Yes, it is possible!". The bad news is that it is a hack and would need some development and enhancements to work properly.

Hands on


Let's apply the Feynman Problem Solving Algorithm:

(1) write down the problem;
(2) think very hard;
(3) write down the answer.
(Attributed to Murray Gell-Mann)


Step 1: Write down the Problem

An incoming HTTP/HTTPS request handled by an Apache 2.2 server should be authenticated against the Coalevo security service and its user database.



Step 2: Think very hard

What are you waiting for?

Step 3: Write down the answer

An incoming HTTP/HTTPS request handled by an Apache 2.2 server is authenticated via mod_authnz_external, which calls a hardcoded function built on the uRadiusLib project to authenticate against the Coalevo RADIUS Service, which in turn authenticates using the Coalevo Security Service.



Now. What is the hack and what are the possible enhancements?

  • To avoid loading the dictionary for every single request, I have modified uRadiusLib to do it just once.

  • Every single request hits the RADIUS Service. A local in-memory authentication cache (LRU) would be nice. memcached doesn't make much sense, given that the RADIUS Server has an in-memory cache mechanism anyway.

  • Probably a retry should be implemented.

  • Too much hardcoded info; some configuration should definitely come from a config file (but maybe not read every single time).


But :) It works, and it represents a proof of concept. And yes, I have tried the radius modules, including xradius, but I couldn't get them to work properly (xradius for example blocked on subsequent requests, the standard radius one didn't work at all against 2.2).
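As an added illustration of the cache and retry enhancements listed above (example code, not from the post, from uRadiusLib or from mod_authnz_external), here is a Python sketch of the helper logic such an external authenticator would run; `radius_check` is an assumed stand-in for the uRadiusLib call, and the cache keeps only a salted hash of a password that the RADIUS service already accepted.

```python
import hashlib, hmac, os, time
from collections import OrderedDict

# Constructed example, not the post's code. `radius_check(user, password)` stands in
# for the uRadiusLib call to the Coalevo RADIUS service: True on Access-Accept,
# False on Access-Reject, TimeoutError raised when no reply arrives.

class AuthCache:
    """LRU with TTL; stores a salted hash, never the password, and only successes."""
    def __init__(self, max_entries=256, ttl=300):
        self.max_entries, self.ttl = max_entries, ttl
        self._entries = OrderedDict()  # user -> (salt, digest, expires_at)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def check(self, user, password, now=None):
        now = time.monotonic() if now is None else now
        entry = self._entries.get(user)
        if entry is None:
            return False
        salt, digest, expires_at = entry
        if now >= expires_at:
            del self._entries[user]
            return False
        self._entries.move_to_end(user)  # mark as most recently used
        return hmac.compare_digest(digest, self._digest(salt, password))

    def store(self, user, password, now=None):
        now = time.monotonic() if now is None else now
        salt = os.urandom(16)
        self._entries[user] = (salt, self._digest(salt, password), now + self.ttl)
        self._entries.move_to_end(user)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # evict the least recently used user

def authenticate(user, password, radius_check, cache, retries=3):
    """Accept only on a definite Access-Accept; retry lost packets, never rejects; fail closed."""
    if cache.check(user, password):
        return True
    for _ in range(retries):
        try:
            accepted = radius_check(user, password)
        except TimeoutError:
            continue
        if accepted:
            cache.store(user, password)
        return accepted
    return False
```

With the mod_authnz_external "pipe" method Apache writes the username and the password as two lines on the helper's stdin and treats exit status 0 as success, so a wrapper would exit 0 only when `authenticate()` returns True. Since that method starts a fresh helper process per request, the cache only pays off when the check runs inside a long-lived process.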
