Ian Bicking: the old part of his blog

Re: More on single-signon

We had much the same situation within a tomcat-hosted application. It had to support instantaneous detection of changing user privileges and authenticate against ldap, rdbms, and flatfile resources. I was astonished to find that there was no library already out there to do this; it seems like a pretty common need. I ended up writing a java Filter class to do the work of intercepting requests and checking whether they were authenticated; if not we send them to whatever resource is appropriate for authentication (a login form or a client cert in our case). Two small support classes solved the 'check arbitrary backend' issue.

We addressed efficiency by updating a MRU role cache in memory. Adding a bit of code to update the cache externally from events (like deleting an Employee from an ldap server) took care of the last part. It works very well and I never saw the horrible performance hit I expected from filtering every request. (This situation is why I asked you whether WebWare had filters).

Apache 2.0 has protocol Filters, which allow you to do the same thing (they're not as well documented, though). I can't see why the same approach wouldn't work well enough; you should be able to call the various mod_auth backends to do the real work, ending up with a sort of mod_meta_auth I guess.

Comment on More on single-signon
by Jeff Duffy

Comments:

The equivalent in Webware would be something in the SitePage.awake() method, or something like LoginKit which I've found flexible enough for most any authentication I've needed to do. I also have a WSGI middleware for this (that I haven't used much), and http://www.pythonweb.org has something similar for WSGI.

This is how people tend to do it... but it only works in one environment. Which is one of several reasons there's so much pressure to have a homogenous environment. But I think it should be resolvable, at least on the Apache level, without binding it to any particular language or programming environment.

# Ian Bicking