WebApp Sec mailing list archives

Re: Security using Apache module


From: Ivan Ristic <ivanr () webkreator com>
Date: Thu, 18 Mar 2004 12:35:54 +0000

stevenr () mastek com wrote:

I have a web based J2EE application hosted on one box (Box1) and a
web-based report-generating server on another box (Box2). Both Box1 and
Box2 talk to a common DB. A user logs into Box1 and is authenticated and
the server stores a session id in a cookie. Then a link from the
application points to Box2 and fetches a dynamically-generated report in
PDF format by passing required parameters in the URL to Box2.
Problem: There is no session-related connection from Box1 and Box2. The reports
application is a 3rd party tool, the only common point between the two
boxes being that they talk HTTP using the Apache server (version 1.3,
fyi). So it is possible for a user to craft the URL pointing to Box2
and circumvent Box1 altogether.

e. And lastly, does anyone have a better idea?

  Is report download the only function you expect from Box2? If so,
  rather than writing an Apache module it could be simpler to avoid
  sending users to Box2 altogether. Write a script on Box1 to
  authenticate the user, fetch the report from Box2, and send the
  report to the user.

  If this is not acceptable, and going back to the Apache module idea,
  there's this nice little module, mod_auth_remote:

  http://puggy.symonds.net/~srp/stuff/mod_auth_remote/

  You could use it to move the authentication functionality back to
  Box1 and avoid writing an Apache module altogether. You could
  use it as is, or change the code to send the cookie instead.

  I didn't use it myself but the idea is wonderful.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
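The first suggestion in the reply (Box1 authenticates the user, fetches the report from Box2 itself, and relays it) is sketched below as an added illustration; it is not code from the thread or from mod_auth_remote. It assumes a hypothetical internal Box2 URL, an in-memory session store standing in for the shared DB, and that each session carries the set of report ids the user may view. The security-relevant parts are that Box2 is never addressed by the browser, that only allow-listed parameters are forwarded, and that the Box2 URL is built from sanitized values rather than the user's raw query string.

```python
"""Box1-side report gateway: authenticate, authorize, fetch from Box2, relay.

Added illustration (not code from the thread). Assumes:
  * Box1 keeps server-side sessions keyed by the cookie value (in-memory dict here).
  * Box2 is reachable only from Box1 (network policy is outside this snippet).
  * Report parameters are restricted to an allow-list the session grants.
"""
import urllib.parse
import urllib.request

BOX2_BASE = "http://box2.internal:8080/reports"   # hypothetical internal URL

# Constructed session store: cookie value -> user record with the report ids
# that user is entitled to see. A real deployment would back this with the DB.
SESSIONS = {
    "sid-alice-7f3a": {"user": "alice", "reports": {"sales-q1", "sales-q2"}},
}

# Only these query parameters are ever forwarded to Box2, and each must match
# a tight pattern, so the user cannot smuggle extra Box2 options through Box1.
ALLOWED_PARAMS = {
    "report": lambda v: v.replace("-", "").isalnum() and len(v) <= 32,
    "format": lambda v: v in {"pdf"},
}


class Forbidden(Exception):
    """Raised when the request must be rejected with HTTP 403."""


def authorize(cookie, raw_params):
    """Return the sanitized parameter dict for this session, or raise Forbidden."""
    session = SESSIONS.get(cookie)
    if session is None:
        raise Forbidden("no valid session")
    clean = {}
    for key, value in raw_params.items():
        check = ALLOWED_PARAMS.get(key)
        if check is None or not check(value):
            raise Forbidden(f"parameter not allowed: {key}")
        clean[key] = value
    if "report" not in clean or clean["report"] not in session["reports"]:
        raise Forbidden("report not granted to this user")
    clean.setdefault("format", "pdf")
    return clean


def build_box2_url(params, base=BOX2_BASE):
    """Compose the Box2 URL from sanitized parameters only (never from the raw query)."""
    return base + "?" + urllib.parse.urlencode(sorted(params.items()))


def default_fetcher(url):
    """Server-to-server fetch of the report bytes; Box2 never sees the user's cookie."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def serve_report(cookie, raw_params, fetcher=default_fetcher):
    """Gateway entry point: returns (status, headers, body) for the user's request."""
    try:
        params = authorize(cookie, raw_params)
    except Forbidden as exc:
        return 403, {"Content-Type": "text/plain"}, str(exc).encode()
    body = fetcher(build_box2_url(params))
    if not body.startswith(b"%PDF"):
        # Box2 returned something other than a PDF (error page, HTML); do not relay it.
        return 502, {"Content-Type": "text/plain"}, b"upstream did not return a PDF"
    headers = {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{params["report"]}.pdf"',
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed stand-in for Box2 so the script runs offline.
    fake = lambda url: b"%PDF-1.4 constructed report for " + url.encode()
    print(serve_report("sid-alice-7f3a", {"report": "sales-q1"}, fetcher=fake)[0])
    print(serve_report("sid-alice-7f3a", {"report": "hr-salaries"}, fetcher=fake)[0])
    print(serve_report("bogus", {"report": "sales-q1"}, fetcher=fake)[0])
```

The `fetcher` parameter exists so the gateway can be exercised without a live Box2; in production the default `urllib` fetch is used and Box2 should additionally be firewalled so that only Box1 can reach it, otherwise a crafted URL to Box2 still bypasses the gateway.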
