[MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm) an

on 29.01.2008 10:51:00 by titetluc

Hello all Apache mod_perl2 module experts (I am a newbie with Apache),

Hope I am clear in my explanations (my English is not so good and I had a
lot of problems explaining my needs by mail. I am not sure that everybody
will read entirely this mail ;-)))))))

The direct question:
Is it possible to:
. use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to
authenticate a client for the first request,
. then create a session tracking module (based on cookies) for the next
requests (I would write this last module in Perl)


The indirect question (good luck ;))

I am currently working on a project to develop a server hosting HTTP
applications developed with different technologies and I am in charge of the
session management (authentication along with SSO) for the HTTP-based
applications.
Applications are developed in
. PHP
. Servlet
I cannot modify these applications (in terms of authentication)

My objective is to "offer" SSO, meaning that the end-user will be asked for
authentication only once, when accessing PHP or servlet (backend).
The idea: an Apache module will simulate an HTTP client against the PHP or
the servlet by sending basic authentication to PHP/servlet (ok, I simplify
the problem, because the PHP or servlet container could require another
authentication mechanism)

Apache would act as a front-end and would
. manage authentication against the client
. manage session tracking with cookies
. simulate the client authentication against the application (servlet or
PHP) by sending basic authentication to the servlet or PHP applications (or
any other mechanism, depending on the application authentication mechanism)

I will write a session tracking module (using the PerlAuthenHandler
handler). This module will manage:
. a cookie for session tracking
. the client simulation (using basic authentication or any other
mechanism) against the back-end (PHP/Servlet)

My requirement: this module has to be usable with any existing client
authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
mod_auth_ntlm, ...)

For example,
. a client (a web services based client) uses basic authentication for the
first request then a cookie is used for the next requests
. a client (a browser) uses FORM authentication for the first request then a
cookie is used for the next requests.
. a client uses NTLM authentication ....
. a client uses digest authentication ....

I would imagine the Apache configuration as below


<Location /docs_protected_access_basic>
AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie
....
</Location>

This would mean that :
. MySessionModuleVerifyCookie would be first called, verifying if the
cookie is present and correct
. If no cookie, then basic authent is requested
. if basic authent ok, then MySessionModuleGenerateCookie generates a valid
cookie

Another example,

<Location /docs_protected_access_ntlm>
AuthType MySessionModuleVerifyCookie ntlm MySessionModuleGenerateCookie
....
</Location>



I searched for Apache modules fitting my needs. The Internet community
proposes a lot of modules but all of these modules mix the different phases
I described above (authentication between client and Apache, credentials
verifications, session creation)
For example,
. mod_auth_pam: "The PAM authentication module implements Basic
authentication on top of the Pluggable Authentication Module library". This
means that the module implements basic authentication with PAM to verify
credentials but without cookie session tracking
. mod_auth_cookie_mysql: implements only FORM authentication with SQL to
verify credentials with cookie session tracking
. Apache::AuthTicket: implements only FORM authentication with any
credentials mechanism (the module is extensible) with cookie session
tracking
. Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but does
not manage digest or form authentication

My question: is it possible to serialize authentication modules in the
AuthType Apache directive? If so, how do these modules interact with each
other?
Another way to ask the question: is it possible to use already existing
Apache modules (basic, ntlm, digest, ...) to be included in a more global
authentication/session framework? The advantage of such a solution is that I
can reuse the existing Apache modules (basic, ntlm, digest, ...),
concentrating on my session tracking module. (I read the mod_perl2
documentation and mod_perl2 offers only Basic and Digest authentication. It
does not offer NTLM authentication).

Last but not least, my session tracking module has to be developed in Perl !

Thanks

Gaetan

Re: [MP2] [QUESTION] authentication modules (reuse of

on 29.01.2008 15:06:35 by Rafael Caceres

Gaetan:

On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote:
> Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
>
> Hope I am clear in my explanations (my English is not so good and I
> had a lot of problems explaining my needs by mail. I am not sure that
> everybody will read entirely this mail ;-)))))))
>
> The direct question:
> Is it possible to:
> . use the mod_auth_basic module (or mod_auth_digest or
> mod_auth_ntlm) to authenticate a client for the first request,
> . then create a session tracking module (based on cookies) for the
> next requests (I would write this last module in Perl)
>
The cookie needs to be set up upon authentication, so you have to use an
authentication module other than the basic authentication, which does
not set up a cookie.
>
> The indirect question (good luck ;))
>
> I am currently working on a project to develop a server hosting HTTP
> applications developed with different technologies and I am in charge
> of the session management (authentication along with SSO) for the
> HTTP-based applications.
> Applications are developed in
> . PHP
> . Servlet
> I can not modify these applications (in term of authentication)
>
> My objective is to "offer" SSO, meaning that the end-user will be
> asked authentication only once, when accessing PHP or servlet
> (backend).
> The idea: an Apache module will simulate an HTTP client against the
> PHP or the servlet by sending basic authentication to PHP/servlet (ok,
> I simplify the problem, because the PHP or servlet container could
> require another authentication mechanism)
>
> Apache would act as a front-end and would
> . manage authentication against the client
> . manage session tracking with cookies
> . simulate the client authentication against the application
> (servlet or PHP) by sending basic authentication to the servlet or PHP
> applications (or any other mechanism, depending on the application
> authentication mechanism)
>
Take a look at the AuthCookie and AuthTicket modules, they can be used
to easily build a solution like the one you are indicating.

> I will write a session tracking module (using the PerlAuthenHandler
> handler). This module will manage:
> . a cookie for session tracking
> . the client simulation (using basic authentication or any other
> mechanism) against the back-end (PHP/Servlet)
>
> My requirement: this module has to be usable with any existing client
> authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> mod_auth_ntlm, ...)
>

> For example,
> . a client (a web services based client) uses basic authentication for
> the first request then a cookie is used for the next requests
> . a client (a browser) uses FORM authentication for the first request
> then a cookie is used for the next requests.
> . a client uses NTLM authentication ....
> . a client uses digest authentication ....
>
> I would imagine the Apache configuration as below
>
> <Location /docs_protected_access_basic>
> AuthType MySessionModuleVerifyCookie basic
> MySessionModuleGenerateCookie
> ....
> </Location>
>
> This would mean that :
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a
> valid cookie
>
> Another example,
> <Location /docs_protected_access_ntlm>
> AuthType MySessionModuleVerifyCookie ntlm
> MySessionModuleGenerateCookie
> ....
> </Location>
>
>
> I searched for Apache modules fitting my needs. The Internet community
> proposes a lot of modules but all of these modules mix the different
> phases I described above (authentication between client and Apache,
> credentials verifications, session creation)
> For example,
> . mod_auth_pam: "The PAM authentication module implements Basic
> authentication on top of the Pluggable Authentication Module library".
> This means that the module implements basic authentication with PAM to
> verify credentials but without cookie session tracking
> . mod_auth_cookie_mysql: implements only FORM authentication with SQL
> to verify credentials with cookie session tracking
> . Apache::AuthTicket: implements only FORM authentication with any
> credentials mechanism (the module is extensible) with cookie session
> tracking
> . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but
> does not manage digest or form authentication
>
> My question: is it possible to serialize authentication modules in the
> AuthType Apache directive ? If so, how these modules interact each
> others.
> Another way to ask the question: is it possible to use already
> existing Apache module (basic, ntlm, digest, ...) to be included in a
> more global authentication/session framework ? Advantage of such a
> solution is that I can reuse the existing Apache modules (basic, ntlm,
> digest, ...), concentrating on my session tracking module. (I read the
> mod_perl2 documentation and mod_perl2 offers only Basic and Digest
> authentication. It does not offer NTLM authentication).
>
> Last but not least, my session tracking module has to be developed in
> Perl !
>
> Thanks
>
> Gaetan
Regards,
Rafael Caceres

Re: [MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm

on 30.01.2008 09:13:43 by titetluc

Thank you for your answer Rafael

My comments are below

2008/1/29, Rafael Caceres:
>
> Gaetan:
>
> On Tue, 2008-01-29 at 10:51 +0100, titetluc titetluc wrote:
> > Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
> >
> > Hope I am clear in my explanations (my English is not so good and I
> > had a lot of problems explaining my needs by mail. I am not sure that
> > everybody will read entirely this mail ;-)))))))
> >
> > The direct question:
> > Is it possible to:
> > . use the mod_auth_basic module (or mod_auth_digest or
> > mod_auth_ntlm) to authenticate a client for the first request,
> > . then create a session tracking module (based on cookies) for the
> > next requests (I would write this last module in Perl)
> >
> The cookie needs to be setup upon authentication, so you have to use an
> authentication module other than the basic authentication, which does
> not set up a cookie.


This is one of my problems: how can I link basic authentication with a
cookie?
One of the solutions I proposed (but is it feasible with Apache
infrastructure and AuthType directive?) was to declare different
authentication types with the AuthType directive

<Location /docs_protected_access_basic>
AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie
....
</Location>

This would mean that :
. MySessionModuleVerifyCookie would be first called, verifying if the
cookie is present and correct
. If no cookie, then basic authent is requested
. if basic authent ok, then MySessionModuleGenerateCookie generates a valid
cookie

In fact, my ultimate objective was to have an authentication framework based
on cookie.
It would be possible, with such a framework, to define client authentication
type.

The following example would mean: use cookie for authentication tracking,
but first request can be authenticated with SSL. If SSL not available, use
NTLM. If NTLM not available, use Form authentication.
SSL, NTLM and Form authentication would be external modules I would reuse

<Location /docs_protected_access>
AuthType AuthentFrameworkCookie
AuthOrder SSL NTLM Form
....
</Location>

Modules on Internet offer only one kind of authentication. Combining 2 (or
more) authentication types is hard to configure (see SSL with basic authent
http://www.modssl.org/docs/2.8/ssl_howto.html). And worse, combining
authentication types with cookie is harder.

Due to planning constraints, I will have to be less ... ambitious ;-)

>
> > The indirect question (good luck ;))
> >
> > I am currently working on a project to develop a server hosting HTTP
> > applications developed with different technologies and I am in charge
> > of the session management (authentication along with SSO) for the
> > HTTP-based applications.
> > Applications are developed in
> > . PHP
> > . Servlet
> > I can not modify these applications (in term of authentication)
> >
> > My objective is to "offer" SSO, meaning that the end-user will be
> > asked authentication only once, when accessing PHP or servlet
> > (backend).
> > The idea: an Apache module will simulate an HTTP client against the
> > PHP or the servlet by sending basic authentication to PHP/servlet (ok,
> > I simplify the problem, because the PHP or servlet container could
> > require another authentication mechanism)
> >
> > Apache would act as a front-end and would
> > . manage authentication against the client
> > . manage session tracking with cookies
> > . simulate the client authentication against the application
> > (servlet or PHP) by sending basic authentication to the servlet or PHP
> > applications (or any other mechanism, depending on the application
> > authentication mechanism)
> >
> Take a look at the AuthCookie and AuthTicket modules, they can be used
> to easily build a solution like the one you are indicating.


I already studied these modules, but they manage only form authentication.
In any case, I think I will use the AuthCookie module to build a POC.

> I will write a session tracking module (using the PerlAuthenHandler
> > handler). This module will manage:
> > . a cookie for session tracking
> > . the client simulation (using basic authentication or any other
> > mechanism) against the back-end (PHP/Servlet)
> >
> > My requirement: this module has to be usable with any existing client
> > authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> > mod_auth_ntlm, ...)
> >
>
> > For example,
> > . a client (a web services based client) uses basic authentication for
> > the first request then a cookie is used for the next requests
> > . a client (a browser) uses FORM authentication for the first request
> > then a cookie is used for the next requests.
> > . a client uses NTLM authentication ....
> > . a client uses digest authentication ....
> >
> > I would imagine the Apache configuration as below
> >
> > <Location /docs_protected_access_basic>
> > AuthType MySessionModuleVerifyCookie basic
> > MySessionModuleGenerateCookie
> > ....
> > </Location>
> >
> > This would mean that :
> > . MySessionModuleVerifyCookie would be first called, verifying if the
> > cookie is present and correct
> > . If no cookie, then basic authent is requested
> > . if basic authent ok, then MySessionModuleGenerateCookie generates a
> > valid cookie
> >
> > Another example,
> > <Location /docs_protected_access_ntlm>
> > AuthType MySessionModuleVerifyCookie ntlm
> > MySessionModuleGenerateCookie
> > ....
> > </Location>
> >
> >
> > I searched for Apache modules fitting my needs. The Internet community
> > proposes a lot of modules but all of these modules mix the different
> > phases I described above (authentication between client and Apache,
> > credentials verifications, session creation)
> > For example,
> > . mod_auth_pam: "The PAM authentication module implements Basic
> > authentication on top of the Pluggable Authentication Module library".
> > This means that the module implements basic authentication with PAM to
> > verify credentials but without cookie session tracking
> > . mod_auth_cookie_mysql: implements only FORM authentication with SQL
> > to verify credentials with cookie session tracking
> > . Apache::AuthTicket: implements only FORM authentication with any
> > credentials mechanism (the module is extensible) with cookie session
> > tracking
> > . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but
> > does not manage digest or form authentication
> >
> > My question: is it possible to serialize authentication modules in the
> > AuthType Apache directive ? If so, how these modules interact each
> > others.
> > Another way to ask the question: is it possible to use already
> > existing Apache module (basic, ntlm, digest, ...) to be included in a
> > more global authentication/session framework ? Advantage of such a
> > solution is that I can reuse the existing Apache modules (basic, ntlm,
> > digest, ...), concentrating on my session tracking module. (I read the
> > mod_perl2 documentation and mod_perl2 offers only Basic and Digest
> > authentication. It does not offer NTLM authentication).
> >
> > Last but not least, my session tracking module has to be developed in
> > Perl !
> >
> > Thanks
> >
> > Gaetan
> Regards,
> Rafael Caceres
>
>

Re: [MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm

on 30.01.2008 13:38:37 by torsten.foertsch

On Wed 30 Jan 2008, titetluc titetluc wrote:
> This would mean that :
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a valid
> cookie

Sorry, but I haven't really understood what you are trying to achieve. I
assume you understand the difference between authentication and
authorization and how they work together. If not try to figure that out
first.

1) Perhaps you want to replace a specialized cookie named Authorization
header with a general purpose cookie. (The Authorization header is nothing
else than a specialized cookie.)

This can easily be done by forging the Authorization header in a request
phase that comes before (or even in) Auth if the general purpose cookie is
there and correct. In a phase after Auth (like Fixup) you can then add your
cookie if it is not there. Then all your documents would have to be secured
by normal Auth-configuration. This can be done with Apache 1.3, 2.0 and 2.2.

2) If you are looking for a more general solution (which I believe you are)
then for Apache 2.0+ have a look at the Auth*Authoritative directives, e.g.
AuthBasicAuthoritative. Almost all Auth-modules implement such a directive.
Your specialized-cookie-module would also have to implement such one. Then
you can chain Authentication-modules together. If an Authentication module
is authoritative it returns HTTP_UNAUTHORIZED if the user identity cannot be
verified. If it is not authoritative it returns DECLINED instead passing the
responsibility to the next authentication module.

3) With Apache 2.2 came authentication providers. They allow to chain
different identity verification sources. But all of them are based on the
same identity information that is passed in by the client (browser). Among
geoff's modules is one that provides a perl interface to that.

Torsten
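
The chaining described in point 2 of the reply above, as an added example that is not part of the original thread and not code from any Apache module: a cookie check that authenticates on a valid signed ticket and otherwise returns DECLINED so the next authentication module challenges the client, plus a Fixup handler that issues the ticket afterwards. The module name My::SessionCookie, the cookie name MYSESSION, the PerlSetVar key MySessionSecret and the HMAC ticket format are assumptions; it also assumes the Perl handler is ordered ahead of the built-in Basic/Digest/NTLM module, which should be checked on the target build.

```perl
package My::SessionCookie;    # hypothetical module name (assumption)
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed wiring inside the protected <Location> (values are placeholders):
#   AuthType Basic            (plus the usual AuthName / AuthUserFile)
#   Require valid-user
#   PerlSetVar        MySessionSecret "long-random-value"
#   PerlAuthenHandler My::SessionCookie::authen
#   PerlFixupHandler  My::SessionCookie::fixup
BEGIN {    # under mod_perl2, load the classes that provide the $r methods used below
    if ($ENV{MOD_PERL}) { require Apache2::RequestRec; require Apache2::RequestUtil; require APR::Table }
}
use constant { OK => 0, DECLINED => -1 };    # numeric values of Apache2::Const OK / DECLINED
my $COOKIE = 'MYSESSION';                    # hypothetical cookie name
my $TTL    = 900;                            # ticket lifetime in seconds

# Ticket = hex(user):expiry:HMAC-SHA256(hex(user):expiry). No password is stored in it.
sub issue_ticket {
    my ($secret, $user, $now) = @_;
    die "no session secret configured\n" unless defined $secret && length $secret;
    my $body = join ':', unpack('H*', $user), $now + $TTL;
    return $body . ':' . hmac_sha256_hex($body, $secret);
}

# Returns the user name for an authentic, unexpired ticket, undef otherwise.
sub verify_ticket {
    my ($secret, $ticket, $now) = @_;
    return undef unless defined $secret && length $secret;    # fail closed
    my ($hex, $exp, $mac) = ($ticket // '') =~ /\A((?:[0-9a-f]{2})+):(\d+):([0-9a-f]{64})\z/
        or return undef;
    my $want = hmac_sha256_hex("$hex:$exp", $secret);
    my $diff = 0;    # compare every character so timing does not reveal a partial match
    $diff |= ord(substr $want, $_, 1) ^ ord(substr $mac, $_, 1) for 0 .. 63;
    return undef if $diff || $exp < $now;
    return pack 'H*', $hex;
}

sub ticket_from {    # pull our cookie's value out of the request's Cookie header
    my ($r) = @_;
    my ($t) = ($r->headers_in->get('Cookie') // '') =~ /(?:\A|;\s*)\Q$COOKIE\E=([^;\s]+)/;
    return $t;
}

# PerlAuthenHandler: a valid cookie authenticates the request. Otherwise return
# DECLINED so the next authentication module (Basic, Digest, NTLM ...) takes over.
sub authen {
    my ($r) = @_;
    my $secret = $r->dir_config('MySessionSecret');
    my $user   = verify_ticket($secret, ticket_from($r), time);
    return DECLINED unless defined $user;
    $r->user($user);
    return OK;
}

# PerlFixupHandler: reached only after authentication and authorization passed.
# If the user came in through another module, hand out a fresh ticket.
sub fixup {
    my ($r) = @_;
    my $user   = $r->user;
    my $secret = $r->dir_config('MySessionSecret');
    return OK unless defined $user && length $user;
    return OK if defined verify_ticket($secret, ticket_from($r), time);
    $r->err_headers_out->add('Set-Cookie' => "$COOKIE="
          . issue_ticket($secret, $user, time) . '; Path=/; Secure; HttpOnly');
    return OK;
}

# Stand-alone run with plain perl: mock request objects, constructed for this demo.
package Mock::Table {
    sub new { bless {}, shift }
    sub get { $_[0]{ lc $_[1] } }
    sub add { $_[0]{ lc $_[1] } = $_[2] }
}
package Mock::R {
    sub new { bless { in => Mock::Table->new, out => Mock::Table->new }, shift }
    sub headers_in      { $_[0]{in} }
    sub err_headers_out { $_[0]{out} }
    sub dir_config      { 'constructed-demo-secret' }
    sub user { my $s = shift; $s->{user} = shift if @_; $s->{user} }
}
unless (caller) {
    my $first = Mock::R->new;
    print "no cookie:     authen -> ", authen($first), "\n";
    $first->user('gaetan');    # as if the Basic module had accepted the credentials
    fixup($first);
    my ($pair) = $first->err_headers_out->get('Set-Cookie') =~ /\A([^;]+)/;
    my $next = Mock::R->new;
    $next->headers_in->add(Cookie => $pair);
    print "valid cookie:  authen -> ", authen($next), ", user=", $next->user, "\n";
    (my $forged = $pair) =~ s/=[0-9a-f]+:/=61646d696e:/;    # user field swapped to hex("admin")
    my $bad = Mock::R->new;
    $bad->headers_in->add(Cookie => $forged);
    print "forged cookie: authen -> ", authen($bad), "\n";
}
1;
```

The ticket carries only the user name and an expiry, so a stolen cookie is usable until it expires but never exposes the password; the `Secure` attribute assumes the location is served over TLS.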

Re: [MP2] [QUESTION] authentication modules (reuse of mod_auth_basic, mod_auth_digest, mod_auth_ntlm

on 30.01.2008 14:03:18 by Rolf Schaufelberger

On Tuesday 29 January 2008 10:51:00, titetluc titetluc wrote:
> Hello all Apache mod_perl2 module experts (I am a newbie with Apache),
>
> Hope I am clear in my explanations (my English is not so good and I had a
> lot of problems explaining my needs by mail. I am not sure that everybody
> will read entirely this mail ;-)))))))
>
> The direct question:
> Is it possible to:
> . use the mod_auth_basic module (or mod_auth_digest or mod_auth_ntlm) to
> authenticate a client for the first request,
> . then create a session tracking module (based on cookies) for the next
> requests (I would write this last module in Perl)
>
>
> The indirect question (good luck ;))
>
> I am currently working on a project to develop a server hosting HTTP
> applications developed with different technologies and I am in charge of
> the session management (authentication along with SSO) for the HTTP-based
> applications.
> Applications are developed in
> . PHP
> . Servlet
> I can not modify these applications (in term of authentication)

So, as far as I understood your problem, the first thing you should consider
is writing your own mod_perl handler for the authentication phase; that way
you don't have to care about the technology of the sites below. To read about
the request phases, look at:

http://perl.apache.org/docs/2.0/user/handlers/http.html#HTTP_Request_Cycle_Phases

This is independent of what module you use; the point is at what time of the
request you do the authentication.
Tracking the user with a cookie is a "normal" thing. The problems would start
if the apps need to know which user logged in or not. If so, you have to find
a way to pass them the user id or whatever data the apps require.

>
> My objective is to "offer" SSO, meaning that the end-user will be asked
> authentication only once, when accessing PHP or servlet (backend).
> The idea: an Apache module will simulate an HTTP client against the PHP or
> the servlet by sending basic authentication to PHP/servlet (ok, I simplify
> the problem, because the PHP or servlet container could require another
> authentication mechanism)
>
> Apache would act as a front-end and would
> . manage authentication against the client
> . manage session tracking with cookies
> . simulate the client authentication against the application (servlet
> or PHP) by sending basic authentication to the servlet or PHP applications
> (or any other mechanism, depending on the application authentication
> mechanism)

So, probably, you could set HTTP header variables or environment variables,
depending on what the application requires.

>
> I will write a session tracking module (using the PerlAuthenHandler
> handler). This module will manage:
> . a cookie for session tracking
> . the client simulation (using basic authentication or any other
> mechanism) against the back-end (PHP/Servlet)
I don't think you have to rewrite anything, have a look at Apache(2)::Cookie
or CGI::Cookie.


> My requirement: this module has to be usable with any existing client
> authentication type (mod_auth_basic, mod_auth_digest, BUT ALSO
> mod_auth_ntlm, ...)
Look at Apache::Session::Wrapper;

>
> For example,
> . a client (a web services based client) uses basic authentication for the
> first request then a cookie is used for the next requests
> . a client (a browser) uses FORM authentication for the first request then
> a cookie is used for the next requests.
> . a client uses NTLM authentication ....
> . a client uses digest authentication ....
>
> I would imagine the Apache configuration as below
>
>
> AuthType MySessionModuleVerifyCookie basic MySessionModuleGenerateCookie
> ....
>

>
> This would mean that :
> . MySessionModuleVerifyCookie would be first called, verifying if the
> cookie is present and correct
> . If no cookie, then basic authent is requested
> . if basic authent ok, then MySessionModuleGenerateCookie generates a valid
> cookie
>
> Another example,
>
> AuthType MySessionModuleVerifyCookie ntlm MySessionModuleGenerateCookie
> ....
>

>
>
> I searched for Apache modules fitting my needs. The Internet community
> proposes a lot of modules but all of these modules mix the different phases
> I described above (authentication between client and Apache, credentials
> verifications, session creation)
> For example,
> . mod_auth_pam: "The PAM authentication module implements Basic
> authentication on top of the Pluggable Authentication Module library". This
> means that the module implements basic authentication with PAM to verify
> credentials but without cookie session tracking
> . mod_auth_cookie_mysql: implements only FORM authentication with SQL to
> verify credentials with cookie session tracking
> . Apache::AuthTicket: implements only FORM authentication with any
> credentials mechanism (the module is extensible) with cookie session
> tracking
> . Apache::AuthCookieNTLM manages only NTLM and Basic with cookie but does
> not manage digest or form authentication
>
> My question: is it possible to serialize authentication modules in the
> AuthType Apache directive ? If so, how these modules interact each others.
> Another way to ask the question: is it possible to use already existing
> Apache module (basic, ntlm, digest, ...) to be included in a more global
> authentication/session framework ? Advantage of such a solution is that I
> can reuse the existing Apache modules (basic, ntlm, digest, ...),
> concentrating on my session tracking module. (I read the mod_perl2
> documentation and mod_perl2 offers only Basic and Digest authentication. It
> does not offer NTLM authentication).

Again, I think the solution to your problems is in writing a customized
handler for the authentication phase.

--
Regards
Rolf Schaufelberger
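
The chain Torsten describes in point 2 and the custom authentication-phase handler Rolf recommends, as an added example that is not code from either poster or from any existing module: a non-authoritative cookie handler that returns DECLINED so mod_auth_basic can take over, plus a Fixup handler that issues the cookie once some module has authenticated the user. The module name, cookie name, token layout and the `SessionSecret` variable are assumptions, and the sketch assumes the Perl handler is called before mod_auth_basic in the authentication phase.

```perl
package My::CookieSession;    # hypothetical module name
use strict; use warnings;
use Apache2::RequestRec ();   # $r->user, headers_in, err_headers_out
use Apache2::RequestUtil ();  # $r->dir_config
use APR::Table ();            # get/add on header tables
use Apache2::Const -compile => qw(OK DECLINED);
use Digest::SHA qw(hmac_sha256_hex);
my ($COOKIE, $TTL) = ('MYSESSION', 900);   # constructed name, 15 min lifetime
# Token (assumed layout): hex(user).expiry.HMAC-SHA256 over "hex(user).expiry"
sub make_token {
    my ($secret, $user, $now) = @_;
    my $body = unpack('H*', $user) . '.' . ($now + $TTL);
    return $body . '.' . hmac_sha256_hex($body, $secret);
}
# Returns the user name for an authentic, unexpired token, otherwise undef.
sub check_token {
    my ($secret, $token, $now) = @_;
    my ($hex, $exp, $mac) = ($token // '') =~ /\A([0-9a-f]+)\.(\d+)\.([0-9a-f]{64})\z/
        or return undef;
    my $want = hmac_sha256_hex("$hex.$exp", $secret);
    my $diff = 0;             # compare every character, no early exit
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $want, $_, 1) for 0 .. 63;
    return ($diff == 0 && $exp > $now) ? pack('H*', $hex) : undef;
}
# SessionSecret is an assumed PerlSetVar key holding the HMAC key.
sub secret { $_[0]->dir_config('SessionSecret') or die "SessionSecret not set\n" }
sub cookie_value {
    my $hdr = $_[0]->headers_in->get('Cookie') // '';
    return $hdr =~ /(?:^|;\s*)\Q$COOKIE\E=([^;\s]+)/ ? $1 : undef;
}
# Non-authoritative: a valid cookie settles identity, anything else is DECLINED.
sub authen {
    my ($r) = @_;
    my $user = check_token(secret($r), cookie_value($r), time);
    return Apache2::Const::DECLINED unless defined $user;
    $r->user($user);
    return Apache2::Const::OK;
}
# After Auth: issue a cookie when a user is authenticated but has no valid one.
sub fixup {
    my ($r) = @_;
    my $user = $r->user;
    return Apache2::Const::OK if !defined $user || $user eq ''
        || defined check_token(secret($r), cookie_value($r), time);
    $r->err_headers_out->add('Set-Cookie' => "$COOKIE="
        . make_token(secret($r), $user, time) . '; Path=/; HttpOnly; Secure');
    return Apache2::Const::OK;
}
1;
```

It would be wired in beside `AuthType Basic` and `Require valid-user` with `PerlAuthenHandler My::CookieSession::authen`, `PerlFixupHandler My::CookieSession::fixup` and `PerlSetVar SessionSecret` set to a long random value. Because the cookie carries only a signed user name and expiry, no password has to be stored to rebuild an Authorization header.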