Pound Mailing List Archive, 2004-05

single sign on and declarative access control?
"Bud P. Bruegger" <bud(at)comune.grosseto.it>
2004-05-24 13:14:01
Hello everyone,

I just discovered Pound and think it may be a much better choice than 
Apache for a development I had in mind:  a single sign on (for a single 
domain) and declarative access control system (similar to that of J2EE).  I 
would be interested in using pound as a basis for my architectonic 
component of "gateway host".

The architecture I had in mind is as follows:

* a load-balancing router redirects traffic to one of the gateway hosts.

* a parallel farm of stateless gateway hosts that basically behave as 
reverse-proxies for:

* application servers on a protected internal LAN

The functionality of the gateway servers would include the following:

* SSL wrapper to offload ssl processing to the massively scalable "farm" of 
gateway hosts.  It seems this can be done by pound.  From a quick reading 
through the documentation, it seems that pound does not currently verify 
the certificates though--is this correct?

* cookie-based single-sign-on preferably based on client-cert-auth but also 
with username/password via html form (only over ssl).  To keep this simple, 
it should protect only a single domain (this makes it MUCH simpler compared 
to other products such as PubCookie or Cosign).  Some background on the cookie 
maybe:  a single person can have multiple tokens of 
identification.  Different DNs map to the same Principal that is unique for 
the person.  The cookie contains the principal and the roles of this 
principal, other stuff, and an HMAC...

* declarative access control, possibly as a superset of J2EE's.  The 
advantage would be to do it independently of the technology of the 
application server (for example, J2EE).  I like the idea of defining access 
on logical URLs (see below) and of extensibility (e.g. by time of day, 
load, etc.).   For example, a URL pattern can require certain roles and 
possibly that the access is via SSL.

* Mapping from logical to physical URLs.  This allows moving things 
around flexibly and changing technology in a transparent manner.

My initial idea was to prototype this on Apache using mod-python for 
implementing the single sign on and access control part (and mod-ssl, 
mod-proxy for the rest).

Can anyone give me ideas/feedback on:
* how sound the overall idea is
* how Pound would fit in
* how to go about an implementation (at least as prototype).

many thanks in advance for any help

-b


-------------------------------------------------------------------------------------------------
Ing. Bud P. Bruegger, Ph.D.                 bud(at)comune.grosseto.it
Data Processing Service                       0564-488 577 (voice)
Comune di Grosseto                            0564- 21139 (fax)
Via Ginori, 43
58100 Grosseto

Open Source collaboration for the CIE and CNS http://www.comune.grosseto.it/cie/

Free/Open Source Software in public administration:  not only a good idea, but a 
necessity
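The post sketches three gateway functions without code: an HMAC-protected SSO cookie carrying a principal and its roles, declarative access rules on logical URL patterns that can require roles and SSL, and a logical-to-physical URL mapping. The following is an added example, not code from the post or from Pound, showing how a stateless gateway could implement all three in Python. The shared secret, the DN-to-principal table, the role table, the rules and the backend addresses are all constructed for the example; in a real deployment they would come from configuration shared by every gateway host, since any host must be able to verify a cookie minted by any other.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional, Tuple

# Constructed shared secret: every stateless gateway host needs the same key.
GATEWAY_SECRET = b"example-shared-secret-not-for-production"
COOKIE_TTL = 8 * 3600  # seconds a cookie stays valid

# Constructed tables: several DNs (several tokens of identification) map to
# one principal, and each principal carries a set of roles.
DN_TO_PRINCIPAL = {
    "CN=Bud Bruegger,O=Comune di Grosseto,C=IT": "bud",
    "CN=B. P. Bruegger,O=CIE,C=IT": "bud",        # second cert, same person
    "CN=Guest Person,O=Comune di Grosseto,C=IT": "guest",
}
PRINCIPAL_ROLES = {"bud": ["staff", "admin"], "guest": ["staff"]}

# Constructed declarative rules on logical URLs: a pattern with one capture
# group for the remainder of the path, the roles accepted (any one suffices,
# empty set = anonymous allowed), whether SSL is required, and the physical
# backend the logical prefix maps to. Evaluated in order; no match = deny.
RULES = [
    {"pattern": r"^/admin/(.*)$", "roles": {"admin"}, "ssl": True,
     "backend": "http://10.0.0.5:8080/mgmt/"},
    {"pattern": r"^/intranet/(.*)$", "roles": {"staff", "admin"}, "ssl": True,
     "backend": "http://10.0.0.6:8000/"},
    {"pattern": r"^/public/(.*)$", "roles": set(), "ssl": False,
     "backend": "http://10.0.0.7/"},
]


def _sign(payload: bytes) -> str:
    return hmac.new(GATEWAY_SECRET, payload, hashlib.sha256).hexdigest()


def mint_cookie(dn: str, now: Optional[float] = None) -> str:
    """Issue the SSO cookie for an authenticated client-cert DN.

    Body: principal, roles, expiry; the HMAC over the encoded body is appended.
    """
    principal = DN_TO_PRINCIPAL[dn]
    now = time.time() if now is None else now
    body = {
        "p": principal,
        "r": PRINCIPAL_ROLES.get(principal, []),
        "exp": int(now) + COOKIE_TTL,
    }
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload.encode())


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the cookie body if the HMAC matches and it is unexpired, else None.

    The MAC is checked (in constant time) before the body is decoded, so a
    tampered payload is rejected without ever being parsed.
    """
    try:
        payload, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload.encode()), mac):
        return None
    body = json.loads(base64.urlsafe_b64decode(payload.encode()))
    now = time.time() if now is None else now
    if body["exp"] < now:
        return None
    return body


def route(url: str, over_ssl: bool, cookie: Optional[str],
          now: Optional[float] = None) -> Tuple[str, str]:
    """Apply the declarative rules to a request.

    Returns ("deny", reason) or ("allow", physical_url). Checks are ordered so
    that the SSL requirement is enforced before any cookie is even looked at.
    """
    for rule in RULES:
        m = re.match(rule["pattern"], url)
        if not m:
            continue
        if rule["ssl"] and not over_ssl:
            return ("deny", "ssl required")
        if rule["roles"]:
            body = verify_cookie(cookie, now) if cookie else None
            if body is None:
                return ("deny", "login required")
            if not rule["roles"] & set(body["r"]):
                return ("deny", "insufficient role")
        # Logical prefix replaced by the physical backend; rest of path kept.
        return ("allow", rule["backend"] + m.group(1))
    return ("deny", "no rule")


if __name__ == "__main__":
    c = mint_cookie("CN=Bud Bruegger,O=Comune di Grosseto,C=IT")
    print(route("/admin/users", True, c))
    print(route("/admin/users", False, c))
    print(route("/intranet/news", True, None))
```

The default-deny fall-through and the "SSL before cookie" ordering are the two details worth keeping whatever the rest of the design becomes: a URL nobody wrote a rule for should never reach a backend, and a cookie should never be accepted over a channel the rule forbids.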
