PAPI::RedirectGPoA - Helper for redirecting requests to GPoAs or ASes

SYNOPSIS

 sub handler
 {
    my $r=shift;
    ...
    $poa->save_request($db_key);
    if ($redir_url =~ /^wayf:/) {
       # The GPoA is a reference to connect to the adequate AS: go to the WAYF URL
       ...
       if ($wayfurl =~ /^http/) {
          $poa->debug("PAPI#RedirectGPoA# Redirecting to external WAYF...");
          ...
       }
       else {
          if ($wayfurl =~ /built-in/i || ! -r $wayfurl) {
             $poa->debug("PAPI#RedirectGPoA# Redirecting to built-in WAYF...");
             ...
          }
          else {
             $poa->debug("PAPI#RedirectGPoA# Redirecting to internal WAYF...");
             ...
          }
       }
       ...
    }
    # Redirect to a normal GPoA
    else {
       $poa->debug("PAPI#RedirectGPoA# Redirecting to: $rurl...");
       ...
    }
    ...
 }

DESCRIPTION

This mod_perl handler is used by a PAPI PoA to manage a request that must be redirected through a parent GPoA, or to an AS via the PAPI WAYF interface, in order to obtain an assertion about the user attempting to access the resource protected by this PoA. Following Apache mod_perl conventions, the handler function in this package is registered as the handler for a request by the PAPI Main handler when the request carries no authorization tokens for the PoA and a query procedure has been defined by means of the GPoA_URL configuration directive.

The function starts by storing a record of the original request, so that it can be processed when the response to the query is received. It then checks whether the request must be passed directly to a GPoA, or whether a WAYF service must be consulted to determine the appropriate AS to query. The WAYF case is detected by the special wayf: scheme at the beginning of the URL defined by the GPoA_URL directive.

If the request is to be passed to a GPoA, the function prepares the redirect to the GPoA URL, passing the following parameters: a CHECK operation request, the identifier of the original request (the key under which it was saved), and the URL to which the GPoA must redirect the user's browser in order to deliver its response.
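The dispatch just described, and the CHECK redirect to a parent GPoA, as an added example in plain Perl; this is not PAPI's own code. The page does not name the query parameters of the CHECK request, so ACTION, DATA and URL are assumed here, as are the hostnames, the helper names, and the reading of the WAYF target as the text that follows "wayf:".

```perl
# Added example, not PAPI's own code: how a PoA classifies the GPoA_URL
# directive the way RedirectGPoA does, and how it builds the CHECK redirect
# to a parent GPoA.  Assumed (not stated on the page): the query parameter
# names ACTION, DATA and URL, that the WAYF target is the text after "wayf:",
# and all hostnames and helper names used here.
use strict;
use warnings;

# Percent-encode a query value, keeping only RFC 3986 unreserved characters.
sub q_escape {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf("%%%02X", ord($1))/ge;
    return $s;
}

# Mirror the dispatch in the SYNOPSIS: a plain URL means "query the parent
# GPoA"; "wayf:" selects an external WAYF (http...), the built-in WAYF, or an
# internal WAYF file, which must be readable by the server or the built-in
# WAYF is used instead.
sub classify_gpoa_url {
    my ($gpoa_url) = @_;
    if ($gpoa_url =~ /^wayf:(.*)$/) {
        my $wayfurl = $1;                      # assumed: rest of the directive
        return ('external-wayf', $wayfurl) if $wayfurl =~ /^http/;
        return ('built-in-wayf', $wayfurl) if $wayfurl =~ /built-in/i || ! -r $wayfurl;
        return ('internal-wayf', $wayfurl);
    }
    return ('gpoa', $gpoa_url);
}

# Redirect to a parent GPoA: a CHECK operation, the identifier under which the
# original request was saved, and the URL the GPoA must send the browser back to.
sub gpoa_check_redirect {
    my ($gpoa_url, $req_ref, $return_url) = @_;
    my $sep = ($gpoa_url =~ /\?/) ? '&' : '?';   # respect an existing query string
    my @kv;
    for my $p ([ACTION => 'CHECK'],              # assumed parameter names
               [DATA   => $req_ref],
               [URL    => $return_url]) {
        push @kv, $p->[0] . '=' . q_escape($p->[1]);
    }
    return $gpoa_url . $sep . join('&', @kv);
}

# Constructed inputs for the demonstration.
my $req_ref = 'poa-req-42';                           # key used with save_request
my $back    = 'https://poa.example.org/papi/checked'; # where the GPoA answers

for my $directive ('https://gpoa.example.org/PAPI/GPoA',
                   'wayf:https://wayf.example.org/select',
                   'wayf:built-in',
                   'wayf:/etc/papi/wayf.html') {      # unreadable here -> built-in
    my ($kind, $target) = classify_gpoa_url($directive);
    print "$directive -> $kind\n";
    print "    redirect: ", gpoa_check_redirect($target, $req_ref, $back), "\n"
        if $kind eq 'gpoa';
}
```

Note the file-test fallback: an internal WAYF path that the server cannot read is silently treated as the built-in WAYF, exactly as the `! -r $wayfurl` test in the SYNOPSIS does, so a typo in the directive changes which WAYF is shown rather than producing an error.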

The WAYF Interface

As stated in the configuration section, three different methods can be used to request a WAYF decision: the built-in WAYF system (using the keyword built-in), an internal location (using a path to a file in the server file tree), or an external location (using an arbitrary URL). As the SYNOPSIS shows, an internal location that is not readable by the server falls back to the built-in WAYF.

Internal WAYF services

WAYF services internal to the PoA (either built-in or in an internal location) must comply with the following interface:

1. All interactions between the PoA and the WAYF service are performed using HTTP redirections. Data are passed through parameters in the HTTP request.

2. When the WAYF service is initially called from the PoA, the following parameters are set:

NEXTURL
Is the URL where the WAYF service must return control once the decision is made.
NOOFAS
Is the number of PAPI authentication servers known to this PoA.
ASIDn
Is the internal identifier for authentication server n at this PoA.
ASDESCn
Is the description for authentication server n at this PoA.
ASURLn
Is the URL associated with authentication server n at this PoA.
PAPIPOAREF
Is the reference for the original user's request at the PoA.
PAPIPOAURL
Is the original URL at the PoA that initiated the WAYF process.

3. When the WAYF decision has been taken (typically, after some user interaction), there shall be a redirection to the URL identified in the NEXTURL parameter in step 2 above. Through this redirection, the following parameters shall be passed:

PAPIPOAREF, PAPIPOAURL
The same values as above, so the whole process can return to the URL that initiated it, and perform the original user request.
ASID
The internal identifier of the authentication server (one of the ASIDn values passed in step 2 above) to be used in the attribute request process. The PoA resolves this identifier against its own list of authentication servers, so a value it never offered cannot select an AS.

External WAYF

In those cases where an external WAYF service is in use, a simpler interface applies, since the external WAYF server is expected to take the user directly to the appropriate authentication server:

1. All interactions between the PoA and the WAYF service are performed using HTTP redirections. Data are passed through parameters in the HTTP request.

2. When the WAYF service is initially called from the PoA, the following parameters are set:

PAPIPOAREF
Is the reference for the original user's request at the PoA.
PAPIPOAURL
Is the original URL at the PoA that initiated the WAYF process.

3. When the WAYF decision has been taken (typically, after some user interaction), there shall be a redirection to the appropriate URL at the selected authentication server. Through this redirection, the following parameters shall be passed:

ATTREQ
Marks the request so that the authentication server identifies it as an attribute request coming from a PoA (see the authentication server documentation).
PAPIPOAREF, PAPIPOAURL
The same values as above, so the whole process can return to the URL that initiated it, and perform the original user request.
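Both WAYF exchanges, the internal one (steps 2 and 3 under "Internal WAYF services") and the external one above, played from both sides on constructed data, as an added example; this is not PAPI's own code. Everything beyond the parameter names the page defines is assumed: the function names, the hostnames, the value "1" for ATTREQ, that ASIDn numbering starts at 0, and that the PoA keeps its AS list and its saved requests in plain Perl data structures. The PoA-side acceptance routine shows the two checks a practitioner would want on the way back: the returned PAPIPOAREF must match a saved request, and the returned ASID must be one the PoA offered in step 2.

```perl
# Added example, not PAPI's own code: the internal and external WAYF exchanges
# described above, played from both sides on constructed data.  Assumed (not
# on the page): every function name, the hostnames, the value "1" for ATTREQ,
# that ASIDn indices start at 0, and that the PoA keeps its AS list and saved
# requests in plain Perl data structures.
use strict; use warnings;

sub q_escape {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf("%%%02X", ord($1))/ge;
    return $s;
}
sub q_unescape {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}
# Append key/value pairs to a URL, honouring any query string already present.
sub add_query {
    my ($base, @pairs) = @_;
    my @kv;
    while (@pairs) {
        my ($k, $v) = splice(@pairs, 0, 2);
        push @kv, q_escape($k) . '=' . q_escape($v);
    }
    return $base . (($base =~ /\?/) ? '&' : '?') . join('&', @kv);
}
# Read the parameters a redirect carries back into a hash.
sub parse_query {
    my ($url) = @_;
    my ($qs) = $url =~ /\?(.*)$/;
    my %p;
    for my $kv (split /&/, $qs // '') {
        my ($k, $v) = split /=/, $kv, 2;
        next unless defined $k && length $k;
        $p{ q_unescape($k) } = q_unescape($v // '');
    }
    return %p;
}

# Constructed PoA state: the known ASes and one saved request (reference => URL).
my @as = (
    { id => 'as1', desc => 'University A', url => 'https://as-a.example.org/PAPI/AS' },
    { id => 'as2', desc => 'University B', url => 'https://as-b.example.org/PAPI/AS' },
);
my %saved = ( 'req-7' => 'https://poa.example.org/secret/report.pdf' );

# Internal WAYF, step 2: the PoA hands the WAYF its AS list and return URL.
sub internal_wayf_request {
    my ($wayf_url, $next_url, $ref, $orig_url) = @_;
    my @pairs = (NEXTURL => $next_url, NOOFAS => scalar(@as));
    for my $n (0 .. $#as) {
        push @pairs, "ASID$n" => $as[$n]{id}, "ASDESC$n" => $as[$n]{desc},
                     "ASURL$n" => $as[$n]{url};
    }
    return add_query($wayf_url, @pairs, PAPIPOAREF => $ref, PAPIPOAURL => $orig_url);
}
# Internal WAYF, step 3: after the user picks entry $chosen, return to NEXTURL.
sub internal_wayf_response {
    my ($request_url, $chosen) = @_;
    my %p = parse_query($request_url);
    return add_query($p{NEXTURL}, PAPIPOAREF => $p{PAPIPOAREF},
                     PAPIPOAURL => $p{PAPIPOAURL}, ASID => $p{"ASID$chosen"});
}
# Back at the PoA: accept the decision only if PAPIPOAREF names a request we
# saved and ASID is one of the identifiers we offered in step 2.
sub poa_accept_decision {
    my ($response_url) = @_;
    my %p = parse_query($response_url);
    my $ref = $p{PAPIPOAREF} // '';
    die "unknown request reference '$ref'\n" unless exists $saved{$ref};
    my ($target) = grep { $_->{id} eq ($p{ASID} // '') } @as;
    die "WAYF returned an ASID this PoA never offered\n" unless $target;
    return ($ref, $target->{url});
}

# External WAYF: the PoA passes only the two PAPI parameters, and the WAYF
# sends the browser straight to the chosen AS with ATTREQ set.
sub external_wayf_request {
    my ($wayf_url, $ref, $orig_url) = @_;
    return add_query($wayf_url, PAPIPOAREF => $ref, PAPIPOAURL => $orig_url);
}
sub external_wayf_to_as {
    my ($request_url, $as_url) = @_;
    my %p = parse_query($request_url);
    return add_query($as_url, ATTREQ => 1,    # value assumed
                     PAPIPOAREF => $p{PAPIPOAREF}, PAPIPOAURL => $p{PAPIPOAURL});
}

# Play both exchanges through.
my $next = 'https://poa.example.org/papi/wayf-return';
my $req  = internal_wayf_request('https://poa.example.org/papi/wayf', $next,
                                 'req-7', $saved{'req-7'});
my ($ref, $as_url) = poa_accept_decision(internal_wayf_response($req, 1));
print "internal WAYF: request $ref goes to $as_url\n";
my $ext = external_wayf_request('https://wayf.example.org/select', 'req-7', $saved{'req-7'});
print "external WAYF -> ", external_wayf_to_as($ext, $as[0]{url}), "\n";
```

Run with `perl wayf-exchange.pl`. The internal round trip ends with the PoA selecting as2 for request req-7; change the ASID in the response to a value not in `@as`, or the PAPIPOAREF to an unknown key, and `poa_accept_decision` dies instead of redirecting, which is the behaviour a PoA wants when the values it gets back are not the ones it sent out.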

SEE ALSO

Main Handler

PAPI Configuration