PAPI::Main - Apache mod_perl access control handler implementing a PAPI PoA


In the Apache configuration file:

 <Location /PAPILocation>
  PerlSendHeader On
  PerlAccessHandler PAPI::Main
 </Location>


Apache mod_perl >= 1.26, URI::Escape, Data::Dumper


The handler function in this package, following Apache mod_perl conventions, is called to decide whether to grant access to the location it has been configured to control. Once the handler is called, it performs the following actions:

  1. Take the Apache request object.
  2. Check whether it is an initial request.

    Apache considers a request initial if it comes from a direct HTTP request from the client and is not triggered by any Apache internal mechanism. If the request is not initial, accept it. If it is an initial request, process it as follows.

  3. Check whether the requested URL matches any Pass_URL_Pattern.

    If a match exists, continue with step 14.

    Otherwise, continue with step 4.

  4. Check whether the request is sent by a PAPI authentication server.

    In this case, the request is passed through the Cookie_Handler.

    Otherwise, continue with step 5.

  5. Check whether the request is sent by a PAPI WAYF server.

    In this case, the request is processed and passed to the selected PAPI authentication server.

    Otherwise, continue with step 6.

  6. Create a new ApachePoA object and configure it.
  7. Check whether this request is a normal request or comes from a response of a GPoA or an AS.

    In the first case, continue with step 10.

    If the request comes from a GPoA/AS answer, continue at step 8.

  8. Check the answer obtained from the GPoA/AS and the method and parameters of the request.

    If the answer obtained from the GPoA/AS is positive, proceed to step 9.

    Otherwise, reject the request.

  9. Check whether the requested method was POST.

    In that case, register POST_Handler to pass the request through it. Proceed to step 12.

    Otherwise, continue with step 10.

  10. Get the tokens (Hcook and Lcook) associated with this request.
  11. Check tokens.

    If the test with Lcook succeeds, continue.

    If the test with Lcook fails, check Hcook.

    If the test with Hcook succeeds, generate and send new Hcook and Lcook, and continue.

    If no Hcook is available, check for the definition of a GPoA and redirect the request if a parent GPoA exists, using RedirectGPoA.

    Otherwise, reject the request.

  12. Extract the assertion stored in the tokens and make it available through the appropriate Apache notes and request headers.
  13. Check whether this is a signoff request.

    In that case, generate values of Hcook and Lcook that will not be valid for any further request, and send them along with a redirection to the continuation URL.

    Otherwise, continue with step 14.

  14. Generate new tokens (Lcook and/or Hcook) as appropriate.
  15. Check whether this is a local request.

    In this case, pass the request back to Apache in order to complete it.

    If it is a request for a remote location, pass the request to the RewritingProxy handler.
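
The token fallback in steps 10 and 11 can be modelled as follows. This is an added example, not code from PAPI::Main: the token format, key, lifetimes and function names are hypothetical, and an HMAC with an expiry time stands in for whatever protection PAPI applies to Lcook and Hcook.

```python
import hashlib
import hmac
import time

KEY = b"constructed-demo-key"    # constructed value, stands in for the PoA's key
LCOOK_TTL, HCOOK_TTL = 60, 3600  # assumed lifetimes, not taken from the page


def make_token(kind, assertion, ttl, now):
    """Build 'kind|expiry|assertion|mac' (hypothetical format, not PAPI's)."""
    body = f"{kind}|{int(now) + ttl}|{assertion}"
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def check_token(token, kind, now):
    """Return the assertion if the token is authentic, of this kind and unexpired."""
    if not token:
        return None
    body, _, mac = token.rpartition("|")
    good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    parts = body.split("|", 2)
    if len(parts) != 3 or parts[0] != kind or not parts[1].isdecimal():
        return None  # the kind is covered by the MAC: an Hcook cannot pass as Lcook
    if int(parts[1]) <= now:
        return None
    return parts[2]


def decide(lcook, hcook, gpoa_url=None, now=None):
    """Steps 10-11: return (action, assertion, headers or cookies to send)."""
    now = time.time() if now is None else now
    assertion = check_token(lcook, "L", now)
    if assertion is not None:
        return ("continue", assertion, {})
    if hcook:
        assertion = check_token(hcook, "H", now)
        if assertion is not None:
            new = {"Lcook": make_token("L", assertion, LCOOK_TTL, now),
                   "Hcook": make_token("H", assertion, HCOOK_TTL, now)}
            return ("continue", assertion, new)
        return ("reject", None, {})  # assumption: a present but invalid Hcook is rejected
    if gpoa_url:
        return ("redirect", None, {"Location": gpoa_url})
    return ("reject", None, {})
```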


PAPI Configuration