SYNOPSIS
    sub handler {
        my $r=shift;
        ...
        $pa->save_request($db_key);
        if ($redir_url =~ /^wayf:/) {
            # The GPoA is a reference to connect to the adequate AS: Go to the WAYF URL
            ...
            if ($wayfurl =~ /^http/) {
                $poa->debug("PAPI#RedirectGPoA# Redirecting to external WAYF...
                ...
            } else {
                if ($wayfurl =~ /built-in/i || ! -r $wayfurl) {
                    $poa->debug("PAPI#RedirectGPoA# Redirecting to built-in WAYF...
                    ...
                } else {
                    $poa->debug("PAPI#RedirectGPoA# Redirecting to internal WAYF...
                    ...
                }
            }
            ...
        }
        # Redirect to a normal GPoA
        else {
            $pa->debug("PAPI#RedirectGPoA# Redirecting to: $rurl...
            ...
        }
        ...
    }
DESCRIPTION
This mod_perl handler is used by a PAPI PoA for managing a request that must be redirected through a parent GPoA or an AS (through the PAPI WAYF interface) in order to obtain an assertion about the user intending to access the resource protected by this PoA. The handler function in this package, according to Apache mod_perl conventions, is registered as the handler for a request by the PAPI Main handler when no authorization tokens are received for the PoA and a query procedure is defined by means of the GPoA_URL configuration directive.
The function starts by storing a record of the original request, so it can be processed when the response to the query is received. Afterward, it checks whether the request must be passed directly to a GPoA, or whether a WAYF service must be used in order to determine the appropriate AS to be queried. This is detected by looking for the special method wayf: at the beginning of the URL defined by the GPoA_URL directive.
If the request is going to be passed to a GPoA, the function prepares the appropriate redirect to the GPoA URL, passing the following parameters: a CHECK operation request, the original request identifier, and the URL to which the GPoA must redirect the user's browser to pass its response.
The WAYF Interface
As stated in the configuration section, three different methods can be used to request a WAYF decision: the built-in WAYF system (using the keyword built-in), an internal location (using a path to a file in the server file tree), or an external location (using an arbitrary URL).
Internal WAYF services
WAYF services internal to the PoA (either built-in or in an internal location) must comply with the following interface:
1. All interactions between the PoA and the WAYF service are performed using HTTP redirections. Data are passed through parameters in the HTTP request.
2. When the WAYF service is initially called from the PoA, the following parameters are set:
- NEXTURL: the URL where the WAYF service must return control once the decision is made.
- NOOFAS: the number of PAPI authentication servers known to this PoA.
- ASIDn: the internal identifier for authentication server n at this PoA.
- ASDESCn: the description for authentication server n at this PoA.
- ASURLn: the URL associated with authentication server n at this PoA.
- PAPIPOAREF: the reference for the original user's request at the PoA.
- PAPIPOAURL: the original URL at the PoA that initiated the WAYF process.
3. When the WAYF decision has been taken (typically, after some user interaction), there shall be a redirection to the URL identified in the NEXTURL parameter in step 2 above. Through this redirection, the following parameters shall be passed:
- PAPIPOAREF, PAPIPOAURL: the same values as above, so the whole process can return to the URL that initiated it and perform the original user request.
- ASID: the internal identifier of the authentication server (as originally passed in step 2 above) to be used in the attribute request process.
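The internal WAYF exchange above, as an added example that is not code from the PAPI distribution: the PoA builds the step 2 redirect, the WAYF answers with the step 3 redirect, and the PoA checks the answer against the request it saved and the servers it advertised before following the chosen ASID. Server identifiers, URLs and the 1-based numbering of ASIDn are assumptions for the example.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample: the authentication servers known to this PoA
# (hypothetical identifiers and URLs, not values from the PAPI distribution).
AUTH_SERVERS = [
    {"id": "as-univ", "desc": "University AS", "url": "https://as.univ.example/papi"},
    {"id": "as-lib", "desc": "Library AS", "url": "https://as.lib.example/papi"},
]


def build_wayf_request(wayf_url, next_url, poa_ref, poa_url, servers):
    """Step 2: the redirect the PoA issues when it first calls the WAYF.
    Assumes the index n in ASIDn/ASDESCn/ASURLn starts at 1."""
    params = {"NEXTURL": next_url, "NOOFAS": str(len(servers)),
              "PAPIPOAREF": poa_ref, "PAPIPOAURL": poa_url}
    for n, s in enumerate(servers, start=1):
        params[f"ASID{n}"] = s["id"]
        params[f"ASDESC{n}"] = s["desc"]
        params[f"ASURL{n}"] = s["url"]
    return f"{wayf_url}?{urlencode(params)}"


def build_wayf_response(next_url, poa_ref, poa_url, asid):
    """Step 3: the redirect the WAYF issues back to NEXTURL once decided."""
    q = {"PAPIPOAREF": poa_ref, "PAPIPOAURL": poa_url, "ASID": asid}
    return f"{next_url}?{urlencode(q)}"


def resolve_wayf_response(redirect_url, saved_requests, servers):
    """PoA side of step 3: check the returned parameters against what this
    PoA stored and advertised, then return the URL of the chosen AS.
    saved_requests maps PAPIPOAREF -> PAPIPOAURL as recorded by save_request."""
    q = parse_qs(urlparse(redirect_url).query)
    try:
        ref, url, asid = q["PAPIPOAREF"][0], q["PAPIPOAURL"][0], q["ASID"][0]
    except KeyError as e:
        raise ValueError(f"missing WAYF parameter {e}")
    # The reference must name a request this PoA actually saved, and the URL
    # must be the one recorded for it, not whatever came back in the query.
    if saved_requests.get(ref) != url:
        raise ValueError("PAPIPOAREF/PAPIPOAURL do not match a saved request")
    # Only a server that was offered in step 2 may be selected.
    for s in servers:
        if s["id"] == asid:
            return s["url"]
    raise ValueError(f"ASID {asid!r} was not among the advertised servers")
```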
External WAYF
In those cases in which an external WAYF service is in use, a simpler interface can be used, since the external WAYF server is expected to make the user directly progress to the appropriate authentication server:
1. All interactions between the PoA and the WAYF service are performed using HTTP redirections. Data are passed through parameters in the HTTP request.
2. When the WAYF service is initially called from the PoA, the following parameters are set:
- PAPIPOAREF: the reference for the original user's request at the PoA.
- PAPIPOAURL: the original URL at the PoA that initiated the WAYF process.
3. When the WAYF decision has been taken (typically, after some user interaction), there shall be a redirection to the appropriate URL at the selected authentication server. Through this redirection, the following parameters shall be passed:
- ATTREQ: makes the authentication server identify the request as an attribute request coming from a PoA (see the authentication server).
- PAPIPOAREF, PAPIPOAURL: the same values as above, so the whole process can return to the URL that initiated it and perform the original user request.