Web Engineering Group (WEG)
"Where the Rubber Meets the Web"
Leonard Sitongia
Version 0.0.3
Web Authentication Infrastructure
This document describes the design of the web authentication services provided by the UCAR web server environment. These services were designed and developed by Jeff Boote (SCD/VETS).
The authentication mechanism works within the context of a clustered web server. A number of identical systems serve as the front end to the web presence. The multiplicity of nodes (individual systems) provides load balancing and also fault tolerance through failover.

(This figure from Andrei Rodionov.)
Each node runs a number of instances of the Apache web server program. The node has multiple network interfaces to provide for external and internal access (with regard to the UCAR security perimeter), for the failover mechanism, and for proxy services. These are summarized in the following diagram. The primary interface to the outside world is eth1:0, which carries the cluster node's assigned address in the 128.117.223 subnet. HTTP requests arrive on that interface and first hit the content cache. If the requested content is already in the cache, the request is satisfied from the cache. A request for other content misses the cache; for that case the web server configuration in httpd.conf proxies the request to the virtual server hostname with a "-p" suffix, which DNS resolves to the loopback interface on the cluster node, 127.0.0.1. The original request was addressed to a virtual host, for example www.scd.ucar.edu, which selects the httpd.conf elements appropriate for that virtual host.
The eth1 external interface carries the physical (real) address of the network interface. There is also the virtual interface eth1:0, which is used for high availability: the heartbeat system can transfer it to another node if the physical interface fails. eth1:0 is the webcluster interface whose address is placed in the round-robin DNS pool to load-balance HTTP requests across the cluster nodes.
The eth0 interface is the internal interface. Access to the cluster node from inside UCAR should be addressed to the name of that interface.

The Apache process itself is designed to be modular, with modules processing the HTTP request through a chain of processing phases. The HTTP request enters the core of the Apache web server software, where the fundamental parts of request processing are handled. Most of the work in the Apache server is done by modular components, not by the core. The request flows through a series of modules, as dictated by the content of the request, the configuration of the web server (through httpd.conf), and the services that the modules register with the Apache server. The request is processed in a number of identifiable phases, which are listed in the right-most column of the following diagram.

(This figure is from a paper by Octavian Andrei Dragoi, of the University of Waterloo, reproduced with permission.)
The work done by the UCAR web environment's authentication service is done in the Authorize/Authenticate phase.
The UCAR web authentication mechanism supplements the other authentication methods available under the Apache web server. For example, basic Apache authentication ("basic auth") provides password-protected access for individual users or groups of users and is configured through the AuthType Apache directive. The UCAR web authentication mechanism is likewise selected using the AuthType directive. Many modules are available for the Apache server, including a large number of authentication modules. For example, the Apache open source community provides modules for authentication using LDAP and using Kerberos, both of which are technologies being explored at UCAR.
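The following httpd.conf fragment is an added illustration of two points made above: the cluster node's front-end virtual host with its content cache proxying cache misses to the "-p" name on the loopback interface, and an AuthType-protected area on the back-end virtual host. It is not the UCAR configuration (that is documented in the mod_gateway HOWTO) and it makes several assumptions: Apache 2.x mod_proxy, mod_cache/mod_cache_disk and mod_headers directives rather than whatever version the cluster ran; a made-up node address 128.117.223.10; made-up document and password-file paths; and basic auth with a group file standing in for the UCAR AuthType, whose keyword this page does not give.

```apache
# Added example, not the UCAR cluster's httpd.conf. Requires mod_proxy,
# mod_proxy_http, mod_cache, mod_cache_disk, mod_headers, mod_auth_basic,
# mod_authn_file and mod_authz_groupfile (Apache 2.x directive names assumed).
# Node address and all paths below are hypothetical.

# The external (round-robin DNS) address on eth1:0 and the loopback back end.
Listen 128.117.223.10:80
Listen 127.0.0.1:80

# Front-end virtual host: cache first, proxy misses to the "-p" name.
<VirtualHost 128.117.223.10:80>
    ServerName www.scd.ucar.edu

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Content cache consulted before the proxy; cache hits never reach the back end.
    CacheEnable disk /
    CacheRoot /var/cache/httpd/proxy

    # Misses go to www.scd.ucar.edu-p, which DNS (or a hosts entry such as
    # "127.0.0.1 www.scd.ucar.edu-p") resolves to the loopback interface.
    ProxyPass        / http://www.scd.ucar.edu-p/
    ProxyPassReverse / http://www.scd.ucar.edu-p/
</VirtualHost>

# Back-end virtual host: bound to 127.0.0.1 only, so it is reachable solely
# through the front end and not directly from either network interface.
<VirtualHost 127.0.0.1:80>
    ServerName www.scd.ucar.edu-p
    DocumentRoot /web/scd/htdocs

    # Authentication runs in the Authorize/Authenticate phase, selected by AuthType.
    # Basic auth is shown; the UCAR module is selected the same way with its own
    # AuthType value (see the mod_gateway HOWTO).
    <Directory /web/scd/htdocs/staff>
        AuthType Basic
        AuthName "SCD staff only"
        AuthUserFile  /web/scd/conf/htpasswd
        AuthGroupFile /web/scd/conf/htgroup
        Require group scd-staff

        # Protected responses must not be stored by the shared front-end cache,
        # or a later anonymous request could be served the cached copy without
        # ever reaching this authentication phase.
        Header set Cache-Control "private, no-store"
    </Directory>
</VirtualHost>
```

The Cache-Control header is the practical caveat in this layout: the cache sits in front of the proxy, so anything the back end marks cacheable is served to the next requester without re-running authentication. Marking protected content private keeps it out of the shared cache while leaving public content cacheable. Basic auth also sends credentials in clear text, so in practice the external virtual host would be served over SSL.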
The authentication modules bring about a series of transactions with a security service infrastructure: certificates managed by the web servers, and a web authentication server that serves as a gateway to the primary UCAR authentication server, which is managed by the UCAR computer security group (and provides authentication to the UCAR Timecard system, for example).
The modules written by Jeff Boote consist of mod_gateway (handling authentication of the user and web browser through standard secure certificates) and mod_authserv (handling authentication of the user to the UCAR "gatekeeper database").
The following diagram provides an overview of the authentication steps.

This software is available to webmasters of Apache servers in UCAR/NCAR divisions and programs. The document "mod_gateway HOWTO" documents how to acquire and install the software.
The following diagram provides a map of the detailed transactions between the authentication components, which are the client browser, the UCAR web cluster (node), the WEG authentication virtual web server ("Auth"), the WEG authentication gateway ("wns") and the UCAR Security authentication server ("AuthServ"). In the case of a division or program web server, the "web cluster" would be replaced by the local web server.
