I had a problem: Server A runs a web service, which requires users to authenticate using the standard HTTP authentication mechanism. Server B should have web pages that use AJAX to query A’s web services. Server B’s web pages also require authentication, using the same scheme, backend and database as server A. There are two problems:
- JavaScript web pages can only access web services/pages on the same server using XMLHttpRequest, for security reasons. Solution: use a forwarding/proxy service. E.g. to access http://a.example.com/service from b.example.com, add a service http://b.example.com/service that just forwards requests to the web service on A. This solution is quite straightforward.
- Since B uses the same authentication scheme as A, we need to forward the authentication information passed to B's forwarding service on to A. Unfortunately this is not straightforward, since the Apache HTTP Server provides no easy way to read the full authentication information passed to it via a cgi-bin. The only available information is the REMOTE_USER environment variable. This is not enough to construct a new Authorization header, though, since password information is stored encrypted in the account database.

Finally I found a solution in the Zope 2 documentation. Apache's mod_rewrite comes to the rescue. It allows you to read arbitrary HTTP headers and add arbitrary environment variables before executing a cgi-bin. The following recipe, added to the appropriate .htaccess file, adds an HTTP_AUTHORIZATION environment variable:

```apache
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*)$ $1 [e=HTTP_AUTHORIZATION:%1]
```
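As an added example (not code from the original post), a minimal Python CGI script for the forwarding service on B: it reads the HTTP_AUTHORIZATION variable that the recipe above exposes and passes it on to A. The UPSTREAM URL and the realm name are assumptions; the upstream address is fixed in the script so the relayed credentials can only reach server A, and A's 401 challenge is relayed so the browser re-prompts instead of failing silently.

```python
import os, sys, urllib.error, urllib.request

UPSTREAM = "http://a.example.com/service"  # assumed (constructed) service on A

def authorization_from_environ(environ):
    """Authorization value exposed as HTTP_AUTHORIZATION, or None if absent."""
    value = environ.get("HTTP_AUTHORIZATION", "").strip()
    return value or None

def build_upstream_request(environ, body=None, upstream=UPSTREAM):
    """Build the request to A. The upstream URL is fixed here and never taken
    from the request, so the forwarded credentials can only reach server A."""
    auth = authorization_from_environ(environ)
    if auth is None:
        raise PermissionError("no Authorization header to forward")
    query = environ.get("QUERY_STRING", "")
    req = urllib.request.Request(upstream + ("?" + query if query else ""),
                                 data=body, method=environ.get("REQUEST_METHOD", "GET"))
    req.add_header("Authorization", auth)
    if body is not None and environ.get("CONTENT_TYPE"):
        req.add_header("Content-Type", environ["CONTENT_TYPE"])
    return req

def run_cgi(environ=os.environ, out=sys.stdout):
    """CGI entry point: forward the request and relay A's status, content type
    and any WWW-Authenticate challenge so the browser re-prompts on 401."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.buffer.read(length) if length else None
    try:
        req = build_upstream_request(environ, body)
    except PermissionError as exc:
        out.write("Status: 401 Unauthorized\r\n"
                  'WWW-Authenticate: Basic realm="service"\r\n'
                  "Content-Type: text/plain\r\n\r\n%s\n" % exc)
        return
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, headers, payload = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # relay 401/403 etc., do not swallow
        status, headers, payload = err.code, err.headers, err.read()
    out.write("Status: %d\r\n" % status)
    for name in ("Content-Type", "WWW-Authenticate"):
        if name in headers:
            out.write("%s: %s\r\n" % (name, headers[name]))
    out.write("\r\n")
    out.flush()
    out.buffer.write(payload)  # body bytes go out after the header block

if __name__ == "__main__":
    run_cgi()
```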