SURVIVOR: Web Authentication Module Specification

Specification

  1. Web Authentication modules must be reentrant. That is, if a module is run more than once simultaneously, all instances must run to completion without interference.

  2. Web Authentication modules must not change their process group by any means, including via setsid(), setpgid(), setpgrp(), or any similar function.

  3. Each module must place its source code in a directory underneath survivor/src/modules/webauth/ with the following conventions:
    1. The name of the directory must be webauth/modulename/.

    2. A Makefile.in must be present, with directives for clean, veryclean, all, install, and install-remote.

      The install directive should, except in exceptional circumstances, install the module into @prefix@/mod/webauth, owned by @INST_USER@ and @INST_GROUP@, mode 555.

      The install-remote directive should be the same as install, except where it does not make sense for the module to be installed as part of a remote distribution. (Web Authentication modules typically do not need to be installed remotely.)

    3. Documentation describing the module should be in doc/wam-modulename.html.

  4. Web Authentication modules do not accept any command line arguments, but instead receive their required data via a SurvivorWebAuthRequest element provided in an XML document on stdin.

    The optional ModuleOption elements should conform to the Module XML Argument Specification.

  5. Web Authentication modules should not write output files.

  6. Web Authentication modules must generate output on stdout consisting of an XML document containing a SurvivorWebAuthResult element.

    The values of the AuthOK attribute are as follows:

    • yes: Successful authentication, username and optionally group memberships included.
    • deferred: Authentication incomplete. The module has handled the request (as for a CGI), and sw should transmit any content in the Deferral element and then exit.
    • no: Authentication failed.

  7. Web Authentication modules must exit with one of the following values (as defined in include/survivor.H):
    • MODEXEC_OK: Authentication request successfully processed.
    • MODEXEC_PROBLEM: An error occurred in processing the request.
    • MODEXEC_MISCONFIG: The module is misconfigured and is unable to process the request.
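
A caller-side check of the output contract in items 6 and 7, as an added example that is not part of the SURVIVOR source: it fails closed unless the module exited MODEXEC_OK and printed exactly one SurvivorWebAuthResult with a listed AuthOK value. Assumptions: the exit status is passed by name because the numeric values in include/survivor.H are not given here, the function name classify_result is hypothetical, and the sample documents are constructed and omit child elements this page does not define.

```python
import xml.etree.ElementTree as ET

# AuthOK values listed in item 6 of the specification (case-sensitive here).
ALLOWED_AUTHOK = {"yes", "deferred", "no"}


def classify_result(stdout_text, exit_name):
    """Return 'yes', 'deferred' or 'no'; anything unexpected becomes 'no'.

    stdout_text: the module's stdout, already decoded to str.
    exit_name:   symbolic exit status, e.g. "MODEXEC_OK" (mapping the
                 numeric status to a name is left to the caller).
    """
    # Item 7: only MODEXEC_OK means the request was processed successfully.
    if exit_name != "MODEXEC_OK":
        return "no"
    # Reject any DTD so entity declarations never reach the parser.
    if "<!DOCTYPE" in stdout_text or "<!ENTITY" in stdout_text:
        return "no"
    try:
        root = ET.fromstring(stdout_text)
    except ET.ParseError:
        return "no"  # truncated or malformed output
    # Item 6: the document must contain a SurvivorWebAuthResult element.
    # Require exactly one so a second, conflicting verdict is not ignored.
    results = list(root.iter("SurvivorWebAuthResult"))
    if len(results) != 1:
        return "no"
    value = results[0].get("AuthOK")
    return value if value in ALLOWED_AUTHOK else "no"


# Constructed sample outputs (not taken from a real module).
SAMPLES = [
    ('<SurvivorWebAuthResult AuthOK="yes"/>', "MODEXEC_OK"),
    ('<SurvivorWebAuthResult AuthOK="yes"/>', "MODEXEC_PROBLEM"),
    ('<SurvivorWebAuthResult AuthOK="Yes"/>', "MODEXEC_OK"),
    ('<SurvivorWebAuthResult AuthOK="yes"', "MODEXEC_OK"),
    ('<SurvivorWebAuthResult AuthOK="deferred"><Deferral/>'
     '</SurvivorWebAuthResult>', "MODEXEC_OK"),
]

if __name__ == "__main__":
    for text, status in SAMPLES:
        print(status, "->", classify_result(text, status))
```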


$Date: 2006/11/20 00:09:53 $
$Revision: 0.4 $