AFS WEB SECURE DESIGN DOCUMENT Functionality (common to both Servers) Any URL beginning with /afs is handled by the plug-in. If a username and password accompanies the request then the plug-in attempts to authenticate the user with AFS and uses that token for serving the request. However in the absense of any Authentication header it attempts to serve the request as it normally would (without the plug-in). If the request returns an OK status, the document is served as is. If it returns HTTP status FORBIDDEN, then the plug-in responds with an AUTHENTICATION_REQUIRED response with a part of the URL giving the /afs/ as the part of the WWW-Authenticate header. Netscape Enterprise Server Plug-in The Netscape Server is multithreaded (each incoming HTTP request is handled by a thread). This design led to the requirement of per thread authentication credentials for AFS, (without which there would be one common token for all the threads handling requests for possibly different users). Since the AFS kernel cache manager only provides per process authentication credentials (using Process Authentication Groups or PAG's), the plug-in required a user-space cache manager. Within this user space cache manager a data structure stores the authentication credentials in a manner similar to PAG's (first two bits used). The user space cache manager provides the capability of per thread authentication required for the Netscape Server. The Netscape Server API provides an initialization routine using which the user space cache manager is started up. Unlike the Apache Server plug-in, the Netscape AFS Web Secure Server does not have to be on an AFS client machine. Configuration files permit the administrator to specify disk cache directories other than that used by any other cache managers. Therefore it is possible to have more than one user space cache manager running on the same machine along with a kernel cache manager. The configuration allows the administrator to specify what URL it should look for files in AFS. Tokens for user credentials are obtained and cached in the user-space cache manager, which essentially is a port of the kernel cache manager into user-space. Apache Server Module The Apache Server software provides an API for adding modules to the web server and for creating handlers for requests. AFS Web Secure for Apache is built as a standard Apache module (mod_afs.c) along with a library (libapacheafs.a) and two binaries (weblog_starter and weblog). The web server is not multithreaded but each request is served by child processes (the number of which is configurable). AFS Authentication requires each child process to communicate with the weblog process over a UNIX pipe (file locking is used to provide exclusive access to the pipe). The child processes send authentication credentials (username, password and cellname) to the weblog process which authenticates the user with AFS using the ka_AuthenticateUserGeneral system call (as in klog). Once an AFS token is obtained it gets the token fro the cache manager using the lpioctl system call and sends the token back to the child process that requested it. Note that since AFS permits one token per cell per PAG, it is essential for each of the child processes to be in a unique PAG. The lsetpag system call is used on startup to ensure each child process and the weblog process belong to a unique PAG. Once the child process obtains the token from the weblog process it sets it using the lpioctl system call to set a token. It can then access files in AFS with the appropriate ACL's. Caching of tokens is done at two levels - the weblog process caches all tokens for all user credentials that it recieves from all Apache child processes. Each child process in turn caches the credentials it recieves. Token times are configurable using the SetAFSCacheExpiration directive. The kernel cache manager may cache tokens for the time specified using the SetAFSTokenExpiration directive. This is similar to using klog -lifetime