Replying to @phaus
@phaus REMOTE_USER stays in the Apache process AFAIK. Some mod_rewrite magic will surely help?
@stilkov actually not. Java was a Netty server. Running as its own process on its own port. And there it works just fine. PHP was PHP-FPM.
@phaus And the connection to Netty from Apache was pure HTTP? Surely not, but rather mod_jk?
@stilkov yes. definitely no mod_jk. I hate apps depending on Apache's/frontend remote_user header instead of doing their own basic-auth.
@phaus And for the record, I disagree :-) I don't see why apps should be doing their own basic auth
@stilkov for example to achieve a clear logout? To do an auth against LDAP (Apache module is buggy). To offer different auth methods?
@phaus All of these are infrastructure issues, not application issues - not at all related to business functionality
@stilkov IMHO authentication is part of the service. And from the past I am pretty sure that a fat & complex webserver config is not good.
@phaus Fire up your own server that just has the auth part, and proxy traffic through to your app. Still preferable IMO.
@stilkov As soon as an app needs complex location rules, I always consider doing this within the app. e.g. supporting OAuth and BasicAuth.
Replying to @phaus
@phaus That means your app needs to change when your auth requirements change. I prefer clearer separation of concerns, and multiple apps

Sep 26, 2012 · 10:06 AM UTC

Replying to @stilkov
@stilkov normally your app knows what resource needs to be protected, your web server does not. Had that funny problem in FlowControl.
@phaus That's the difference between authentication and authorization. I'd never try to do the latter outside of the app
Replying to @stilkov
@stilkov And you still can use your apache auth files. e.g. with github.com/phaus/play-file-a… ;-).