Woo-hoo, cloud computing.

(Thousands of teens start screaming.)

Enough already. What I found rather disenchanting was the lack of a tiny tool to enforce mandatory access control and usage monitoring. Furthermore, the few implementations available to mere mortals are rather technologically challenged, to put it mildly. This left me no chance but to come up with a concept of my own. The result is a PHP-based SOAP/REST proxy. Naturally, PHP doesn't make this tool fast or nice, but it allows for a quick drafting of a prototype. Eventually, an extension of das Schäfchen would seem natural since it can already be used as a reverse HTTP proxy with authentication.

There are some interesting questions arising from any such concept. For example, the ability to accept streaming service calls is highly important to keep the duration of data presence on the proxy low by pushing it to the backend as soon as it arrives. However, no such pushing should happen until the user is authenticated, which happens with protocol-specific mechanisms, unless access for that particular service has been configured to accept anonymous users. Furthermore, in case one only trusts the proxy but not the services behind it, the proxy should strip authentication information, i.e. modify the stream during its redirection. This requirement is fundamentally incompatible with the SAX API and eventually will lead to another parser model. In the meantime, however, an alternative non-streaming mode is available as well. Further insufficiencies can be found in the way PHP interacts with Apache. There is no simple way to retrieve all the original headers. Therefore, the tools contains some workarounds until it can run in standalone mode.

After some hacking, it has turned out to work fairly well at around ~500 lines of code. The first release is scheduled for the end of the month.