Thanks to everyone who responded! Though I cannot say which way we will go with this, I'm glad at least to have a couple possible directions.
-- Chris Africa Web Project Manager Department of Mechanical Engineering University of Michigan 734-764-8482 Fridays: 734-730-6221 AIM/iChat/Skype ID: baiewola On Jul 11, 2008, at 12:59 PM, Mark Montague wrote: > > Hi, Chris, > > Yes, you are correct: a client (such as a web browser or a command- > line Subversion client) has to implement redirection in order to be > used with cosign. > > But, redirection alone is not enough. The client also has to be > able to handle cookies. And keep in mind that unless you took the > cookies from a running web browser where the user already > authenticated via cosign, the client will be redirected to the > central weblogin server which will provide a login page for the user > to provide their user name and password on. So the client should > support HTML forms and the HTTP POST method, and should also provide > some way to display content and get a username and password from a > user. > > In other words, for a client to use cosign, it has to meet many of > the basic feature requirements for a web browser. > > These requirements are not unique to cosign -- Shibboleth, > PubCookie, and other systems also share these same requirements. > > If you want to implement "single sign on" authentication for a > command line client that does not implement redirection, cookies, > user input, etc., then I suggest either Kerberos plus SPNEGO over > HTTP, or, alternatively, X.509 client certificates (PKI). cosign > has at least basic support for both SPNEGO and X.509 -- if the > client has a Kerberos ticket or X.509 certificate which satisfies > the factor requirements of the cosign-protected service, the central > cosign weblogin server will accept them and the user will not be > prompted for their username and password. (However, the University > of Michigan does not currently have SPNEGO or X.509 enabled on its > production weblogin servers; contact [EMAIL PROTECTED] if you have > a need for them). > > I have no idea if the Subversion command line client supports either > SPNEGO or X.509, but, if it did not, you could always add support > for them and submit patches back to the Subversion project. > > I hope this helps. And, hopefully, other people will also chime in > with their ideas and suggestions. > > Mark Montague > ITCS Web/Database Production Team > The University of Michigan > [EMAIL PROTECTED] > > > > > On Fri, Jul 11, 2008 12:35 PM, Chris Africa <[EMAIL PROTECTED]> wrote: >> I sent this question to the subversion user group and didn't >> receive any responses. I apologize if you are getting it twice. >> >> Is anyone using Cosign to authenticate Subversion repositories >> with Apache 2? >> >> I've been successful in getting the web site set up and viewable in >> a browser, but no one can connect to the Subversion server via >> https. We get 302 errors, which I believe from my investigations >> are related to the fact that the client doesn't know how to handle >> redirection. Removing the Cosign authentication directives >> eliminates the error. >> >> If someone else *has* done this successfully, maybe I just need to >> recheck my configurations. >> >> Thanks! >> >> -- >> Chris Africa >> Web Project Manager >> Department of Mechanical Engineering >> University of Michigan >> 734-764-8482 >> Fridays: 734-730-6221 >> AIM/iChat/Skype ID: baiewola >> >> ------------------------------------------------------------------------- >> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! >> Studies have shown that voting for your favorite open source project, >> along with a healthy diet, reduces your potential for chronic >> lameness >> and boredom. Vote Now at http://www.sourceforge.net/community/cca08 >> _______________________________________________ >> Cosign-discuss mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/cosign-discuss >> >> >> > > > > !DSPAM:4877918a94495479454042! > > > ------------------------------------------------------------------------- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08 _______________________________________________ Cosign-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/cosign-discuss
