Jarod Malestein wrote:
> Yes, that is the correct way to set REMOTE_USER. I was initially hoping
> that the problem was caused by the SetGlobalNotification(), and this was
> a side effect. (There is some code that tries to hook into the
> GL_CONFIGURATION_CHANGE notification, but this caused problems with .NET
> in "integrated" mode. It will be removed in the next iteration of the
> cosignmodule.)

Yes, I noticed that code in Cosign.cpp. We've not traced any problems to
that particular bit of code. What specific symptoms did you encounter in
Integrated Mode that are prompting you to remove config change notification?

>
> My only concerns are: does it make sense to set auth type as "Cosign".
> I think that's great, but I wonder if any web apps or other modules in
> IIS 7 expect certain types of authentication. In particular, if they
> require some methods to be implemented such as GetPassword() and
> GetToken(). However, we can cross that bridge when we come to it.

It seems to me that it would be okay to set AUTH_TYPE to "Cosign".
Creating authentication modules for IIS7 seems to be supported since MS
has provided a public API for it, and setting auth type appropriately is a
logical step for an authentication module.

>
> I'll roll your patch into the next CosignModule release since it is,
> after all, the correct way to behave. Also, please note that the next
> release of the CosignModule will be v3-compatible only.
>

Thanks for reviewing the patch so quickly.

So you're saying that there will be no v2-compatible 1.0.0-beta3 release
(or v2-compatible 1.0.0 stable release for that matter)?

I think it will be slightly confusing to substantially change the protocol
support in CosignModule at a point when the versioning indicates what
traditionally is expected to be a path nearing a stable release.

For the sake of deployments betting on upcoming stability of a
v2-compatible CosignModule, I think there is utility in at least
publishing the "best" version (i.e., most feature complete, stable, etc.)
of the existing path for CosignModule as version 1.0.0, with the move to
non-backward compatible v3-only support in version 1.1.0 or even 2.0.0 and
only after notifying the community that this is the intended direction of
the software.

To do otherwise, in theory, would be to change horses in mid-stream,
mid-stream being a request from the community for final testing before a
v2-supporting CosignModule-1.0.0 release, as the "beta" status indicates.

>
> Jarod
>
>
> Darian Anthony Patrick wrote:
>> Synopsis
>> ========
>>
>> The current version of CosignModule (version 1.0.0 beta 2) and trunk are
>> incompatible with ASP.NET applications that subscribe to global events
>> using handlers defined in global.asax.
>>
>> This problem was brought to our attention by a user with a set of
>> applications requiring the use of the Application_BeginRequest event.
>> We noted that the problem also arises when
>> Application_AuthenticateRequest is used.
>>
>> The incompatibility arises due to REMOTE_USER being set incorrectly in
>> CosignModule.cpp.
>>
>> CosignModule trunk uses HttpContext->SetServerVariable() to set
>> REMOTE_USER instead of the more appropriate (according to Microsoft's
>> documentation) mechanism[1] required by IIS7,
>> IAuthenticationProvider->SetUser(). The attached patch, crafted by Kong
>> Ung and Darian Patrick, addresses this issue.
>>
>> Discussion
>> ==========
>>
>> It appears that IIS7 contains code that expects to set REMOTE_USER
>> internally, based on the value passed to
>> IAuthenticationProvider->SetUser().
>>
>> By using Red Gate's .NET Reflector to inspect classes noted in the
>> stacktrace from the resulting server error page, we found that
>> CosignModule causes problems by using HttpContext->SetServerVariable()
>> to set REMOTE_USER.
>>
>> We believe that this is due to IIS7/ASP.NET-internal code expecting
>> REMOTE_USER to be NULL or unset at the time that it attempts to set
>> REMOTE_USER itself, using
>> HttpServerVarsCollection.SetServerVariableManagedOnly(). It is
>> difficult to say with certainty exactly what is happening since the
>> source code for IIS7 is not readily available for examination. However,
>> we can say with certainty that the attached patch effectively corrects
>> the issue.
>>
>> The attached Global.asax file may be used to replicate the problem.
>> Placing this file at the root of an ASP.NET application that is
>> protected with CosignModule will cause the error depicted in the
>> attached PNG.
>>
>> [1] http://msdn.microsoft.com/en-us/library/ms689307.aspx
>>
>> _______________________________________________
>> Cosign-discuss mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>>
>

--
________________________________________________________________________
Darian Anthony Patrick
Senior Programmer Analyst, Application Security
Office of Information Systems & Computing    Voice: (215) 573-1955
Networking & Telecommunications Unit         E-mail: [email protected]
University of Pennsylvania                   Jabber/XMPP: [email protected]
---
CFC7 DF03 337E F7F6 1829 71ED 1038 88AF 3C88 E55C
________________________________________________________________________
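The approach the thread agrees on (publish the authenticated principal through IAuthenticationProvider->SetUser() with auth type "Cosign", rather than writing REMOTE_USER as a server variable) is sketched below as an added example; it is not part of the original messages, the attached patch or CosignModule's source. The interface declarations are simplified, portable stand-ins for a subset of IIS7's httpserv.h, and CosignUser, RecordingProvider, PublishUser and the reference-ownership convention are assumptions made for illustration.

```cpp
// Portable stand-ins for a subset of IIS7's httpserv.h interfaces (assumption:
// simplified so this builds anywhere; a real module includes <httpserv.h>).
#include <string>

struct IHttpUser {                                 // stand-in, subset only
    virtual const wchar_t* GetRemoteUserName() = 0;
    virtual const wchar_t* GetAuthenticationType() = 0;
    virtual const wchar_t* GetPassword() = 0;
    virtual void* GetPrimaryToken() = 0;
    virtual void ReferenceUser() = 0;
    virtual void DereferenceUser() = 0;
    virtual ~IHttpUser() {}
};
struct IAuthenticationProvider {                   // stand-in
    virtual void SetUser(IHttpUser* user) = 0;
    virtual ~IAuthenticationProvider() {}
};

// User object for a principal the module has already validated (hypothetical).
class CosignUser : public IHttpUser {
    std::wstring name_;
    long refs_ = 1;                                // creator holds first reference
public:
    static int live;                               // instance counter for checking
    explicit CosignUser(const std::wstring& n) : name_(n) { ++live; }
    ~CosignUser() override { --live; }
    const wchar_t* GetRemoteUserName() override { return name_.c_str(); }
    const wchar_t* GetAuthenticationType() override { return L"Cosign"; }
    const wchar_t* GetPassword() override { return L""; }   // SSO: no password
    void* GetPrimaryToken() override { return nullptr; }    // no Windows token
    void ReferenceUser() override { ++refs_; }               // not thread-safe
    void DereferenceUser() override { if (--refs_ == 0) delete this; }
};
int CosignUser::live = 0;

// Stand-in for the server side: takes its own reference to the user it is given.
struct RecordingProvider : IAuthenticationProvider {
    IHttpUser* user = nullptr;
    void SetUser(IHttpUser* u) override {
        u->ReferenceUser(); if (user) user->DereferenceUser(); user = u; }
    ~RecordingProvider() override { if (user) user->DereferenceUser(); }
};

// Hypothetical helper: hand the principal to the provider; never set REMOTE_USER.
bool PublishUser(IAuthenticationProvider* provider, const std::wstring& principal) {
    if (provider == nullptr || principal.empty()) return false;  // fail closed
    CosignUser* user = new CosignUser(principal);
    provider->SetUser(user);       // server derives REMOTE_USER and AUTH_TYPE
    user->DereferenceUser();       // assumption: provider holds its own reference
    return true;
}
```

The empty password and null token are the cases Jarod's question about GetPassword() and GetToken() points at: code that expects Windows credentials from the user object has to cope with an SSO principal that has neither.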
