On Aug 3, 2010, at 2:26 PM, Joshua Scott Emmons wrote:

> Thank you for the information and sorry for the late reply.
> 
>> I'm aware of a Perl script which behaves like a filter, so I don't see any 
>> real difficulty in the writing, but before you begin that work you might 
>> pause to remember that there are cosign filters for IIS6, IIS7, lighttpd and 
>> JAAS, in addition to the Apache 1.3.x and 2.x filters.
> 
> The only filters I was aware of were Apache, IIS, J2EE. The lighttpd one 
> might indeed work for us. Where could I find information on that? I've been 
> looking at http://cosign.sourceforge.net/filter.shtml and haven't found much 
> information there.

You can find the lighttpd filter source in the filters/lighttpd directory in 
the source tarball or git repo. In most respects, it should have feature parity 
with the Apache filters. The documentation is non-existent. I had it working 
with PHP running via FastCGI on a test webmail server, and it seemed stable and 
functional. Beyond that, I'm not aware of anyone else using it. I'd love to 
have you try it out.

Keep in mind that it's had little formal testing, and compiling it isn't 
trivial. I last tested with lighttpd 1.4.20. My notes are at the end of this 
message. Again, they're a little out of date. Running the configure script with 
--enable-lighttpd=<path_to_lighttpd_src> should generate the correct build 
lines based on your arguments to configure and write them to 
filters/lighttpd/lighttpd-build.conf. Copy the contents of that file and add 
them to <lighttpd_src_root>/src/Makefile.am, then follow the additional steps 
in my notes.

If you get a basic setup working, I can help out with additional questions 
about configuration.

> On the subject of filter development, is there a sandbox or some public test 
> implementation of the cosign CGI and cosignd that I can point my burgeoning 
> filter at to test it out?

No, but that's an interesting idea. I'll look into that.

andrew

--

# edit lighttpd-1.4.20/src/Makefile.am and insert the following lines
# after the mod_setenv lines.

# change cosign_src to the path to the patched cosign source
cosign_src=/usr/src/cosign
lib_LTLIBRARIES += mod_cosign.la
mod_cosign_la_SOURCES = \
        $(cosign_src)/filters/lighttpd/mod_cosign.c \
        $(cosign_src)/filters/lighttpd/logging.h \
        $(cosign_src)/common/argcargv.c         \
        $(cosign_src)/common/fbase64.c          \
        $(cosign_src)/common/mkcookie.c         \
        $(cosign_src)/common/rate.c             \
        $(cosign_src)/version.c                 \
        $(cosign_src)/filters/common/connect.c  \
        $(cosign_src)/filters/common/cookiefs.c \
        $(cosign_src)/filters/common/sparse.c   \
        $(cosign_src)/filters/common/cosign.h
# remove -DKRB or -DGSS if you don't want krb5 support or GSSAPI.
# change or remove the krb5 include path, depending on your installation
# of krb5 (or lack of it).
mod_cosign_la_CPPFLAGS = -DLIGHTTPD -DHAVE_LIBSSL -DKRB -DGSS   \
        -I$(cosign_src)/filters/lighttpd                        \
        -I$(cosign_src)/common -I$(cosign_src)/filters/common   \
        -I/usr/local/mit-k5/include                             \
        -I$(cosign_src)/libsnet
mod_cosign_la_CFLAGS = $(AM_CFLAGS)
mod_cosign_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
# remove the krb5 libraries if you're not building with krb5.
mod_cosign_la_LIBADD = $(common_libadd) -lssl -lcrypto $(PCRE_LIB)            \
        -L/usr/local/mit-k5/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err     \
        -L$(cosign_src)/libsnet/.libs -lsnet

# after you've modified the Makefile.am:
# cd /path/to/lighttpd-1.4.20
# cp configure{,.orig}
# autoreconf -fv (which should run aclocal, autoconf and automake for you)
# ./configure --with-the-same-settings-you-used-to-build-lighttpd-before
# make
# cp src/.libs/mod_cosign.so /path/to/lighttpd/modules

# edit the lighttpd.conf. you'll need the following entries:
cosign.crypto = ( "cert" => "/path/to/cert.pem",
                  "key" => "/path/to/cert.key",
                  "cadir" => "/path/to/CA" )
cosign.host = "weblogin-test.itcs.umich.edu"
cosign.redirect = "https://weblogin-test.itcs.umich.edu/"
cosign.post-error-redirect = "http://weblogin-test.itcs.umich.edu/posterror.html"
cosign.protected = "disable"
cosign.service = "cosign-example.staff.itd"

# make sure the URL handler is available
$HTTP[ "url" ] =~ "^/cosign/valid" {
    cosign.protected = "disable"
}

# protect some path
$HTTP[ "url" ] =~ "^/protected/" {
    cosign.protected = "enable"
}

# stop and start lighttpd. you should be cosign protected.
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
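
An added example (not part of the original message and not cosign project code): a small audit of the cosign.protected rules from the notes above, showing which request paths end up requiring cosign when the global default is "disable". It assumes lighttpd's usual merge order (global value first, then each matching $HTTP["url"] block in file order, last match wins) and that Python's re is close enough to PCRE for these patterns; parse_rules, is_protected and audit are hypothetical helper names.

```python
import re

# Constructed sample: the cosign.protected directives from the notes above.
SAMPLE_CONF = '''
cosign.protected = "disable"
$HTTP[ "url" ] =~ "^/cosign/valid" {
    cosign.protected = "disable"
}
$HTTP[ "url" ] =~ "^/protected/" {
    cosign.protected = "enable"
}
'''

COND = re.compile(r'^\$HTTP\[\s*"url"\s*\]\s*=~\s*"([^"]*)"\s*\{')
SETTING = re.compile(r'^cosign\.protected\s*=\s*"(enable|disable)"')

def parse_rules(conf):
    """Return [(url_regex or None, enabled)] in file order; None means global."""
    rules, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive comment strip, fine here
        m = COND.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("}"):
            current = None
        else:
            m = SETTING.match(line)
            if m:
                rules.append((current, m.group(1) == "enable"))
    return rules

def is_protected(rules, path):
    """Assumed semantics: globals apply first, later matching blocks override."""
    state = False  # no directive at all is treated as unprotected
    for pattern, enabled in sorted(rules, key=lambda r: r[0] is not None):
        if pattern is None or re.search(pattern, path):
            state = enabled
    return state

def audit(conf, paths):
    """Map each request path to True (cosign required) or False (open)."""
    rules = parse_rules(conf)
    return {p: is_protected(rules, p) for p in paths}

if __name__ == "__main__":
    probes = ["/protected/mail.php", "/protected", "/Protected/x",
              "/cosign/valid", "/index.php"]
    for path, ok in audit(SAMPLE_CONF, probes).items():
        print(f"{path:22} {'cosign required' if ok else 'NOT protected'}")
```

With a global "disable", anything the enable patterns miss (here /protected without the trailing slash, or a differently cased path) is served without cosign, so it is worth running the paths you care about through a check like this before relying on the config.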
