Hi, Andrew:

My answers inline:

On Wed, Dec 4, 2013 at 10:52 PM, Andrew Mortensen <and...@weblogin.org> wrote:

>
> On Dec 4, 2013, at 4:35 PM, Zhen Qian <zq...@umich.edu> wrote:
>
> > Service B is currently configured to look for any incoming cosign cookies
> and will pass them along. It will also look for any associated proxy cookie
> files and pass the cookies inside. This means that multiple cookies are
> attached to the request (e.g. one for serviceB, one for serviceC), both
> will be passed along. It will also check if there are proxy cookies to pass
> and send those. This means we would be sending 4-5 cookies at serviceC,
> but this seems alright in practice.
>
> Hm. That sounds more like throwing everything at the problem hoping
> something will stick.
>

Yes, it is for now, unfortunately.


>
> Isn't service B already configured to retrieve proxy cookies for service
> C?


Yes.


> As I understand it, you've got service A getting proxy cookies for B and
> C, and sending them both to B; B retrieves a proxy cookie for C, and sends
> that one AND the one passed from service A on to service C.
>

It should be "B TRIES to retrieve a proxy cookie for C based on the proxy
cookie for B from A." But it failed to locate the proxy cookie file. And I
think that is why the error status message "unable to locate the proxy
cookie for service" is returned to service A.

On the other hand, obviously the proxy cookie for C which is passed from A
does not do the trick, either.


>
> >  > The result is serverA gets "Unable to locate the proxy cookie for
> service" status message from serviceB. So I guess it is due to the serviceB
> cannot use the proxy cookie from serviceA to locate the proxy cookie file,
> and furthermore the proxy cookie for serviceC is not effective.
> >
> > Does it work if you *only* send the service B cookie?
> >
> > The workflow works if I attached the proxy cookie to serviceB I got from
> browser by logging in to serviceB web interface. So this means that serviceB
> can use that proxy cookie, locate the proper proxy cookie file locally in
> /var/cosign/proxy, and find the cookie for serviceC and pass it along.
>
> A "proxy cookie" is one retrieved by mod_cosign from cosignd, not copied
> from your browser's cookie jar. :)
>

Sorry, I should say the CoSign cookie for service B from browser.

So if I pass that CoSign cookie value to B, B can find the proxy cookie for
C file based on it, and we can pass C's authentication.


>
> Does service B work when you have service A send only the proxy cookie for
> service B?
>

No. It does not work with service A sending only proxy cookie for B.

It does work, as I said above, with service A sending browser CoSign cookie
for B.


> > Are you working in UMich? Will you be able to help with the CoSign proxy
> cookie setting?
>
> I don't work for umich, sorry.
>

Sigh...

- Zhen
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
