On Friday 22 November 2013 20:52 CET, Yuri D'Elia <wav...@thregr.org> wrote:

> On 11/21/2013 12:10 PM, Daniel Berteaud wrote:
> > Here's a patch to enable external auth (handled by apache) on the rest
> > interface.
> > I'm using a webSSO (the excellent LemonLDAP::NG) to control access to my
> > web applications. In this mode, LemonLDAP::NG handles the auth and just
> > sets REMOTE_USER when someone is correctly authenticated. So the app
> > never has access to the password, and so does not have access to a
> > PHP_AUTH_PW variable.
>
> Does LemonLDAP forward all the headers of the request (it should, right)?

It should yes (unless I override it).

>
> Because the X-Authorization header should *still* be required.
> Checking for REMOTE_USER only allows for CSRF attacks, which was a real
> PITA to fix.
>
> But it's entirely reasonable not to have the clear text.
> I committed a slightly different validation method which only checks the
> password for consistency (if it exists).
>
> Please check if this is enough.
>

Thanks, I'll try current GIT next week and will keep you informed.

--
Daniel Berteaud
FIREWALL-SERVICES SARL.
Société de Services en Logiciels Libres
Technopôle Montesquieu
33650 MARTILLAC
Tel : 05 56 64 15 32
Fax : 05 56 64 15 32
Web : http://www.firewall-services.com
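The validation scheme discussed in the thread, as an added example that is not the project's code or either author's patch: identity comes from REMOTE_USER set by the SSO front-end, the password is only checked for consistency when the front-end happens to pass it through, and the X-Authorization header is still required so that a browser-initiated cross-site request (which carries the SSO cookie but cannot add a custom header) is rejected. The function names, the `$expected_token` argument and the token format are assumptions for the illustration.

```php
<?php
// Added example, not project code. Assumes the app has already issued a
// per-session token to its own client script and expects it back in the
// X-Authorization header (format is an assumption).

// HTTP header names are case-insensitive; look one up by name.
function header_value(array $headers, string $name): ?string
{
    foreach ($headers as $k => $v) {
        if (strcasecmp($k, $name) === 0) {
            return $v;
        }
    }
    return null;
}

// $server is the CGI environment (e.g. $_SERVER), $headers the request
// headers (e.g. getallheaders()), $stored_hashes maps user => password hash,
// $expected_token is the session token the client must echo back.
function authenticate_request(array $server, array $headers,
                              array $stored_hashes, string $expected_token): array
{
    // 1. Identity: the SSO front-end sets REMOTE_USER after it authenticated
    //    the user; without it, nobody authenticated this request.
    $user = $server['REMOTE_USER'] ?? '';
    if ($user === '') {
        return ['ok' => false, 'reason' => 'no REMOTE_USER'];
    }

    // 2. Password: only available when the app handles auth itself; if the
    //    front-end passed it through anyway, it must agree with the stored hash.
    if (isset($server['PHP_AUTH_PW'])) {
        $hash = $stored_hashes[$user] ?? null;
        if ($hash === null || !password_verify($server['PHP_AUTH_PW'], $hash)) {
            return ['ok' => false, 'reason' => 'PHP_AUTH_PW inconsistent with stored password'];
        }
    }

    // 3. CSRF defence: the custom header must be present and correct even
    //    when the SSO already vouched for the identity. A cross-site form or
    //    image request sends the SSO cookie but cannot set this header.
    $token = header_value($headers, 'X-Authorization');
    if ($token === null) {
        return ['ok' => false, 'reason' => 'X-Authorization missing'];
    }
    if (!hash_equals($expected_token, $token)) {
        return ['ok' => false, 'reason' => 'X-Authorization invalid'];
    }

    return ['ok' => true, 'user' => $user];
}

// Constructed sample data for a stand-alone run.
$hashes   = ['daniel' => password_hash('constructed-secret', PASSWORD_DEFAULT)];
$token    = 'constructed-session-token';
$ssoEnv   = ['REMOTE_USER' => 'daniel'];

// Legitimate call from the app's own client: REMOTE_USER plus header.
var_dump(authenticate_request($ssoEnv, ['X-Authorization' => $token], $hashes, $token));

// Cross-site request: the SSO cookie got REMOTE_USER set, but no header.
var_dump(authenticate_request($ssoEnv, ['Cookie' => 'lemonldap=...'], $hashes, $token));

// Front-end that forwards the password too: it must still be consistent.
$basicEnv = ['REMOTE_USER' => 'daniel', 'PHP_AUTH_PW' => 'wrong'];
var_dump(authenticate_request($basicEnv, ['X-Authorization' => $token], $hashes, $token));
```

The second call fails with "X-Authorization missing": that is the case the quoted reply warns about, where accepting REMOTE_USER alone would let a page on another origin act as the logged-in user. `hash_equals` is used for the token comparison so the check does not leak the token length or prefix through timing.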
