As Alexander proposed in another channel, I will remove the removal of configure.jar and offer the old configuration method if the user is using FF < 4, so we don't have to make the extension compatible with this ancient version. It will be done this way:

If FF < 4 is detected:
* in browserconfig.html, steps 2 and 3 will be grayed out and replaced with step 2a, which links to ssbrowser.html and describes the problem
* ssbrowser.html will be enhanced with steps for autoconfiguration of FF < 4.

We can also show the steps in browserconfig, but I want to have it somehow available even if the user is not using FF < 4, to keep general awareness about the problem and also to be usable if version detection fails. Another possible problem with steps in browserconfig is the different styles of buttons (to keep the same styles we would have to include the same css files and jquery.js in configure.jar, which I don't want to do).



On 10/02/2012 06:38 PM, Petr Vobornik wrote:
This effort is still a WIP but I wanted to send it to allow comments on
chosen approaches.

You can visually check the config pages on:
http://pvoborni.fedorapeople.org/config/unauthorized.html
and http://pvoborni.fedorapeople.org/config/browserconfig.html

Note that installation of ca.crt and the extension won't work because
the fedorapeople server doesn't send proper headers.

If you want to build it and test it, to not mess up your FF profile,
make a new one:
firefox -ProfileManager
firefox -P myprofilename --no-remote

So far I tested it only on FF15. It should be functional on FF4 and
later but it most likely won't work on FF3.6 (it doesn't support
bootstrapped extensions, and the xul overlay is not tested). I will work
on FF3.6 support ASAP.

I didn't test installations of replicas.

Patch descriptions:

Kerberos authentication extension
---------------------------------

The extension should replace the signed code (configure.jar) used for
Firefox configuration. Using privileged code is not possible since
Firefox 15 [1] [2]. The extension is bootstrapped, which means it can be
used without a browser restart on Firefox 4 and later.

How it works:
The extension listens on each page's document element for the event
'kerberos-auth-config', which should be raised on a custom data element.
Communication data is transferred through the data element's attributes
[3]. The only required attribute is 'method'. Currently there are two
possible values: 'configure' and 'can_configure'.
The 'can_configure' method serves for detecting whether the extension is
installed. The 'configure' method does the actual configuration. The
possible optional options for 'configure' can be found in
kerberosauth.js:kerberosauth.config_options. Currently they are:
'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. The result
of a method is stored in the data element's 'answer' attribute. When the
'configure' method is used, the extension asks the user if he wants to
configure the browser; this should prevent silent configuration by
malicious pages.

Possible enhancements:
* add UI for manual edit
* more configurations, i.e. for gss_lib, sspi (good with UI or with an
enhanced config page)
* introspection of the client (read ipa client install config and such)

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046
[3] https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages


Build and installation of Kerberos authentication extension
-----------------------------------------------------------

This patch removes the files associated with configure.jar and replaces
the build of configure.jar with a build of kerberosauth.xpi (the FF
Kerberos authentication extension).

Currently the build is done in the install phase of the FreeIPA server.
This is to allow signing of the extension by the signing certificate.
The signing might not be necessary because the only outcome is that
during extension installation FF doesn't show that the maker is not
verified. It shows the text: 'Object signing cert'. This might be a bug
in httpinstance.py:262 (db.create_signing_cert("Signing-Cert", "Object
Signing Cert", ca_db)). The value is in place of the hostname parameter.

If the extension is not signed, it can be created in the rpm build
phase, which should make upgrades easier. The current implementation
doesn't handle upgrades yet.

In order to keep the extension and config pages independent of a realm,
a krb.js.template file was created. This template is used for creating
a /usr/share/ipa/html/krb.js file in the install phase, which holds
FreeIPA's realm and domain information. This information can then be
used by the config pages by importing this file.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

Configuration pages changed to use new FF extension
---------------------------------------------------

browserconfig.html was changed to use the new FF extension. The page is
completely Firefox specific, therefore the title was changed from
'Configure browser' to 'Firefox configuration'. The instructions to
import the CA cert in unauthorized.html are FF specific too, so they
were moved to browserconfig.html. The unauthorized.html text was changed
to distinguish FF config from other browsers. Now the page shows links
for FF (browserconfig.html) and other browsers (ssbrowser.html).
Ssbrowser.html should be enhanced with more configurations and browsers
later [1].

The unauthorized dialog in the Web UI now links to
http://../unauthorized.html instead of https. This change is done
because of FF's strange handling of extension installations from https
sites [2]. Firefox allows extension installation from https sites only
when the certificate is signed by some built-in CA. To allow custom CAs
an option in about:config has to be changed, which doesn't help us at
all because we want to avoid manual changes in about:config.

The design of browserconfig is inspired by Kyle Baker's design (2.1
Enhancements_v2.odt). It is not exactly the same. Highlighting of the
steps wasn't used because in some cases we can switch some steps.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383




--
Petr Vobornik
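The data-element exchange described under "How it works" above, written out as an added example (not FreeIPA's or the kerberosauth extension's own code). The DOM is replaced by a small constructed stand-in so the exchange runs outside a browser; the 'answer' values ('true', 'configured', 'refused', 'unknown_method'), the `prefs` store and the `confirmFn` consent hook are assumptions of this example, while the event name, the 'method' values and the option names come from the mail.

```javascript
// Constructed stand-in for the DOM pieces the protocol uses; in a real
// page these are document.createElement and a bubbling CustomEvent.
class MockDocument {
  constructor() { this.listeners = {}; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  createElement(tag) { return new MockElement(this, tag); }
}
class MockElement {
  constructor(doc, tag) { this.doc = doc; this.tag = tag; this.attrs = {}; }
  setAttribute(k, v) { this.attrs[k] = String(v); }
  getAttribute(k) { return k in this.attrs ? this.attrs[k] : null; }
  dispatchEvent(ev) {  // bubbles straight up to the document's listeners
    for (const fn of this.doc.listeners[ev.type] || []) fn({ type: ev.type, target: this });
  }
}

// Extension side. Option names are from the mail; the 'answer' values and
// the prefs store are assumptions for this example.
const CONFIG_OPTIONS = ['referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'];

function installExtensionListener(doc, prefs, confirmFn) {
  doc.addEventListener('kerberos-auth-config', (ev) => {
    const el = ev.target;
    const method = el.getAttribute('method');
    if (method === 'can_configure') { el.setAttribute('answer', 'true'); return; }
    if (method !== 'configure') { el.setAttribute('answer', 'unknown_method'); return; }
    const opts = {};
    for (const name of CONFIG_OPTIONS) {   // only whitelisted options are read
      const v = el.getAttribute(name);
      if (v !== null) opts[name] = v;
    }
    // The user prompt is what stops a malicious page from configuring silently.
    if (!confirmFn(opts)) { el.setAttribute('answer', 'refused'); return; }
    Object.assign(prefs, opts);
    el.setAttribute('answer', 'configured');
  });
}

// Page side (e.g. browserconfig.html): raise the event on a data element
// carrying the method and options, then read the result back.
function callExtension(doc, method, options = {}) {
  const el = doc.createElement('KerberosAuthDataElement');
  el.setAttribute('method', method);
  for (const [k, v] of Object.entries(options)) el.setAttribute(k, v);
  el.dispatchEvent({ type: 'kerberos-auth-config' });
  return el.getAttribute('answer');   // null => extension not installed
}
```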
