As Alexander proposed in another channel, I will remove the removal of
configure.jar and offer the old configuration method if the user is using FF
< 4 so we don't have to make the extension compatible with this ancient
version. It will be done this way:
If FF < 4 is detected:
* in browserconfig.html steps 2 and 3 will be grayed-out and replaced
with step 2a with a link to ssbrowser.html and a description explaining
* ssbrowser.html will be enhanced by steps for autoconfiguration of FF
We can also show the steps in browserconfig, but I want to have it
somehow available even if user is not using FF<4 to keep general
awareness about the problem and also to be usable if version detection
fails. Other possible problem with steps in browserconfig is different
styles of buttons (to keep the same styles we would have to include same
css files and jquery.js to configure.jar, which I don't want to do).
On 10/02/2012 06:38 PM, Petr Vobornik wrote:
This effort is still a WIP but I wanted to send it to allow comments on
You can visually check config pages on:
Note that installation of ca.crt and extension won't work because
fedorapeople server doesn't send proper headers.
If you want to build it and test it, to not mess up your FF profile,
make a new one:
firefox -P myprofilename --no-remote
So far I tested it only on FF15. It should be functional on FF4 and
later but it most likely won't work on FF3.6 (doesn't support
bootstrapping ext and xul overlay not tested). I will work on FF3.6
I didn't test installations of replicas.
Kerberos authentication extension
The extension should replace signed code (configure.jar) used for
Firefox configuration. Using privileged code is not possible since
Firefox 15. Extension is bootstrapped which means it can be used
without browser restart on Firefox 4 and later.
How it works:
Extension listens on each page's document element for event
'kerberos-auth-config' which should be raised on custom data element.
Communication data is transferred through data element's attributes.
The only required attribute is 'method'. Currently there are two
possible values: 'configure' and 'can_configure'.
'can_configure' method serves for detecting if the extension is
installed. 'configure' method does the actual configuration. Possible
optional options for 'configure' can be found in
kerberosauth.js:kerberosauth.config_options. Currently they are:
'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. Result of
a method is stored in data element's 'answer' attribute. When
'configure' method is used, the extension asks the user if he wants to
configure the browser, it should prevent silent configuration by
* add UI for manual edit
* more configurations, i.e. for gss_lib, sspi (good with UI or with
enhanced config page)
* introspection of client (read ipa client install config and such)
Build and installation of Kerberos authentication extension
This patch is removing files associated with configure.jar and a build
of configure.jar with a build of kerberosauth.xpi (FF Kerberos
Currently the build is done in install phase of FreeIPA server. It is to
allow signing of the extension by signing certificate. The signing might
not be necessary because the only outcome is that in extension
installation FF doesn't show that the maker is not verified. It shows
text: 'Object signing cert'. This might be a bug in
Signing Cert", ca_db)) The value is in place of hostname parameter.
If the extension is not signed, it can be created in rpm build phase,
which should make upgrades easier. Current implementation doesn't handle
In order to keep extension and config pages not dependent on a realm, a
krb.js.template file was created. This template is used for creating a
/usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's
realm and domain information. This information can be then used by
config pages by importing this file.
Configuration pages changed to use new FF extension
browserconfig.html was changed to use new FF extension. The page is
completely Firefox specific therefore the title was changed from
'Configure browser' to 'Firefox configuration'. Instruction to import CA
cert in unauthorized.html are FF specific too, so they were moved to
browserconfig.html. Unauthorized.html text was changed to distinguish FF
config and other browsers. Now the page shows link for FF
(browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html
should be enhanced by more configurations and browsers later.
Unauthorized dialog in Web UI now links to http://../unauthorized.html
instead of https. This change is done because of FF's strange handling of
extension installations from https sites. Firefox allows ext.
installation from https sites only when the certificate is signed by
some built-in CA. To allow custom CAs an option in about:config has to
be changed which doesn't help us at all because we want to avoid manual
changes in about:config.
The design of browserconfig is inspired by Kyle Baker's design (2.1
Enhancements_v2.odt). It is not exactly the same. Highlighting of the
steps wasn't used because in some cases we can switch some steps.
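
Added example, not part of the message or of the FreeIPA code: a sketch of the extension-side handling of the 'kerberos-auth-config' event described under "How it works", showing the method check, the allowlist of the four documented options and the user confirmation before anything is applied. The handler name, the callbacks, the 'answer' strings and the stand-in data element are assumptions.

```javascript
// Added example: everything except the method and option names is an assumption.
const CONFIG_OPTIONS = ['referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'];

// Constructed stand-in for the page's custom data element (attributes only).
function makeDataElement(attrs) {
  const store = new Map(Object.entries(attrs));
  return {
    getAttribute: (name) => (store.has(name) ? store.get(name) : null),
    setAttribute: (name, value) => { store.set(name, String(value)); },
  };
}

// Handler the extension would run for a 'kerberos-auth-config' event.
// askUser(options) -> boolean is the confirmation prompt; applyConfig(options)
// writes the browser preferences. Both are hypothetical callbacks.
function handleKerberosAuthConfig(el, askUser, applyConfig) {
  const method = el.getAttribute('method');
  if (method === 'can_configure') {
    // Detection only: reports that the extension is installed, changes nothing.
    el.setAttribute('answer', 'true');          // assumed answer value
    return;
  }
  if (method !== 'configure') {
    el.setAttribute('answer', 'unsupported');   // assumed answer value
    return;
  }
  // Copy only the documented options; any other attribute set by the page is ignored.
  const options = {};
  for (const name of CONFIG_OPTIONS) {
    const value = el.getAttribute(name);
    if (value !== null) options[name] = value;
  }
  // Any page can raise the event, so nothing is applied without explicit consent.
  if (!askUser(options)) {
    el.setAttribute('answer', 'aborted');       // assumed answer value
    return;
  }
  applyConfig(options);
  el.setAttribute('answer', 'configured');      // assumed answer value
}

// Constructed request: one documented option plus one attribute the handler must drop.
function demo(userAccepts) {
  const applied = [];
  const el = makeDataElement({ method: 'configure', trusted_uris: '.example.test', other_pref: 'x' });
  handleKerberosAuthConfig(el, () => userAccepts, (o) => applied.push(o));
  return { answer: el.getAttribute('answer'), applied };
}
```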