Hi! Sorry for the delay. You could do the same as the web interface does when logging a user in, which is a POST to the /system/sessions resource in the graylog2 server. That will return a session id and a validity timestamp (this is currently fixed to 8 hours).
The web interface will then take the username and session-id, catenate them with a tab character and AES encrypt them to yield the final cookie field called sessionid. Which means that in order to write the cookie you need to have the application.secret of the web interface as well as the user credentials. The server also supports generating access tokens, even though it's not documented anywhere yet, but the web interface only relies on the cookie method described above. The underlying problem is that you need to set up authentication state in two separate applications, so I think this would get tricky and can break easily whenever our code changes.

Best,
Kay

On Wednesday, January 22, 2014 2:09:31 PM UTC+1, Егор Морозов wrote:
>
> Thanks for the information.
>
> So what about the cookie generation? We have one page that authenticates
> the users in Atlassian products by generating a cookie, I think that it
> should be possible to do the same with Graylog2.
>
> On Wednesday, January 22, 2014 12:44:15 PM UTC+2, Kay Röpke wrote:
>>
>> Hi!
>>
>> Graylog2 0.20 web interface currently only supports authenticating via
>> username/password and after that relies on its own session cookie to
>> authenticate against the graylog2 servers.
>> To support client certificates we would need to add that as an
>> authentication mechanism. In fact we have received one or two questions
>> about allowing certificates to be used for authentication, but so far this
>> has been low priority, to be honest.
>>
>> For this to work sensibly and securely, we would need to support some
>> kind of certificate management for all the connections between the user,
>> web interface process and graylog2 server (as well as mongodb which stores
>> the user's data and session information). That was well beyond the scope of
>> this release, so we decided to not support it for now.
>>
>> If you need this feature, could you please file an issue over at github:
>> https://github.com/Graylog2/graylog2-web-interface/issues?milestone=&state=open?
>>
>> BTW, it wouldn't be as easy as in the 0.1x versions, because starting in
>> 0.20 the server authenticates all requests, too, and it has no knowledge
>> about the first proxy server.
>>
>> Thanks,
>> Kay
>>
>>
>> On Wednesday, January 22, 2014 10:47:33 AM UTC+1, Егор Морозов wrote:
>>>
>>> Hello everyone!
>>>
>>> We've been using Graylog2 0.1x for a long time, it was simple enough to
>>> patch it and make it use the SSL_CLIENT_S_DN_CN Apache env variable. As now it's
>>> powered using a binary, it is much more painful to do the same so I
>>> wonder if it's somehow possible to make it use any of the variables passed
>>> by a proxy (nginx/Apache) to authenticate the user.
>>>
>>> An alternative approach that I can see is to generate the cookie using a perl
>>> or php script, but as I have no experience with Java, I can't really
>>> understand how to generate the same cookie (like graylog2-web does). Could
>>> someone describe this?
>>>
>>> Thanks!
>>>
>>
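
The cookie field described in Kay's reply, as an added example that is not part of the original thread and not Graylog2's own code: the username and the session id returned by the POST to /system/sessions are joined with a tab and AES-encrypted under a key taken from application.secret. The thread does not state the cipher mode, key derivation or output encoding, so AES-128-ECB with PKCS#7 padding, a key of the first 16 bytes of the secret and hex output are assumptions here, as are the function names and the sample values.

```javascript
const crypto = require('node:crypto');

// ASSUMPTIONS (not stated in the thread): AES-128 in ECB mode with PKCS#7
// padding, key = first 16 bytes of application.secret, hex-encoded output.
// All function names below are hypothetical, chosen for this example.
const ALGORITHM = 'aes-128-ecb';

function keyFromSecret(applicationSecret) {
  const raw = Buffer.from(applicationSecret, 'utf8');
  if (raw.length < 16) {
    throw new Error('application.secret must be at least 16 bytes');
  }
  return raw.subarray(0, 16);
}

// Join username and session id with a tab, then encrypt: the "sessionid" field.
function encodeSessionField(username, sessionId, applicationSecret) {
  if (username.includes('\t') || sessionId.includes('\t')) {
    throw new Error('tab is the field separator and cannot appear in a value');
  }
  const cipher = crypto.createCipheriv(ALGORITHM, keyFromSecret(applicationSecret), null);
  const plaintext = Buffer.from(`${username}\t${sessionId}`, 'utf8');
  return Buffer.concat([cipher.update(plaintext), cipher.final()]).toString('hex');
}

// Reverse direction: what any holder of the secret can read from the field.
function decodeSessionField(field, applicationSecret) {
  if (!/^(?:[0-9a-f]{32})+$/i.test(field)) {
    throw new Error('field is not a whole number of hex-encoded AES blocks');
  }
  const decipher = crypto.createDecipheriv(ALGORITHM, keyFromSecret(applicationSecret), null);
  const bytes = Buffer.concat([decipher.update(Buffer.from(field, 'hex')), decipher.final()]);
  const parts = bytes.toString('utf8').split('\t');
  if (parts.length !== 2) throw new Error('unexpected plaintext layout');
  return { username: parts[0], sessionId: parts[1] };
}

// Constructed sample values, not a real secret or a real session id.
const SAMPLE_SECRET = 'constructed-sample-secret-0123456789';
const SAMPLE_SESSION_ID = '11111111-2222-3333-4444-555555555555';
const sampleField = encodeSessionField('admin', SAMPLE_SESSION_ID, SAMPLE_SECRET);
console.log(sampleField);
console.log(decodeSessionField(sampleField, SAMPLE_SECRET));
```

Because the encryption is symmetric, whoever holds application.secret can also recover the server session id from a captured field, so the secret needs the same protection as the user credentials it sits alongside.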
