Hello, I have a question that is maybe a little too advanced for the usual list so I'm hoping I can ask here.

I want to write an extension for Kerberos 5 Single Sign On using GSSAPI. The problem is that GSSAPI is an iterative, multistep, stateful exchange. The request response flow might look like the following:

    C: GET /foo   ---------->
                  <----------   S: 401 Unauthorized
                                   WWW-Authenticate: Negotiate

    C: GET /foo   ---------->
       Authorization: Negotiate <base64-token-1>
                  <----------   S: 401 Unauthorized
                                   WWW-Authenticate: Negotiate <base64-token-2>

    C: GET /foo   ---------->
       Authorization: Negotiate <base64-token-3>
                  <----------   S: 200 <data>

[Actually no state must be maintained for the initial request/response and for the Kerberos mechanism there are usually only two tokens, which makes the whole exchange stateless. But for NTLMSSP there can be three tokens exchanged as depicted above and GSSAPI places no limit on the number of tokens exchanged for a given mechanism.]

I'm sure you can imagine the headaches involved with trying to perform a stateful exchange over HTTP. In general the prevailing technique is to use a session cookie to maintain the state during the exchange. For example one might write this in PHP roughly like the following:

    function authenticate() {
        // Reuse the context from the previous leg of the exchange, if any
        if (!isset($_SESSION["sso"])) {
            $_SESSION["sso"] = sso_new();
        }
        $sso = $_SESSION["sso"];

        $token = "";
        $headers = apache_request_headers();
        if (isset($headers["Authorization"])) {
            $token = $headers["Authorization"];
            $token = sso_do_gssapi($sso, $token);
            switch (sso_status($sso)) {
                case SSO_SUCCESS:
                    $_SESSION["auth"] = $sso;
                    // fall through: the exchange is over either way
                case SSO_FAILURE:
                    unset($_SESSION["sso"]);
                    return $sso;
            }
            $token = " " . $token;
        }

        // More tokens are needed: challenge again with the next server token
        header("WWW-Authenticate: Negotiate" . $token);
        header("HTTP/1.1 401 Unauthorized");
        die("More processing required.");
    }

I've read the tutorials and I have a working extension package but I need a better understanding of ZE internals with respect to maintaining state across requests. All of the examples register a dtor such that any variable returned is garbage collected after the request completes. For example, in the code above, if sso_new were to return a resource it is automatically unset from $_SESSION. I need it to persist. Ultimately I want to create one 'struct sso_context *' stored as a global (or one per MINIT is ok) from which I will derive 'struct sso *' objects in sso_new() that must persist for the life of the user's session. Can someone recommend a good technique for this?

Thanks,
Mike

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
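
Added example, not part of the original post and not PHP or Zend Engine code: one way to hold the per-session exchange state in extension-owned, process-global memory keyed by session id, expiring abandoned half-open exchanges and releasing the context on success or failure as the PHP sketch does. The names sso_lookup, sso_step, SSO_MAX and SSO_TTL, the struct layout and the token-counting stand-in for the GSSAPI step are assumptions, and the table only helps when later requests reach the same server process.

```c
#include <string.h>
#include <time.h>

#define SSO_MAX 64   /* assumed cap on concurrent half-open exchanges */
#define SSO_TTL 30   /* assumed seconds before an unfinished exchange is dropped */

enum sso_status { SSO_CONTINUE, SSO_SUCCESS, SSO_FAILURE };

struct sso {         /* hypothetical per-session exchange state */
    char   sid[65];  /* session id this context is bound to; "" marks a free slot */
    int    legs;     /* client tokens consumed so far */
    time_t touched;  /* time of the last leg, used for expiry */
};

static struct sso sso_table[SSO_MAX];  /* process-global: outlives a single request */

/* Return the context bound to sid, or claim a free slot; NULL when the table is full. */
struct sso *sso_lookup(const char *sid, time_t now)
{
    struct sso *free_slot = NULL;
    if (!sid || !*sid || strlen(sid) >= sizeof sso_table[0].sid) return NULL;
    for (int i = 0; i < SSO_MAX; i++) {
        struct sso *s = &sso_table[i];
        if (s->sid[0] && now - s->touched > SSO_TTL)
            memset(s, 0, sizeof *s);           /* expire an abandoned exchange */
        if (s->sid[0] && strcmp(s->sid, sid) == 0) {
            s->touched = now;
            return s;
        }
        if (!s->sid[0] && !free_slot) free_slot = s;
    }
    if (free_slot) {
        strcpy(free_slot->sid, sid);           /* length was checked above */
        free_slot->touched = now;
    }
    return free_slot;
}

/* Stand-in for the mechanism step (a real build would call gss_accept_sec_context).
   Completes after legs_needed client tokens; any final status frees the slot. */
enum sso_status sso_step(const char *sid, const char *token, int legs_needed, time_t now)
{
    struct sso *s = sso_lookup(sid, now);
    if (!s) return SSO_FAILURE;                /* table full or bad session id */
    if (!token || !*token) { memset(s, 0, sizeof *s); return SSO_FAILURE; }
    if (++s->legs < legs_needed) return SSO_CONTINUE;
    memset(s, 0, sizeof *s);                   /* like unset($_SESSION["sso"]) */
    return SSO_SUCCESS;
}

int main(void) { return sso_step("constructed-sid", "constructed-token", 1, time(NULL)) != SSO_SUCCESS; }
```
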