Just curious, why aren't you writing this as an Apache module? Is this of any use; it seems a bit dated, but could save you some effort: http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html
--Wez.

On 12/21/05, Michael B Allen <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I have a question that is maybe a little too advanced for the usual list
> so I'm hoping I can ask here.
>
> I want to write an extension for Kerberos 5 Single Sign On using
> GSSAPI. The problem is that GSSAPI is an iterative, multistep, stateful
> exchange. The request response flow might look like the following:
>
>   C: GET /foo            ---------->
>                          <---------- S: 401 Unauthorized
>                                         WWW-Authenticate: Negotiate
>   C: GET /foo            ---------->
>      Authorization: Negotiate <base64-token-1>
>                          <---------- S: 401 Unauthorized
>                                         WWW-Authenticate: Negotiate <base64-token-2>
>   C: GET /foo            ---------->
>      Authorization: Negotiate <base64-token-3>
>                          <---------- S: 200
>                                         <data>
>
> [Actually no state must be maintained for the initial request/response
> and for the Kerberos mechanism there's usually only two tokens which
> makes the whole exchange stateless. But for NTLMSSP there can be three
> tokens exchanged as depicted above and GSSAPI places no limit on the
> number of tokens exchanged for a given mechanism.]
>
> I'm sure you can imagine the headaches involved with trying to perform
> a stateful exchange over HTTP. In general the prevailing technique is
> to use a session cookie to maintain the state during the exchange. For
> example one might write this in PHP roughly like the following:
>
>   function authenticate() {
>       if (!isset($_SESSION["sso"])) {
>           $_SESSION["sso"] = sso_new();
>       }
>       $sso = $_SESSION["sso"];
>
>       $token = "";
>       $headers = apache_request_headers();
>       if (isset($headers["Authorization"])) {
>           $token = $headers["Authorization"];
>           $token = sso_do_gssapi($sso, $token);
>           switch (sso_status($sso)) {
>               case SSO_SUCCESS:
>                   $_SESSION["auth"] = $sso;
>               case SSO_FAILURE:
>                   unset($_SESSION["sso"]);
>                   return $sso;
>           }
>           $token = " " . $token;
>       }
>
>       header("WWW-Authenticate: Negotiate" . $token);
>       header("HTTP/1.1 401 Unauthorized");
>       die("More processing required.");
>   }
>
> I've read the tutorials and I have a working extension package but I
> need a better understanding of ZE internals with respect to maintaining
> state across requests. All of the examples register a dtor such that any
> variable returned is garbage collected after the request completes. For
> example, in the code above, if sso_new were to return a resource it is
> automatically unset from $_SESSION. I need it to persist.
>
> Ultimately I want to create one 'struct sso_context *' stored as a global
> (or one per MINIT is ok) from which I will derive 'struct sso *' objects
> in sso_new() that must persist for the life of the user's session. Can
> someone recommend a good technique for this?
>
> Thanks,
> Mike
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
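The three-request flow in the quoted message, as an added example that is not part of the original thread and is written in Python so it runs offline (the thread's own code is PHP). It shows the server keeping one in-progress context per session id and discarding it as soon as the exchange succeeds or fails; `ToyContext`, `Server`, `client_exchange`, `MAX_ROUNDS` and the reversed-challenge check are constructed stand-ins, not GSSAPI or PHP APIs.

```python
import base64
import secrets

MAX_ROUNDS = 4  # assumed cap; GSSAPI itself sets no limit on tokens

class ToyContext:
    """Constructed stand-in for a GSSAPI acceptor context (not a real mechanism)."""
    rounds, challenge = 0, None
    def step(self, token):
        self.rounds += 1
        if self.challenge is None:           # token-1 arrives: answer with token-2
            self.challenge = secrets.token_bytes(8)
            return "continue", self.challenge
        ok = token == self.challenge[::-1]   # toy proof: the challenge reversed
        return ("success" if ok else "failure"), b""

class Server:
    def __init__(self):
        self.pending, self.authed = {}, set()  # both keyed by session id

    def handle(self, sid, authorization=None):  # one GET /foo -> (status, headers)
        if sid in self.authed:
            return 200, {}
        if not (authorization or "").startswith("Negotiate "):
            self.pending.pop(sid, None)      # no token: a half-done exchange restarts
            return 401, {"WWW-Authenticate": "Negotiate"}
        try:
            token = base64.b64decode(authorization[10:], validate=True)
        except ValueError:                   # binascii.Error subclasses ValueError
            self.pending.pop(sid, None)
            return 400, {}
        ctx = self.pending.setdefault(sid, ToyContext())
        status, out = ctx.step(token)
        if status == "continue" and ctx.rounds < MAX_ROUNDS:
            return 401, {"WWW-Authenticate": "Negotiate " + base64.b64encode(out).decode()}
        del self.pending[sid]                # finished either way: drop the context
        if status == "success":
            self.authed.add(sid)
        return (200, {}) if status == "success" else (401, {"WWW-Authenticate": "Negotiate"})

def client_exchange(server, sid, token=b"token-1"):  # returns the status codes seen
    codes = [server.handle(sid)[0]]          # first request carries no token
    while codes[-1] == 401 and len(codes) < MAX_ROUNDS + 2:
        status, hdrs = server.handle(sid, "Negotiate " + base64.b64encode(token).decode())
        codes.append(status)
        reply = hdrs.get("WWW-Authenticate", "")
        if not reply.startswith("Negotiate "):
            break                            # no continuation token: exchange is over
        token = base64.b64decode(reply[10:])[::-1]
    return codes
```

Because the context is looked up by session id, a continuation token issued to one session does not complete the exchange for another session.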