Today's Topics:

   1. Re: Thoughts on how to resolve "require user chains to basic
      auth" issue (Gavin Carr)


----------------------------------------------------------------------

Message: 1
Date: Tue, 12 Sep 2006 21:36:45 +1000
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Thoughts on how to resolve "require
        user chains to basic auth" issue
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi John,

On Mon, Sep 11, 2006 at 09:35:01AM -0500, John Wade wrote:
> First thanks to Gavin and all for putting together a great module, this
> is clean, straightforward, and manageable and really meets our needs.
> Thanks!

You're welcome, and thanks. :-)

> Back in April there was a discussion on this list about the issue of
> apache reverting to basic authentication when the config has a "require
> user" directive, but the authenticated user is not authorized to access
> the directory. Gavin had responded that the behavior was
> "non-optimal" but that no one had had time to look at it in depth.
> 
> I took a look at it, and my guess is that the problem is that in the
> cases where we are not using tokens (i.e. either require valid-user or
> require user) the module authenticates users, but does not authorize
> them. Since the "auth_tkt_check" function is registered as
> APR_HOOK_FIRST, the authorization for both of these cases is passed down
> the chain and handled by the "check_user_access" function in mod_auth
> (see /modules/aaa/mod_auth.c in the apache 2.0 source tree). Since
> mod_auth knows nothing about mod_auth_tkt, it returns HTTP_UNAUTHORIZED,
> which triggers the basic auth retry instead of the preferred redirect to
> the TKTAuthUnauthURL.

I think you're basically correct - this is authz land interacting badly
with our authentication module. It seems to be a recognised problem
for others as well - compare this paragraph from the PubCookie docs

  http://www.pubcookie.org/docs/overview-apache.html#authz

> It would seem that there are two possible solutions to this.
> 
> 1.  Add a directive to the mod_auth_tkt configuration like
> TKTAuthRequire. This could use the same syntax as "require user" or
> "require valid-user". We would then have to implement the
> authorization check by replicating the code from the "check_user_access"
> function in mod_auth.c in the "auth_tkt_check" function with the
> appropriate changes to redirect to the TKTAuthUnauthURL if the user is
> not authorized. This approach has the advantage that it should not
> break any existing configuration.
> 
> 2.  Continue to use the standard "require user" and "require valid-user"
> directives, but implement the authorization in the "auth_tkt_check"
> function (once again by essentially copying the section from the
> "check_user_access" function in mod_auth.c). I am not sure of the
> feasibility of this for several reasons, but I will defer to those more
> knowledgeable. The first potential problem is that I suspect this
> function gets called for all check_user_id calls, thus it would probably
> break the fall through to basic authentication for those who wanted to
> use both techniques in different directories. I also am not sure if
> the function call "ap_get_module_config(r->per_dir_config,
> &auth_tkt_module)" will return the "require user" directives which are
> probably registered by the mod_auth module.

Of these, I'd prefer the second, if it's doable. It's much cleaner to
use the existing well-understood directives than implement our own. But
as you say, John, it's potentially tricky.

> I am willing to give a stab at putting together a patch for this if
> anyone has any suggestions about the correct way to implement this or if
> anyone has any other insights.

Sounds great. Another place you might want to look is the
Apache::AuthCookie perl module (perhaps depending how your perl is) -
they do something similar in perl that handles both the authen and authz
sides of things, so they must have wrestled with these issues too.

Cheers,
Gavin
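As an added illustration (not mod_auth_tkt's or Apache's own code), here is a stand-alone C model of the require-line walk that John proposes copying from check_user_access, ending in the outcome the thread wants: a valid ticket for a user who is not listed becomes a redirect to TKTAuthUnauthURL instead of the HTTP_UNAUTHORIZED that makes Apache fall back to a basic-auth challenge. The tkt_result enum, the tkt_authz function and the sample require strings are assumptions constructed for this example; real httpd hooks would call ap_requires(r) to obtain the directives.

```c
#include <ctype.h>
#include <string.h>

/* Outcome of the combined authentication + authorization step (constructed names). */
enum tkt_result {
    TKT_OK,               /* ticket user is authorized: serve the request */
    TKT_REDIRECT_LOGIN,   /* no valid ticket: redirect to TKTAuthLoginURL */
    TKT_REDIRECT_UNAUTH,  /* valid ticket, user not permitted: redirect to TKTAuthUnauthURL */
    TKT_DECLINED          /* only requirement types we don't handle (e.g. group): leave to others */
};

/* True when the len-byte token at tok spells exactly word. */
static int tok_eq(const char *tok, size_t len, const char *word) {
    return strlen(word) == len && memcmp(tok, word, len) == 0;
}

/* Skip whitespace, return the start of the next token, advance *pp past it. */
static const char *next_tok(const char **pp, size_t *len) {
    const char *t;
    while (isspace((unsigned char)**pp)) (*pp)++;
    t = *pp;
    while (**pp && !isspace((unsigned char)**pp)) (*pp)++;
    *len = (size_t)(*pp - t);
    return t;
}

/* requires: the arguments of each Require directive in scope, e.g. "user alice bob".
 * Walked like mod_auth's check_user_access for "valid-user"/"user", but the miss
 * case yields a redirect decision rather than HTTP_UNAUTHORIZED. */
enum tkt_result tkt_authz(const char *ticket_user, const char *const *requires, int n) {
    int i, saw_user_req = 0;
    if (ticket_user == NULL || *ticket_user == '\0')
        return TKT_REDIRECT_LOGIN;           /* authentication, not authorization, failed */
    for (i = 0; i < n; i++) {
        const char *p = requires[i];
        size_t len;
        const char *t = next_tok(&p, &len);
        if (tok_eq(t, len, "valid-user"))
            return TKT_OK;                   /* any authenticated user will do */
        if (!tok_eq(t, len, "user"))
            continue;                        /* "group" etc.: not ours, let other authz run */
        saw_user_req = 1;
        while (t = next_tok(&p, &len), len > 0)
            if (tok_eq(t, len, ticket_user))
                return TKT_OK;               /* listed by name */
    }
    /* A "require user" list exists and excludes this user: send them to the
     * unauthorized page; a 401 here is what triggers the basic-auth retry. */
    return saw_user_req ? TKT_REDIRECT_UNAUTH : TKT_DECLINED;
}
```

The TKT_DECLINED branch is what keeps a mixed deployment working: directories that only use "require group" still reach mod_auth (or whichever authz module owns that requirement) unchanged.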




------------------------------


_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users


End of modauthtkt-users Digest, Vol 4, Issue 6
**********************************************
