Send modauthtkt-users mailing list submissions to modauthtkt-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]

You can reach the person managing the list at [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of modauthtkt-users digest..."

Today's Topics:

   1. Re: Helpful hint for TKTAuthDomain and TKTAuthTimeoutRefresh (Gavin Carr)
   2. Apache PHP User Logging (Nick 'Zaf' Clifford)
   3. Current Win32 Binary? (David Weingart)
   4. Dynamic TKTAuthToken (Danny Adair)
   5. Re: Dynamic TKTAuthToken (Danny Adair)
   6. Partial overriding of parameters (Danny Adair)

----------------------------------------------------------------------

Message: 1
Date: Wed, 17 Jan 2007 13:38:03 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Helpful hint for TKTAuthDomain and TKTAuthTimeoutRefresh
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Tue, Jan 16, 2007 at 06:45:39AM -0500, Katz, Aryeh (akatz) wrote:
> > Thanks for the detailed problem report. This is supposed to
> > work, so I'd like to understand why it isn't:
> >
> Like I said, it does work if you use domain cookies.

Right, but host cookies are supposed to work too.

> It just doesn't
> work if you use hostname cookies in the cgi b/c the MAT apache plugin
> (for all intents and purposes) forces the cookie to the domain.

If so, this is a bug. MAT uses the following to determine the domain to use (stopping at first match):

- TKTAuthDomain, if set
- HTTP X-Forwarded-Host, if set
- HTTP Host, if set
- Apache ServerName, otherwise

So it should never be the domain unless that's explicitly set in TKTAuthDomain.

Can you turn on debugging (TKTAuthDebug on) and set your TKTAuthTimeoutMin to something small and confirm what domain is being used on the cookie refresh (look for the 'sending cookie' line).
And then figure why that is being used. ;-)

> # Protected directory example
> <Location /TopLevel/SecuredDirectory/>
> AuthType Basic
> require valid-user
> TKTAuthLoginURL https://myhost.mysubdomain.mydomain.com/TopLevel/NextLevel/Page
> TKTAuthRequireSSL on
> TKTAuthCookieSecure on
> TKTAuthTimeoutMin 120
> TKTAuthTimeoutRefresh .5
> TKTAuthIgnoreIP off
> </Location>

So you're seeing mysubdomain.mydomain.com in the cookie when you want myhost.mysubdomain.mydomain.com? What is your ServerName set to on this (virtual) host?

Cheers,
Gavin

------------------------------

Message: 2
Date: Tue, 06 Feb 2007 12:51:10 +1300
From: Nick 'Zaf' Clifford <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Apache PHP User Logging
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Heyya all,

After having successfully (finally) got modauthtkt working with a PHP-based login page (the contrib php lib does work), but for the record, I found the following settings were a good starting point (eg you can change them, but it's a good place to start from):

I may be recommending or suggesting some bad things here (eg insecure), so if I am, please correct me.

Apache's .conf:

    TKTAuthIgnoreIP on
    TKTAuthCookieSecure off

auth_ticket.inc.php:

    $ENCRYPT_COOKIE = false;
    $SECRET_KEY_FILE = <path to your apache.conf with the SecretKey>;

login.php (this is your login file you create):

    // After authenticating the user
    $hash = getTKTHash("0.0.0.0", $username, "", "", <secret key from apache.conf>, true);
    setcookie("auth_tkt", $hash, time() + (86400 * 30), "/", ".example.com");

Now, onto the main subject of the email. After getting it working, I was rejoiced and happy, until I noticed a weird thing: In the apache access.log, each hit did indeed record their username, except for hits to php pages (even though they were protected by tkt).
After hunting around on google for awhile (the search terms php authentication apache log were not too helpful), I found a mention of a mod_perl based cookie authentication scheme where if the auth module didn't set an "Authorization" header in the request, a PHP based request didn't log the username. Then I noticed on this mailing list that there was a mention about $PHP_AUTH_USER (Re: mod_auth_tkt disables handlers?). I applied that patch, and things began to work.

So that's pretty much it, for the record (and I'm addressing this to the next poor sap who finds this problem and goes hunting on this mailing list looking for a solution), you need to apply the patch that sets the Authorization header.

Is there any reason why we can't do this by default? Yes I know we are fixing one program's problem (php) with another, but I'm guessing there must be other modules with similar problems.

Oh, and I guess you can count this as a success report for the following circumstances:

    mod_auth_tkt v2.0.0rc2
    Apache 2.0.55
    Ubuntu 6.10
    Using PHP for the login script.

Nick

------------------------------

Message: 3
Date: Fri, 2 Mar 2007 14:14:08 -0500
From: "David Weingart" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Current Win32 Binary?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Does anyone have a current mod_auth_tkt Win32 binary available for download? I saw some earlier posts to the list about one, but nothing recent.

I'm working on migrating a number of sites from Apache Win32 to Apache on Linux, but I'm going to be stuck on Windows for a while longer yet. :-)

Thanks!
-dave

------------------------------

Message: 4
Date: Fri, 6 Apr 2007 14:30:06 +1200
From: "Danny Adair" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Dynamic TKTAuthToken
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

This may be an Apache question...

TKTAuthToken seems to be the way of implementing role-based access with modauthtkt.

We have resources that need to be protected on a per-project basis, so I thought of having "project-x" and "project-y" user roles (tokens) which enable access to all related services. This sounded quite simple until I tried to express it in the Apache config...

I would like to require token "project-x" for access to "/projects/x" and token "y" for "/projects/y".
I don't want to make Apache config changes whenever a project is added or removed.

Is this possible?

My first thought was, in the RewriteRule which covers ^/projects/, use $1 to call a macro (using mod_macro) which creates a

    <Location /projects/$1>
    TKTAuthToken $1
    </Location>

to basically create the token requirement on-the-fly depending on the request.
Still have to check if that works.

Is there an easier way?

Thanks for your help,
Danny

------------------------------

Message: 5
Date: Fri, 6 Apr 2007 15:41:53 +1200
From: "Danny Adair" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Dynamic TKTAuthToken
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Ok, the macro way seems to have the same fundamental problem: It can't be called based on a runtime condition (like an environment variable set by a RewriteRule).

From my limited Apache and modauthtkt knowledge, I have to conclude that what I'm trying to do is currently not possible.

My suggestion: Extend modauthtkt to allow TKTAuthToken (and possibly other parameters?)
to be set via Apache environment variables in addition to the direct, hard-coded parameter. So if the environment variable is present, it overrides. Mmmh, no, probably the other way around is better... so if TKTAuthToken is undefined it's looked up as an environment variable (and _then_ defaults back to NULL).

This would allow a RewriteRule (, SetEnvIf, etc.) to provide a dynamic token requirement.

Hopefully others need the same (or have a different solution).

Cheers,
Danny

On 4/6/07, Danny Adair <[EMAIL PROTECTED]> wrote:
>
> This may be an Apache question...
>
> TKTAuthToken seems to be the way of implementing role-based access with
> modauthtkt.
>
> We have resources that need to be protected on a per-project basis, so I
> thought of having "project-x" and "project-y" user roles (tokens) which
> enable access to all related services. This sounded quite simple until I
> tried to express it in the Apache config...
>
> I would like to require token "project-x" for access to "/projects/x" and
> token "y" for "/projects/y".
> I don't want to make Apache config changes whenever a project is added or
> removed.
>
> Is this possible?
>
> My first thought was, in the RewriteRule which covers ^/projects/, use $1
> to call a macro (using mod_macro) which creates a
> <Location /projects/$1>
> TKTAuthToken $1
> </Location>
> to basically create the token requirement on-the-fly depending on the
> request.
> Still have to check if that works.
>
> Is there an easier way?
>
> Thanks for your help,
> Danny
>

--
Danny W. Adair
Director
Unfold Limited
New Zealand
Talk: +64 9 273 4534
Fax: +64 9 273 4535
Write: [EMAIL PROTECTED]
Browse: www.unfold.co.nz
Visit/Post: 26 Eastland Road, Flat Bush, Auckland 2016, New Zealand

------------------------------

Message: 6
Date: Fri, 6 Apr 2007 16:27:33 +1200
From: "Danny Adair" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Partial overriding of parameters
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

I stumbled upon this when trying to work around my problem with a dynamic TKTAuthToken (see other email).

I have something like this:

    <Location />
      AuthType Basic
      AuthName "Software Development"
      Require valid-user
      TKTAuthCookieName Authentication
      TktAuthBackCookieName AfterAuthBackTo
      TKTAuthLoginURL https://www.domain.com/login
      TKTAuthTimeoutURL https://www.domain.com/login?reason=timeout
      TKTAuthTimeoutMin 120
      TKTAuthUnauthURL https://www.domain.com/login?reason=unauthorized
      TKTAuthDomain .domain.com
      TKTAuthToken NULL
      TKTAuthIgnoreIP off
      TKTAuthGuestLogin off
    </Location>

If this is followed by:

    <Location /projects/myproject>
      TKTAuthToken test
    </Location>

and I visit /projects/myproject (without having the "test" token) it does not fully work as I expected: I get redirected to TKTAuthLoginURL rather than TKTAuthUnauthURL.

According to the Apache documentation ( http://httpd.apache.org/docs/2.0/sections.html#mergin ), the first Location directive is applied first (it matches the request), and then the second Location directive is applied (it also matches the request). So basically all settings from <Location /> should have been inherited, TKTAuthToken overridden, and I should have been redirected to TKTAuthUnauthURL.

Copying the TKTAuthUnauthURL setting from / to /projects/myprojects doesn't make a difference.
If I copy the entire TKTAuth configuration to /projects/myproject, and adjust the TKTAuthToken to be "test", I get correctly redirected to TKTUnauthURL.

(Btw, I haven't removed settings step-by-step yet to see which is "to blame")

Can anyone confirm this behaviour? Is this a bug in modauthtkt, Apache, or my observations?

Cheers,
Danny

------------------------------

End of modauthtkt-users Digest, Vol 8, Issue 1
**********************************************
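
Added example (not part of the digest and not mod_auth_tkt source code): a Python model of the first-match domain order Gavin lists in Message 1, combined with the browser-side domain matching of RFC 6265 section 5.1.3, to show which hosts receive the ticket cookie for a host-scoped value versus a domain-scoped one. The function names and the extra host names are constructed for illustration.

```python
# Added illustration: models the selection order described in Message 1.
# It is not taken from mod_auth_tkt; all names here are hypothetical.

def select_cookie_domain(tkt_auth_domain, x_forwarded_host, host, server_name):
    """Return (domain, source), stopping at the first value that is set."""
    candidates = [
        ("TKTAuthDomain", tkt_auth_domain),
        ("X-Forwarded-Host", x_forwarded_host),
        ("Host", host),
        ("ServerName", server_name),
    ]
    for source, value in candidates:
        if value:
            return value, source
    raise ValueError("no domain source available")


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match (IP-literal exclusion omitted).

    A leading dot on the cookie domain is ignored, and a suffix only
    matches on a label boundary.
    """
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def receiving_hosts(cookie_domain, hosts):
    """Hosts from `hosts` to which a browser would send the cookie."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


# Constructed host list, reusing the placeholder names from the thread.
HOSTS = [
    "myhost.mysubdomain.mydomain.com",
    "other.mysubdomain.mydomain.com",
    "mysubdomain.mydomain.com",
    "notmysubdomain.mydomain.com",
]

if __name__ == "__main__":
    for auth_domain in (None, ".mysubdomain.mydomain.com"):
        domain, source = select_cookie_domain(
            auth_domain, None, "myhost.mysubdomain.mydomain.com", "www.example.org")
        print(source, domain, receiving_hosts(domain, HOSTS))
```

Comparing the two printed host lists against the domain in the 'sending cookie' debug line shows at a glance whether the ticket is scoped to one host or shared across the subdomain.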