Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net


Today's Topics:

   1. Re: Dynamic TKTAuthToken (Joost Cassee)
   2. Re: Dynamic TKTAuthToken (Danny Adair)
   3. Re: Dynamic TKTAuthToken (Joost Cassee)
   4. Re: Dynamic TKTAuthToken (Danny Adair)
   5. Re: Dynamic TKTAuthToken (Gavin Carr)


----------------------------------------------------------------------

Message: 1
Date: Fri, 06 Apr 2007 09:42:47 +0200
From: Joost Cassee <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Dynamic TKTAuthToken
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

On 06/04/2007 05:41, Danny Adair wrote:

> Ok, the macro way seems to have the same fundamental problem: It can't
> be called based on a runtime condition (like an environment variable set
> by a RewriteRule).
> 
> From my limited Apache and modauthtkt knowledge, I have to conclude that
> what I'm trying to do is currently not possible.

One way of doing this would be to use mod_perl. You could write a
(almost trivial) authentication handler.


Regards,

Joost

-- 
Joost Cassee
http://joost.cassee.net


------------------------------

Message: 2
Date: Fri, 6 Apr 2007 20:08:14 +1200
From: "Danny Adair" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Dynamic TKTAuthToken
To: "Joost Cassee" <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Thanks, Joost,

I don't quite understand.
Do you mean having an _additional_ handler for /projects, so that modauthtkt
needs to be satisfied (without tokens), and then _also_ another handler
checks the tokens as well (by simply checking the cleartext tokens in the
cookie, or I think REMOTE_USER_TOKENS also gets set)?

Didn't know that you could mix (cascade) BasicAuth/modauthtkt with your own
handlers.
I don't want to recreate any modauthtkt functionality but if there can be
multiple auth handlers that's great news.

Btw, I already wrote a PythonAuthenHandler which uses the same database
from which the modauthtkt cookie gets created (needed that for
subversion (DAV) clients which don't use cookies). It already checks for
appropriate roles (tokens) there.
So there would be no work at all :-)

Cheers,
Danny


------------------------------

Message: 3
Date: Fri, 06 Apr 2007 10:22:08 +0200
From: Joost Cassee <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Dynamic TKTAuthToken
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

On 06/04/2007 10:08, Danny Adair wrote:

> I don't quite understand.
> Do you mean having an _additional_ handler for /projects, so that
> modauthtkt needs to be satisfied (without tokens), and then _also_
> another handler checks the tokens as well (by simply checking the
> cleartext tokens in the cookie, or I think REMOTE_USER_TOKENS also gets
> set)?

I don't remember whether mod_authtkt stores tokens in the request
apr_table, but its configuration is in there for certain. Indeed,
REMOTE_USER is set, so you can check against that.

> Didn't know that you could mix (cascade) BasicAuth/modauthtkt with your
> own handlers.
> I don't want to recreate any modauthtkt functionality but if there can
> be multiple auth handlers that's great news.

Yes, that is entirely possible. Apache has a whole list of different
handler types. Just make sure the ordering of the handlers is correct.
mod_authtkt should run first to set REMOTE_USER.

> Btw, I already wrote a PythonAuthenHandler which uses the same database
> from which the modauthtkt cookie gets created (needed that for
> subversion (DAV) clients which don't use cookies). It already checks for
> appropriate roles (tokens) there.
> So there would be no work at all :-)

From mod_perl you can access all key/value pairs associated with a
request. I reviewed mod_python a long time ago but it is less powerful
than mod_perl. On the other hand, it looks like your PythonAuthenHandler
only needs access to REMOTE_USER and the URL.

The only thing you will miss if you do not let mod_authtkt do the
authentication is its redirection to a login page if the tokens don't
match. You could work around that by looking at the configuration in
your own handler.


Regards,

Joost

-- 
Joost Cassee
http://joost.cassee.net


------------------------------

Message: 4
Date: Fri, 6 Apr 2007 20:33:50 +1200
From: "Danny Adair" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Dynamic TKTAuthToken
To: "Joost Cassee" <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Thanks Joost,

that solved the problem. Cool!
In my case there's only one redirection URL for everything so I don't even
mind keeping string literals in two places.

I still think this could be solved by modauthtkt.

Thanks again,
Danny



-- 
Danny W. Adair
Director
Unfold Limited
New Zealand

Talk:       +64 9 273 4534
Fax:        +64 9 273 4535
Write:      [EMAIL PROTECTED]
Browse:     www.unfold.co.nz
Visit/Post: 26 Eastland Road, Flat Bush, Auckland 2016, New Zealand


------------------------------

Message: 5
Date: Mon, 9 Apr 2007 21:37:44 +1000
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Dynamic TKTAuthToken
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Fri, Apr 06, 2007 at 08:33:50PM +1200, Danny Adair wrote:
> Thanks Joost,
> 
> that solved the problem. Cool!
> In my case there's only one redirection URL for everything so I don't even
> mind keeping string literals in two places.
> 
> I still think this could be solved by modauthtkt.

It certainly could. But at the moment mod_auth_tkt is really an authentication
handler, rather than an authorisation one. The TKTAuthToken handling was 
basically bolted on as the simplest possible kind of authz model that would
give some benefits to people that wanted to use it. 

Personally I think layering real authz stuff on top, as Joost suggested,
is the right way to go for those who need it.

Cheers,
Gavin




-- 
Gavin Carr
- http://www.openfusion.com.au - Linux, Perl, and Web Consulting
- http://www.xool.com.au - Xool, Australian property search engine
* Fashion is a variable, but style is a constant - Programming Perl
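
The layering discussed in this thread, as an added example that is not code from any of the posters or from mod_auth_tkt: a second-stage check that derives the required token from the URL at request time and reads only what the ticket module has already verified, instead of re-parsing the cleartext tokens in the cookie. Assumptions: the `/projects/<name>/...` layout, the `LOGIN_URL` and `BACK_ARG` values, the function names, and that `REMOTE_USER_TOKENS` is a comma-separated list.

```python
import posixpath
from urllib.parse import quote

LOGIN_URL = "/login"   # assumption: the single redirect URL for the whole site
BACK_ARG = "back"      # assumption: query argument the login page reads


def project_for(path):
    """Return the project named in /projects/<name>/..., "" for the bare
    /projects index, or None when the path is outside /projects.

    `path` is the already-decoded request path the server hands to handlers;
    decoding it again here would make this check disagree with what is served.
    """
    parts = [p for p in posixpath.normpath(path).split("/") if p]
    if not parts or parts[0] != "projects":
        return None
    return parts[1] if len(parts) > 1 else ""


def authorize(path, environ):
    """Second-stage check, run after the ticket module has set REMOTE_USER."""
    project = project_for(path)
    if project is None:
        return ("allow", None)
    login = "%s?%s=%s" % (LOGIN_URL, BACK_ARG, quote(path, safe=""))
    if not environ.get("REMOTE_USER"):
        # Handler ordering is wrong or there is no valid ticket: fail closed.
        return ("redirect", login)
    # Assumption: REMOTE_USER_TOKENS holds the verified, comma-separated tokens.
    raw = environ.get("REMOTE_USER_TOKENS", "")
    tokens = {t.strip() for t in raw.split(",") if t.strip()}
    if project and project in tokens:
        return ("allow", None)
    return ("redirect", login)


if __name__ == "__main__":
    # Constructed sample environment, not taken from the thread.
    env = {"REMOTE_USER": "danny", "REMOTE_USER_TOKENS": "alpha, beta"}
    for p in ("/projects/alpha/wiki", "/projects/gamma/",
              "/projects/alpha/../gamma/x", "/projectsfoo", "/projects"):
        print(p, authorize(p, env))
```
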





End of modauthtkt-users Digest, Vol 8, Issue 2
**********************************************
