Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."


Today's Topics:

   1. Re: Dynamic TKTAuthToken (Charles Bueche)
   2. Re: Dynamic TKTAuthToken (Danny Adair)
   3. New mod_auth_tkt developer woes: Same domain ticket creation?
      (Shawn Holwegner)
   4. Re: New mod_auth_tkt developer woes: Same domain ticket
      creation? (Danny Adair)


----------------------------------------------------------------------

Message: 1
Date: Tue, 10 Apr 2007 13:02:33 +0200
From: Charles Bueche <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Dynamic TKTAuthToken
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Hi,

coming late to the party, I have a PerlFixupHandler called
mod_auth_headers doing exactly this. I'm currently in the phase of
publishing it to berlios.de. Will announce when done.

Charles

On 9 Apr. 07, at 13:37, Gavin Carr wrote:

> On Fri, Apr 06, 2007 at 08:33:50PM +1200, Danny Adair wrote:
>> Thanks Joost,
>>
>> that solved the problem. Cool!
>> In my case there's only one redirection URL for everything so I don't even
>> mind keeping string literals in two places.
>>
>> I still think this could be solved by modauthtkt.
>
> It certainly could. But at the moment mod_auth_tkt is really an authentication
> handler, rather than an authorisation one. The TKTAuthToken handling was
> basically bolted on as the simplest possible kind of authz model that would
> give some benefits to people that wanted to use it.
>
> Personally I think layering real authz stuff on top, as Joost suggested,
> is the right way to go for those who need it.
>
> Cheers,
> Gavin
>
>
>> On 4/6/07, Joost Cassee <[EMAIL PROTECTED]> wrote:
>>>
>>> On 06/04/2007 10:08, Danny Adair wrote:
>>>
>>>> I don't quite understand.
>>>> Do you mean having an _additional_ handler for /projects, so that
>>>> modauthtkt needs to be satisfied (without tokens), and then _also_
>>>> another handler checks the tokens as well (by simply checking the
>>>> cleartext tokens in the cookie, or I think REMOTE_USER_TOKENS also gets
>>>> set)?
>>>
>>> I don't remember whether mod_authtkt stores tokens in the request
>>> apr_table, but its configuration is in there for certain. Indeed,
>>> REMOTE_USER is set, so you can check against that.
>>>
>>>> Didn't know that you could mix (cascade) BasicAuth/modauthtkt with your
>>>> own handlers.
>>>> I don't want to recreate any modauthtkt functionality but if there can
>>>> be multiple auth handlers that's great news.
>>>
>>> Yes, that is entirely possible. Apache has a whole list of different
>>> handler types. Just make sure the ordering of the handlers is correct.
>>> mod_authtkt should run first to set REMOTE_USER.
>>>
>>>> Btw, I already wrote a PythonAuthenHandler which uses the same database
>>>> as from where the modauthtkt cookie gets created from (needed that for
>>>> subversion (DAV) clients which don't use cookies). It already checks for
>>>> appropriate roles (tokens) there.
>>>> So there would be no work at all :-)
>>>
>>> From mod_perl you can access all key/value pairs associated with a
>>> request. I reviewed mod_python a long time ago but it is less powerful
>>> than mod_perl. On the other hand, it looks like your PythonAuthenHandler
>>> only needs access to REMOTE_USER and the URL.
>>>
>>> The only thing you will miss if you do not let mod_authtkt do the
>>> authentication is its redirection to a login page if the tokens don't
>>> match. You could work around that by looking at the configuration in
>>> your own handler.
>>>
>>>
>>> Regards,
>>>
>>> Joost




------------------------------

Message: 2
Date: Tue, 10 Apr 2007 23:18:03 +1200
From: "Danny Adair" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Dynamic TKTAuthToken
To: "Charles Bueche" <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hello Charles,

Great news. Please announce it on this list.

Cheers,
Danny




-- 
Danny W. Adair
Director
Unfold Limited
New Zealand

Talk:       +64 9 273 4534
Fax:        +64 9 273 4535
Write:      [EMAIL PROTECTED]
Browse:     www.unfold.co.nz
Visit/Post: 26 Eastland Road, Flat Bush, Auckland 2016, New Zealand
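
The layering discussed in this thread (mod_auth_tkt authenticates first and sets REMOTE_USER, then a second handler decides per URL which token is required), as an added example that is not part of the original messages or of mod_auth_tkt. The /projects/<name>/ layout, the function names and the result strings are assumptions, as is reading the tokens as a comma-separated REMOTE_USER_TOKENS value:

```python
import posixpath

PROTECTED_PREFIX = "/projects/"  # assumed layout: /projects/<name>/...

def parse_tokens(raw):
    """Split the comma-separated REMOTE_USER_TOKENS value into a set."""
    return {t.strip() for t in (raw or "").split(",") if t.strip()}

def required_token(uri):
    """Token needed for uri: None = not protected here, "" = any valid user."""
    # Normalise before matching so '/projects/a/../b/' is judged as project b.
    # uri is assumed to be the already percent-decoded request path.
    path = posixpath.normpath("/" + uri.lstrip("/"))
    if not (path + "/").startswith(PROTECTED_PREFIX):
        return None
    return path[len(PROTECTED_PREFIX):].split("/")[0]

def authorize(uri, remote_user, remote_user_tokens):
    """Decide access from what mod_auth_tkt left in the request environment."""
    need = required_token(uri)
    if need is None:
        return "declined"          # outside /projects/: leave to other handlers
    if not remote_user:
        return "unauthenticated"   # no REMOTE_USER: the ticket check did not pass
    if need == "" or need in parse_tokens(remote_user_tokens):
        return "allow"
    return "forbidden"             # valid ticket, but no token for this project

# Constructed sample requests: (path, REMOTE_USER, REMOTE_USER_TOKENS)
SAMPLES = [
    ("/projects/alpha/src/main.c", "danny", "alpha, beta"),
    ("/projects/gamma/", "danny", "alpha,beta"),
    ("/projects/alpha/../gamma/secret", "danny", "alpha"),
    ("//projects/alpha/", "", "alpha"),
    ("/static/logo.png", "", ""),
]

if __name__ == "__main__":
    for uri, user, tokens in SAMPLES:
        print(f"{authorize(uri, user, tokens):15} {uri}")
```

A real handler would map these results to its server's status codes and, for the two refusals, issue the login-page redirect that mod_auth_tkt would otherwise have sent.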


------------------------------

Message: 3
Date: Wed, 09 May 2007 16:29:00 -0600
From: Shawn Holwegner <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] New mod_auth_tkt developer woes: Same
        domain  ticket creation?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

Hi there,

It's time I moved on from mod_auth_mysql, and Apache 2.2's own dbd is a
bit too restrictive for my needs.

My problem is that this is a legacy system that was based on closed
code, and of course, the developer who created it is no longer with the
company.

It would use a rather bold hash of a user/ip/password combo redirect for
wildcard subdomains.. but, let's not cringe too much.

My problem is that due to the design of this system, I really need to be
able to get mod_auth_tkt to run on the same domain that it is creating a
ticket for.

Observe:

    <Directory "/home/www/site.com">
       AllowOverride AuthConfig
       <IfModule mod_auth_tkt.c>
         AuthType Basic
         require valid-user
         TKTAuthLoginURL http://site.com/login.php
         TKTAuthTimeoutURL http://site.com/login.php?timeout
         TKTAuthPostTimeoutURL  http://site.com/login.php?timeout
         TKTAuthUnauthURL  http://site.com/login.php?unauth
         ..
       </IfModule>
    </Directory>

I've read through the manual page, but I just can't seem to find any
means for allowing access to login.php without having Guest access on,
which would not work, as I need to protect subdirectories.

Am I just missing something incredibly simple?

Thanks,
Shawn



------------------------------

Message: 4
Date: Thu, 10 May 2007 10:42:53 +1200
From: "Danny Adair" <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] New mod_auth_tkt developer woes: Same
        domain  ticket creation?
To: "Shawn Holwegner" <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hello Shawn,

Just tell Apache to disable access control for that page, for example:

<Location /login.php>
  Satisfy Any
  Allow from all
</Location>

Or with your existing <Directory> config maybe better:

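# Goes inside the existing <Directory "/home/www/site.com"> block;
# <Files> matches on the file name, not on a full path.
<Files login.php>
  Satisfy Any
  Allow from all
</Files>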

You will probably want to do the same for the script that the login form
posts to.

Cheers,
Danny




-- 
Danny W. Adair
Director
Unfold Limited
New Zealand

Talk:       +64 9 273 4534
Fax:        +64 9 273 4535
Write:      [EMAIL PROTECTED]
Browse:     www.unfold.co.nz
Visit/Post: 26 Eastland Road, Flat Bush, Auckland 2016, New Zealand


------------------------------


End of modauthtkt-users Digest, Vol 9, Issue 1
**********************************************