Today's Topics:

   1. Ruby On Rails with mod_auth_tkt example (Sascha Hanßen)
   2. Blogging about mod_auth_tkt (Jose Luis Martinez)
   3. Re: Blogging about mod_auth_tkt (Gavin Carr)
   4. Re: Blogging about mod_auth_tkt (Jose Luis Martinez)
   5. Re: Blogging about mod_auth_tkt (Peter Karman)
   6. Re: Blogging about mod_auth_tkt (Jose Luis Martinez)
   7. Re: Blogging about mod_auth_tkt (Peter Karman)
   8. Re: Blogging about mod_auth_tkt (Gavin Carr)
   9. Re: Blogging about mod_auth_tkt (Peter Karman)

----------------------------------------------------------------------

Message: 1
Date: Thu, 24 Jan 2008 10:25:14 +0100
From: Sascha Hanßen <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Ruby On Rails with mod_auth_tkt example
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=iso-8859-15

Hello!

We started to use mod_auth_tkt and wrote an example of how to generate
the signed cookie with Ruby On Rails. We integrated the cookie
generation transparently into the common authentication plugins
"Acts as Authenticated" and "acl_system2" as well.
Feel free to use our example, which you can find and download here:
www.meso.net/auth_tkt_rails

--
Best regards
Sascha Hanßen

------------------------------

Message: 2
Date: Fri, 25 Jan 2008 09:36:24 +0100
From: Jose Luis Martinez <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi,

I've been blogging about mod_auth_tkt these days, so maybe you would
like to visit my blog to have a look.

I would like Gavin to confirm that I'm not leaving anything important
out on the ticket validation part.

The link is: http://pplusdomain.net/cgi-bin/blosxom.cgi

Hope you like it.

------------------------------

Message: 3
Date: Fri, 25 Jan 2008 21:15:53 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi Jose,

On Fri, Jan 25, 2008 at 09:36:24AM +0100, Jose Luis Martinez wrote:
> I've been blogging about mod_auth_tkt these days, so maybe you would
> like to visit my blog to have a look.
>
> I would like Gavin to confirm that I'm not leaving anything important
> out on the ticket validation part.
>
> The link is: http://pplusdomain.net/cgi-bin/blosxom.cgi
>
> Hope you like it.

Looks pretty good to me. I especially like the movie metaphor - it's a
good one.

Just so you know, your valid_ticket patch is still in my queue and
looks pretty good. I've got a deadline mid-next week to meet, so
probably won't get to it till after that though.

FWIW, since you ask in your latest post about other ways of getting
REMOTE_USER to the backend server, you should be able to do this
with some mod_rewrite magic on the frontend.
There's a discussion here by the webauth guys about how to do it:

  https://mailman.stanford.edu/pipermail/webauth-info/2006-May/000064.html

which seemed to work for them in the end.

A working example of that for mod_auth_tkt would make a nice post. ;-)

Cheers,
Gavin

------------------------------

Message: 4
Date: Fri, 25 Jan 2008 12:18:47 +0100
From: Jose Luis Martinez <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Gavin Carr wrote:
>
> Looks pretty good to me. I especially like the movie metaphor - it's
> a good one.

Thanks.

> Just so you know, your valid_ticket patch is still in my queue and
> looks pretty good. I've got a deadline mid-next week to meet, so
> probably won't get to it till after that though.

Ok, no problem. Hope you meet your deadline. Thanks for the update

> FWIW, since you ask in your latest post about other ways of getting
> REMOTE_USER to the backend server, you should be able to do this
> with some mod_rewrite magic on the frontend. There's a discussion here
> by the webauth guys about how to do it:
>
> https://mailman.stanford.edu/pipermail/webauth-info/2006-May/000064.html
>
> which seemed to work for them in the end.

I was suspecting that mod_rewrite would do the trick, but I'm not a big
mod_rewrite fan. I'll try to get a working example of that for another
post (It's still an interesting option for many people ;)

------------------------------

Message: 5
Date: Fri, 25 Jan 2008 09:10:01 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

On 01/25/2008 02:36 AM, Jose Luis Martinez wrote:
> Hi,
>
> I've been blogging about mod_auth_tkt these days, so maybe you would
> like to visit my blog to have a look.
>
> I would like Gavin to confirm that I'm not leaving anything important
> out on the ticket validation part.
>
> The link is: http://pplusdomain.net/cgi-bin/blosxom.cgi
>

Nice work. And nice to see another blosxom user out there. (blosxom has
powered peknet.com for years, though I have a rewrite in the works using
Catalyst.)

re: getting the credentials like REMOTE_USER in the backend server.
That's what I wrote the parse_ticket() method for. I had the familiar
front-end-proxy/back-end-mod_perl setup, and I wanted to be able to
unpack the ticket on the back-end for precisely the reasons you
describe. I didn't worry about ticket tampering, because the front-end
was still using mod_auth_tkt in Apache to do the actual
authentication/validation. So I could trust that any requests passed
through to the back-end were already valid. If you aren't using
mod_auth_tkt on the front-end, then the issue of ticket tampering is
real.

That said, I like your valid_ticket() patch since it offers the back-end
the chance to basically do everything mod_auth_tkt does in a Perl
context.

cheers,
pek

--
Peter Karman  .  [EMAIL PROTECTED]  .  http://peknet.com/

------------------------------

Message: 6
Date: Fri, 25 Jan 2008 19:32:59 +0100
From: Jose Luis Martinez <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

>
> Nice work. And nice to see another blosxom user out there. (blosxom
> has powered peknet.com for years, though I have a rewrite in the works
> using Catalyst.)
>

Like blosxom! nice, simple and perl ;)

> re: getting the credentials like REMOTE_USER in the backend server.
> That's what I wrote the parse_ticket() method for. I had the familiar
> front-end-proxy/back-end-mod_perl setup, and I wanted to be able to
> unpack the ticket on the back-end for precisely the reasons you
> describe.
> I didn't worry about ticket tampering, because the front-end was
> still using mod_auth_tkt in Apache to do the actual
> authentication/validation. So I could trust that any requests passed
> through to the back-end were already valid. If you aren't using
> mod_auth_tkt on the front-end, then the issue of ticket tampering is
> real.
>

I saw your patch a couple of days before meeting Ton, to try to
integrate auth_tkt into Opsview. They use the Frontend Apache -> Backend
Catalyst App server approach too, and we just thought that we would have
less hassle dropping the Apache module dependency, and only depending
upon the AuthTkt module. And when testing, we saw once we changed the
secret, the app was still accepting the ticket. Of course, under your
circumstances you were covered on that one :)

> That said, I like your valid_ticket() patch since it offers the
> back-end the chance to basically do everything mod_auth_tkt does in a
> Perl context.

Thanks. That was the intention ;)

> cheers,
> pek
>

------------------------------

Message: 7
Date: Fri, 25 Jan 2008 13:55:27 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

On 01/25/2008 12:32 PM, Jose Luis Martinez wrote:

> I saw your patch a couple of days before meeting Ton, to try to
> integrate auth_tkt into Opsview. They use the Frontend Apache -> Backend
> Catalyst App server approach too, and we just thought that we would have
> less hassle dropping the Apache module dependency, and only depending
> upon the AuthTkt module. And when testing, we saw once we changed the
> secret, the app was still accepting the ticket.
> Of course, under your circumstances you were covered on that one :)
>

fwiw, my experience using mod_auth_tkt on the front end is that it helps
improve performance, since it is faster than the equivalent checks in
the backend Perl side and because it prevents idle (spider, visitor,
etc) requests from chewing up backend resources. again, ymmv depending
on your setup etc.

and since you mentioned Catalyst, you might look at the plugin I
uploaded to CPAN for AuthTkt. It doesn't do much except give you the
built-in $c->user features that the C::P::Authentication architecture
provides, but OTOH, that does mean less code you have to write
yourself. :)

--
Peter Karman  .  [EMAIL PROTECTED]  .  http://peknet.com/

------------------------------

Message: 8
Date: Sat, 26 Jan 2008 08:18:11 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Fri, Jan 25, 2008 at 01:55:27PM -0600, Peter Karman wrote:
> On 01/25/2008 12:32 PM, Jose Luis Martinez wrote:
>
> > I saw your patch a couple of days before meeting Ton, to try to
> > integrate auth_tkt into Opsview. They use the Frontend Apache -> Backend
> > Catalyst App server approach too, and we just thought that we would have
> > less hassle dropping the Apache module dependency, and only depending
> > upon the AuthTkt module. And when testing, we saw once we changed the
> > secret, the app was still accepting the ticket. Of course, under your
> > circumstances you were covered on that one :)
> >
>
> fwiw, my experience using mod_auth_tkt on the front end is that it
> helps improve performance, since it is faster than the equivalent
> checks in the backend Perl side and because it prevents idle (spider,
> visitor, etc) requests from chewing up backend resources. again, ymmv
> depending on your setup etc.
>
> and since you mentioned Catalyst, you might look at the plugin I
> uploaded to CPAN for AuthTkt. It doesn't do much except give you the
> built-in $c->user features that the C::P::Authentication architecture
> provides, but OTOH, that does mean less code you have to write
> yourself. :)

Peter, could you expand on that a bit for the archives (and give a link)?

Could you also announce new versions/updates here, since others might be
interested?

Cheers,
Gavin

------------------------------

Message: 9
Date: Fri, 25 Jan 2008 15:49:03 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

On 01/25/2008 03:18 PM, Gavin Carr wrote:
> On Fri, Jan 25, 2008 at 01:55:27PM -0600, Peter Karman wrote:
> > and since you mentioned Catalyst, you might look at the plugin I
> > uploaded to CPAN for AuthTkt. It doesn't do much except give you the
> > built-in $c->user features that the C::P::Authentication architecture
> > provides, but OTOH, that does mean less code you have to write
> > yourself. :)
>
> Peter, could you expand on that a bit for the archives (and give a link)?
>
> Could you also announce new versions/updates here, since others might be
> interested?

you betcha.

C::P::A::AT implements the Catalyst::Plugin::Authentication API for
mod_auth_tkt using Apache::AuthTkt.

http://search.cpan.org/dist/Catalyst-Plugin-Authentication-AuthTkt/

Looks like the POD links are broken somehow on search.cpan at the
moment. I'll have to see if that's my fault or not. Works ok locally
with perldoc.

Here's the SYNOPSIS:

    use Catalyst qw( Authentication );

    # Configure an authentication realm in your app config:
    authentication:
        default_realm: 'external'
        realms:
            external:
                credential:
                    class: 'AuthTkt'
                store:
                    class: 'AuthTkt'
                    cookie_name: auth_tkt
                    conf: path/to/httpd.conf

    # and then in your Root controller 'auto':
    sub auto : Private {
        my ( $self, $c ) = @_;

        $c->authenticate;
        if ($c->user_exists) {
            return 1;
        }
        else {
            # No REMOTE_USER found - redirect? Allow as guest? etc.
        }
    }

    # and then later on
    if ($c->user_exists) {
        $c->log->debug("Logged in as user " . $c->user->id);
        ...
    }

The assumption right now is the same as I outlined earlier in this
thread: that mod_auth_tkt still performs the ticket validation before
Catalyst ever touches it. However, once the verify_ticket() patch is
released to cpan, I'll update C::P::A::AT to use that instead of
parse_ticket().

(I probably also should rename the module to remove the ::Plugin part
since that naming convention is now deprecated.)

cheers,
pek

--
Peter Karman  .  [EMAIL PROTECTED]  .  http://peknet.com/

------------------------------

End of modauthtkt-users Digest, Vol 15, Issue 3
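
The difference discussed in this thread, between only unpacking a ticket and recomputing its digest on the back-end, is shown in the stand-alone script below. It is an added example, not code from Apache::AuthTkt or from any poster; it assumes mod_auth_tkt's default MD5 ticket layout, and the function names, secrets, IP address and timestamp are constructed for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Socket qw(inet_aton);

# Assumed layout (mod_auth_tkt default MD5 tickets):
#   digest(32 hex) . timestamp(8 hex) . uid . '!' . [tokens . '!'] . user_data
#   digest = MD5( MD5(ip . ts . secret . uid . \0 . tokens . \0 . data) . secret )
sub ticket_digest {
    my ($secret, $ip, $ts, $uid, $tokens, $data) = @_;
    my $inner = md5_hex(inet_aton($ip) . pack('N', $ts) . $secret
                        . $uid . "\0" . $tokens . "\0" . $data);
    return md5_hex($inner . $secret);
}

sub make_ticket {
    my ($secret, $ip, $ts, $uid, $tokens, $data) = @_;
    return ticket_digest(@_) . sprintf('%08x', $ts) . $uid . '!'
         . (length($tokens) ? "$tokens!" : '') . $data;
}

# Hypothetical parse-only helper: splits the fields, never uses the secret.
sub parse_only {
    my ($ticket) = @_;
    my ($digest, $ts_hex, $rest) =
        $ticket =~ /\A([0-9a-f]{32})([0-9a-f]{8})(.+)\z/is or return;
    my @f = split /!/, $rest, 3;
    my ($uid, $tokens, $data) = @f == 3 ? @f : ($f[0], '', $f[1] // '');
    return { digest => lc($digest), ts => hex($ts_hex), uid => $uid,
             tokens => $tokens, data => $data };
}

# Hypothetical verifying helper: recomputes the digest with the current secret.
sub verified {
    my ($ticket, $secret, $ip) = @_;
    my $p = parse_only($ticket) or return;
    my $want = ticket_digest($secret, $ip, @{$p}{qw(ts uid tokens data)});
    return $p->{digest} eq $want ? $p : undef;
}

# Constructed sample values, not taken from the thread.
my ($old, $new, $ip) = ('old-secret', 'rotated-secret', '192.0.2.10');
my $genuine = make_ticket($old, $ip, 1201250000, 'jose', 'admin', '');
(my $edited = $genuine) =~ s/jose!/root!/;   # uid changed, digest left as is

for my $case ([genuine => $genuine], [edited => $edited]) {
    my ($label, $t) = @$case;
    printf "%-8s parse_only uid=%-5s old secret: %-7s rotated secret: %s\n",
        $label, parse_only($t)->{uid},
        map { verified($t, $_, $ip) ? 'accept' : 'reject' } $old, $new;
}
```

parse_only() hands back a uid for both tickets whatever the secret is, while verified() accepts only the unmodified ticket under the secret that signed it.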