Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
        modauthtkt-users-requ...@lists.sourceforge.net

You can reach the person managing the list at
        modauthtkt-users-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."


Today's Topics:

   1. Re: ANNOUNCE: mod_auth_tkt 2.0.0rc4 (Gavin Carr)
   2. Re: ANNOUNCE: mod_auth_tkt 2.0.0rc4 (Nikolaus Rath)
   3. mod_auth_tkt 2.0.0rc4: tested and minor inconsistency found
      (Christian Folini)
   4. ANNOUNCE: mod_auth_tkt 2.0.1 (Gavin Carr)
   5. ANNOUNCE: mod_auth_tkt 2.0.2 (Gavin Carr)
   6. ANNOUNCE: mod_auth_tkt 2.0.99b2 (BETA) (Gavin Carr)
   7. Easy way to tie into Django permissions? (Adam Stein)
   8. Re: Easy way to tie into Django permissions? (Michael Peters)


----------------------------------------------------------------------

Message: 1
Date: Sun, 15 Feb 2009 15:45:34 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.0rc4
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090215044534.gc6...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

On Fri, Feb 13, 2009 at 05:28:53PM -0500, Nikolaus Rath wrote:
> Gavin Carr <ga...@openfusion.com.au> writes:
> > Second, Christian Folini of netnea.com and an unnamed Swiss bank are
> > sponsoring incorporating SHA1 hashing into mod_auth_tkt, as an
> > alternative to the existing MD5 hashing, and supporting a backup
> > TKTAuthSecret, to allow for smooth/seamless secret rotation. These
> > enhancements will be released as a new version 2.1.
> 
> Is it also planned to introduce support for the Apache 2.2
> authentication scheme, i.e. the AuthBasicProvider directive?

Does that buy us any more functionality, or is it just updating
the 2.2 api? I'm happy to look at it if it's straightforward and
we can do it in a way that maintains backward compatibility 
though.

Cheers,
Gavin




------------------------------

Message: 2
Date: Sun, 15 Feb 2009 17:00:02 -0500
From: Nikolaus Rath <nikol...@rath.org>
Subject: Re: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.0rc4
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <873aefgy3h....@nokile.rath.org>
Content-Type: text/plain; charset=utf-8

Gavin Carr <ga...@openfusion.com.au> writes:
> On Fri, Feb 13, 2009 at 05:28:53PM -0500, Nikolaus Rath wrote:
>> Gavin Carr <ga...@openfusion.com.au> writes:
>> > Second, Christian Folini of netnea.com and an unnamed Swiss bank are
>> > sponsoring incorporating SHA1 hashing into mod_auth_tkt, as an
>> > alternative to the existing MD5 hashing, and supporting a backup
>> > TKTAuthSecret, to allow for smooth/seamless secret rotation. These
>> > enhancements will be released as a new version 2.1.
>> 
>> Is it also planned to introduce support for the Apache 2.2
>> authentication scheme, i.e. the AuthBasicProvider directive?
>
> Does that buy us any more functionality, or is it just updating
> the 2.2 api? I'm happy to look at it if it's straightforward and
> we can do it in a way that maintains backward compatibility 
> though.

In my opinion the 2.2 API makes much clearer both the interplay
between the different stages of authorization (retrieval of
credentials, authentication, authorization) and the different modules
that can be used for each step. Therefore the configuration becomes
easier, especially for more complicated setups. I think the difference
between http://httpd.apache.org/docs/2.2/howto/auth.html and
http://httpd.apache.org/docs/2.0/howto/auth.html illustrates this
nicely.


It might also allow some more functionality (like falling back on HTTP
Auth when auth_tkt fails or similar more obscure configurations), but
I think the main advantage that it is much easier to understand
(especially when Apache 2.2 is used with the current version of
auth_tkt it is, at least for me, really difficult to figure out what's
actually going on).


As far as I can judge (I haven't looked at the Apache source for quite
some time) the 2.2 API should be quite easy to implement. Backwards
compatibility will probably require a compile-time switch, because I
expect the new API to use different handlers.


Best,

   -Nikolaus

-- 
 "Time flies like an arrow, fruit flies like a Banana."

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C



------------------------------

Message: 3
Date: Sat, 28 Feb 2009 11:41:54 +0100
From: Christian Folini <christian.fol...@netnea.com>
Subject: [modauthtkt-users] mod_auth_tkt 2.0.0rc4: tested and minor
        inconsistency found
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <20090228104154.ga17...@localhost.localdomain>
Content-Type: text/plain; charset=utf-8

Hi there,

mod_auth_tkt 2.0.0rc4 compiled just fine on Ubuntu 08.10 against an apache 2.2.8
worker. Operation is fine too as far as I can see.

However, I encountered two small inconsistencies in the
documentation/error messages and the test routine.

I am trying to configure mod_auth_tkt to send neither a back-URL nor a
back-Cookie when no ticket is found.

The documentation does not state how to do this as far as I can see.

The behaviour seems to be as follows: Per default, mod_auth_tkt
appends a query string argument named "back" to the Redirect URL
defined in TKTAuthLoginURL.

You can tweak the name of this query string argument with
TKTAuthBackArgName. "" is not accepted as value and NULL is taken as
a literal query string argument named NULL.

Now if you define TKTAuthCookieName, then no query string argument
is sent anymore, but a cookie instead. This is not entirely clear
when you read the manpage in my eyes.

If you define TKTAuthCookieName to "", then apache fails to start
and prints the following error:
TKTAuthBackCookieName takes one argument, name to use for back cookie (NULL for 
none)

This implies NULL could be used to omit any form of back-Cookie.
However, NULL is taken as a literal cookie name as well.

Proposal:
 TKTAuthBackArgName should accept NULL as value. When the argument name is
 defined to be NULL, then no back query string parameter is added to the
 response.

 TKTAuthBackCookieName should accept NULL as value. When the cookie name is
 defined to be NULL, then no back-cookie is added to the response.


 Subsequent rewording of the man page:


TKTAuthBackArgName <name>
    The name used for the back GET parameter. By default mod_auth_tkt will add
    a GET parameter to all redirect URLs containing a URI-escaped version of the
    current requested page, e.g. if the requested page is
    http://www.example.com/index.html and TKTAuthBackArgName is set to "back",
    mod_auth_tkt will add a parameter like:

      back=http%3A%2F%2Fwww.example.com%2Findex.html

    to the TKTAuthLoginURL it redirects to, allowing your login script to
    redirect back to the requested page upon successful login.

    When a back cookie name is configured (see TKTAuthBackCookieName), then no
    GET parameter will be added to redirect URLs.

    If TKTAuthBackArgName is set to NULL, then no GET parameter will be added
    to redirect URLs.

    Default: "back".

TKTAuthBackCookieName <name>
    The cookie name to use for the back cookie. If this is set, mod_auth_tkt
    will set a back cookie containing a URI-escaped version of the current
    requested page when redirecting. In that case, no GET parameter will be
    added to the redirect URL (see TKTAuthBackArgName above).

    If TKTAuthBackCookieName is set to NULL, then no back cookie will be set.

    Default: none.


As mentioned above, there is a second issue as well:
When running the test sequence, I got the following error:
$> make test

/data/custom-apaches/apache-2.2.8-worker/bin/apxs -S 
LIBEXECDIR=/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules -i 
../src/mod_auth_tkt.la
/data/custom-apaches/apache-2.2.8-worker/build/instdso.sh 
SH_LIBTOOL='/usr/share/apr-1.0/build/libtool' ../src/mod_auth_tkt.la 
/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules
/usr/share/apr-1.0/build/libtool --mode=install cp ../src/mod_auth_tkt.la 
/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules/
cp ../src/.libs/mod_auth_tkt.so 
/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules/mod_auth_tkt.so
cp ../src/.libs/mod_auth_tkt.lai 
/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules/mod_auth_tkt.la
cp ../src/.libs/mod_auth_tkt.a 
/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules/mod_auth_tkt.a
ranlib 
/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules/mod_auth_tkt.a
chmod 644 
/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules/mod_auth_tkt.a
libtool: install: warning: remember to run `libtool --finish 
/data/custom-apaches/apache-2.2.8-worker/modules'
chmod 755 
/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t/modules/mod_auth_tkt.so
./TEST -clean
Base class package "Apache::TestRun" is empty.
    (Perhaps you need to 'use' the module which defines that package first.)
 at ./TEST line 4
BEGIN failed--compilation aborted at ./TEST line 4.
make[1]: *** [test] Error 2
make[1]: Leaving directory `/data/custom-apache-sources/mod_auth_tkt-2.0.0rc4/t'
make: *** [test] Error 2



 
Best regards,

Christian Folini


-- 
The intersection of all majorities is the empty set - The 
union of even the smallest minorities is the universal set.
--- Linus Torvalds



------------------------------

Message: 4
Date: Tue, 3 Mar 2009 11:56:27 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.1
To: mod_auth_tkt-users <modauthtkt-users@lists.sourceforge.net>
Message-ID: <20090303005627.gc19...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

I'm happy to announce the release of mod_auth_tkt 2.0.1, the first
full release of mod_auth_tkt in a couple of years. It is the 
successor to version 2.0.0rc4 - the only updates are to documentation
and a minor bugfix in the CGI scripts (found in the unreleased 
2.0.0 version).

Available as a tarball and various RPMs as usual from here:

  http://www.openfusion.com.au/labs/mod_auth_tkt/

Cheers,
Gavin




------------------------------

Message: 5
Date: Sat, 28 Mar 2009 10:22:05 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.2
To: mod_auth_tkt-users <modauthtkt-users@lists.sourceforge.net>
Message-ID: <20090327232204.ga32...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

A new stable release of mod_auth_tkt - mod_auth_tkt 2.0.2 - is now 
available from the home page:

  http://www.openfusion.com.au/labs/mod_auth_tkt/
  http://www.openfusion.com.au/labs/dist/mod_auth_tkt/mod_auth_tkt-2.0.2.tar.gz

This release fixes a partial match bug in the cookie name matching 
code where a cookie name like 'tkt' could incorrectly match a longer 
cookie name like 'auth_tkt', causing the wrong ticket to be used, 
and authentication to fail. 

AFAICT there are no security implications, just the possibility of 
denial of service.

Cheers,
Gavin

-- 
Gavin Carr
- http://www.openfusion.com.au - Linux, Perl, and Web Consulting
- http://www.openfusion.net    - Hackery, the Blog
* Fashion is a variable, but style is a constant - Programming Perl




------------------------------

Message: 6
Date: Sat, 28 Mar 2009 10:49:16 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.0.99b2 (BETA)
To: mod_auth_tkt-users <modauthtkt-users@lists.sourceforge.net>
Message-ID: <20090327234916.gb32...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

For your testing pleasure the first public beta of what will become 
mod_auth_tkt 2.1 is now available:

  http://www.openfusion.com.au/labs/dist/mod_auth_tkt/mod_auth_tkt-2.0.99b2.tar.gz

This version includes support for hashing using SHA-256 and SHA-512
digests instead of the default MD5 using a new TKTDigestType directive. 
It also includes support for smoother secret replacement with the 
inclusion of a TKTAuthSecretOld directive, based on a patch by Michael 
Peters.

If you're using the mod_auth_tkt CGI scripts and want to try out the
newer digest types you'll need to upgrade to Apache::AuthTkt >= 2.1, 
available on CPAN.

As previously mentioned, these features have been sponsored by 
Christian Folini of netnea.com and a Swiss bank.

Cheers,
Gavin


-- 
Gavin Carr
- http://www.openfusion.com.au - Linux, Perl, and Web Consulting
- http://www.openfusion.net    - Hackery, the Blog
* Fashion is a variable, but style is a constant - Programming Perl




------------------------------

Message: 7
Date: Mon, 08 Jun 2009 17:28:51 +0000
From: Adam Stein <a...@eng.mc.xerox.com>
Subject: [modauthtkt-users] Easy way to tie into Django permissions?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <1244482131.11749.37.ca...@chroma>
Content-Type: text/plain

Started using mod_auth_tkt (v2.0.2) today as it seems to be what I
needed (using Django authentication for web pages currently NOT under
Django control).

While I got the basics to work, I'm now looking into how I can get
specific Django permissions working.  Within Django, I can decorate a
function with the permission_required() function, so not only does the
person have to login, but they must have the specific permission that is
being looked for.

Short of writing my own login function, any easier way to accomplish
this?  I didn't see anything in the mailing list archives. 
-- 
Adam Stein @ Xerox Corporation       Email: a...@eng.mc.xerox.com

Disclaimer: Any/All views expressed
here have been proven to be my own.  [http://www.csh.rit.edu/~adam/]




------------------------------

Message: 8
Date: Mon, 08 Jun 2009 13:57:50 -0400
From: Michael Peters <mpet...@plusthree.com>
Subject: Re: [modauthtkt-users] Easy way to tie into Django
        permissions?
To: Adam Stein <a...@eng.mc.xerox.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <4a2d511e.4030...@plusthree.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Adam Stein wrote:

> While I got the basics to work, I'm now looking into how I can get
> specific Django permissions working.  Within Django, I can decorate a
> function with the permission_required() function, so not only does the
> person have to login, but they must have the specific permission that is
> being looked for.

You can put tokens into your mod_auth_tkt ticket that can be parsed out. These 
tokens are part of the overall ticket and can be trusted. We use them to put 
application specific auth roles into our user's login cookies.

-- 
Michael Peters
Plus Three, LP


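The following is an added example and is not code from this thread or from the mod_auth_tkt project. It illustrates Michael Peters' suggestion above (carrying application roles as tokens inside the signed ticket, so the web tier can check a role without trusting anything the client can edit) together with the two features from the 2.0.99b2 announcement earlier in this digest: verifying against a current and an old secret during rotation (the TKTAuthSecretOld idea) and using SHA-256/SHA-512 instead of MD5. Assumed rather than stated on this page: the ticket layout and the two-round digest construction, which are my reading of the mod_auth_tkt 2.x documentation and may differ in detail from the module; the secret, the user, the role names and the addresses are made up.

```python
import hashlib
import hmac
import socket
import struct
import time

# Assumed ticket layout (my reading of the mod_auth_tkt 2.x docs, not from this page):
#   <digest hex><8 hex chars timestamp><user>!<tokens>!<user_data>
# The "<tokens>!" part is omitted when there are no tokens.
#   digest0 = H(ip(4 bytes) + ts(4 bytes, big-endian) + secret + user + "\0" + tokens + "\0" + data)
#   digest  = H(hex(digest0) + secret)
DIGESTS = {"md5": hashlib.md5, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def _digest(secret, ip, ts, user, tokens, data, digest_type):
    """Two-round keyed digest over the ticket fields (assumed construction)."""
    h = DIGESTS[digest_type]
    raw = (socket.inet_aton(ip) + struct.pack(">I", ts) + secret.encode()
           + user.encode() + b"\0" + tokens.encode() + b"\0" + data.encode())
    digest0 = h(raw).hexdigest()
    return h(digest0.encode() + secret.encode()).hexdigest()


def make_ticket(secret, user, tokens="", data="", ip="0.0.0.0", ts=None,
                digest_type="md5"):
    """Mint a ticket; `tokens` is a comma-separated role list such as "editor,staff".
    user and data must not contain "!", the field separator."""
    ts = int(time.time()) if ts is None else ts
    digest = _digest(secret, ip, ts, user, tokens, data, digest_type)
    ticket = "%s%08x%s!" % (digest, ts, user)
    if tokens:
        ticket += tokens + "!"
    return ticket + data


def parse_ticket(ticket, digest_type="md5"):
    """Split a ticket into (digest, ts, user, tokens, data); raises ValueError if malformed."""
    dlen = DIGESTS[digest_type]().digest_size * 2  # hex length of the digest
    if len(ticket) < dlen + 8:
        raise ValueError("ticket too short")
    digest = ticket[:dlen]
    ts = int(ticket[dlen:dlen + 8], 16)  # ValueError on non-hex
    user, sep, rest = ticket[dlen + 8:].partition("!")
    if not sep:
        raise ValueError("missing user separator")
    if "!" in rest:
        tokens, _, data = rest.partition("!")
    else:
        tokens, data = "", rest
    return digest, ts, user, tokens, data


def verify_ticket(ticket, secrets, ip="0.0.0.0", timeout=0, now=None,
                  digest_type="md5"):
    """Return (user, [tokens], data) for a valid ticket, else None.

    `secrets` is a list tried in order, e.g. [current, old], so tickets minted
    under the previous secret keep working while a rotation is in progress
    (the TKTAuthSecretOld behaviour announced for 2.1). `timeout` of 0 disables
    the age check. The ticket is bound to `ip` because the address is part of
    the digest input."""
    try:
        digest, ts, user, tokens, data = parse_ticket(ticket, digest_type)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if timeout and ts + timeout < now:
        return None
    for secret in secrets:
        expected = _digest(secret, ip, ts, user, tokens, data, digest_type)
        # constant-time comparison; compare as bytes so a non-ASCII ticket cannot raise
        if hmac.compare_digest(expected.encode(), digest.encode("utf-8")):
            return user, tokens.split(",") if tokens else [], data
    return None


def has_token(verified, required):
    """Role check on an already-verified ticket: the tokens came from under the
    digest, so a client cannot grant itself a role by editing the cookie."""
    return verified is not None and required in verified[1]


if __name__ == "__main__":
    # Constructed sample: secret, user, roles and address are all made up.
    secret = "s3cret-2009"
    t = make_ticket(secret, "adam", tokens="editor,staff", data="uid=42",
                    ip="10.0.0.5", ts=0x49AD0000)
    v = verify_ticket(t, [secret], ip="10.0.0.5", timeout=7200, now=0x49AD0000 + 60)
    print(t)
    print("editor:", has_token(v, "editor"), "admin:", has_token(v, "admin"))
```

The role check in `has_token` is the whole point of putting roles in the ticket rather than in a separate cookie: the tokens sit under the digest, so changing `editor` to `admin` in the cookie makes the digest fail and the ticket is rejected before any role is consulted. The `secrets` list shows why a backup secret matters: without it, rotating the secret invalidates every live session at once.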


------------------------------




End of modauthtkt-users Digest, Vol 24, Issue 1
***********************************************
