Today's Topics:

   1. Re: Easy way to tie into Django permissions? (Joost Cassee)
   2. Re: Easy way to tie into Django permissions? (Adam Stein)
   3. ANNOUNCE: mod_auth_tkt 2.1.0 (Gavin Carr)
   4. modauthtkt for windows version (Balaji.L)
   5. invalid ticket (jason)
   6. minor bug in login.cgi (jason)
   7. x_forwarded_host & redirects (Charles Colbourn)
   8. Re: x_forwarded_host & redirects (Peter Karman)
   9. Re: x_forwarded_host & redirects (Charles Colbourn)


----------------------------------------------------------------------

Message: 1
Date: Mon, 08 Jun 2009 20:43:27 +0200
From: Joost Cassee <jo...@cassee.net>
Subject: Re: [modauthtkt-users] Easy way to tie into Django
        permissions?
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <4a2d5bcf.4020...@cassee.net>
Content-Type: text/plain; charset="iso-8859-1"

On 2009-06-08 19:57, Michael Peters wrote:
> Adam Stein wrote:
> 
>> While I got the basics to work, I'm now looking into how I can get
>> specific Django permissions working.  Within Django, I can decorate a
>> function with the permission_required() function, so not only does the
>> person have to login, but they must have the specific permission that is
>> being looked for.
> 
> You can put tokens into your mod_auth_tkt ticket that can be parsed out.
> These tokens are part of the overall ticket and can be trusted. We use them
> to put application-specific auth roles into our users' login cookies.

Also, newer Django versions can use the REMOTE_USER variable set by
modauthtkt with the RemoteUserBackend authentication backend:
http://docs.djangoproject.com/en/dev/ref/authbackends/#ref-authentication-backends


Regards,

Joost

-- 
Joost Cassee
http://joost.cassee.net

------------------------------

Message: 2
Date: Tue, 09 Jun 2009 13:25:27 +0000
From: Adam Stein <a...@eng.mc.xerox.com>
Subject: Re: [modauthtkt-users] Easy way to tie into Django
        permissions?
To: Michael Peters <mpet...@plusthree.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <1244553927.11749.84.ca...@chroma>
Content-Type: text/plain

Do you have any examples I can see?  I have a feeling, I'm not really
doing this correctly.

Right now, I get a URL loop that never ends.  Given a URL that looks
like:

        /cgi-bin/runthis.cgi

I first encounter my Apache setup:

 <LocationMatch ^/cgi-bin/>
        AuthType None
        require valid-user
        TKTAuthLoginURL http://mymachine:8001/legacy/
        TKTAuthUnauthURL http://www.google.com/
        TKTAuthBackArgName next
        TKTAuthDebug 0
  </LocationMatch>

For now, I have mod_auth_tkt calling the Django development server
('./manage.py runserver' as opposed to the production server).
'/legacy' is mapped to a function that calls the appropriate python
function (appropriate in the sense that the function is decorated for
the desired permission) and looks like this:

def legacy(request):
    url = "http://production_server" + \
          request.REQUEST.get(REDIRECT_FIELD_NAME)

    if url.find("runthis.cgi") > -1:
        response = legacy_runthis(request)
    else:
        raise Exception("URL '" + url + "' not currently handled")

    secret = "<TKTAuthSecret from apache config file>"
    token = AuthTicket(secret, "username",
                       request.META["REMOTE_ADDR"],
                       tokens=["SERVER.permission"])

    response.set_cookie("auth_tkt", value=token.cookie_value())

    # If the response HTML does NOT have a location redirection, then
    # we add our own to go the desired URL.  If a location is present,
    # then that is Django redirecting to the login or failed
    # authorization page.
    if str(response).find("Location:") == -1:
        response.write("""
            <script type="text/javascript">
                <!--
                    window.location = "%s"
                //-->
            </script>
        """ % url)

    return response

@is_authorized("SERVER.permission")
def legacy_rollups(request):
    return http.HttpResponse()


"username" and the token are hardcoded for now just to get this working
(eventually, I'll figure out how to pass in the correct username and
token).  This does a JavaScript redirect (as per the comments in the
auth_ticket.py file) for the originally intended URL.

After the redirect, the Apache LocationMatch picks up the URL and sends
it back again, which in turn does the JavaScript redirect again, and so
on.

On Mon, 2009-06-08 at 13:57 -0400, Michael Peters wrote:
> Adam Stein wrote:
> 
> > While I got the basics to work, I'm now looking into how I can get
> > specific Django permissions working.  Within Django, I can decorate a
> > function with the permission_required() function, so not only does the
> > person have to login, but they must have the specific permission that is
> > being looked for.
> 
> You can put tokens into your mod_auth_tkt ticket that can be parsed out.
> These tokens are part of the overall ticket and can be trusted. We use them
> to put application-specific auth roles into our users' login cookies.
> 
-- 
Adam Stein @ Xerox Corporation       Email: a...@eng.mc.xerox.com

Disclaimer: Any/All views expressed
here have been proven to be my own.  [http://www.csh.rit.edu/~adam/]




------------------------------

Message: 3
Date: Sat, 11 Jul 2009 15:14:43 +1000
From: Gavin Carr <ga...@openfusion.com.au>
Subject: [modauthtkt-users] ANNOUNCE: mod_auth_tkt 2.1.0
To: mod_auth_tkt-users <modauthtkt-users@lists.sourceforge.net>
Message-ID: <20090711051443.ga16...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii

mod_auth_tkt 2.1.0 is now available from:

  http://www.openfusion.com.au/labs/mod_auth_tkt/
  http://www.openfusion.com.au/labs/dist/mod_auth_tkt/mod_auth_tkt-2.1.0.tar.gz

RPMs are also available.

This is the new stable release with support for SHA-256 and SHA-512
digests, and seamless secret refreshing via a new TKTAuthSecretOld
directive. There have been no changes from the last beta, 2.0.99b2.

Thanks to all contributors.

Cheers,
Gavin




------------------------------

Message: 4
Date: Wed, 15 Jul 2009 12:49:44 +0530
From: "Balaji.L" <balaji.lax...@gmail.com>
Subject: [modauthtkt-users] modauthtkt for windows version
To: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <fca294630907150019h17f140d9kd922d5f71cabb...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I'm planning to work with modauthtkt on a Windows system. But I'm not able to
figure out how to create a DLL file from the source file (mod_auth_tkt.c). Or is
there any other way to compile the module and make it work with a Windows
setup? Can someone help me with this?

-- 
With Regards,
---------------------------------------
L.Balaji.
balaji.lax...@gmail.com
---------------------------------------

------------------------------

Message: 5
Date: Sun, 07 Mar 2010 16:02:27 -0800
From: jason <ja...@bioteam.net>
Subject: [modauthtkt-users] invalid ticket
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <4b943e93.6020...@bioteam.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi, all
I am using Apache 2.2 on Fedora 10.
I had the same issue as is listed here:
https://sourceforge.net/mailarchive/message.php?msg_id=20080411040956.GB23495%40openfusion.com.au

I had the error message: TKT valid_ticket: ticket hash (current secret) is
invalid, and no old secret set - digest
'93acc06eaaeabe9e52585aabdb96a855', ticket
'2407fd465195c11536f65c4da41f02724b942de6wikitest!users!' in the Apache
error log.
I searched all my configuration and made sure I only have one
TKTAuthSecret directive.

By accident, I found that everything works fine if I use a separate 
configuration file instead of /etc/httpd/conf.d/auth_tkt_cgi.conf.

Basically,  I had 02_auth_tkt.conf  and auth_tkt_cgi.conf under 
/etc/httpd/conf.d.
I had a separate configuration file /etc/httpd/conf/tkt_cgi_conf which 
is like this

TKTAuthSecret "----------"
TKTAuthDigestType MD5
TKTAuthLoginURL http://f10i386.localdomain:9090/auth/login.cgi
TKTAuthTimeout 1w
TKTAuthBackCookieName from

My login.cgi will use this file as conf file.


Just think this may be useful to others.

-jason
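
The ticket layout behind the token discussion in Messages 1 and 2 and the "ticket hash is invalid" log line in Message 5, as an added example that is not part of any poster's message or of mod_auth_tkt's own code. It follows the MD5 ticket format (TKTAuthDigestType MD5, as in the configuration above); the function names, secret, user name and IP address are constructed for illustration.

```python
import hashlib
import hmac
import re
import socket
import struct

_TICKET = re.compile(r"([0-9a-fA-F]{32})([0-9a-fA-F]{8})([^!]*)!(.*)", re.S)

def _digest(secret, ip, ts, uid, tokens, user_data):
    # Inner MD5: packed IPv4 + timestamp (network order), secret, then fields.
    packed = socket.inet_aton(ip) + struct.pack("!I", ts)
    fields = uid + "\0" + tokens + "\0" + user_data
    inner = hashlib.md5(packed + (secret + fields).encode()).hexdigest()
    # Outer MD5 mixes the secret in again over the inner hex digest.
    return hashlib.md5((inner + secret).encode()).hexdigest()

def make_ticket(secret, uid, ip, ts, tokens=(), user_data=""):
    tok = ",".join(tokens)
    body = uid + "!" + (tok + "!" if tok else "") + user_data
    return "%s%08x%s" % (_digest(secret, ip, ts, uid, tok, user_data), ts, body)

def parse_ticket(ticket):
    """Split digest (32 hex) + timestamp (8 hex) + uid!tokens!user_data."""
    m = _TICKET.fullmatch(ticket)
    if not m:
        raise ValueError("malformed ticket")
    digest, ts_hex, uid, data = m.groups()
    tokens, user_data = data.split("!", 1) if "!" in data else ("", data)
    return {"digest": digest.lower(), "ts": int(ts_hex, 16), "uid": uid,
            "tokens": tokens.split(",") if tokens else [], "user_data": user_data}

def verify_ticket(ticket, secret, ip):
    """Return the fields only if the digest matches; trust tokens only then."""
    t = parse_ticket(ticket)
    expected = _digest(secret, ip, t["ts"], t["uid"],
                       ",".join(t["tokens"]), t["user_data"])
    if not hmac.compare_digest(expected, t["digest"]):
        raise ValueError("ticket hash is invalid for this secret and IP")
    return t

# Ticket string quoted in Message 5's error log; its secret is not on the page.
LOGGED = "2407fd465195c11536f65c4da41f02724b942de6wikitest!users!"
# Constructed sample: secret, user name, IP and timestamp are made up.
SAMPLE = make_ticket("constructed-secret", "adam", "192.0.2.10", 1244553927,
                     tokens=["SERVER.permission"])
```

A ticket issued by a login script that reads a different secret or digest type than the Apache module fails verify_ticket in the same way as a ticket that has been tampered with, which is why the log line alone cannot distinguish the two.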




------------------------------

Message: 6
Date: Tue, 09 Mar 2010 17:11:27 -0800
From: jason <ja...@bioteam.net>
Subject: [modauthtkt-users] minor bug in login.cgi
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <4b96f1bf.3040...@bioteam.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

$back =~ m/^https?%3A%2F%2F/;

Should be changed to $back =~ m/^https?%3A%2F%2F/i;



-jason



------------------------------

Message: 7
Date: Wed, 24 Mar 2010 16:29:52 +0000
From: Charles Colbourn <charles.colbo...@googlemail.com>
Subject: [modauthtkt-users] x_forwarded_host & redirects
To: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <3e3448551003240929h67bc48f6xaa778b3eee1d7...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,


we've been having problems with invalid URLs in redirects coming back
from mod_authtkt. On delving around in the code it appears that
mod_authtkt treats X_FORWARDED_HOST as the web server's hostname for
building the redirect URL ('appears' - I'm not too handy with C so
apologies if I'm missing some processing here). Trouble is, our
requests have been through a proxy and contain a comma-separated list
of hostnames.

I'm trying to get mod_rewrite to remove the X_FORWARDED_HOST header as
a temporary workaround, forcing mod_authtkt to use X_HOST, but without
success so far. Has anyone else had this problem and solved it?

thanks

Charles



------------------------------

Message: 8
Date: Wed, 24 Mar 2010 23:29:50 -0500
From: Peter Karman <pe...@peknet.com>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: Charles Colbourn <charles.colbo...@googlemail.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <4baae6be.40...@peknet.com>
Content-Type: text/plain; charset=ISO-8859-1

Charles Colbourn wrote on 3/24/10 11:29 AM:

> I'm trying to get mod_rewrite to remove the X_FORWARDED_HOST header as
> a temporary workaround, forcing mod_authtkt to use X_HOST, but without
> success so far. Has anyone else had this problem and solved it?
> 

maybe http://httpd.apache.org/docs/2.2/mod/mod_headers.html
will help?

seems like mod_auth_tkt.c does need a fix though, to account for multiple values
in the header.

-- 
Peter Karman  .  http://peknet.com/  .  pe...@peknet.com



------------------------------

Message: 9
Date: Thu, 25 Mar 2010 10:01:41 +0000
From: Charles Colbourn <charles.colbo...@googlemail.com>
Subject: Re: [modauthtkt-users] x_forwarded_host & redirects
To: Peter Karman <pe...@peknet.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <3e3448551003250301g49aa7799gb9b86d592b287...@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

We're using Apache 1.3, partly because we've previously been unable to
get mod_authtkt working on Apache2 (apparently - before my time), and
mod_headers in Apache 1.x doesn't seem to support the 'RequestHeader'.
I hoped to get mod_rewrite to do it, but so far I've had no success
finding a syntax to unset request headers.




On 25 March 2010 04:29, Peter Karman <pe...@peknet.com> wrote:
> Charles Colbourn wrote on 3/24/10 11:29 AM:
>
>> I'm trying to get mod_rewrite to remove the X_FORWARDED_HOST header as
>> a temporary workaround, forcing mod_authtkt to use X_HOST, but without
>> success so far. Has anyone else had this problem and solved it?
>>
>
> maybe http://httpd.apache.org/docs/2.2/mod/mod_headers.html
> will help?
>
> seems like mod_auth_tkt.c does need a fix though, to account for multiple 
> values
> in the header.
>
> --
> Peter Karman  .  http://peknet.com/  .  pe...@peknet.com
>



------------------------------
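
The multi-valued X-Forwarded-Host case from Messages 7 to 9, as an added example that is not code from mod_auth_tkt or from any poster. It shows one way to build the back URL when the header carries a comma-separated list: split it, validate each entry, and accept only hosts on an allowlist. The function names, the allowlist policy and all hostnames are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlencode

# Hostname with optional port; anything else is rejected outright.
_HOST = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?")

def forwarded_hosts(value):
    """Split a possibly multi-valued X-Forwarded-Host into clean entries."""
    return [h.strip().lower() for h in (value or "").split(",") if h.strip()]

def redirect_host(x_forwarded_host, host, allowed):
    """Return the first well-formed, allowlisted candidate.

    The header is client-influenced, so it is never copied into a URL
    unchecked; the Host header is only a fallback and is checked the same way.
    """
    for name in forwarded_hosts(x_forwarded_host) + forwarded_hosts(host):
        if _HOST.fullmatch(name) and name.split(":")[0] in allowed:
            return name
    raise ValueError("no acceptable host for redirect")

def login_redirect(login_url, back_arg, scheme, path,
                   x_forwarded_host, host, allowed):
    """Build the login redirect with the original URL in the back argument."""
    back = "%s://%s%s" % (scheme,
                          redirect_host(x_forwarded_host, host, allowed), path)
    return login_url + "?" + urlencode({back_arg: back})

# Constructed allowlist of public names this site answers to.
ALLOWED = {"www.example.test"}
```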

End of modauthtkt-users Digest, Vol 25, Issue 1
***********************************************