Send modauthtkt-users mailing list submissions to
        modauthtkt-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
        modauthtkt-users-requ...@lists.sourceforge.net

You can reach the person managing the list at
        modauthtkt-users-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."


Today's Topics:

   1. Re: Don't set REMOTE_USER for guests (Braden Ehrat)
   2. mod_auth_tkt & mod_proxy...reverse proxy removes  query
      string? (Brian Macauley)
   3. Re: mat 2.1.0: Bug and Patch for TKTAuthBackCookieName
      (Gavin Carr)
   4. Re: mod_auth_tkt & mod_proxy...reverse proxy removes query
      string? (Gavin Carr)


----------------------------------------------------------------------

Message: 1
Date: Sun, 2 Oct 2011 19:02:44 -0500
From: Braden Ehrat <beh...@gmail.com>
Subject: Re: [modauthtkt-users] Don't set REMOTE_USER for guests
To: Braden Ehrat <beh...@gmail.com>,
        modauthtkt-users@lists.sourceforge.net
Message-ID:
        <CAABXP5XhQT=CBa_GB6Y_1zm6stLVENvDg-quWazwtBtWp=p...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Yep, after a bit more reading, I see that this is an apache problem, and
that your module can't do anything if it's never run. I even found a feature
request from March to have this changed in apache:
https://issues.apache.org/bugzilla/show_bug.cgi?id=41685.

As far as my installation goes, I figured out that trac already treats
'anonymous' as a special unauthenticated user. And in the mediawiki
extension I'm using, it was a simple one line change to ignore the user
'guest'.

So, thank you for your help. My site's working great with mod_auth_tkt
now.

-Braden

On Sat, Oct 1, 2011 at 7:36 PM, Gavin Carr <ga...@openfusion.com.au> wrote:

> Hi Braden,
>
> I can't think of a way around this I'm afraid. The core problem is that
> apache authentication doesn't really support 'optional' authentication,
> which is what you want here, and what we kind of hack around with our
> GuestUser. Apache only has 'Require valid-user' and variants - we really
> want here an 'Allow valid-user' type thing, which doesn't exist afaik.
>
> If you omit the 'Require valid-user' directive the authentication modules
> just don't get called.
>
> If you're using this in an intranet setting you might be able to hack
> around it with 'Satisfy any', since that allows either ip-based
> authorization or user/password authentication e.g.
>
>  TKTAuthLoginURL https://servername/auth/login.cgi
>  Require valid-user
>  Order allow,deny
>  Allow from 172.16.0
>  Satisfy any
>
> Otherwise I think you're stuck with guest. You could patch your end systems
> (media-wiki etc.) to treat REMOTE_USER guest specially for logout buttons
> etc., but that's about all.
>
> Cheers,
> Gavin
>
>
>
>
> On Sat, Oct 01, 2011 at 11:02:41AM -0500, Braden Ehrat wrote:
>
>>> Are you saying you want TKTAuthGuestLogin but don't actually want
>>> REMOTE_USER set?
>>>
>>
>> Exactly. I want REMOTE_USER set for only authenticated users, and not
>> guest users. I have the TKTAuthGuestLogin directive "on".
>>
>> I tried setting TKTAuthGuestUser to empty string, but then apache
>> complains, saying "TKTAuthGuestUser takes one argument, username to use for
>> guest logins"
>>
>> Here are my apache settings:
>> <Location /wiki>
>>  AuthType None
>>  require valid-user
>>  TKTAuthLoginURL https://servername/auth/login.cgi
>>
>>  # If an internet server, you probably want the following on (at least initially)
>>  #TKTAuthIgnoreIP on
>>
>>  # If you just want *optional* authentication, so that casual users and robots
>>  # can still access some content, uncomment the following
>>  TKTAuthGuestLogin on
>>  TKTAuthGuestUser guest
>>
>>  # I have tried both of these below, but apache complains that there must be one argument
>>  #TKTAuthGuestUser ""
>>  #TKTAuthGuestUser
>>
>> </Location>
>>
>> I also experimented with a couple different things, such as setting
>> "Satisfy Any", but I don't know enough about apache to really know what I'm
>> doing at that point.
>>
>> Thanks for your quick response,
>> Braden
>>
>>
>>
>>
>> On Oct 1, 2011, at 10:31 AM, Michael Peters wrote:
>>
>>> On 10/01/2011 04:14 AM, Braden Ehrat wrote:
>>>
>>>> So, is there any way to have mod_auth_tkt simply not set REMOTE_USER when
>>>> a guest is browsing? Or, alternatively, is there a different or better way to go
>>>> about this?
>>>
>>> By default mod_auth_tkt shouldn't be letting people in as a "guest". It
>>> only does that if you have the TKTAuthGuestLogin directive "on". Are you
>>> saying you want TKTAuthGuestLogin but don't actually want REMOTE_USER set?
>>>
>>> Have you tried maybe setting TKTAuthGuestUser to an empty string?
>>>
>>> --
>>> Michael Peters
>>> Plus Three, LP
>>
>>
>>
>
> --
> Gavin Carr
> - http://www.openfusion.com.au - Linux Support and Web Consulting
> - http://www.openfusion.net    - Hackery, the Blog
> - http://www.planetaux.com     - Announcements from Australian Companies
> * Everything beautiful is but a bit of love frozen. - George MacDonald
>
>
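Gavin's suggestion of patching the end systems to treat a REMOTE_USER of guest specially, as an added example that is not from the thread or from mod_auth_tkt: a small WSGI middleware (names are assumptions) that drops REMOTE_USER when it equals the configured TKTAuthGuestUser value, so the downstream application sees guests as anonymous while real ticket holders keep their identity.

```python
# Added example, not code from the thread or from mod_auth_tkt.
# With TKTAuthGuestLogin on, mod_auth_tkt always sets REMOTE_USER, using the
# TKTAuthGuestUser value for guests. Applications that key their login/logout
# state on REMOTE_USER can undo that on their side before their own auth runs.
# All names below (GUEST_USER, modauthtkt.guest, GuestAwareMiddleware) are
# assumptions chosen for this example.

GUEST_USER = "guest"  # must match the TKTAuthGuestUser directive


def normalise_remote_user(environ, guest_user=GUEST_USER):
    """Return the authenticated user name, or None for a guest request.

    The caller's environ is modified in place so the wrapped app never sees
    the guest name in REMOTE_USER. Caveat: the login CGI that issues tickets
    must never issue one for the guest name itself, or a real login would be
    indistinguishable from a guest here.
    """
    user = environ.get("REMOTE_USER")
    if not user or user == guest_user:
        # Guest (or no ticket at all): drop the header-derived identity so
        # frameworks that trust REMOTE_USER treat the request as anonymous.
        environ.pop("REMOTE_USER", None)
        environ["modauthtkt.guest"] = True
        return None
    environ["modauthtkt.guest"] = False
    return user


class GuestAwareMiddleware:
    """Wraps a WSGI app that trusts REMOTE_USER and hides guest logins from it."""

    def __init__(self, app, guest_user=GUEST_USER):
        self.app = app
        self.guest_user = guest_user

    def __call__(self, environ, start_response):
        normalise_remote_user(environ, self.guest_user)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in downstream app: renders a login or logout link like a wiki would."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    user = environ.get("REMOTE_USER")
    body = f"Logged in as {user} [logout]" if user else "Browsing as guest [login]"
    return [body.encode()]


def run(environ):
    """Run the wrapped demo app on a constructed environ and return the body text."""
    app = GuestAwareMiddleware(demo_app)
    body = b"".join(app(environ, lambda status, headers: None))
    return body.decode()
```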

------------------------------

Message: 2
Date: Tue, 4 Oct 2011 11:57:13 +0100
From: Brian Macauley <brian.macau...@gmail.com>
Subject: [modauthtkt-users] mod_auth_tkt & mod_proxy...reverse proxy
        removes query string?
To: modauthtkt-users@lists.sourceforge.net
Message-ID:
        <CAEbrghDvCdFwkekjOf-eKC5OvxyS2XAJ=b3x+vsywh1yekq...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

I have an issue with mod_auth_tkt when used with mod_proxy in a
reverse proxy setup.

I used this previous mod_auth_tkt thread as reference...
http://sourceforge.net/mailarchive/forum.php?thread_name=07A4A9EC53C2B841A7015A2E2FAFD19506C8CA58%40flybe06.flybe.local&forum_name=modauthtkt-users

Any URL with a query string has the query string removed when it is
proxy'ed to the backend application.

eg

https://config.mycompany.com/app1/csdmain.vmgw ...works
http://app1.mycompany.com:8080/csdmain.vmgw sent

https://config.mycompany.com/app1/csdsrch.vmgw ...works
http://app1.mycompany.com:8080/csdsrch.vmgw sent

https://config.mycompany.com/app1/csdshow.vmgw?mode=text&fname=HIGHPT&ftype=AB1234
..doesn't work
http://app1.mycompany.com:8080/csdshow.vmgw is sent to the backend application

I am using...

CentOS 5.6
Apache 2.2
mod_auth_tkt 2.1

My config is as follows...

ServerName config.mycompany.com
ServerAlias config.mycompany.com

TKTAuthSecret "secret"

# all requests for /back/* must be authenticated

#AuthType Basic
Require valid-user
TKTAuthLoginURL https://www.salesforce.com/secur/login.jsp
TKTAuthCookieName GBTicket
TKTAuthCookieSecure on
TKTAuthDomain .mycompany.com
#TKTAuthBackArgName
TKTAuthBackCookieName back
TKTAuthTimeout 2h
TKTAuthCookieExpires 2h
TKTAuthDebug 0


ProxyRequests off
ProxyPass /app1/ http://app1.mycompany.com:8080/
# RewriteEngine on
# RewriteRule ^/app1/?$ http://app1.mycompany.com:8080/ [P,L]
# RewriteRule ^/app1/(.+)$ http://app1.mycompany.com:8080/$1 [P,L]
ProxyPassReverse /app1/ http://app1.mycompany.com:8080/

WSGIScriptAlias /login /var/www/public_html/config.mycompany.com/login/adapter.wsgi

The application receives a federated login from a salesforce app, and
a Python wsgi app creates the GBTicket secure cookie.

I have tried both mod_proxy and mod_rewrite for the reverse proxy,
with the same result. I have also tried to add the query string back
in to the request using mod_rewrite, but it still gets removed.

When I disable mod_auth_tkt, the reverse proxy works as normal, and
the query string is passed through to the backend application.

Do you have any idea why this is happening?

Thanks,
Brian M



------------------------------

Message: 3
Date: Mon, 17 Oct 2011 15:06:25 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] mat 2.1.0: Bug and Patch for
        TKTAuthBackCookieName
To: Christian Folini <fol...@netnea.com>
Cc: dune73 <dun...@localhost.netnea.com>,
        modauthtkt-users@lists.sourceforge.net
Message-ID: <20111017040624.ga8...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii; format=flowed

Hi Christian,

Thanks for the patch, finally got to it today.

I think TKTAuthBackCookieName is okay here (apart from the error message) -
if it's not set you don't get a back cookie at all.

TKTAuthBackArgName should be able to be turned off though, and can't be
in 2.1.0 - I think that's the core bug here.

I've pushed an update to https://github.com/gavincarr/mod_auth_tkt that
should fix this - you can now set 'TKTAuthBackArgName None' to turn off
the back argument altogether. Can you check if that does what you need?

Cheers,
Gavin



On Wed, Sep 28, 2011 at 10:07:46AM +0200, Christian Folini wrote:
>Hi there,
>
>There is a bug in mod_auth_tkt 2.1.0 with regards to TKTAuthBackCookieName
>being set to "NULL". There is a note in an error message indicating that you
>can set this parameter to NULL to avoid setting a back-cookie (and also
>no query string parameter).
>
>However, this does not work.
>
>Here is a patch to get the correct behaviour and add a bit of documentation
>to explain it properly.
>
>diff -ur mod_auth_tkt-2.1.0/src/mod_auth_tkt.c 
>mod_auth_tkt-2.1.0-backcookiepatch/src/mod_auth_tkt.c
>--- mod_auth_tkt-2.1.0/src/mod_auth_tkt.c      2009-07-10 09:46:51.000000000 
>+0200
>+++ mod_auth_tkt-2.1.0-backcookiepatch/src/mod_auth_tkt.c      2011-09-28 
>09:31:44.000662648 +0200
>@@ -1242,15 +1242,17 @@
>   back = ap_escape_path_segment(r->pool, back);
>   back = escape_extras(r->pool, back);
>
>-  /* Set back cookie if name is not null */
>+  /* Set back cookie if name is not NULL */
>   if (back_cookie_name) {
>-    cookie = domain ?
>-      apr_psprintf(r->pool, "%s=%s; path=/; domain=%s",
>-        back_cookie_name, back, domain) :
>-      apr_psprintf(r->pool, "%s=%s; path=/",
>-        back_cookie_name, back);
>+    if (strncmp(back_cookie_name, "NULL", 4) != 0) {
>+      cookie = domain ?
>+        apr_psprintf(r->pool, "%s=%s; path=/; domain=%s",
>+          back_cookie_name, back, domain) :
>+        apr_psprintf(r->pool, "%s=%s; path=/",
>+          back_cookie_name, back);
>
>-    apr_table_setn(r->err_headers_out, "Set-Cookie", cookie);
>+      apr_table_setn(r->err_headers_out, "Set-Cookie", cookie);
>+    }
>     url = location;
>   }
>
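Review bot: `strncmp(back_cookie_name, "NULL", 4) != 0` in the new condition is a prefix test, so any cookie name that merely begins with NULL (say, NULLBACK) would also silently suppress the back cookie; use an exact comparison, `strcmp(back_cookie_name, "NULL") != 0`, so the sentinel matches only the literal the documentation tells the administrator to write. It would also be cleaner to recognise the sentinel once where the directive is parsed (where the error message mentioning NULL already lives) and store a NULL pointer there, so this redirect path keeps its single `if (back_cookie_name)` test instead of re-checking a magic string on every redirect.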
>diff -ur mod_auth_tkt-2.1.0/doc/mod_auth_tkt.pod 
>mod_auth_tkt-2.1.0-backcookiepatch/doc/mod_auth_tkt.pod
>--- mod_auth_tkt-2.1.0/doc/mod_auth_tkt.pod    2009-03-03 21:24:46.000000000 
>+0100
>+++ mod_auth_tkt-2.1.0-backcookiepatch/doc/mod_auth_tkt.pod    2011-09-28 
>10:01:17.074626375 +0200
>@@ -252,7 +252,11 @@
> The cookie name to use for the back cookie. If this is set,
> mod_auth_tkt will set a back cookie containing a URI-escaped version
> of current requested page when redirecting (see TKTAuthBackArgName
>-above). Default: none.
>+above).
>+If you do not want a GET parameter and also no back cookie, then omit
>+the parameter TKTAuthBackArgName and set TKTAuthBackCookieName to
>+'NULL'.
>+Default: none.
>
> =item TKTAuthToken <token>
>
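Review bot: the new sentence tells readers to "omit the parameter TKTAuthBackArgName" to avoid the GET parameter, but as the maintainer's reply above notes, TKTAuthBackArgName has a default and cannot be turned off in 2.1.0, so omitting it still appends the back argument; the text should describe what the release actually does (or point at the 'TKTAuthBackArgName None' setting the maintainer added). The 'NULL' value should also be stated as an exact, case-sensitive literal so it matches the comparison in the code hunk, and since the directive's "Default: none" already means no back cookie is set, a short clarification that 'none' (unset) and the 'NULL' sentinel are different things would avoid confusing the two.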
>
>Hope this helps,
>
>Christian Folini
>
>-- 
>Any sufficiently advanced technology is indistinguishable from magic.
>--- Arthur C. Clarke
>




------------------------------

Message: 4
Date: Tue, 18 Oct 2011 15:20:49 +1100
From: Gavin Carr <ga...@openfusion.com.au>
Subject: Re: [modauthtkt-users] mod_auth_tkt & mod_proxy...reverse
        proxy removes query string?
To: Brian Macauley <brian.macau...@gmail.com>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <20111018042049.gc7...@openfusion.com.au>
Content-Type: text/plain; charset=us-ascii; format=flowed

Hi Brian,

Sorry for the slow reply.

This is a pretty weird problem. I can't reproduce it on my laptop,
which is pretty similar to your setup - CentOS 6, Apache 2.2,
mod_auth_tkt 2.1.

I used the following config (pretty much cut-and-pasted from yours):

   <Location /sledge>
   AuthType None
   Require valid-user
   TKTAuthLoginURL http://nox/auth/login.cgi
   TKTAuthBackCookieName back
   TKTAuthTimeout 2h
   TKTAuthCookieExpires 2h
   TKTAuthDebug 0
   </Location>

   ProxyRequests on
   ProxyPass         /sledge/ http://localhost:3005/
   ProxyPassReverse  /sledge/ http://localhost:3005/


I'm seeing query strings go straight through to the backend app just
fine, as expected.

Have you got any further debugging this since you posted?

Cheers,
Gavin



On Tue, Oct 04, 2011 at 11:57:13AM +0100, Brian Macauley wrote:
>I have an issue with mod_auth_tkt when used with mod_proxy in a
>reverse proxy setup.
>
>I used this previous mod_auth_tkt thread as reference...
>http://sourceforge.net/mailarchive/forum.php?thread_name=07A4A9EC53C2B841A7015A2E2FAFD19506C8CA58%40flybe06.flybe.local&forum_name=modauthtkt-users
>
>Any URL with a query string has the query string removed when it is
>proxy'ed to the backend application.
>
>eg
>
>https://config.mycompany.com/app1/csdmain.vmgw ...works
>http://app1.mycompany.com:8080/csdmain.vmgw sent
>
>https://config.mycompany.com/app1/csdsrch.vmgw ...works
>http://app1.mycompany.com:8080/csdsrch.vmgw sent
>
>https://config.mycompany.com/app1/csdshow.vmgw?mode=text&fname=HIGHPT&ftype=AB1234
>..doesn't work
>http://app1.mycompany.com:8080/csdshow.vmgw is sent to the backend application
>
>I am using...
>
>CentOS 5.6
>Apache 2.2
>mod_auth_tkt 2.1
>
>My config is as follows...
>
>ServerName config.mycompany.com
>ServerAlias config.mycompany.com
>
>TKTAuthSecret "secret"
>
># all requests for /back/* must be authenticated
>
>#AuthType Basic
>Require valid-user
>TKTAuthLoginURL https://www.salesforce.com/secur/login.jsp
>TKTAuthCookieName GBTicket
>TKTAuthCookieSecure on
>TKTAuthDomain .mycompany.com
>#TKTAuthBackArgName
>TKTAuthBackCookieName back
>TKTAuthTimeout 2h
>TKTAuthCookieExpires 2h
>TKTAuthDebug 0
>
>
>ProxyRequests off
>ProxyPass /app1/ http://app1.mycompany.com:8080/
># RewriteEngine on
># RewriteRule ^/app1/?$ http://app1.mycompany.com:8080/ [P,L]
># RewriteRule ^/app1/(.+)$ http://app1.mycompany.com:8080/$1 [P,L]
>ProxyPassReverse /app1/ http://app1.mycompany.com:8080/
>
>WSGIScriptAlias /login /var/www/public_html/config.mycompany.com/login/adapter.wsgi
>
>The application receives a federated login from a salesforce app, and
>a Python wsgi app creates the GBTicket secure cookie.
>
>I have tried both mod_proxy and mod_rewrite for the reverse proxy,
>with the same result. I have also tried to add the query string back
>in to the request using mod_rewrite, but it still gets removed.
>
>When I disable mod_auth_tkt, the reverse proxy works as normal, and
>the query string is passed through to the backend application.
>
>Do you have any idea why this is happening?
>
>Thanks,
>Brian M
>




------------------------------

------------------------------

_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users


End of modauthtkt-users Digest, Vol 27, Issue 2
***********************************************
