Re: [Zope3-Users] Re: Remote authentication

2007-05-14 Thread David Pratt
Hi Maciej. I'm putting up a project today. If there is anyone else that 
has been following this thread that would like to contribute to a CAS 
solution for z3 please let me know.


Just a side note that the PHP client for CAS uses sessions. I'm going to 
contact Martijn on the ldappas work and see if he has any advice to 
offer on this in the interim. Chris Withers had also put a solution 
together a few years back for z2 under mit license so will also likely 
see if there is some interest in advising or helping considering his 
experience.


Regards,
David

Maciej Wisniowski wrote:

Hi Maciej. Thank you for your reply and outlining the authentication
process. This does make things clearer. There are a variety of backends,
I read that something as simple as reading from a file is possible. 
ldappas and dl.ldapauth provide some good hints for plugins and user

management from infrae's documentlibrary. I became aware of these
packages working on documentlibrary recently.

I don't know documentlibrary but with cas you'll get only the user
name and with this it is necessary to
get user roles/permissions from specific backend.



I want to be clear that https enters into the picture as soon as
authentication is required or someone were to click on a login link. I
am seeing links such as this in the docs I have been reading:

https://secure.its.yale.edu/cas/login?service=http://my/url

Reading the plone code, I noticed a replacement for login portlet (to
replace it with a link to CAS server) so I am assuming at this point
folks would be coming to portal unauthenticated and no https until you
were to login or attempt to gain access to an area where you need
authorization (then you are redirected - and now https on CAS server)
Have I got this right?

CAS authentication will work with http, but single sign on will not.
I mean if you have CAS server like:

https://secure.its.yale.edu/cas

and applications:
http://my/url
http://my/url2

then you'll have to login while trying to access http://my/url2
even though you already are logged in to http://my/url. With
https you'll be automatically logged into url2 via SSO.

There were discussions about turning off https on CAS users
list but I don't know if it is possible in recent CAS versions.

Also you may send the 'service url' as an https one. This way users
access the http site but after successful login at CAS the user is
redirected to the https one.



I thought sessions should be used but maybe there are some other
opinions. I realize there were some issues with sessions some years back
with z2. I have not heard anything negative about sessions in z3.

Hm... I'm not sure about session implementation in zope3 but
I had some issues with sessions with zope 2 (conflicts).
I think that accessing session with every request is not too good as
this causes session buckets to be moved in oobtree because of
expiration, starts garbage collections etc. But I'm not sure how
this exactly goes.



I was also thinking to some extent about the url redirection etc for
this CAS activity and it made me wonder whether some of this should not
be occurring as part of a WSGI middleware (but this is just a random
thought at the moment).

I have no experience with that but like to get to know more :)


I am interested in setting up a project for this shortly. I'll likely
get this going in the next day or so and will be grateful for your help
since you have experience with this. I'll provide details for the
project as soon as I have them but will likely put it in zif collective
on sourceforge in svn.

OK, but possibly I will have no internet access for a few days so I may
answer with delays.



BTW, I recently noticed that the authentication server need not be java
so long as it complies with the CAS protocol. In fact I was reading code
for rubyCAS server earlier today. It makes me wonder why the
authentication server itself could not be written in python and served
using zope or twisted. Gives me something to think about for later if
things work. Many thanks,

Would be great to have this server in python :)


___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users


Re: [Zope3-Users] Re: Remote authentication

2007-05-13 Thread Maciej Wisniowski
 Hi Maciej. Thank you for your reply and outlining the authentication
 process. This does make things clearer. There are a variety of backends,
 I read that something as simple as reading from a file is possible. 
 ldappas and dl.ldapauth provide some good hints for plugins and user
 management from infrae's documentlibrary. I became aware of these
 packages working on documentlibrary recently.
I don't know documentlibrary but with cas you'll get only the user
name and with this it is necessary to
get user roles/permissions from specific backend.


 I want to be clear that https enters into the picture as soon as
 authentication is required or someone were to click on a login link. I
 am seeing links such as this in the docs I have been reading:
 
 https://secure.its.yale.edu/cas/login?service=http://my/url
 
 Reading the plone code, I noticed a replacement for login portlet (to
 replace it with a link to CAS server) so I am assuming at this point
 folks would be coming to portal unauthenticated and no https until you
 were to login or attempt to gain access to an area where you need
 authorization (then you are redirected - and now https on CAS server)
 Have I got this right?
CAS authentication will work with http, but single sign on will not.
I mean if you have CAS server like:

https://secure.its.yale.edu/cas

and applications:
http://my/url
http://my/url2

then you'll have to login while trying to access http://my/url2
even though you already are logged in to http://my/url. With
https you'll be automatically logged into url2 via SSO.

There were discussions about turning off https on CAS users
list but I don't know if it is possible in recent CAS versions.

Also you may send the 'service url' as an https one. This way users
access the http site but after successful login at CAS the user is
redirected to the https one.


 I thought sessions should be used but maybe there are some other
 opinions. I realize there were some issues with sessions some years back
 with z2. I have not heard anything negative about sessions in z3.
Hm... I'm not sure about session implementation in zope3 but
I had some issues with sessions with zope 2 (conflicts).
I think that accessing session with every request is not too good as
this causes session buckets to be moved in oobtree because of
expiration, starts garbage collections etc. But I'm not sure how
this exactly goes.


 I was also thinking to some extent about the url redirection etc for
 this CAS activity and it made me wonder whether some of this should not
 be occurring as part of a WSGI middleware (but this is just a random
 thought at the moment).
I have no experience with that but like to get to know more :)

 I am interested in setting up a project for this shortly. I'll likely
 get this going in the next day or so and will be grateful for your help
 since you have experience with this. I'll provide details for the
 project as soon as I have them but will likely put it in zif collective
 on sourceforge in svn.
OK, but possibly I will have no internet access for a few days so I may
answer with delays.


 BTW, I recently noticed that the authentication server need not be java
 so long as it complies with the CAS protocol. In fact I was reading code
 for rubyCAS server earlier today. It makes me wonder why the
 authentication server itself could not be written in python and served
 using zope or twisted. Gives me something to think about for later if
 things work. Many thanks,
Would be great to have this server in python :)

-- 
Maciej Wisniowski


Re: [Zope3-Users] Re: Remote authentication

2007-05-12 Thread David Pratt
Hi Maciej. I have been reading quite a bit about CAS today. It looks 
like a good way to go. Couple of questions with how you have it 
working in z2. Are you using LDAP as a user store with CAS? I have 
downloaded a few of the z2 products to study the code in the interim 
since a plugin for z3 would be a good thing. I've got to look at how 
this works with users and groups code particular with additional info 
you need for an app.


Anybody out there interested in helping with something like this? I'm 
likely to start a project for this for z3 package but with zpl or mit 
licensing since something this generic should have few barriers to 
anyone using Yale's system. Many thanks.


Regards,
David



Maciej Wisniowski wrote:

Hi!

For single sign on there is also CAS (Central Authentication Service).
We're successfully using this in our Zope2 apps. It has plugin for PAS
in Zope2 (CAS4PAS). CAS also works with other systems - plugins for
java, php and other exists.

Important thing here is to distinguish between authentication and
authorization. For example SSO like CAS can only tell you if your
user is authenticated. It won't tell you if he has some permissions
and/or roles to do something. But with PAS you can write another plugin
that will set proper roles for user etc.





Re: [Zope3-Users] Re: Remote authentication

2007-05-12 Thread Maciej Wisniowski

 Hi Maciej. I have been reading quite a bit about CAS today. It looks
 like a good way to go. Couple of questions with how you have it
 working in z2. Are you using LDAP as a user store with CAS? 
We're not using LDAP. We have a proprietary system to manage user
accounts in our applications (user data and permissions in
specific applications). This system uses RDBMS to store its data so
for CAS it is just external database with user names and passwords.
Our CAS server authenticates users against this database with just one
simple select statement I think.


 I have downloaded a few of the z2 products to study the code
 in the interim since a plugin for z3 would be a good thing. I've got to
 look at how this works with users and groups code particular with
 additional info you need for an app.
In fact I think that default plugin for CAS can't do more than just
authentication.
So first step should be to rewrite CAS4PAS to zope3 PAU which should be
rather easy. Only thing I'm not sure about is if this should use session
or maybe cookies? Sessions are nasty in Zope...

Another thing is a second plugin for user management. But this depends
on where
your user database is. This plugin may enumerate users, set roles for users
etc. Depending on specific solution this plugin may connect to LDAP
or RDBMS to get user data, roles and permissions from and map them to
Zope ones.
In our system we have a special permission in database that is mapped into
user role in Zope. In fact our plugin has parameter that says what is
the name
for this role so it is easy to customize that via ZMI.

Not sure if you already realised how CAS works (I had some problems
realising that at the beginning) so a quick description is at the bottom of my
post. Important thing to note is that all addresses have to be https ones.

 Anybody out there interested in helping with something like this? I'm
 likely to start a project for this for z3 package but with zpl or mit
 licensing since something this generic should have few barriers to
 anyone using Yale's system. Many thanks.

I'm interested in helping you with that.



Order of actions in CAS authentication

1. User tries to enter into Zope application via url like https://xyz/myapp

2. CAS4PAS checks if there is a special object in session
that says user is already authenticated

3. If there is no object in session CAS4PAS checks if there is a 'ticket'
parameter in request

4. If there is neither special object in session nor 'ticket' in request
CAS4PAS
redirects user to CAS login page with 'service' parameter in redirect URL
which is address of zope application itself (CAS4PAS has to know address
of CAS login page)
https://casserver/login?service=https://xyz/myapp

5. User authenticates at CAS login page

6. CAS checks credentials in RDBMS (LDAP etc)

7. If everything is OK CAS sets secure cookie in browser that indicates
user is authenticated

8. CAS redirects user to 'service' URL with additional 'ticket' parameter
https://xyz/myapp?ticket=PT-838288428348284

9. Zope (which is under 'service' URL) checks again if there is a special
object in session, and if not, checks if there is a 'ticket' parameter
in request.

10. CAS4PAS in Zope gets data from the 'ticket' in request and goes to
'service url' (with
'ticket' and 'service' parameters) at CAS server to confirm authentication
 (CAS4PAS has to know 'service url'):
https://casserver/serviceValidate?ticket=PT-8838828388...service=https://xyz/myapp

11. CAS confirms user authentication and responds with name of
authenticated user.
12. CAS4PAS sets special object in session to indicate user authentication.

Now another application (in short)
13. User tries to enter to another application that is protected by CAS.
14. Application redirects to CAS login page.
15. CAS finds that there already is secure cookie set so this user is
authenticated!
16. CAS redirects user back to application with 'ticket' parameter in
URL... etc.


-- 
Maciej Wisniowski
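The client side of the flow Maciej lays out above (steps 2 to 12, plus the http-versus-https point in his 2007-05-13 reply), as an added example in Python. This is not CAS4PAS or any code from this thread. The CAS server is replaced by a constructed fake_fetch that returns CAS 2.0 serviceValidate XML; casserver, xyz/myapp, ST-1-demo and jdoe are made-up names. The points a practitioner should take from it: the 'service' sent to serviceValidate must be exactly the URL the ticket was issued for (so the ticket parameter is stripped first), a ticket is single-use, and because the validation response is the only thing the application trusts, it must be fetched from an https CAS URL.

```python
# Added example: the CAS 2.0 client side of the flow described in the thread.
# Not code from CAS4PAS, Zope or this thread; the sample serviceValidate
# responses and fake_fetch are constructed so the example runs offline.
from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"   # namespace of CAS 2.0 XML responses


def strip_ticket(url):
    """Return the service URL without the 'ticket' parameter.

    The value sent to serviceValidate must be the exact 'service' the ticket
    was issued for, so the ticket itself must not be part of it.
    """
    parts = urlparse(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunparse(parts._replace(query=urlencode(query)))


def login_url(cas_base, service):
    return cas_base.rstrip("/") + "/login?" + urlencode({"service": service})


def validate_url(cas_base, service, ticket):
    return (cas_base.rstrip("/") + "/serviceValidate?"
            + urlencode({"service": service, "ticket": ticket}))


def parse_service_validate(xml_text):
    """Return (user, None) on success, (None, error_code) on failure."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = success.findtext(CAS_NS + "user")
        return (user, None) if user else (None, "MISSING_USER")
    failure = root.find(CAS_NS + "authenticationFailure")
    return None, (failure.get("code") if failure is not None else "UNKNOWN")


def handle_request(session, request_url, cas_base, fetch):
    """One pass of the client flow. Returns ('authenticated', user),
    ('redirect', url) or ('deny', reason)."""
    # step 2: the app's own session already says who this is
    user = session.get("cas_user")
    if user:
        return "authenticated", user
    # the validation response is what we trust, so it must travel over TLS
    if urlparse(cas_base).scheme != "https":
        return "deny", "CAS server URL must be https"
    # step 3: look for a ticket in the request
    params = dict(parse_qsl(urlparse(request_url).query))
    service = strip_ticket(request_url)
    ticket = params.get("ticket")
    if not ticket:
        # step 4: send the user to CAS, naming ourselves as the service
        return "redirect", login_url(cas_base, service)
    # step 10: never trust the ticket itself; ask CAS what it stands for
    user, error = parse_service_validate(
        fetch(validate_url(cas_base, service, ticket)))
    if user is None:
        return "deny", error
    # step 12: remember the user in the session; the ticket is now spent
    session["cas_user"] = user
    return "authenticated", user


# --- constructed stand-in for https://casserver/serviceValidate ---
SUCCESS_XML = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)
FAILURE_XML = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationFailure code='INVALID_TICKET'>"
    "ticket not recognized</cas:authenticationFailure></cas:serviceResponse>"
)
# (ticket, service) pairs the fake server has issued; made-up values
ISSUED = {("ST-1-demo", "https://xyz/myapp")}


def fake_fetch(url):
    """A ticket validates once, and only for the service it was issued to."""
    q = dict(parse_qsl(urlparse(url).query))
    key = (q.get("ticket"), q.get("service"))
    if key in ISSUED:
        ISSUED.discard(key)          # single use
        return SUCCESS_XML
    return FAILURE_XML


if __name__ == "__main__":
    s = {}
    for url in ("https://xyz/myapp", "https://xyz/myapp?ticket=ST-1-demo",
                "https://xyz/myapp"):
        print(handle_request(s, url, "https://casserver", fake_fetch))
```

Steps 13 to 16 (the second application) are the same client code run by another service: it redirects to the same login URL with its own 'service', CAS recognises its cookie and issues a fresh ticket, and that application validates it in turn.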


Re: [Zope3-Users] Re: Remote authentication

2007-05-12 Thread David Pratt
Hi Maciej. Thank you for your reply and outlining the authentication 
process. This does make things clearer. There are a variety of backends, 
I read that something as simple as reading from a file is possible.


ldappas and dl.ldapauth provide some good hints for plugins and user 
management from infrae's documentlibrary. I became aware of these 
packages working on documentlibrary recently.


I want to be clear that https enters into the picture as soon as 
authentication is required or someone were to click on a login link. I 
am seeing links such as this in the docs I have been reading:


https://secure.its.yale.edu/cas/login?service=http://my/url

Reading the plone code, I noticed a replacement for login portlet (to 
replace it with a link to CAS server) so I am assuming at this point 
folks would be coming to portal unauthenticated and no https until you 
were to login or attempt to gain access to an area where you need 
authorization (then you are redirected - and now https on CAS server)

Have I got this right?

I thought sessions should be used but maybe there are some other 
opinions. I realize there were some issues with sessions some years back 
with z2. I have not heard anything negative about sessions in z3.


I was also thinking to some extent about the url redirection etc for 
this CAS activity and it made me wonder whether some of this should not 
be occurring as part of a WSGI middleware (but this is just a random 
thought at the moment).


I am interested in setting up a project for this shortly. I'll likely 
get this going in the next day or so and will be grateful for your help 
since you have experience with this. I'll provide details for the 
project as soon as I have them but will likely put it in zif collective 
on sourceforge in svn.


BTW, I recently noticed that the authentication server need not be java 
so long as it complies with the CAS protocol. In fact I was reading code 
for rubyCAS server earlier today. It makes me wonder why the 
authentication server itself could not be written in python and served 
using zope or twisted. Gives me something to think about for later if 
things work. Many thanks,


Regards,
David


Maciej Wisniowski wrote:

Hi Maciej. I have been reading quite a bit about CAS today. It looks
like a good way to go. Couple of questions with how you have it
working in z2. Are you using LDAP as a user store with CAS? 

We're not using LDAP. We have a proprietary system to manage user
accounts in our applications (user data and permissions in
specific applications). This system uses RDBMS to store its data so
for CAS it is just external database with user names and passwords.
Our CAS server authenticates users against this database with just one
simple select statement I think.



I have downloaded a few of the z2 products to study the code
in the interim since a plugin for z3 would be a good thing. I've got to
look at how this works with users and groups code particular with
additional info you need for an app.

In fact I think that default plugin for CAS can't do more than just
authentication.
So first step should be to rewrite CAS4PAS to zope3 PAU which should be
rather easy. Only thing I'm not sure about is if this should use session
or maybe cookies? Sessions are nasty in Zope...

Another thing is a second plugin for user management. But this depends
on where
your user database is. This plugin may enumerate users, set roles for users
etc. Depending on specific solution this plugin may connect to LDAP
or RDBMS to get user data, roles and permissions from and map them to
Zope ones.
In our system we have a special permission in database that is mapped into
user role in Zope. In fact our plugin has parameter that says what is
the name
for this role so it is easy to customize that via ZMI.

Not sure if you already realised how CAS works (I had some problems
realising that at the beginning) so a quick description is at the bottom of my
post. Important thing to note is that all addresses have to be https ones.


Anybody out there interested in helping with something like this? I'm
likely to start a project for this for z3 package but with zpl or mit
licensing since something this generic should have few barriers to
anyone using Yale's system. Many thanks.


I'm interested in helping you with that.



Order of actions in CAS authentication

1. User tries to enter into Zope application via url like https://xyz/myapp

2. CAS4PAS checks if there is a special object in session
that says user is already authenticated

3. If there is no object in session CAS4PAS checks if there is a 'ticket'
parameter in request

4. If there is neither special object in session nor 'ticket' in request
CAS4PAS
redirects user to CAS login page with 'service' parameter in redirect URL
which is address of zope application itself (CAS4PAS has to know address
of CAS login page)
https://casserver/login?service=https://xyz/myapp

5. User authenticates at CAS login page

6. CAS checks 

Re: [Zope3-Users] Re: Remote authentication

2007-05-11 Thread David Pratt
Hi thanks Raphael, thanks for this. I also managed to find an OpenId 
server in python also so this part is looking quite doable. There is 
also an example implementation for django. The unanswered question for 
me on the OpenId concept is how one manages user public and private 
context. For example, if I am an employee in an org would I have an 
OpenId here as well as one for myself privately - need to do some more 
reading and perhaps subscribe to their list. I have to read a bit more 
on what this means as far as security, trust or whether there is any 
loss of autonomy for closely managing users as a result. Many thanks.


Regards,
David


Raphael Ritz wrote:

David Pratt wrote:
Hi Hermann. Thanks for your reply. Haven't quite decided on this but 
I've got things to try that might be more efficient than xmlrpc.


I'm likely to attempt an authentication server with web service style 
SSO at this point though OpenId is attractive. I don't know if anyone 
has made a plugin yet for z3 for OpenId but I might try this.


Wiggy has written a PAS plugin for OpenId support in Plone

  http://svn.plone.org/svn/plone/plone.openid/trunk/

which may serve as a starting point if you are interested.

Raphael

I am not sure how OpenId handles different contexts for users at this 
point (for example being a user at a worksite, and then a public user) 
though but I will be experimenting with it regardless. Many thanks.


Regards,
David




Re: [Zope3-Users] Re: Remote authentication

2007-05-11 Thread Maciej Wisniowski
Hi!

For single sign on there is also CAS (Central Authentication Service).
We're successfully using this in our Zope2 apps. It has plugin for PAS
in Zope2 (CAS4PAS). CAS also works with other systems - plugins for
java, php and other exists.

Important thing here is to distinguish between authentication and
authorization. For example SSO like CAS can only tell you if your
user is authenticated. It won't tell you if he has some permissions
and/or roles to do something. But with PAS you can write another plugin
that will set proper roles for user etc.


-- 
Maciej Wisniowski


Re: [Zope3-Users] Re: Remote authentication

2007-05-11 Thread David Pratt
Hi Maciej. I'll definitely check this out and look for docs on the 
plugin. It sounds very promising since it is a working solution for Z2 
:-) On top of it, there ought to be good hints in Z2's PAS for doing 
something in Z3. Hopefully it can be worked in to some functionality for 
users/groups for z3. Many thanks.


Regards,
David

Maciej Wisniowski wrote:

Hi!

For single sign on there is also CAS (Central Authentication Service).
We're sucessfully using this in our Zope2 apps. It has plugin for PAS
in Zope2 (CAS4PAS). CAS also works with other systems - plugins for
java, php and other exists.

Important thing here is to distinguish between authentication and
authorization. For example SSO like CAS can only tell you if your
user is authenticated. It won't tell you if he has some permissions
and/or roles to do something. But with PAS you can write another plugin
that will set proper roles for user etc.


