Re: X.509 Certificate Authentication
Hi Nathan,

On Tue, Aug 11, 2009 at 19:24, Thilo-Alexander Ginkel wrote:
>> I just uploaded my patch to http://reviews.review-board.org/r/938/.
>
> Thanks! I will try your changes once I have updated my RB installation
> to a current version.

just a brief update: I tried your patch and it works like a charm.
Thanks a lot!

Regards,
Thilo

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "reviewboard" group.
To post to this group, send email to reviewboard@googlegroups.com
To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en
-~--~~~~--~~--~--~---
Re: X.509 Certificate Authentication
On Mon, Aug 3, 2009 at 06:44, Nathan Heijermans wrote:
>> This basically sounds like what I intend to implement. Would you mind sharing
>> some patches?
>
> I just uploaded my patch to http://reviews.review-board.org/r/938/.

Thanks! I will try your changes once I have updated my RB installation
to a current version.

Regards,
Thilo
Re: X.509 Certificate Authentication
Thilo,

> This basically sounds like what I intend to implement. Would you mind sharing
> some patches?

I just uploaded my patch to http://reviews.review-board.org/r/938/.

> > There is a remaining problem that I have yet to resolve, and that is
> > authenticating with my certificate from the post-review tool. I'd like
> > to use a password-protected, but Python doesn't make that easy at all; I
> > end up having to enter my password each time python makes a web request.
> > Having post-review is definitely nice, but the web UI doesn't seem as
> > opaque any more :).
>
> I would probably prefer to continue to use user/password authentication with
> post-review as manual setup would be required to get hold of the X.509 client
> key/cert from post-review whereas the certificate comes pre-installed in the
> web browser's secure store for all users. So, I hope your statement about the
> usage of multiple authentication backends being tricky does not apply to this
> scenario. ;-)

After playing around with my setup this weekend, I got things to work more
smoothly. I had been stumbling over the "SSLVerifyClient require"
configuration directive in my apache conf. Changing the "require" to
"optional" made things work like a charm. I'm able to post reviews using
post-review, authenticate from browsers that don't have my client certificate
imported, and authenticate from browsers with my client certificate (without
typing a password).

Cheers!
Nathan
Re: X.509 Certificate Authentication
On Friday 31 July 2009 23:19:01 Nathan Heijermans wrote:
> I have an implementation of x.509 authentication working that bypasses
> the "Login" screen. I had to add a middleware class to the django site
> settings (I copied the MIDDLEWARE_CLASSES from settings.py to my
> settings_local.py and added my own middleware class). My middleware
> class has a process_request() function that uses the mod_ssl-set
> environment variables to figure out the user name, and then directly
> calls the login() function in my backend. I also haven't figured out how
> to get multiple authentication backends working nicely with Django; it
> seemed that when I didn't explicitly call the backend login()
> implementation I wanted, I randomly got the login screen anyway without
> being able to log in using my password.

This basically sounds like what I intend to implement. Would you mind sharing
some patches?

> There is a remaining problem that I have yet to resolve, and that is
> authenticating with my certificate from the post-review tool. I'd like
> to use a password-protected, but Python doesn't make that easy at all; I
> end up having to enter my password each time python makes a web request.
> Having post-review is definitely nice, but the web UI doesn't seem as
> opaque any more :).

I would probably prefer to continue to use user/password authentication with
post-review as manual setup would be required to get hold of the X.509 client
key/cert from post-review whereas the certificate comes pre-installed in the
web browser's secure store for all users. So, I hope your statement about the
usage of multiple authentication backends being tricky does not apply to this
scenario. ;-)

Regards,
Thilo
Re: X.509 Certificate Authentication
Thilo-Alexander Ginkel wrote:
> On Fri, Jul 31, 2009 at 13:27, rupert.thurner wrote:
>> just as a side note, edgewall trac supports it by just taking the
>> webserver's authentication, see:
>> * http://trac.edgewall.org/browser/trunk/trac/web/auth.py.
>> * http://trac-hacks.org/browser/sslauthenticationplugin/0.11/sslauthentication/__init__.py
>> * http://trac-hacks.org/wiki/SslAuthenticationPlugin
>
> Thanks for the pointer. I agree, using the Apache mod_ssl client
> authentication feature to do the dirty work definitely makes sense
> (and this is already working for me). I am however still somewhat lost
> with regards to the authentication backend implementation. While I
> could theoretically implement a backend, which just evaluates the
> environment variables set by mod_ssl (and ignores the password
> supplied to the 'authenticate' method), this would probably still
> require the user to click on the "Login" hyperlink in the RB web UI.
> What I would prefer is some implementation, which is mostly
> transparent and automagically signs in the user when he performs the
> first page hit.
>
> Do you think that's technically feasible with the current
> authentication architecture (or would it require a major rewrite)?

I have an implementation of x.509 authentication working that bypasses
the "Login" screen. I had to add a middleware class to the django site
settings (I copied the MIDDLEWARE_CLASSES from settings.py to my
settings_local.py and added my own middleware class). My middleware
class has a process_request() function that uses the mod_ssl-set
environment variables to figure out the user name, and then directly
calls the login() function in my backend. I also haven't figured out how
to get multiple authentication backends working nicely with Django; it
seemed that when I didn't explicitly call the backend login()
implementation I wanted, I randomly got the login screen anyway without
being able to log in using my password.

There is a remaining problem that I have yet to resolve, and that is
authenticating with my certificate from the post-review tool. I'd like
to use a password-protected, but Python doesn't make that easy at all; I
end up having to enter my password each time python makes a web request.
Having post-review is definitely nice, but the web UI doesn't seem as
opaque any more :).

Nathan
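Added example (not part of the thread, not the patch at r/938, and not Review Board code): a sketch of the check a process_request() middleware like the one described above needs once Apache runs with "SSLVerifyClient optional", the setting reported elsewhere in this thread. It assumes mod_ssl's standard variables are exported with "SSLOptions +StdEnvVars"; cert_username, ClientCertMiddleware and the injected login callable are hypothetical names.

```python
# Added illustration: not the patch at r/938 and not Review Board code.
# SSL_CLIENT_* are mod_ssl's standard variables (SSLOptions +StdEnvVars).

def cert_username(environ, user_field="SSL_CLIENT_S_DN_CN"):
    """Return the verified certificate user name, or None to fall back to
    the normal password login."""
    # With "SSLVerifyClient optional" a request may carry no certificate
    # (NONE), one not checked against a trusted CA (GENEROUS), or one that
    # failed (FAILED:<reason>). Only SUCCESS means the chain was validated.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    name = (environ.get(user_field) or "").strip()
    # Refuse empty or oddly shaped names instead of mapping them to an account.
    if not name or len(name) > 64 or any(c in name for c in "/\\\x00\r\n"):
        return None
    return name


class ClientCertMiddleware:
    """Shaped like the process_request() middleware described in the thread.
    `login` is a hypothetical callable (request, username) standing in for
    the backend login() call."""

    def __init__(self, login):
        self.login = login

    def process_request(self, request):
        # request.META is the server environment. Client-sent headers appear
        # there with an HTTP_ prefix, so a forged "SSL_CLIENT_S_DN_CN" header
        # becomes HTTP_SSL_CLIENT_S_DN_CN and is never read here.
        username = cert_username(request.META)
        if username is not None:
            self.login(request, username)
        return None  # continue; password login still serves everyone else


if __name__ == "__main__":
    # Constructed sample environments, one per mod_ssl verification state.
    samples = [
        {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "nathan"},
        {"SSL_CLIENT_VERIFY": "NONE"},
        {"SSL_CLIENT_VERIFY": "FAILED:certificate has expired",
         "SSL_CLIENT_S_DN_CN": "nathan"},
        {"HTTP_SSL_CLIENT_VERIFY": "SUCCESS", "HTTP_SSL_CLIENT_S_DN_CN": "admin"},
    ]
    for env in samples:
        print(env.get("SSL_CLIENT_VERIFY"), "->", cert_username(env))
```

If a reverse proxy terminates TLS and forwards the certificate details as request headers, those values do arrive as HTTP_* entries and this check no longer applies as written; the proxy then has to strip any client-supplied copies itself.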
Re: X.509 Certificate Authentication
On Fri, Jul 31, 2009 at 13:27, rupert.thurner wrote:
> just as a side note, edgewall trac supports it by just taking the
> webserver's authentication, see:
> * http://trac.edgewall.org/browser/trunk/trac/web/auth.py.
> * http://trac-hacks.org/browser/sslauthenticationplugin/0.11/sslauthentication/__init__.py
> * http://trac-hacks.org/wiki/SslAuthenticationPlugin

Thanks for the pointer. I agree, using the Apache mod_ssl client
authentication feature to do the dirty work definitely makes sense
(and this is already working for me). I am however still somewhat lost
with regards to the authentication backend implementation. While I
could theoretically implement a backend, which just evaluates the
environment variables set by mod_ssl (and ignores the password
supplied to the 'authenticate' method), this would probably still
require the user to click on the "Login" hyperlink in the RB web UI.
What I would prefer is some implementation, which is mostly
transparent and automagically signs in the user when he performs the
first page hit.

Do you think that's technically feasible with the current
authentication architecture (or would it require a major rewrite)?

Regards,
Thilo
Re: X.509 Certificate Authentication
just as a side note, edgewall trac supports it by just taking the
webserver's authentication, see:
* http://trac.edgewall.org/browser/trunk/trac/web/auth.py.
* http://trac-hacks.org/browser/sslauthenticationplugin/0.11/sslauthentication/__init__.py
* http://trac-hacks.org/wiki/SslAuthenticationPlugin

On Jul 30, 9:57 pm, Christian Hammond wrote:
> Hi Thilo,
>
> We don't support this today, but would gladly take a patch for it. It should
> be a matter of creating a new authentication backend (see
> reviewboard/accounts/backends.py) and adding it to the siteconfig and forms
> code in reviewboard/admin/.
>
> I don't know what all is involved with X.509 certificate authentication, but
> from a quick google search, implementing this looks pretty doable.
>
> Christian
>
> --
> Christian Hammond - chip...@chipx86.com
> Review Board -http://www.review-board.org
> VMware, Inc. -http://www.vmware.com
>
> On Thu, Jul 30, 2009 at 9:16 AM, Thilo-Alexander Ginkel <thilo.gin...@gmail.com> wrote:
>
> > Hello everybody,
> >
> > I was wondering whether anybody has set up his Review Board
> > installation to make use of SSL/TLS X.509 client certificate-based
> > authentication instead of using passwords.
> >
> > A quick search did not bring up any related documents on the web site,
> > so maybe it is just not supported, but I thought I'd better ask before
> > giving up or attempting to extend RB to support it. ;-)
> >
> > Thanks,
> > Thilo
Re: X.509 Certificate Authentication
Hi Thilo,

We don't support this today, but would gladly take a patch for it. It should
be a matter of creating a new authentication backend (see
reviewboard/accounts/backends.py) and adding it to the siteconfig and forms
code in reviewboard/admin/.

I don't know what all is involved with X.509 certificate authentication, but
from a quick google search, implementing this looks pretty doable.

Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.review-board.org
VMware, Inc. - http://www.vmware.com

On Thu, Jul 30, 2009 at 9:16 AM, Thilo-Alexander Ginkel <thilo.gin...@gmail.com> wrote:
>
> Hello everybody,
>
> I was wondering whether anybody has set up his Review Board
> installation to make use of SSL/TLS X.509 client certificate-based
> authentication instead of using passwords.
>
> A quick search did not bring up any related documents on the web site,
> so maybe it is just not supported, but I thought I'd better ask before
> giving up or attempting to extend RB to support it. ;-)
>
> Thanks,
> Thilo
X.509 Certificate Authentication
Hello everybody,

I was wondering whether anybody has set up his Review Board
installation to make use of SSL/TLS X.509 client certificate-based
authentication instead of using passwords.

A quick search did not bring up any related documents on the web site,
so maybe it is just not supported, but I thought I'd better ask before
giving up or attempting to extend RB to support it. ;-)

Thanks,
Thilo