Commit a6409f23 authored by Xavier Guimard's avatar Xavier Guimard

* Cross Domain Authentication works now.

* An example is now given for using Lemonldap::NG as a slave of another Web-SSO.


git-svn-id: svn://svn.forge.objectweb.org/svnroot/lemonldap/trunk@38 1dbb9719-a921-0410-b57f-c3a383c2c641
parent 46ddf90c
package Lemonldap::NG::Handler::SharedConf::DBI;
package Lemonldap::NG::Handler::CDA;
use strict;
......@@ -15,28 +15,30 @@ sub run ($$) {
my $class;
( $class, $apacheRequest ) = @_;
my $args = $apacheRequest->args;
if ($args =~ s/\?($cookieName=\w+)$//o) {
if ( $args =~ s/\??($cookieName=\w+)$//oi ) {
my $str = $1;
$class->lmLog(
"Found a CDA id. Redirecting "
. $apacheRequest->connection->remote_ip
. " to myself with new cookie",
'debug'
);
$apacheRequest->args ( $args );
$apacheRequest->headers_out->set(
'Location' => "http"
. ($https ? 's' : '')
. "://" . $apacheRequest->get_server_name() . "/"
. $apacheRequest->uri
. ( $apacheRequest->args ? "?" . $apacheRequest->args : "" )
);
# TODO: cookie secured ?
$apacheRequest->headers_out->set( 'Set-Cookie' => "$str" );
. $apacheRequest->connection->remote_ip
. " to myself with new cookie",
'debug'
);
$apacheRequest->args($args);
my $host = $apacheRequest->get_server_name();
lmSetErrHeaderOut( $apacheRequest,
'Location' => "http"
. ( $https ? 's' : '' )
. "://$host"
. $apacheRequest->uri
. ( $apacheRequest->args ? "?" . $apacheRequest->args : "" ) );
$host =~ s/^[^\.]+\.(.*\..*$)/$1/;
lmSetErrHeaderOut( $apacheRequest,
'Set-Cookie' => "$str; domain=$host; path=/"
. ( $cookieSecured ? "; secure" : "" ) );
return REDIRECT;
}
else {
return $class->SUPER::run( $apacheRequest );
return $class->SUPER::run($apacheRequest);
}
}
......
......@@ -176,7 +176,7 @@ sub lmSetErrHeaderOut {
return $r->err_headers_out->set( $h => $v );
}
else {
return $r->header_out( $h => $v );
return $r->err_header_out( $h => $v );
}
}
......@@ -324,7 +324,7 @@ sub defaultValuesInit {
my ( $class, $args ) = @_;
# Other values
$cookieName = $args->{cookieName} || 'lemon';
$cookieName = $args->{cookieName} || 'lemonldap';
$cookieSecured = $args->{cookieSecured} || 0;
$whatToTrace = $args->{whatToTrace} || '$uid';
$whatToTrace =~ s/\$//g;
......
#!/usr/bin/perl
=pod
=head1 NON AUTHENTICATING PORTAL TO USE WITH OTHER WEB-SSO
If Lemonldap::NG has to operate with another Web-SSO without any interworking
system, Lemonldap::NG can be used as slave.
Install :
=over
=item * Install and adapt this file in an area protected by the master SSO
=item * Use L<Lemonldap::NG::Handler::CDA> to protect Lemonldap::NG area if
this area is not in the same DNS domain than the portal
=back
Authentication scheme :
=over
=item * a user that wants to access to a protected url, Lemonldap::NG::Handler
redirect it to the portal
=item * the portal creates the Lemonldap::NG session with the parameters given
by the master SSO
=item * the user is redirected to the wanted application. If it is not in the
same domain, the handler detects the session id with the Lemonldap::NG
cross-domain-authentication mechanism and generates the cookie
=back
=cut
use Lemonldap::NG::Portal::CDA;
my $portal = Lemonldap::NG::Portal::CDA->new ( {
# configStorage ADAPT IT as usual
configStorage => {
type => 'File',
dirName => '/usr/share/doc/lemonldap-ng/examples/conf/',
},
# SUBROUTINES OVERLOAD
# 2 cases :
# 1 - If LDAP search is not needed (the master SSO gives all
# that we need)
extractFormInfo => sub { PE_OK },
connectLDAP => sub { PE_OK },
bind => sub { PE_OK },
search => sub { PE_OK },
setSessionInfo => sub {
my $self = shift;
# TODO: You have to set $self->{sessionInfo}
# hash table with user attributes
# Example:
# $self->{sessionInfo}->{uid} = $ENV{REMOTE_USER};
PE_OK,
},
unbind => sub { PE_OK },
# 2 - Else, LDAP will do its job, but we have to set UID or
# what is needed by C<formateFilter> subroutine.
extractFormInfo => sub {
my $self = shift;
# EXAMPLE with $ENV{REMOTE_USER}
$self->{user} = $ENV{REMOTE_USER};
PE_OK;
},
# In the 2 cases, authentication phase has to be avoided
authenticate => sub { PE_OK },
# If no Lemonldap::NG protected application is in the same domaine than
# the portal, it is recommended to not set a lemonldap cookie in the
# other domain :
# Lemonldap::NG::Handler protect its cookie from remote application
# (to avoid developers to spoof an identity), but the master SSO
# will probably keep it.
buildCookie => sub {
my $self = shift;
$self->{cookie} = $self->cookie(
-name => $self->{cookieName},
# null value instead of de $self->{id}
-value => '',
-domain => $self->{domain},
-path => "/",
-secure => $self->{securedCookie},
@_,
);
PE_OK;
},
});
# Else, we process as usual, but without prompting users with a form
if($portal->process()) {
print $portal->header;
print $portal->start_html;
print "<h1>Your well authenticated !</h1>";
print $portal->end_html;
}
else {
print $portal->header;
print $portal->start_html;
print qq#<h2>Authentication failed</h2>
Portal is not able to recognize you
<br>
Contact your administrator (Error: #.$portal->error.')';
print $portal->end_html;
}
1;
......@@ -4,7 +4,7 @@ use strict;
use Lemonldap::NG::Portal::SharedConf qw(:all);
our $VERSION = '0.01';
our @ISA = ('Lemonldap::NG::Portal::SharedConf');
our @ISA = ('Lemonldap::NG::Portal::SharedConf');
*EXPORT_OK = *Lemonldap::NG::Portal::SharedConf::EXPORT_OK;
*EXPORT_TAGS = *Lemonldap::NG::Portal::SharedConf::EXPORT_TAGS;
......@@ -17,7 +17,7 @@ our @ISA = ('Lemonldap::NG::Portal::SharedConf');
# 2. Existing sessions are validated so users coming from an other domain
# are not re-prompted
sub existingSession {
my ($self, $id, $datas) = @_;
my ( $self, $id, $datas ) = @_;
PE_DONE;
}
......@@ -26,8 +26,9 @@ sub existingSession {
# ID in URL
sub autoRedirect {
my $self = shift;
my $tmp = $self->{domain};
$self->{urldc} .= "?".$self->{cookieName}."=".$self->{id} if($self->{urldc} !~ /$tmp$/oi);
my $tmp = $self->{domain};
$self->{urldc} .= "?" . $self->{cookieName} . "=" . $self->{id}
if ( $self->{urldc} !~ /$tmp$/oi );
return $self->SUPER::autoredirect(@_);
}
......
......@@ -61,7 +61,7 @@ sub new {
$self->{ldapServer} ||= 'localhost';
$self->{ldapPort} ||= 389;
$self->{securedCookie} ||= 0;
$self->{cookieName} ||= "lemon";
$self->{cookieName} ||= "lemonldap";
if ( $self->{authentication} eq "SSL" ) {
require Lemonldap::NG::Portal::AuthSSL;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment