* Cross Domain Authentication works now.
* An example is now given for using Lemonldap::NG as a slave of another Web-SSO.
This commit is contained in:
parent
e7c036efe3
commit
0f1d5ce5cc
|
@ -1,4 +1,4 @@
|
|||
package Lemonldap::NG::Handler::SharedConf::DBI;
|
||||
package Lemonldap::NG::Handler::CDA;
|
||||
|
||||
use strict;
|
||||
|
||||
|
@ -15,28 +15,30 @@ sub run ($$) {
|
|||
my $class;
|
||||
( $class, $apacheRequest ) = @_;
|
||||
my $args = $apacheRequest->args;
|
||||
if ($args =~ s/\?($cookieName=\w+)$//o) {
|
||||
if ( $args =~ s/\??($cookieName=\w+)$//oi ) {
|
||||
my $str = $1;
|
||||
$class->lmLog(
|
||||
"Found a CDA id. Redirecting "
|
||||
. $apacheRequest->connection->remote_ip
|
||||
. " to myself with new cookie",
|
||||
'debug'
|
||||
);
|
||||
$apacheRequest->args ( $args );
|
||||
$apacheRequest->headers_out->set(
|
||||
'Location' => "http"
|
||||
. ($https ? 's' : '')
|
||||
. "://" . $apacheRequest->get_server_name() . "/"
|
||||
. $apacheRequest->uri
|
||||
. ( $apacheRequest->args ? "?" . $apacheRequest->args : "" )
|
||||
);
|
||||
# TODO: cookie secured ?
|
||||
$apacheRequest->headers_out->set( 'Set-Cookie' => "$str" );
|
||||
. $apacheRequest->connection->remote_ip
|
||||
. " to myself with new cookie",
|
||||
'debug'
|
||||
);
|
||||
$apacheRequest->args($args);
|
||||
my $host = $apacheRequest->get_server_name();
|
||||
lmSetErrHeaderOut( $apacheRequest,
|
||||
'Location' => "http"
|
||||
. ( $https ? 's' : '' )
|
||||
. "://$host"
|
||||
. $apacheRequest->uri
|
||||
. ( $apacheRequest->args ? "?" . $apacheRequest->args : "" ) );
|
||||
$host =~ s/^[^\.]+\.(.*\..*$)/$1/;
|
||||
lmSetErrHeaderOut( $apacheRequest,
|
||||
'Set-Cookie' => "$str; domain=$host; path=/"
|
||||
. ( $cookieSecured ? "; secure" : "" ) );
|
||||
return REDIRECT;
|
||||
}
|
||||
else {
|
||||
return $class->SUPER::run( $apacheRequest );
|
||||
return $class->SUPER::run($apacheRequest);
|
||||
}
|
||||
}
|
||||
|
||||
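Review bot: In the `if` branch the value captured into `$str` from the query string is written straight into the `Set-Cookie` header before anything has confirmed it names a live session, so any link carrying `?<cookieName>=<id>` plants that cookie in the visitor's browser; the `\w+` in the pattern does at least keep cookie attributes out of the value. Unless `SUPER::run` rejects unknown ids on the follow-up request, look the id up in the session store before issuing the cookie, and append `; HttpOnly` next to the conditional `; secure` since the value is a session identifier. The `/o` on `s/\??($cookieName=\w+)$//oi` freezes the first value of `$cookieName` for the life of the interpreter, which in a persistent mod_perl process would ignore a later configuration change to that name; dropping `/o` costs nothing here. Stripping the parameter with `\??` also leaves a dangling `&` in `$args` when it followed other parameters (`a=1&lemonldap=x` becomes `a=1&`), which then lands in the `Location` header. `sub run` starts before this hunk.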
|
|
|
@ -176,7 +176,7 @@ sub lmSetErrHeaderOut {
|
|||
return $r->err_headers_out->set( $h => $v );
|
||||
}
|
||||
else {
|
||||
return $r->header_out( $h => $v );
|
||||
return $r->err_header_out( $h => $v );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -324,7 +324,7 @@ sub defaultValuesInit {
|
|||
my ( $class, $args ) = @_;
|
||||
|
||||
# Other values
|
||||
$cookieName = $args->{cookieName} || 'lemon';
|
||||
$cookieName = $args->{cookieName} || 'lemonldap';
|
||||
$cookieSecured = $args->{cookieSecured} || 0;
|
||||
$whatToTrace = $args->{whatToTrace} || '$uid';
|
||||
$whatToTrace =~ s/\$//g;
|
||||
|
|
|
@ -0,0 +1,114 @@
|
|||
#!/usr/bin/perl
|
||||
|
||||
=pod
|
||||
|
||||
=head1 NON AUTHENTICATING PORTAL TO USE WITH OTHER WEB-SSO
|
||||
|
||||
If Lemonldap::NG has to operate with another Web-SSO without any interworking
|
||||
system, Lemonldap::NG can be used as slave.
|
||||
|
||||
Install :
|
||||
|
||||
=over
|
||||
|
||||
=item * Install and adapt this file in an area protected by the master SSO
|
||||
|
||||
=item * Use L<Lemonldap::NG::Handler::CDA> to protect Lemonldap::NG area if
|
||||
this area is not in the same DNS domain than the portal
|
||||
|
||||
=back
|
||||
|
||||
Authentication scheme :
|
||||
|
||||
=over
|
||||
|
||||
=item * a user that wants to access to a protected url, Lemonldap::NG::Handler
|
||||
redirect it to the portal
|
||||
|
||||
=item * the portal creates the Lemonldap::NG session with the parameters given
|
||||
by the master SSO
|
||||
|
||||
=item * the user is redirected to the wanted application. If it is not in the
|
||||
same domain, the handler detects the session id with the Lemonldap::NG
|
||||
cross-domain-authentication mechanism and generates the cookie
|
||||
|
||||
=back
|
||||
|
||||
=cut
|
||||
|
||||
use Lemonldap::NG::Portal::CDA;
|
||||
|
||||
my $portal = Lemonldap::NG::Portal::CDA->new ( {
|
||||
# configStorage ADAPT IT as usual
|
||||
configStorage => {
|
||||
type => 'File',
|
||||
dirName => '/usr/share/doc/lemonldap-ng/examples/conf/',
|
||||
},
|
||||
# SUBROUTINES OVERLOAD
|
||||
# 2 cases :
|
||||
# 1 - If LDAP search is not needed (the master SSO gives all
|
||||
# that we need)
|
||||
extractFormInfo => sub { PE_OK },
|
||||
connectLDAP => sub { PE_OK },
|
||||
bind => sub { PE_OK },
|
||||
search => sub { PE_OK },
|
||||
setSessionInfo => sub {
|
||||
my $self = shift;
|
||||
# TODO: You have to set $self->{sessionInfo}
|
||||
# hash table with user attributes
|
||||
# Example:
|
||||
# $self->{sessionInfo}->{uid} = $ENV{REMOTE_USER};
|
||||
PE_OK,
|
||||
},
|
||||
unbind => sub { PE_OK },
|
||||
# 2 - Else, LDAP will do its job, but we have to set UID or
|
||||
# what is needed by C<formateFilter> subroutine.
|
||||
extractFormInfo => sub {
|
||||
my $self = shift;
|
||||
# EXAMPLE with $ENV{REMOTE_USER}
|
||||
$self->{user} = $ENV{REMOTE_USER};
|
||||
PE_OK;
|
||||
},
|
||||
|
||||
# In the 2 cases, authentication phase has to be avoided
|
||||
authenticate => sub { PE_OK },
|
||||
|
||||
# If no Lemonldap::NG protected application is in the same domaine than
|
||||
# the portal, it is recommended to not set a lemonldap cookie in the
|
||||
# other domain :
|
||||
# Lemonldap::NG::Handler protect its cookie from remote application
|
||||
# (to avoid developers to spoof an identity), but the master SSO
|
||||
# will probably keep it.
|
||||
buildCookie => sub {
|
||||
my $self = shift;
|
||||
$self->{cookie} = $self->cookie(
|
||||
-name => $self->{cookieName},
|
||||
# null value instead of de $self->{id}
|
||||
-value => '',
|
||||
-domain => $self->{domain},
|
||||
-path => "/",
|
||||
-secure => $self->{securedCookie},
|
||||
@_,
|
||||
);
|
||||
PE_OK;
|
||||
},
|
||||
});
|
||||
|
||||
# Else, we process as usual, but without prompting users with a form
|
||||
|
||||
if($portal->process()) {
|
||||
print $portal->header;
|
||||
print $portal->start_html;
|
||||
print "<h1>Your well authenticated !</h1>";
|
||||
print $portal->end_html;
|
||||
}
|
||||
else {
|
||||
print $portal->header;
|
||||
print $portal->start_html;
|
||||
print qq#<h2>Authentication failed</h2>
|
||||
Portal is not able to recognize you
|
||||
<br>
|
||||
Contact your administrator (Error: #.$portal->error.')';
|
||||
print $portal->end_html;
|
||||
}
|
||||
1;
|
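Review bot: The constructor hash passes `extractFormInfo` twice (once in the case-1 group returning `PE_OK`, once in the case-2 group reading `$ENV{REMOTE_USER}`) and the later key silently wins, so as written the example runs case 2's `extractFormInfo` together with case 1's LDAP-skipping overrides; comment out whichever case does not apply instead of listing both. The script has no `use strict; use warnings;` and relies on `PE_OK` being exported by a bare `use Lemonldap::NG::Portal::CDA;` — if it is not, each bareword is just the true string `"PE_OK"` and every override returns the wrong code, whereas `use strict;` would make that a compile error, the safer failure. In case 2 `$self->{user} = $ENV{REMOTE_USER};` is passed on unchecked, so when the master SSO has not set it the portal continues with an undefined user; `return PE_FORMEMPTY unless defined $self->{user};` (or whichever code the portal reserves for a missing login) before `PE_OK` keeps that from reaching the LDAP filter. Minor: `Your well authenticated !` should read `You are well authenticated!`, and `qq#…#` with `#` as delimiter reads as a comment at a glance.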
|
@ -4,7 +4,7 @@ use strict;
|
|||
use Lemonldap::NG::Portal::SharedConf qw(:all);
|
||||
|
||||
our $VERSION = '0.01';
|
||||
our @ISA = ('Lemonldap::NG::Portal::SharedConf');
|
||||
our @ISA = ('Lemonldap::NG::Portal::SharedConf');
|
||||
|
||||
*EXPORT_OK = *Lemonldap::NG::Portal::SharedConf::EXPORT_OK;
|
||||
*EXPORT_TAGS = *Lemonldap::NG::Portal::SharedConf::EXPORT_TAGS;
|
||||
|
@ -17,7 +17,7 @@ our @ISA = ('Lemonldap::NG::Portal::SharedConf');
|
|||
# 2. Existing sessions are validated so users coming from an other domain
|
||||
# are not re-prompted
|
||||
sub existingSession {
|
||||
my ($self, $id, $datas) = @_;
|
||||
my ( $self, $id, $datas ) = @_;
|
||||
PE_DONE;
|
||||
}
|
||||
|
||||
|
@ -26,8 +26,9 @@ sub existingSession {
|
|||
# ID in URL
|
||||
sub autoRedirect {
|
||||
my $self = shift;
|
||||
my $tmp = $self->{domain};
|
||||
$self->{urldc} .= "?".$self->{cookieName}."=".$self->{id} if($self->{urldc} !~ /$tmp$/oi);
|
||||
my $tmp = $self->{domain};
|
||||
$self->{urldc} .= "?" . $self->{cookieName} . "=" . $self->{id}
|
||||
if ( $self->{urldc} !~ /$tmp$/oi );
|
||||
return $self->SUPER::autoredirect(@_);
|
||||
}
|
||||
|
||||
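Review bot: The guard `if ( $self->{urldc} !~ /$tmp$/oi )` tests whether the whole redirect URL ends with the domain, but `urldc` normally carries a path and query, so the test fails for same-domain targets such as `http://app.example.com/index.html` and the session id is appended to their URL too; compare the host part of `urldc` with the domain (for instance through the `URI` module's `host` method) rather than the full string. Because the id ends up in a URL, it also matters that `urldc` only ever names an application the portal trusts; if the client can influence it, this check is the only thing deciding where the id is sent. `$tmp` is interpolated unescaped, so the dots in the domain match any character, and `/o` freezes the first domain seen for the process — `\Q$tmp\E` without `/o` is the safer spelling. The append uses `"?"` unconditionally, which produces a malformed query when `urldc` already has one; choose `?` or `&` depending on whether `urldc` contains `?`. The override is named `autoRedirect` but calls `SUPER::autoredirect`; if the parent method uses the same capitalisation as this override, that call will not resolve.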
|
|
|
@ -61,7 +61,7 @@ sub new {
|
|||
$self->{ldapServer} ||= 'localhost';
|
||||
$self->{ldapPort} ||= 389;
|
||||
$self->{securedCookie} ||= 0;
|
||||
$self->{cookieName} ||= "lemon";
|
||||
$self->{cookieName} ||= "lemonldap";
|
||||
|
||||
if ( $self->{authentication} eq "SSL" ) {
|
||||
require Lemonldap::NG::Portal::AuthSSL;
|
||||
|
|