Send exported attributes with REST session server & typos (#2503)
This commit is contained in:
parent
dccb633531
commit
9f77e89f96
|
@ -55,7 +55,7 @@ To integrate a Web application in LL::NG, you have the following
|
|||
possibilities:
|
||||
|
||||
- Protect the application with the Handler, and push user identity
|
||||
trough HTTP headers. This is how main Access Manager products, like
|
||||
through HTTP headers. This is how main Access Manager products, like
|
||||
CA SiteMinder, are working. This also how Apache authentication
|
||||
modules are working, so if your application is compatible with Apache
|
||||
authentication (often called "external authentifcation"), then you
|
||||
|
|
|
@ -11,7 +11,7 @@ Presentation
|
|||
Since 4.0 release, it offers an easy way to configure SSO thanks to
|
||||
authentication subsystems.
|
||||
|
||||
Authentication against LL::NG can be done trough:
|
||||
Authentication against LL::NG can be done through:
|
||||
|
||||
- HTTP headers (LL::NG Handler)
|
||||
- SAML 2 (LL::NG as SAML2 IDP)
|
||||
|
|
|
@ -28,7 +28,7 @@ Little effort is required to translate the encoded string back into the
|
|||
user name and password, and many popular security tools will decode the
|
||||
strings "on the fly".
|
||||
|
||||
So HTTP Basic Authentication is managed trough an HTTP header
|
||||
So HTTP Basic Authentication is managed through an HTTP header
|
||||
(``Authorization``), that can be forged by LL::NG, with this
|
||||
precautions:
|
||||
|
||||
|
|
|
@ -80,7 +80,7 @@ We suppose you configured LemonLDAP::NG as
|
|||
as Service Provider.
|
||||
|
||||
In LL::NG Manager, create an new SP and load simpleSAMLphp metadata
|
||||
trough URL (by default:
|
||||
through URL (by default:
|
||||
http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp):
|
||||
|
||||
|image1|
|
||||
|
|
|
@ -20,7 +20,7 @@ Configuration
|
|||
You can find all suitable information here:
|
||||
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html
|
||||
|
||||
To summarize, to get the user connected trough the ``Auth-User`` HTTP
|
||||
To summarize, to get the user connected through the ``Auth-User`` HTTP
|
||||
Header, use this Sping Security configuration:
|
||||
|
||||
.. code-block:: xml
|
||||
|
|
|
@ -43,7 +43,7 @@ User Roles Settings
|
|||
You can assign WP Roles depending on values sent by CAS.
|
||||
|
||||
The rules syntax is quite special, you can use it or you can just define
|
||||
macros on LL::NG side and send them trough CAS to keep simple rules on
|
||||
macros on LL::NG side and send them through CAS to keep simple rules on
|
||||
WP side.
|
||||
|
||||
For example create a macro ``role_wordpress_admin`` which contains ``1``
|
||||
|
|
|
@ -25,7 +25,7 @@ session under the form:
|
|||
|
||||
``_casPT<serviceID>`` = **Proxy ticket value**
|
||||
|
||||
They can then be forwarded to applications trough
|
||||
They can then be forwarded to applications through
|
||||
:ref:`HTTP headers<headers>`.
|
||||
|
||||
.. tip::
|
||||
|
|
|
@ -17,8 +17,8 @@ Presentation
|
|||
stacks. It is described here: http://openid.net/connect/.
|
||||
|
||||
LL::NG can act as an OpenID Connect Relying Party (RP) towards multiple
|
||||
OpenID Connect Providers (OP). It will get the user identity trough an
|
||||
ID Token, and grab user attributes trough UserInfo endpoint.
|
||||
OpenID Connect Providers (OP). It will get the user identity through an
|
||||
ID Token, and grab user attributes through UserInfo endpoint.
|
||||
|
||||
As an RP, LL::NG supports a lot of OpenID Connect features:
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ https://developers.google.com/identity/protocols/OpenIDConnect
|
|||
|
||||
.. attention::
|
||||
|
||||
Google does not support logout trough OpenID Connect. If
|
||||
Google does not support logout through OpenID Connect. If
|
||||
you close your session on LL::NG side, your Google session will still be
|
||||
open.
|
||||
|
||||
|
|
|
@ -23,7 +23,7 @@ Presentation
|
|||
be rejected).
|
||||
- The portal of the secondary LL::NG structure is configured to
|
||||
delegate authentication to a remote portal. A request to the main
|
||||
session database is done (trough
|
||||
session database is done (through
|
||||
:doc:`SOAP session backend<soapsessionbackend>`) to be sure that the
|
||||
session exists.
|
||||
- If ``exportedAttr`` is set, only those attributes are copied in the
|
||||
|
|
|
@ -19,7 +19,7 @@ modules to access it.
|
|||
:ref:`here<start-configuration-database>`.
|
||||
|
||||
By default, configuration is stored in :doc:`files<fileconfbackend>`, so
|
||||
access trough network is not possible. To allow this, use
|
||||
access through network is not possible. To allow this, use
|
||||
:doc:`SOAP<soapconfbackend>` for configuration access, or use a network
|
||||
service like :doc:`SQL database<sqlconfbackend>` or
|
||||
:doc:`LDAP directory<ldapconfbackend>`.
|
||||
|
@ -46,7 +46,7 @@ For example, to configure the ``File`` configuration backend:
|
|||
Manager
|
||||
-------
|
||||
|
||||
Most of configuration can be done trough LemonLDAP::NG Manager (by
|
||||
Most of configuration can be done through LemonLDAP::NG Manager (by
|
||||
default http://manager.example.com).
|
||||
|
||||
By default, Manager is protected to allow only the demonstration user
|
||||
|
|
|
@ -11,8 +11,8 @@ Presentation
|
|||
stacks. It is described here: http://openid.net/connect/.
|
||||
|
||||
LL::NG can act as an OpenID Connect Provider (OP). It will answer to
|
||||
OpenID Connect requests to give user identity (trough ID Token) and
|
||||
information (trough User Info end point).
|
||||
OpenID Connect requests to give user identity (through ID Token) and
|
||||
information (through User Info end point).
|
||||
|
||||
As an OP, LL::NG supports a lot of OpenID Connect features:
|
||||
|
||||
|
|
|
@ -95,7 +95,7 @@ For each attribute, you can set:
|
|||
- **Mandatory**: if set to "On", then this attribute is required to
|
||||
build the SAML response, an error will displayed if there is no value
|
||||
for it. Optional attribute will be sent only if there is a value
|
||||
associated. Else it just will be sent trough an attribute response,
|
||||
associated. Else it just will be sent through an attribute response,
|
||||
if explicitly requested in an attribute request.
|
||||
- **Format**: optional, SAML attribute format.
|
||||
|
||||
|
|
|
@ -194,7 +194,7 @@ You can close the Kerberos session:
|
|||
|
||||
kdestroy
|
||||
|
||||
Now you can compare the above result with the same request done trough
|
||||
Now you can compare the above result with the same request done through
|
||||
the keytab file:
|
||||
|
||||
::
|
||||
|
|
|
@ -4,7 +4,7 @@ Logout forward
|
|||
Presentation
|
||||
------------
|
||||
|
||||
Even if LL:NG can catch logout URL trough
|
||||
Even if LL:NG can catch logout URL through
|
||||
:ref:`virtual host rules<rules>`, you can have the
|
||||
need to forward a logout to other applications, to close their local
|
||||
sessions.
|
||||
|
|
|
@ -89,7 +89,7 @@ Save the configuration and exit the Manager.
|
|||
|
||||
.. tip::
|
||||
|
||||
The next time you will access Manager, it will be trough
|
||||
The next time you will access Manager, it will be through
|
||||
LL::NG.
|
||||
|
||||
Enable protection on Manager, by editing ``lemonldap-ng.ini``:
|
||||
|
|
|
@ -10,7 +10,7 @@ This Handler is able to check an OAuth2 access token to retrieve the
|
|||
user real session and protect a virtual host like a standard Handler
|
||||
(access control and HTTP headers transmission).
|
||||
|
||||
This requires to get an OAuth2 access token trough LL::NG Portal (OpenID
|
||||
This requires to get an OAuth2 access token through LL::NG Portal (OpenID
|
||||
Connect server). This access token can then be used in the
|
||||
``Authorization`` header to authenticate to the Web Service / API
|
||||
protected by the OAuth2 Handler.
|
||||
|
|
|
@ -64,7 +64,7 @@ Dynamic Registration
|
|||
|
||||
If dynamic registration is enabled, you can configure the following
|
||||
options to define attributes and extra claims when a new relying party
|
||||
is registered trough the ``/oauth2/register`` endpoint:
|
||||
is registered through the ``/oauth2/register`` endpoint:
|
||||
|
||||
- Exported vars for dynamic registration
|
||||
- Extra claims for dynamic registration
|
||||
|
|
|
@ -274,7 +274,7 @@ log4perlConfFile Log4Perl logger configur
|
|||
logLevel Log level, must be set in .ini ✔ ✔ ✔ ✔
|
||||
logger technical logger ✔ ✔ ✔ ✔
|
||||
loginHistoryEnabled Enable login history ✔
|
||||
logoutServices Send logout trough GET request to these services ✔
|
||||
logoutServices Send logout through GET request to these services ✔
|
||||
lwpOpts Options given to LWP::UserAgent ✔
|
||||
lwpSslOpts SSL options given to LWP::UserAgent ✔
|
||||
macros Macros ✔
|
||||
|
|
|
@ -20,13 +20,13 @@ LemonLDAP::NG portal menu has 4 modules:
|
|||
- **OIDC Consents**: display user's OpenId Connect consents
|
||||
- **Logout**: logout button
|
||||
|
||||
Each module can be activated trough a rule, using user session
|
||||
information. These rules can be set trough Manager:
|
||||
Each module can be activated through a rule, using user session
|
||||
information. These rules can be set through Manager:
|
||||
``General Parameters`` > ``Portal`` > ``Menu`` > ``Modules activation``.
|
||||
|
||||
You can use ``0`` or ``1`` to disable/enable the module, or use a more
|
||||
complex rule. For example, to display the password change form only for
|
||||
user authenticated trough LDAP or DBI:
|
||||
user authenticated through LDAP or DBI:
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ Configuration
|
|||
-------------
|
||||
|
||||
- **SOAP/REST exported attributes**: list session attributes shared
|
||||
trough SOAP/REST
|
||||
through SOAP/REST
|
||||
|
||||
- Use ``+`` to append to the default list of technical attributes,
|
||||
example: ``+ uid mail``
|
||||
|
|
|
@ -2,7 +2,7 @@ InWebo Second Factor
|
|||
====================
|
||||
|
||||
`InWebo <https://www.inwebo.com/>`_ is a proprietary MFA solution.
|
||||
You can use is as second factor trough :doc:`Radius 2FA module<radius2f>`.
|
||||
You can use is as second factor through :doc:`Radius 2FA module<radius2f>`.
|
||||
|
||||
Configuration
|
||||
~~~~~~~~~~~~~
|
||||
|
|
|
@ -39,7 +39,7 @@ Handler use the default Apache error code for the following cases:
|
|||
- An error occurs on server side: SERVER_ERROR (500)
|
||||
- The application is in maintenance: HTTP_SERVICE_UNAVAILABLE (503)
|
||||
|
||||
These errors can be catch trough Apache ``ErrorDocument`` directive or
|
||||
These errors can be catch through Apache ``ErrorDocument`` directive or
|
||||
Nginx ``error_page`` directive, to redirect user on a specific page:
|
||||
|
||||
.. code-block:: apache
|
||||
|
|
|
@ -33,7 +33,7 @@ protected with a firewall that only accepts HTTP flows.
|
|||
Most of the time, REST session backend is used by Handlers installed on
|
||||
external servers.
|
||||
|
||||
To configure it, REST session backend will be set trough Manager in
|
||||
To configure it, REST session backend will be set through Manager in
|
||||
global configuration (used by all Handlers), and the real session
|
||||
backend will be configured for local components in lemonldap-ng.ini.
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ protected with a firewall that only accepts HTTP flows.
|
|||
Most of the time, SOAP session backend is used by Handlers installed on
|
||||
external servers.
|
||||
|
||||
To configure it, SOAP session backend will be set trough Manager in
|
||||
To configure it, SOAP session backend will be set through Manager in
|
||||
global configuration (used by all Hanlders), and the real session
|
||||
backend will be configured for local components in lemonldap-ng.ini.
|
||||
|
||||
|
|
|
@ -141,7 +141,7 @@ OpenID
|
|||
================ =============================================
|
||||
Key Description
|
||||
================ =============================================
|
||||
\_openid\_\ *id* Consent to share attribute *id* trough OpenID
|
||||
\_openid\_\ *id* Consent to share attribute *id* through OpenID
|
||||
================ =============================================
|
||||
|
||||
OpenID Connect
|
||||
|
|
|
@ -64,7 +64,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
|||
PE_PASSWORD_OK
|
||||
);
|
||||
|
||||
our $VERSION = '2.0.10';
|
||||
our $VERSION = '2.0.12';
|
||||
|
||||
extends qw(
|
||||
Lemonldap::NG::Portal::Main::Plugin
|
||||
|
@ -85,7 +85,7 @@ has exportedAttr => (
|
|||
default => sub {
|
||||
my $conf = $_[0]->{conf};
|
||||
if ( $conf->{exportedAttr} and $conf->{exportedAttr} !~ /^\s*\+/ ) {
|
||||
return [ split /\s+/, $conf->{exportedAttr} ];
|
||||
return '[' . join( ',', split /\s+/, $conf->{exportedAttr} ) . ']';
|
||||
}
|
||||
else {
|
||||
my @attributes = (
|
||||
|
@ -247,6 +247,7 @@ sub init {
|
|||
);
|
||||
extends @parents if ($add);
|
||||
$self->setTypes( $self->conf ) if ( $self->conf->{restSessionServer} );
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -326,9 +327,8 @@ sub newAuthSession {
|
|||
$self->logger->debug(
|
||||
"REST authentication result for $req->{user}: code $req->{error}");
|
||||
|
||||
if ( $req->error > 0 ) {
|
||||
return $self->p->sendError( $req, 'Bad credentials', 401 );
|
||||
}
|
||||
return $self->p->sendError( $req, 'Bad credentials', 401 )
|
||||
if ( $req->error > 0 );
|
||||
return $self->session( $req, $id );
|
||||
}
|
||||
|
||||
|
@ -368,11 +368,13 @@ sub delSession {
|
|||
$self->logger->debug("REST request to delete session $id");
|
||||
my $res = $self->p->_deleteSession( $req, $session );
|
||||
$self->logger->debug(" Result is $res");
|
||||
|
||||
return $self->p->sendJSONresponse( $req, { result => $res } );
|
||||
}
|
||||
|
||||
sub delMySession {
|
||||
my ( $self, $req, $id ) = @_;
|
||||
|
||||
return $self->delSession( $req, $req->userData->{_session_id} );
|
||||
}
|
||||
|
||||
|
@ -380,10 +382,9 @@ sub mysession {
|
|||
my ( $self, $req ) = @_;
|
||||
|
||||
# 1. whoami
|
||||
if ( defined $req->param('whoami') ) {
|
||||
return $self->p->sendJSONresponse( $req,
|
||||
{ result => $req->userData->{ $self->conf->{whatToTrace} } } );
|
||||
}
|
||||
return $self->p->sendJSONresponse( $req,
|
||||
{ result => $req->userData->{ $self->conf->{whatToTrace} } } )
|
||||
if defined $req->param('whoami');
|
||||
|
||||
if ( defined $req->param('gettoken') ) {
|
||||
return $self->p->sendJSONresponse( $req,
|
||||
|
@ -416,6 +417,7 @@ sub mysession {
|
|||
$self->logger->debug(" Result is $res");
|
||||
return $self->p->sendJSONresponse( $req, { result => $res } );
|
||||
}
|
||||
|
||||
return $self->p->sendError( $req,
|
||||
'whoami or authorizationfor is required', 400 );
|
||||
}
|
||||
|
@ -423,7 +425,18 @@ sub mysession {
|
|||
sub getMyKey {
|
||||
my ( $self, $req, $key ) = @_;
|
||||
$key ||= '';
|
||||
$self->logger->debug("Request to get personal session info -> Key : $key");
|
||||
if ($key) {
|
||||
$self->logger->debug(
|
||||
"Request to get personal session info -> Key: $key");
|
||||
}
|
||||
else {
|
||||
my $keys = $self->exportedAttr;
|
||||
$keys =~ s/(?:\[|\])//g;
|
||||
$keys =~ s/,/, /g;
|
||||
$self->logger->debug(
|
||||
"Request to get exported attributes -> Keys: $keys");
|
||||
}
|
||||
|
||||
return $self->session(
|
||||
$req,
|
||||
$req->userData->{_session_id},
|
||||
|
@ -435,6 +448,7 @@ sub updateMySession {
|
|||
my ( $self, $req ) = @_;
|
||||
my $res = 0;
|
||||
my $mKeys = [];
|
||||
|
||||
if ( my $token = $req->param('token') ) {
|
||||
if ( $self->ott->getToken($token) ) {
|
||||
if ( $req->param('sessionType') eq 'persistent' ) {
|
||||
|
@ -469,9 +483,8 @@ sub updateMySession {
|
|||
else {
|
||||
$self->logger->error('Update session request without token');
|
||||
}
|
||||
unless ($res) {
|
||||
return $self->p->sendError( $req, 'Modification refused', 403 );
|
||||
}
|
||||
|
||||
return $self->p->sendError( $req, 'Modification refused', 403 ) unless $res;
|
||||
return $self->p->sendJSONresponse( $req,
|
||||
{ result => 1, count => $res, modifiedKeys => $mKeys } );
|
||||
}
|
||||
|
@ -482,6 +495,7 @@ sub delKeyInMySession {
|
|||
my $mKeys = [];
|
||||
my $dkey = $req->param('key');
|
||||
my $sub = $req->param('sub');
|
||||
|
||||
if ( my $token = $req->param('token') ) {
|
||||
if ( $self->ott->getToken($token) ) {
|
||||
if ( $req->param('sessionType') eq 'persistent' ) {
|
||||
|
@ -554,9 +568,8 @@ sub delKeyInMySession {
|
|||
else {
|
||||
$self->logger->error('Update session request without token');
|
||||
}
|
||||
unless ($res) {
|
||||
return $self->p->sendError( $req, 'Modification refused', 403 );
|
||||
}
|
||||
|
||||
return $self->p->sendError( $req, 'Modification refused', 403 ) unless $res;
|
||||
return $self->p->sendJSONresponse( $req,
|
||||
{ result => 1, count => $res, modifiedKeys => $dkey } );
|
||||
}
|
||||
|
@ -765,8 +778,8 @@ sub _checkSecret {
|
|||
$self->logger->error('Bad key, force denied');
|
||||
}
|
||||
}
|
||||
return $isValid;
|
||||
|
||||
return $isValid;
|
||||
}
|
||||
|
||||
1;
|
||||
|
|
Loading…
Reference in New Issue
Block a user