
Mailing List Archive: Bricolage: devel

New Authentication Module

 

 



rolfm at denison

Oct 14, 2008, 10:45 AM

Post #1 of 9 (2640 views)
Permalink
New Authentication Module

At Denison we use the Central Authentication Service (or CAS) to
provide SSO functionality for a number of apps.

http://www.ja-sig.org/products/cas/

We're looking to extend this to Bricolage. I'm planning on taking
David's advice from 2004

http://www.justatheory.com/bricolage/design/ways_to_extend.html

And combine it with this perl module

http://search.cpan.org/~osalaun/AuthCAS-1.3.1/lib/AuthCAS.pm

to add the functionality into Bricolage.

Honestly, it looks pretty straightforward to me.

David, any advice on things to watch out for? Is the process of
adding this similar to adding a mover? Questions? Comments?

-Matt


marshall at exclupen

Oct 14, 2008, 10:56 AM

Post #2 of 9 (2574 views)
Permalink
Re: New Authentication Module [In reply to]

Could you write a module for Bricolage that works with any Apache auth
mechanism? Then you could use mod_auth_cas through Bricolage's httpd.

That'd add support for lots and lots of other SSO systems like
mod_ntlm (Active Directory), mod_auth_kerb (Kerberos, Apple Open
Directory, Novell eDirectory, etc.), mod_auth_ldap (could pull LDAP
out of Bricolage itself), mod_pubcookie, etc.

Marshall

On Oct 14, 2008, at 1:45 PM, Matt Rolf wrote:

> At Denison we use the Central Authentication Service (or CAS) to
> provide SSO functionality for a number of apps.
>
> http://www.ja-sig.org/products/cas/
>
> We're looking to extend this to Bricolage. I'm planning on taking
> David's advice from 2004
>
> http://www.justatheory.com/bricolage/design/ways_to_extend.html
>
> And combine it with this perl module
>
> http://search.cpan.org/~osalaun/AuthCAS-1.3.1/lib/AuthCAS.pm
>
> to add the functionality into Bricolage.
>
> Honestly, it looks pretty straightforward to me.
>
> David, any advice on things to watch out for? Is the process of
> adding this similar to adding a mover? Questions? Comments?
>
> -Matt


D-Beaudet at NGA

Oct 14, 2008, 11:14 AM

Post #3 of 9 (2565 views)
Permalink
RE: New Authentication Module [In reply to]

Marshall / Matt +10

Looking for transparent SSO myself with Kerb from Active Directory and was just going to start modifying my Bric for it, so I'd be willing to help with this as necessary.


rolfm at denison

Oct 14, 2008, 11:43 AM

Post #5 of 9 (2565 views)
Permalink
Re: New Authentication Module [In reply to]

On Oct 14, 2008, at 1:56 PM, Marshall Roch wrote:

> Could you write a module for Bricolage that works with any Apache
> auth mechanism? Then you could use mod_auth_cas through Bricolage's
> httpd.
>
> That'd add support for lots and lots of other SSO systems like
> mod_ntlm (Active Directory), mod_auth_kerb (Kerberos, Apple Open
> Directory, Novell eDirectory, etc.), mod_auth_ldap (could pull LDAP
> out of Bricolage itself), mod_pubcookie, etc.

That's an interesting idea. I'd be interested in looking into that.

David, I'd be happy to collaborate on this as much as you are willing.

-Matt


david at kineticode

Oct 14, 2008, 3:37 PM

Post #6 of 9 (2570 views)
Permalink
Re: New Authentication Module [In reply to]

On Oct 14, 2008, at 10:45, Matt Rolf wrote:

> David, any advice on things to watch out for? Is the process of
> adding this similar to adding a mover? Questions? Comments?

No. Just, please, write tests. See t/Bric/Util/AuthEngines/Test.pm.
You'd just add a new test for CAS or Apache or whatever. See how I did
it for LDAP in that file by creating a mock class. You'd probably have
to do something like that, too.

HTH,

David


rolfm at denison

Oct 15, 2008, 8:22 AM

Post #7 of 9 (2562 views)
Permalink
Re: New Authentication Module [In reply to]

On Oct 14, 2008, at 1:56 PM, Marshall Roch wrote:

> Could you write a module for Bricolage that works with any Apache
> auth mechanism? Then you could use mod_auth_cas through Bricolage's
> httpd.

I've been doing some more thinking on this. Marshall, how would you
suggest approaching it? Is there a perl module out there that you
would recommend as a starting point? Most of the ones I'm finding
seem to be for specific auth mechanisms.

-Matt


marshall at exclupen

Oct 15, 2008, 8:51 AM

Post #8 of 9 (2550 views)
Permalink
Re: New Authentication Module [In reply to]

On Oct 15, 2008, at 11:22 AM, Matt Rolf wrote:

>
> On Oct 14, 2008, at 1:56 PM, Marshall Roch wrote:
>
>> Could you write a module for Bricolage that works with any Apache
>> auth mechanism? Then you could use mod_auth_cas through Bricolage's
>> httpd.
>
> I've been doing some more thinking on this. Marshall, how would
> you suggest approaching it? Is there a perl module out there that
> you would recommend as a starting point? Most of the ones I'm
> finding seem to be for specific auth mechanisms.

I haven't actually done it with Perl or mod_auth_cas, but I have with
Rails and mod_pubcookie.

Basically, mod_pubcookie intercepts the request at the Apache level
(before mod_perl or Bricolage or anything else) and handles the SSO,
sending you off to a login server if you're not logged in. Then you're
returned to the page with a cookie that mod_pubcookie uses to
authenticate you. So when the request gets to mod_perl, the
REMOTE_USER environment variable contains the authenticated user's
username. You can always trust REMOTE_USER. I'm not sure how
mod_auth_cas works, but I'm guessing it's somehow similar in that you
wouldn't ever need to use the Bricolage login page.

So if REMOTE_USER is set by Apache, then you can just call set_user()
and create the session. Looks like you'd probably want to add it
directly to Bric::App::Auth::auth() rather than a separate auth plugin.

--
Marshall
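
An added example, not part of the original thread and not Bricolage code: the REMOTE_USER hand-off described in the post above, written as a stand-alone Perl function over a CGI-style environment hash, with the checks an application would make before creating a session. The user table, the login-name pattern, the `trusted_remote_user` name and the sample requests are constructed assumptions; the session step the post mentions (set_user()) appears only as a comment.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the application's own user table (hypothetical).
my %LOCAL_USERS = (alice => 1, bob => 1);

# Return the login name to create a session for, or undef to fall back
# to the normal login page. $env looks like %ENV under Apache.
sub trusted_remote_user {
    my ($env) = @_;

    # Apache sets AUTH_TYPE alongside REMOTE_USER when an auth module
    # actually authenticated this request; require both, so an
    # unprotected location never yields an identity.
    my $auth_type = $env->{AUTH_TYPE};
    my $user      = $env->{REMOTE_USER};
    return unless defined $auth_type && length $auth_type;
    return unless defined $user      && length $user;

    # Only REMOTE_USER counts. Request headers arrive as HTTP_* keys
    # (for example HTTP_REMOTE_USER) and are client-controlled, so they
    # are deliberately never consulted here.

    # Accept a conservative login-name shape only (assumed policy).
    return unless $user =~ /\A[a-z][a-z0-9._-]{0,31}\z/;

    # SSO proves who the person is, not that they have an account here.
    return unless $LOCAL_USERS{$user};

    return $user;    # caller would now call set_user() and create the session
}

# Constructed sample requests.
my @requests = (
    [ 'auth module authenticated a local user', { AUTH_TYPE => 'CAS', REMOTE_USER => 'alice' } ],
    [ 'location not protected, nothing set',    { } ],
    [ 'only a client-sent header is present',   { HTTP_REMOTE_USER => 'alice' } ],
    [ 'authenticated, but no local account',    { AUTH_TYPE => 'CAS', REMOTE_USER => 'mallory' } ],
);

for my $case (@requests) {
    my ($label, $env) = @$case;
    my $user = trusted_remote_user($env);
    printf "%-40s -> %s\n", $label,
        defined $user ? "create session for $user" : 'use normal login page';
}
```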


david at kineticode

Oct 15, 2008, 9:35 AM

Post #9 of 9 (2549 views)
Permalink
Re: New Authentication Module [In reply to]

On Oct 15, 2008, at 08:51, Marshall Roch wrote:

> Basically, mod_pubcookie intercepts the request at the Apache level
> (before mod_perl or Bricolage or anything else) and handles the SSO,
> sending you off to a login server if you're not logged in. Then
> you're returned to the page with a cookie that mod_pubcookie uses to
> authenticate you. So when the request gets to mod_perl, the
> REMOTE_USER environment variable contains the authenticated user's
> username. You can always trust REMOTE_USER. I'm not sure how
> mod_auth_cas works, but I'm guessing it's somehow similar in that
> you wouldn't ever need to use the Bricolage login page.

Have a look at RT. It has a configuration setting to trust Apache's
authentication stuff. I'm not sure if it just trusts REMOTE_USER or
what.

> So if REMOTE_USER is set by Apache, then you can just call
> set_user() and create the session. Looks like you'd probably want to
> add it directly to Bric::App::Auth::auth() rather than a separate
> auth plugin.

Sounds pretty simple.

Best,

David
