[Trac-tickets] Re: [The Trac Project] #1855: [PATCH] Refactored
authentication mechanism
The Trac Project
noreply at edgewall.com
Thu Sep 1 11:41:44 CDT 2005
#1855: [PATCH] Refactored authentication mechanism
---------------------------------------+------------------------------------
Reporter: Rede <redetin at luukku.com> | Owner: cmlenz
Type: enhancement | Status: reopened
Priority: low | Milestone: 0.9
Component: general | Version: devel
Severity: normal | Resolution:
Keywords: |
---------------------------------------+------------------------------------
Changes (by Bruce Christensen <trac at brucec.net>):
* status: closed => reopened
* resolution: fixed =>
Comment:
I've reviewed the changes in [2078], and they're almost sufficient.
However, I need a way to pre-process requests before the actual request
handler is called to (possibly) do transparent authentication for each
request, due to the way that CAS works.
If you don't want to read the book I wrote below, just take a look at the
patch I've attached. It sums up things nicely.
CAS is a central web-based login system that runs on its own server.
Individual applications redirect the user agent to the CAS server, but
pass along a "callback URL" that CAS uses to send the user back when it's
done. The CAS server uses a cookie set on its domain to remember when a
user has been authenticated to provide "single sign on". When CAS
redirects the user to the "callback URL", it also passes along a a random
authentication ticket (just a random string). The application's server
(not the user's browser) then connects to the CAS server to make sure that
the ticket is valid. If it is, the app sets a cookie on its site so that
it also remembers that the user is authenticated.
Here's where the need for request preprocessing appears:
1. The user accesses an application (other than Trac) that requires CAS
authentication. That app redirects the user to CAS, which authenticates
the user, sets a "user is authenticated" cookie, and redirects the user
back to the original application, which now grants the user extra
privileges.
2. Some time later, the user accesses Trac, but not at the login URL. She
has already logged in to CAS, but Trac doesn't know that, so it thinks
she's not logged in. If she logs in to Trac, Trac will send her to CAS,
which will see the "user is authenticated cookie" and send her right back,
at which point she'll be logged in to Trac.
Rather than have the user have to manually log in to Trac after she's
already logged in to CAS, I'd like to have Trac do this automatically if
it hasn't already tried. Here's what would happen instead:
1. The user accesses an application (other than Trac) that requires CAS
authentication. That app redirects the user to CAS, which authenticates
the user, sets a "user is authenticated" cookie, and redirects the user
back to the original application, which now grants the user extra
privileges.
2. Some time later, the user accesses Trac, but not at the login URL. The
authentication module's request preprocessing handler is called. It checks
a cookie to see if passthrough authentication has been attempted already,
and sees that it hasn't. Since it hasn't been tried, it redirects the user
to the CAS server for authentication. CAS sees that the user has already
been authenticated and redirects her browser back to Trac with an
authentication ticket. Trac sees the ticket, verifies it, and logs her in.
This all happens automatically.
If the user wasn't already logged in to CAS, the transparent
authentication attempt would still happen, but CAS would send the user's
browser back to Trac with a message that says "she's not authenticated".
Trac would set a cookie to remember that it tried transparent
authentication and redirect the user back to the page she originally
requested.
--
Ticket URL: <http://projects.edgewall.com/trac/ticket/1855>
The Trac Project <http://trac.edgewall.com/>
More information about the Trac-Tickets
mailing list