Thread: Authentication between Instiki and Mailman




Authentication between Instiki and Mailman
2006-05-24 15:43:28
This was taken from a string of emails I sent to the rails mailing list.  I was attempting to enable a single sign on between Instiki (running on Mongrel) and Mailman running from Apache.  Essentially, we needed to authenticate against the cookie written by Ruby.  It turns out that you can write a cookie for the entire TLD of *.example.com from Instiki (Rails).  So, I changed the cookie writing code in the wiki_controller to the following.

# app/controllers/wiki_controller.rb
# Both cookies are scoped to .example.com so every subdomain can read them.
cookies['ldap_username_2006'] = { :value   => emailaddress,
                                  :expires => 30.days.from_now,
                                  :domain  => '.example.com' }
cookies['session_id']         = { :value   => session.session_id,
                                  :expires => 30.days.from_now,
                                  :domain  => '.example.com' }

This had the effect of allowing the cookie to be read by all subdomains, which is completely fine.  The next step was to make Apache recognize the cookie, which was a bit harder than I thought.  I amended the /etc/httpd/conf.d/mailman.example.com.conf config file with the following mod_rewrite rules.

# /etc/httpd/conf.d/mailman.example.com.conf
RewriteEngine On
# Redirect to the wiki's auth page only when the Cookie header does not
# already carry an ldap_username_2006 cookie. The %{HTTP_COOKIE} and
# %{REQUEST_URI} variable names are reconstructed here: the braces were
# stripped in the archived copy of this message.
RewriteCond %{HTTP_COOKIE} !^.*ldap_username_2006=.*$
RewriteRule .*$ http://instiki.example.com/wiki/auth?mailman_from=http://mailman.example.com%{REQUEST_URI} [R,L]

So, there was a little bit more hacking in the "auth" view to force a redirect back to mailman if that's where the request originated.  This required that the auth view handle the "mailman_from" request variable being sent by the rewrite rule.

# app/views/wiki/auth.rhtml
<%= form_tag(:controller => 'wiki', :action => 'ldap_authenticate',
             :redirect_mailman => params['mailman_from']) %>

Finally, ldap_authenticate has to redirect back to mailman if the request was initiated there and the cookie did not exist.  The entire URL is preserved.  So, if you came in from a particular list request, you are redirected back to that particular list.

# app/controllers/wiki_controller.rb, at the end of ldap_authenticate
if params['redirect_mailman'].nil?
  redirect_home
else
  redirect_to params['redirect_mailman'].to_s
end

Clearly, this method of checking the ldap_username_2006 is a bare minimum of security.  If a user could guess that cookie name, and write it, then they could get access.  The right way would be to check the session_id against the database, but it didn't seem like RewriteCond could do such a thing.  I actually have another check in my RewriteCond (not listed in this email) to ensure the value of the cookie complies with the regex.  Even so, I'd be fairly wary of implementing this outside of our Intranet.

The other option I considered is forking mailman to check the session_id from the instiki database.  This is probably slightly more sane; however, this would require us to merge future mailman patches manually.

If anyone has any thoughts on how to check a session_id against a database with mod_rewrite (or any other Apache module), let me know.

Regards,

Tony
http://involution.com

_______________________________________________
Instiki-users mailing list
Instiki-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/instiki-users
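The post above checks only that a cookie named ldap_username_2006 is present, and asks how to validate session_id instead. As an added example (not the post's code and not part of Instiki or Mailman), this Ruby snippet mirrors what the posted RewriteCond actually tests and contrasts it with a server-side lookup of session_id in a session store; the store contents and Cookie header values are constructed stand-ins.

```ruby
require 'cgi'

# Constructed stand-in for the Instiki session table the author wants
# consulted: session_id => authenticated email address.
VALID_SESSIONS = {
  'a1b2c3d4e5f6' => 'alice@example.com'
}.freeze

# Mirror of the posted RewriteCond: a substring match on the raw
# Cookie header. Any value after the cookie name satisfies it.
def rewritecond_passes?(cookie_header)
  cookie_header.to_s.match?(/^.*ldap_username_2006=.*$/)
end

# Parse a Cookie header ("a=1; b=2") into a name => value hash.
def parse_cookies(cookie_header)
  cookie_header.to_s.split(/;\s*/).each_with_object({}) do |pair, h|
    name, value = pair.split('=', 2)
    h[name.strip] = CGI.unescape(value.to_s) unless name.nil? || name.strip.empty?
  end
end

# Server-side gate: accept only a session_id that exists in the store,
# and take the identity from the store rather than from the cookie.
# Returns the authenticated email address, or nil when unauthenticated.
def session_gate(cookie_header, sessions = VALID_SESSIONS)
  sid = parse_cookies(cookie_header)['session_id']
  return nil if sid.nil? || sid.empty?
  sessions[sid]
end

if __FILE__ == $0
  unverified = 'ldap_username_2006=anyone@example.com; session_id=zzz'
  genuine    = 'ldap_username_2006=alice@example.com; session_id=a1b2c3d4e5f6'
  puts rewritecond_passes?(unverified)   # true: only the cookie name is tested
  puts session_gate(unverified).inspect  # nil: session_id not in the store
  puts session_gate(genuine)             # alice@example.com
end
```

The lookup would have to run in the application (or in an Apache module that can query the session store), since mod_rewrite alone cannot consult a database.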
