[pubcookie-dev] Patch to enable HTTP auth deferal

[Bradley Schwoerer]

We have been working on a flavor_trust that will should also work in this
situation.  The _trust part is in reference to trusting the web server in
pre authenticating the user.  This was developed for us being able to
support certificate based authentications and also as a generalized approach
to this type of authentication.   I am going to try hard to get a patch for
this today after I get caught up from the long weekend.

-Bradley



On 7/4/06 4:04 PM, "Eric Dorland" <eric.dorland at mcgill.ca> wrote:

> Hello,
> 
> My colleague Konstantin Ryabitsev and I have been investigating the
> feasibility of running pubcookie here at McGill University, since we're
> very interested at setting up some SSO infrastructure. One of the things
> we're interested in is using SPNEGO type authentication for a lot of the
> internal desktop users, while gracefully falling back to a web form for
> authenticating non Kerberos (or Active Directory) user.
> 
> So mod_auth_kerb provides the SPNEGO part of the equation, and pubcookie
> can handle the rest, so how do I combine them? Since mod_auth_kerb (and
> most mod_auth_* modules in general) just do their thing and passes the
> REMOTE_USER variable to the CGI, my idea was for the index.cgi.c to
> check if REMOTE_USER is passed, and if it is, bypass the authentication
> phase and go straight to granting the cookies, etc.
> 
> The attached patch is my attempt at getting this right. It's been tested
> on a limited basis and appears to work. I'll admit to having quite a bit
> of trouble following the logical flow of the cgi, so I'm worried I'm not
> handling some scenarios properly. I'd really appreciate it if someone
> with some experience with the code could take a look and hopefully help
> me make this more complete (or tell me I'm perfect :P).
> 
> Of course, we'd love to see this patch (or its improved descendants)
> make their way into the mainline. Thanks in advance for any help or
> suggestions.