[pubcookie-dev] Patch to enable HTTP auth deferral
Eric Dorland
eric.dorland at mcgill.ca
Wed Jul 5 11:08:55 PDT 2006
Bradley Schwoerer wrote:
> We have been working on a flavor_trust that should also work in this
> situation. The _trust part is in reference to trusting the web server in
> pre-authenticating the user. This was developed for us being able to
> support certificate-based authentications and also as a generalized approach
> to this type of authentication. I am going to try hard to get a patch for
> this today after I get caught up from the long weekend.
That's very good news! My initial thought was to do it that way, but
there didn't seem to be provision for doing this, since the index.cgi.c
seemed to expect a two-phase type authentication, not easily able
to skip the first step and go directly to granting cookies.
> On 7/4/06 4:04 PM, "Eric Dorland" <eric.dorland at mcgill.ca> wrote:
>
>> Hello,
>>
>> My colleague Konstantin Ryabitsev and I have been investigating the
>> feasibility of running pubcookie here at McGill University, since we're
>> very interested in setting up some SSO infrastructure. One of the things
>> we're interested in is using SPNEGO-type authentication for a lot of the
>> internal desktop users, while gracefully falling back to a web form for
>> authenticating non-Kerberos (or Active Directory) users.
>>
>> So mod_auth_kerb provides the SPNEGO part of the equation, and pubcookie
>> can handle the rest, so how do I combine them? Since mod_auth_kerb (and
>> most mod_auth_* modules in general) just do their thing and pass the
>> REMOTE_USER variable to the CGI, my idea was for the index.cgi.c to
>> check if REMOTE_USER is passed, and if it is, bypass the authentication
>> phase and go straight to granting the cookies, etc.
>>
>> The attached patch is my attempt at getting this right. It's been tested
>> on a limited basis and appears to work. I'll admit to having quite a bit
>> of trouble following the logical flow of the cgi, so I'm worried I'm not
>> handling some scenarios properly. I'd really appreciate it if someone
>> with some experience with the code could take a look and hopefully help
>> me make this more complete (or tell me I'm perfect :P).
>>
>> Of course, we'd love to see this patch (or its improved descendants)
>> make their way into the mainline. Thanks in advance for any help or
>> suggestions.
>
>
--
Eric Dorland
eric.dorland at mcgill.ca
System Administrator
Web Service Group
514.398.5023 ext. 09562
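
Added example (not part of the original messages, and not pubcookie code): a C sketch of the check discussed in this thread, where the login CGI skips the credential form only when the web server itself reports a completed SPNEGO authentication. The function name, the trusted-realm parameter, the EXAMPLE.ORG realm and the assumption that AUTH_TYPE reads "Negotiate" after SPNEGO are all illustrative.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum login_path { LOGIN_FORM = 0, LOGIN_PREAUTH = 1 };

/* Hypothetical helper, not pubcookie code. Decides whether the login CGI may
 * skip the credential form because the web server already authenticated the
 * user. Inputs are the CGI variables REMOTE_USER and AUTH_TYPE, which the
 * server sets itself; HTTP_* variables mirror request headers, never use them. */
enum login_path choose_login_path(const char *remote_user, const char *auth_type,
                                  const char *trusted_realm, char *user_out, size_t out_len)
{
    const char *at;
    size_t i, n;
    if (!remote_user || !auth_type || !trusted_realm || out_len == 0)
        return LOGIN_FORM;
    /* Assumption: the server reports AUTH_TYPE "Negotiate" after SPNEGO. */
    if (strcasecmp(auth_type, "Negotiate") != 0)
        return LOGIN_FORM;
    /* Expect user@REALM and accept only the single realm we trust. */
    at = strchr(remote_user, '@');
    if (!at || strcmp(at + 1, trusted_realm) != 0)
        return LOGIN_FORM;
    n = (size_t)(at - remote_user);
    if (n == 0 || n >= out_len)
        return LOGIN_FORM;
    /* Conservative character set so the name is safe to place in a cookie. */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)remote_user[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return LOGIN_FORM;
    }
    memcpy(user_out, remote_user, n);
    user_out[n] = '\0';
    return LOGIN_PREAUTH;
}

int main(void)
{
    char user[64];
    /* EXAMPLE.ORG is a placeholder realm, not a value from the thread. */
    enum login_path p = choose_login_path(getenv("REMOTE_USER"), getenv("AUTH_TYPE"),
                                          "EXAMPLE.ORG", user, sizeof user);
    puts(p == LOGIN_PREAUTH ? "grant cookies without the form" : "show the login form");
    return 0;
}
```

Any failed check falls back to the form rather than rejecting the request, which matches the graceful fallback for non-Kerberos users described in the first message.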