
Auto Registration with Lazy Authentication #10

Open
mcbulba opened this issue Dec 21, 2011 · 4 comments

@mcbulba

mcbulba commented Dec 21, 2011

Hi

First of all: thanks for this plugin.

But I have an issue with lazy authentication and auto registration. I want the redmine site to be available without bothering "external" people (who cannot authenticate via HTTP auth). On the other hand, people who can do HTTP authentication should be asked for their credentials using mod_auth_basic when visiting /httpauth-login.

So I set up two Location directives in apache2:

<Location />
  # No auth needed
</Location>
<Location /httpauth-*>
  # Basic authentication needed
</Location>

By doing so I can activate lazy authentication and after being redirected from /httpauth-login to /login people are still logged into redmine.

However, if someone does not have a redmine account yet, he will not be logged in but sent to /httpauth-selfregister which is still OK due to the wildcard in my Location directive. REMOTE_USER is still set at this point. But after clicking on "Submit" he will find himself on / with an error saying "Username is not provided".

Did I do something too complicated, and is there another way to achieve the wanted behavior with apache and mod_auth_basic? Otherwise I would suggest not redirecting to / until the session has really started and lazy authentication can be applied, either by starting the session right after creating the new account and then redirecting to home_url like it is done now, or by inserting a redirect to httpauth-login after creating the account.

The latter way would, as far as I understand things, retry the login using HTTP authentication (REMOTE_USER is still set) and succeed because now the account exists.

@AdamLantos
Owner

Hi,

yes, the registration form would submit the user back to the main page, where the remote_user is lost. You somehow need to trick apache to provide REMOTE_USER when the browser provides the username/password, but not explicitly require them when browsing outside /httpauth-. If I remember well from my good old apache days, you can use the combination of Satisfy statements to achieve this behavior:

<Location />
  Order allow,deny
  Allow from all
  AuthType basic
  ...
  Satisfy Any
</Location>
<Location /httpauth-*>
  Satisfy All
</Location>

@mcbulba
Author

mcbulba commented Dec 22, 2011

Hi,

thanks for your reply. You are right, basically apache can be tricked to provide REMOTE_USER at the right moment.
Like this:

<Location />
    Order allow,deny
    Allow from all

    AuthType basic
    AuthName "MyRealm"
    AuthUserFile /tmp/foo
    Require valid-user

    Satisfy any
</Location>
<Location /httpauth-*>
    Satisfy all
</Location>

Then it works. But in my case I want to use another module to look up and authenticate users, like PAM. That means, as there is no user file, that I also must use AuthBasicAuthoritative:

<Location />
    Order allow,deny
    Allow from all

    AuthType basic
    AuthName "MyRealm"
    AuthBasicAuthoritative off

    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    Require valid-user

    Satisfy any
</Location>
<Location /httpauth-*>
    Satisfy all
</Location>

And that again seems to break things. As we are now in the world of apache modules I will have a look into this a bit more. Maybe there is another way to use PAM.

But apart from that I tried to redirect users after self-registering to httpauth-login, replacing redirect_to home_url in app/controllers/registration_controller.rb:18 with redirect_to '/httpauth-login' and also with 'https://foobar.org/httpauth-login'. But it had no effect. That surely is because I am absolutely not familiar with Ruby on Rails. Would it be possible to give that strategy a try, or am I totally wrong with this idea?
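The two-Location layout worked out above (Allow from all plus Satisfy any at /, Satisfy all at /httpauth-*) is easy to get subtly wrong. The checker below is an added example, not part of the plugin or of either poster's configuration: it parses Apache 2.2-style <Location> blocks with a deliberately simplified parser (an assumption; nested sections and includes are not handled) and reports where a config deviates from that pattern. The sample config is constructed from the snippets in this thread.

```python
import re

# Constructed sample: the working two-Location layout from this thread.
SAMPLE_CONF = """\
<Location />
    Order allow,deny
    Allow from all
    AuthType basic
    AuthName "MyRealm"
    AuthUserFile /tmp/foo
    Require valid-user
    Satisfy any
</Location>
<Location /httpauth-*>
    Satisfy all
</Location>
"""

# Simplified parser: top-level <Location> sections only (assumption).
LOCATION_RE = re.compile(r"<Location\s+([^>]+)>\s*(.*?)\s*</Location>", re.S | re.I)

def parse_locations(conf):
    """Return {path: {directive_name_lowercased: args}} for each <Location> block."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and blanks
            if line:
                name, _, args = line.partition(" ")
                directives[name.lower()] = args.strip()
        blocks[path.strip()] = directives
    return blocks

def check_lazy_auth(conf):
    """Return a list of findings; an empty list means the layout matches the pattern."""
    blocks = parse_locations(conf)
    root = blocks.get("/")
    if root is None:
        return ["no <Location /> block"]
    findings = []
    if root.get("satisfy", "").lower() != "any":
        findings.append("<Location />: needs 'Satisfy any' so anonymous visitors are not challenged")
    if root.get("allow", "").lower() != "from all":
        findings.append("<Location />: needs 'Allow from all' as the non-authenticated alternative")
    if root.get("authtype", "").lower() != "basic" or "require" not in root:
        findings.append("<Location />: needs 'AuthType basic' and a Require so REMOTE_USER is set when credentials are sent")
    if " " in root.get("order", ""):
        findings.append("<Location />: 'Order %s' must not contain spaces" % root["order"])
    login = blocks.get("/httpauth-*", {})
    if login.get("satisfy", "").lower() != "all":
        findings.append("<Location /httpauth-*>: needs 'Satisfy all' to force the credential prompt")
    return findings
```

Running check_lazy_auth over your own httpd.conf before restarting apache tells you which half of the trick is missing rather than leaving you to infer it from a redirect loop.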

@AdamLantos
Owner

Hi,

this is getting really complex now. Also, the current httpauth module logs out the user if the REMOTE_USER disappears from the environment. The reasoning behind that is that many single sign-on solutions use the REMOTE_USER to communicate the logged-on user, and albeit it's not easy to "log out" from standard HTTP authentication, it's relatively common to implement logout behavior in corporate SSO environments.

Regarding the registration_controller change, it seems fine, but restarting apache might be necessary, based on the current rails environment you're using. But still I would strongly discourage modifying core redmine classes.

I can't comment on the PAM scenario, because I'm not that familiar with the inner workings of apache.

Adam

@giner

giner commented Apr 5, 2012

Hello mcbulba,

Could you help please? Could you describe the environment you use? I'd like to know because lazy authentication doesn't work for me with the following configuration:

<Location />
    AuthType basic
    AuthName "MyRealm"
    AuthUserFile /tmp/foo
    Require valid-user
    Satisfy any
</Location>
<Location /httpauth-*>
    Satisfy all
</Location>

Regards,
Stanislav
