Add RequestAttributeAuthenticationFilter #3978

Closed
@Majlen
Contributor

Majlen commented Jul 15, 2016

This style is used in many SSO implementations, such as Stanford WebAuth and Shibboleth. Even though in many uses it can be avoided by forcing the HTTP server/proxy to store the principal in a header instead of an environment variable, this approach is much more secure (you cannot set it without having better access to the server).

@pivotal-issuemaster

pivotal-issuemaster commented Jul 15, 2016

@Majlen Please sign the Contributor License Agreement!
Member

rwinch commented Aug 15, 2016

@Majlen Thanks for the Pull Request.

I haven't seen this approach. How do you setup your container (i.e. Tomcat) to populate the request attribute?

@rwinch rwinch self-assigned this Aug 15, 2016

@rwinch rwinch modified the milestone: 4.2.0 M1 Aug 15, 2016

Contributor

Majlen commented Aug 18, 2016

This approach is used by SSO implementations which are implemented as modules of Apache HTTPd.

Basically the container is hidden behind a reverse proxy by using mod_jk, which can be set up to pass environment variables. These variables can then be accessed by the ServletRequest.getAttribute() method.
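To make the mechanism described in this comment (and the security argument in the opening comment) concrete, here is an added example of a Spring Security pre-authentication filter that takes the principal from a request attribute rather than from a header. It is illustration code written for this page, not the RequestAttributeAuthenticationFilter the PR adds and not code from Shibboleth or WebAuth. The package name, the class name AttributePreAuthFilter, the create() helper and the attribute name REMOTE_USER are assumptions; the Spring Security types used (AbstractPreAuthenticatedProcessingFilter, PreAuthenticatedAuthenticationProvider, UserDetailsByNameServiceWrapper, ProviderManager) are the framework's own.

```java
// Added example, not the project's RequestAttributeAuthenticationFilter: a pre-authenticated
// filter in the style the PR describes. The principal comes from a request attribute that the
// connector (e.g. mod_jk forwarding an Apache environment variable) sets; request headers,
// which any client can supply, are deliberately never consulted.
package com.example.preauth; // hypothetical package

import java.util.Collections;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class AttributePreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Attribute names are assumptions: REMOTE_USER is the variable Shibboleth and WebAuth
    // conventionally export; no credential attribute is read unless one is configured.
    private String principalAttribute = "REMOTE_USER";
    private String credentialsAttribute;

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        Object principal = request.getAttribute(principalAttribute);
        if (principal == null) {
            // Nothing from the front end: return null so the base filter leaves the request
            // unauthenticated instead of trusting anything else (such as a spoofable header).
            return null;
        }
        String name = principal.toString().trim();
        return name.isEmpty() ? null : name;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        if (credentialsAttribute == null) {
            return "N/A"; // the front end already authenticated the user; no secret to carry
        }
        Object credentials = request.getAttribute(credentialsAttribute);
        return credentials == null ? "N/A" : credentials;
    }

    public void setPrincipalAttribute(String principalAttribute) {
        this.principalAttribute = principalAttribute;
    }

    public void setCredentialsAttribute(String credentialsAttribute) {
        this.credentialsAttribute = credentialsAttribute;
    }

    // Wires the filter to the standard pre-authentication provider: the principal name is
    // looked up in the application's UserDetailsService, which assigns the authorities.
    public static AttributePreAuthFilter create(UserDetailsService userDetailsService) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));

        AttributePreAuthFilter filter = new AttributePreAuthFilter();
        filter.setAuthenticationManager(
                new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider)));
        return filter;
    }
}
```

On the Apache side, with Shibboleth's ShibUseHeaders left at its default of Off the attributes stay environment variables, and a mod_jk directive such as `JkEnvVar REMOTE_USER` forwards that variable so that Tomcat exposes it through getAttribute(). The property the whole scheme relies on is that the container only accepts requests from the proxy: if the AJP connector is reachable directly by clients, the attribute is no longer a server-side assertion, so bind it to the loopback interface or otherwise keep it unreachable.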

Member

rwinch commented Aug 30, 2016

@Majlen Thanks for the response. I suppose I should have been more detailed in my ask. Can you provide me a link to a specific SSO implementation that does this? I'd really like some instructions on how to set this up so I can try it.

A few improvements before this gets merged:

  • Add links to the SSO implementations that use this approach along with links to the setup required
  • Add tests
Contributor

Majlen commented Sep 7, 2016

OK, 2 SSOs that I know of are Shibboleth and WebAuth, links are provided below. In case of WebAuth, you would also have to set up a Kerberos environment, since it is used as authentication backend.

I will provide a test suite, probably tomorrow.

Shibboleth:

WebAuth:

@rwinch rwinch modified the milestones: 4.2.0 M2, 4.2.0 M1 Sep 21, 2016

Member

rwinch commented Sep 21, 2016

Moved this back to M2 since there are no tests yet and M1 is getting released today

Majlen added some commits Jul 15, 2016

Added authentication filter reading environment variables.
This style is used in many SSO implementations, such as Stanford WebAuth
and Shibboleth.
Contributor

Majlen commented Sep 22, 2016

Aah, I forgot, sorry about that. Tests are now included.

rwinch added a commit that referenced this pull request Sep 22, 2016

Rename to RequestAttributeAuthenticationFilter
Rename EnvironmentVariableAuthenticationFilter to
RequestAttributeAuthenticationFilterTests

Polish gh-3978

@rwinch rwinch changed the title from Added authentication filter reading environment variables. to Add RequestAttributeAuthenticationFilter Sep 22, 2016

@rwinch rwinch modified the milestones: 4.2.0 M1, 4.2.0 M2 Sep 22, 2016


rwinch commented Sep 22, 2016

Thanks for the PR!

This is now merged via a8120e7 I applied some polish via 9ae163e Summary:

  • Rename to RequestAttributeAuthenticationFilter
  • Move the test out of the envvariable package to preauth
  • Formatting changes

@rwinch rwinch closed this Sep 22, 2016

rwinch added a commit that referenced this pull request Sep 23, 2016
