cosign wiki:CosignFilter

From cosign wiki

Revision as of 09:27, 16 November 2006 by Jd@bnl.gov (Talk | contribs)

Cosign Filter

The filter resides on the application's web server and is not part of the centralized Cosign infrastructure. It determines which areas of a web site are protected by cosign and which are not. When a user attempts to access a protected area, the filter ensures the user is authenticated, obtains their username, authentication realm, IP address and, optionally, a Kerberos ticket, and passes that information to every protected application. Those applications, or other authorization mechanisms, can then use it to make further access decisions.

The most commonly used implementation of the filter is an Apache module that runs in the "check access" and "user authentication" phases of the request/response loop; filters for Microsoft IIS and Java servlet environments are also available and are integrated in the same way.

For an extremely in-depth description of the filter architecture, see Cosign Authentication Filter.

Query String - (protocol "front side")

The query string is used to pass information from the filter to the CGI, and by the CGI to pass information to itself. The following describes the query string of the URL the user's browser is redirected to; it is not a separate server-to-server exchange.

Filter

The information sent to the CGI on the query string consists of:
- the registration URL, as specified in the filter's configuration
- a question mark denoting the start of the query string data
- the list of required factors (if any are configured)
- the user's service cookie (name and value), and
- the URL to redirect the browser back to once a REGISTER (see Cosign Daemon Protocol: REGISTER) has completed successfully.

This information takes the following format (square brackets mark optional parts; everything after the service cookie's "&" is the referring URL, taken verbatim):
register-url?[factors=factor1[,factor2]...&]service=cookie[;]&referring-url

For example:
http://register.example.edu/cosign-bin/cosign.cgi?factors=ldap&cosign-example=sdfl54kjylk45jy..ert&https://cosign.example.edu/start.html

The service cookie may be followed by a semicolon; this is optional and deprecated, and a parser must still accept it.

CGI

The CGI can pass itself one additional argument on the query string beyond what it receives from the filter: the keyword basic. It is used to check that cookies are enabled in the browser, and it also indicates that the CGI is operating in a BasicAuth-compatible mode, in which the REMOTE_USER environment variable is set.

This information takes the following format:
register-url?[basic&][factors=factor1[,factor2]...&]service=cookie[;]&referring-url

For example:
http://weblogin.example.edu/cosign-bin/cosign.cgi?basic&factors=EXAMPLE.EDU&cosign-example=sdfl54kjylk45jy..ert&https://cosign.example.edu/start.html
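The grammar above (both the filter-to-CGI form and the CGI-to-itself form with the leading basic keyword) is small enough to parse exactly. The following is an added example written for this page, not code from the cosign project: a builder and a parser for the front-side query string. It treats everything after the service cookie's "&" as the referring URL verbatim, so a referring URL that itself contains "?" or "&" survives, tolerates the deprecated trailing semicolon on the cookie, and, as an extra sanity check this example adds (the page does not specify one), rejects referring URLs whose scheme is not http or https. The sample URLs are the two examples from this page plus one constructed for the semicolon case.

```python
"""Builder and parser for the cosign "front side" query string.

Added example, not cosign project code. Format, as described on the page:

    register-url?[basic&][factors=factor1[,factor2]...&]service=cookie[;]&referring-url
"""
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class FrontSideRequest:
    register_url: str            # the CGI URL from the filter's configuration
    service: str                 # service cookie name, e.g. cosign-example
    cookie: str                  # service cookie value (without the deprecated ';')
    referring_url: str           # where the browser goes after a successful REGISTER
    factors: List[str] = field(default_factory=list)   # required factors, if any
    basic: bool = False          # CGI-to-itself BasicAuth-compatible mode marker


def build_query_string(req: FrontSideRequest) -> str:
    """Serialise a request in the page's format (never emits the deprecated ';')."""
    parts = []
    if req.basic:
        parts.append("basic")
    if req.factors:
        parts.append("factors=" + ",".join(req.factors))
    parts.append(f"{req.service}={req.cookie}")
    parts.append(req.referring_url)          # appended verbatim, as the page shows
    return req.register_url + "?" + "&".join(parts)


def parse_query_string(url: str) -> FrontSideRequest:
    """Parse a redirect URL. Raises ValueError on anything outside the grammar."""
    register_url, sep, rest = url.partition("?")
    if not sep or not register_url:
        raise ValueError("no '?' separating register-url from query data")

    # Optional CGI-to-itself marker; it is always first when present.
    basic = False
    if rest.startswith("basic&"):
        basic = True
        rest = rest[len("basic&"):]

    # Optional comma-separated factor list, terminated by '&'.
    factors: List[str] = []
    if rest.startswith("factors="):
        spec, sep, rest = rest.partition("&")
        if not sep:
            raise ValueError("factors given but no service cookie follows")
        factors = [f for f in spec[len("factors="):].split(",") if f]
        if not factors:
            raise ValueError("empty factors list")

    # service=cookie[;] up to the next '&'; the remainder is the referring URL.
    service_part, sep, referring_url = rest.partition("&")
    if not sep:
        raise ValueError("no referring-url after the service cookie")
    service, eq, cookie = service_part.partition("=")
    if cookie.endswith(";"):                 # deprecated trailing semicolon
        cookie = cookie[:-1]
    if not eq or not service or not cookie:
        raise ValueError(f"malformed service cookie: {service_part!r}")

    # Assumption added by this example: only http(s) redirect targets are sane.
    if urlsplit(referring_url).scheme not in ("http", "https"):
        raise ValueError(f"unexpected referring-url scheme: {referring_url!r}")

    return FrontSideRequest(register_url, service, cookie, referring_url, factors, basic)


# The two example URLs from this page, plus one constructed to exercise the
# deprecated semicolon and a referring URL that itself carries a query string.
FILTER_EXAMPLE = ("http://register.example.edu/cosign-bin/cosign.cgi"
                  "?factors=ldap&cosign-example=sdfl54kjylk45jy..ert"
                  "&https://cosign.example.edu/start.html")
CGI_EXAMPLE = ("http://weblogin.example.edu/cosign-bin/cosign.cgi"
               "?basic&factors=EXAMPLE.EDU&cosign-example=sdfl54kjylk45jy..ert"
               "&https://cosign.example.edu/start.html")
SEMICOLON_EXAMPLE = ("http://register.example.edu/cosign-bin/cosign.cgi"
                     "?cosign-example=abc123;&https://app.example.edu/x?a=1&b=2")

if __name__ == "__main__":
    for u in (FILTER_EXAMPLE, CGI_EXAMPLE, SEMICOLON_EXAMPLE):
        print(parse_query_string(u))
```

The parser deliberately does not split on "&" with a generic query-string library: the referring URL is not a key/value pair, and a library parser would tear it apart at the first "&" it contains.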

More information:

SSO Overview

Cookies

CGIs

Daemons


--John 16:28, 14 November 2006 (EST)
