cosign wiki:CosignFilter
From cosign wiki
m (→Query String - (protocol "front side")) |
m |
||
| (3 intermediate revisions not shown.) | |||
| Line 1: | Line 1: | ||
= Cosign Filter = | = Cosign Filter = | ||
| - | The filter resides on an application server and is not part of the centralized Cosign infrastructure. The filter is responsible for determining which areas of a web site are protected by cosign and which are not. If a user attempts to access a protected area, the filter | + | The filter resides on an application server and is not part of the centralized Cosign infrastructure. The filter is responsible for determining which areas of a web site are protected by cosign and which are not. If a user attempts to access a protected area, the filter ensures the user is authenticated and obtains their username, authentication realm, IP address, and optionally, a Kerberos ticket, and passes that information along to all protected applications. This information can then be used by other authorization mechanisms to make further access decisions. |
The most commonly used implementation of the filter is an Apache module that is called in the “check access” and “user authentication” phases of the request/response loop; filters for the Microsoft IIS and Java servlet environments are also available and are integrated similarly. | The most commonly used implementation of the filter is an Apache module that is called in the “check access” and “user authentication” phases of the request/response loop; filters for the Microsoft IIS and Java servlet environments are also available and are integrated similarly. | ||
| - | For an extremely in depth description of the filter architecture, see [http://weblogin.org/filter.html Cosign Authentication Filter]. | + | For an extremely in-depth description of the filter architecture, see [http://weblogin.org/filter.html Cosign Authentication Filter]. |
== Query String - (protocol "front side") == | == Query String - (protocol "front side") == | ||
| Line 11: | Line 11: | ||
'''Filter''' | '''Filter''' | ||
| - | The information sent to the CGI on the query string consists of: | + | |
| - | - the registration URL, as specified by the filter's configuration | + | The information sent to the CGI on the query string consists of:<br/> |
| - | - a question mark denoting the start of the query string data | + | - the registration URL, as specified by the filter's configuration<br/> |
| - | - the list of required factors (if any are configured) | + | - a question mark denoting the start of the query string data<br/> |
| - | - the user's service cookie | + | - the list of required factors (if any are configured)<br/> |
| - | - | + | - the user's service cookie, and<br/> |
| + | - the URL to redirect the browser back to once a <tt>REGISTER</tt> (see [[Cosign_Wiki:CosignDaemons#REGISTER|Cosign Daemon Protocol: REGISTER]]) has been successfully completed. | ||
| + | |||
| + | This information takes the following format:<br/> | ||
<tt>''register-url?''[['''factors='''''factor1''[,''factor2'']...'''&''']''service''=''cookie''[;]&''referring-url''</tt> | <tt>''register-url?''[['''factors='''''factor1''[,''factor2'']...'''&''']''service''=''cookie''[;]&''referring-url''</tt> | ||
| Line 25: | Line 28: | ||
'''CGI''' | '''CGI''' | ||
| - | The CGI can pass to itself an additional argument on the query string beyond what it receives from the filter. The keyword | + | |
| + | The CGI can pass to itself an additional argument on the query string beyond what it receives from the filter. The keyword <tt>basic</tt> can optionally be passed from the CGI to itself to ensure that cookies are enabled in the browser. Additionally, <tt>basic</tt> means that the CGI is operating in a BasicAuth-compatible mode, and that the <tt>REMOTE_USER</tt> environment variable is set. | ||
This information takes the following format:<br/> | This information takes the following format:<br/> | ||
| Line 32: | Line 36: | ||
For example:<br/> | For example:<br/> | ||
<tt>http://weblogin.example.edu/cosign-bin/cosign.cgi?basic&factors=EXAMPLE.EDU&cosign-example=sdfl54kjylk45jy..ert&https://cosign.example.edu/start.html</tt> | <tt>http://weblogin.example.edu/cosign-bin/cosign.cgi?basic&factors=EXAMPLE.EDU&cosign-example=sdfl54kjylk45jy..ert&https://cosign.example.edu/start.html</tt> | ||
| + | |||
| + | == More information: == | ||
| + | |||
| + | [[Cosign_Wiki:SSO_Scheme|SSO Overview]] | ||
| + | |||
| + | [[Cosign_Wiki:CosignCookies|Cookies]] | ||
| + | |||
| + | [[Cosign_Wiki:CosignCGIs|CGIs]] | ||
| + | |||
| + | [[Cosign_Wiki:CosignDaemons|Daemons]] | ||
--[[User:Jd@bnl.gov|John]] 16:28, 14 November 2006 (EST) | --[[User:Jd@bnl.gov|John]] 16:28, 14 November 2006 (EST) | ||
Current revision
[edit] Cosign Filter
The filter resides on an application server and is not part of the centralized Cosign infrastructure. The filter is responsible for determining which areas of a web site are protected by cosign and which are not. If a user attempts to access a protected area, the filter ensures the user is authenticated and obtains their username, authentication realm, IP address, and optionally, a Kerberos ticket, and passes that information along to all protected applications. This information can then be used by other authorization mechanisms to make further access decisions.
The most commonly used implementation of the filter is an Apache module that is called in the “check access” and “user authentication” phases of the request/response loop; filters for the Microsoft IIS and Java servlet environments are also available and are integrated similarly.
For an extremely in-depth description of the filter architecture, see Cosign Authentication Filter.
[edit] Query String - (protocol "front side")
The query string is used to pass information between the filter and the CGI, and by the CGI to pass information to itself. The following describes the query string of the user's browser as it is redirected, and not a separate server-to-server query.
Filter
The information sent to the CGI on the query string consists of:
- the registration URL, as specified by the filter's configuration
- a question mark denoting the start of the query string data
- the list of required factors (if any are configured)
- the user's service cookie, and
- the URL to redirect the browser back to once a REGISTER (see Cosign Daemon Protocol: REGISTER) has been successfully completed.
This information takes the following format:
register-url?[[factors=factor1[,factor2]...&]service=cookie[;]&referring-url
The service cookie is followed by an optional, and deprecated, semi-colon.
CGI
The CGI can pass to itself an additional argument on the query string beyond what it receives from the filter. The keyword basic can optionally be passed from the CGI to itself to ensure that cookies are enabled in the browser. Additionally, basic means that the CGI is operating in a BasicAuth-compatible mode, and that the REMOTE_USER environment variable is set.
This information takes the following format:
register-url?[basic&][factors=factor1[,factor2]...&]service=cookie[;]&referring-url
[edit] More information:
--John 16:28, 14 November 2006 (EST)
