Hi, Chris,
Yes, you are correct: a client (such as a web browser or a command-line
Subversion client) has to implement redirection in order to be used with
cosign.
But, redirection alone is not enough. The client also has to be able to
handle cookies. And keep in mind that unless you took the cookies from
a running web browser where the user already authenticated via cosign,
the client will be redirected to the central weblogin server which will
provide a login page for the user to provide their user name and
password on. So the client should support HTML forms and the HTTP POST
method, and should also provide some way to display content and get a
username and password from a user.
In other words, for a client to use cosign, it has to meet many of the
basic feature requirements for a web browser.
These requirements are not unique to cosign -- Shibboleth, PubCookie,
and other systems also share these same requirements.
If you want to implement "single sign on" authentication for a command
line client that does not implement redirection, cookies, user input,
etc., then I suggest either Kerberos plus SPNEGO over HTTP, or,
alternatively, X.509 client certificates (PKI). cosign has at least
basic support for both SPNEGO and X.509 -- if the client has a Kerberos
ticket or X.509 certificate which satisfies the factor requirements of
the cosign-protected service, the central cosign weblogin server will
accept them and the user will not be prompted for their username and
password. (However, the University of Michigan does not currently have
SPNEGO or X.509 enabled on its production weblogin servers; contact
[EMAIL PROTECTED] if you have a need for them).
I have no idea if the Subversion command line client supports either
SPNEGO or X.509, but, if it did not, you could always add support for
them and submit patches back to the Subversion project.
I hope this helps. And, hopefully, other people will also chime in with
their ideas and suggestions.
Mark Montague
ITCS Web/Database Production Team
The University of Michigan
[EMAIL PROTECTED]
On Fri, Jul 11, 2008 12:35 PM, Chris Africa <[EMAIL PROTECTED]> wrote:
> I sent this question to the subversion user group and didn't receive
> any responses. I apologize if you are getting it twice.
>
> Is anyone using Cosign to authenticate Subversion repositories with
> Apache 2?
>
> I've been successful in getting the web site set up and viewable in a
> browser, but no one can connect to the Subversion server via https. We
> get 302 errors, which I believe from my investigations are related to
> the fact that the client doesn't know how to handle redirection.
> Removing the Cosign authentication directives eliminates the error.
>
> If someone else *has* done this successfully, maybe I just need to
> recheck my configurations.
>
> Thanks!
>
> --
> Chris Africa
> Web Project Manager
> Department of Mechanical Engineering
> University of Michigan
> 734-764-8482
> Fridays: 734-730-6221
> AIM/iChat/Skype ID: baiewola
>
> -------------------------------------------------------------------------
> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> Studies have shown that voting for your favorite open source project,
> along with a healthy diet, reduces your potential for chronic lameness
> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
> _______________________________________________
> Cosign-discuss mailing list
> Cosign-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>
>
>
-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
