Hey, all! tl;dr: When running koha under plack and using shibboleth authentication, what is the currently-recommended way to communicate auth details from mod_shib to koha?
Long version: I'm in the process of converting our Koha installation from running under vanilla CGI to using plack/starman. This was simple enough from the perspsctive of straight-up library functionality, but we're using shibboleth to authenticate against the campus IDP, and that has raised a few issues. We've already found https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17776 in the bug tracker and I have successfully adapted the patch tou our customized C4::Auth/C4::Auth_with_shibboleth and logged in via shibboleth, but (as noted in the bug tracker discussion) this uses HTTP headers to communicate the authentication details to the back-end application. In order to avoid possible vulnerabilities resulting from the use of HTTP headers, I went to the shibboleth documentation at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking [1] and, in the section for Apache, found the assertion that: "Under no circumstances should you rely on the request header option other than as a temporary measure while adjusting applications to use the environment option. There are no known scenarios in which environment variables can't be used" Is there a way to use environment variables in a plack+shibboleth installation? The docs assert that it should be possible (as there are "no known scenarios" where it isn't), but that would imply that one process (apache) is able to modify the environment of another, already- running, independent non-child process (starman) running under a different uid/gid, which should not generally be possible - and, even if it is possible, it would require apache to run as root, which would create major security risks of its own. The bug tracker discussion includes a brief mention of possibly using a plack middleware to change the worker process envoronment, but that seems like it would just push the issue back a level from "how do I talk to starman without using http headers" to "how do I talk to the middleware without using http headers" without actually solving the core issue. Is it actually possible to use environment variables in this scenario? If not, what's the best practice to secure it against http header spoofing? [1] The SHIB2 documentation states that it's no longer supported, but we're using an sp2 shibd and, in any case, the same text appears verbatim on the equivalent SP3 page. -- Dave Sherohman _______________________________________________ Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz https://lists.katipo.co.nz/mailman/listinfo/koha