Re: Single login/sign-on for different web apps?

2002-01-17 Thread Mark Fowler

On Wed, 16 Jan 2002, Mark Maunder wrote:

> The only way I could come up with, was to have the browser redirected
> to every domain name with an encrypted uri variable to prove it is
> signed on which causes each host included in the single sign on to
> assign an auth cookie to the browser.

Instead of redirecting the entire page you could just include images
(the typical 1x1 pixel) from each server on the "You've been logged on"
page and have each of them set a cookie for that domain name.

For this to work with modern browsers (i.e. IE6 and properly configured
mozillas) you'll need to include a compact policy in your P3P header[1],
otherwise the browser will consider this an unauthorised attempt to serve
a third party image and block the cookie.

Later.

Mark.

[1] See http://www.w3c.org/p3p/, 
http://2shortplanks.com/temp/P3P-ToCP-0.02.tar.gz for more information

-- 
s''  Mark Fowler London.pm   Bath.pm
 http://www.twoshortplanks.com/  [EMAIL PROTECTED]
';use Term'Cap;$t=Tgetent Term'Cap{};print$t-Tputs(cl);for$w(split/  +/
){for(0..30){$|=print$t-Tgoto(cm,$_,$y). $w;select$k,$k,$k,.03}$y+=2}




Re[2]: Single login/sign-on for different web apps?

2002-01-17 Thread C.Hauser - IT assistance GmbH

>> Of course, the best authentication system for banking I've seen is
>> from UBS.  They send you a scratchlist of around 100 numbers.  Every
>> time you login you use one of the numbers and cross it off.  Very
>> slick.
>
> Does that really work in practice? That sounds really annoying. Is this for
> business banking or for retail? How do they get the next 100 numbers to the
> user? Do they mail it out when they've used 90?

It works, as I'm a customer of UBS. They do it for everybody, business and
private. They send the scratchlist by post, even registered.

When you reach the 80th number, a new list will be automatically sent.


BR Christian




Re: Single login/sign-on for different web apps?

2002-01-17 Thread Dominique Quatravaux

> I hadn't really taken a look at personal certificates until this thread
> came up.  It looks like thawte is offering personal certificates at no
> charge.
>
> http://www.thawte.com/getinfo/products/personal/contents.html

  Yep, and the society I work in develops a GPLed PKI, which is a
Perl+PHP+LDAP app for rolling your own certificates (both user and
server):

   http://idx-pki.idealx.com/

  Certificates are indeed a straightforward way of getting SSO - but
you have to carry your certificate with you whenever you change
workstations. Here are reasonable solutions (trading security for
convenience):
  * most secure: use USB crypto tokens (slow and extra per-user price,
but will safeguard the private key and destroy it upon attack);
  * very secure: use dedicated workstations, one per user
   (impractical), or laptops (expensive but may be amortized with
   other needs); 
  * not so secure (equivalent of password SSO): carry the key on a
floppy, and keep it password-encrypted at all times.

  On the server side, you have to get your Apache to grok certificates
(easy with recent versions of openssl), and the authentication info
then gets passed down to PHP and Perl scripts as environment variables
(OK, this guy is called CN=John Doe, OU=sales, O=yourcompany - trust
me on this). You have to patch your apps, sure, but all the burden of
binding a bunch of crypto bits to a name is removed from you in a
highly secure fashion.

-- 
 Tout n'y est pas parfait, mais on y honore certainement les jardiniers 

Dominique Quatravaux [EMAIL PROTECTED]
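
The trust decision a script has to make on those environment variables, as an added example (not code from this thread or from IDX-PKI). It assumes Apache mod_ssl with SSLOptions +StdEnvVars; $TRUSTED_ISSUER, $REQUIRED_ORG, client_identity() and the sample environments are hypothetical names and constructed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: DN of the in-house CA, written exactly as your server emits it
# in SSL_CLIENT_I_DN (the string format differs between Apache versions).
my $TRUSTED_ISSUER = 'CN=Example Internal CA,O=yourcompany';
my $REQUIRED_ORG   = 'yourcompany';

# Returns { cn => ..., ou => ... } for an acceptable client, undef otherwise.
sub client_identity {
    my ($env) = @_;

    # SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:reason.
    # Only SUCCESS means the chain validated against the configured CAs.
    return undef unless ($env->{SSL_CLIENT_VERIFY} // '') eq 'SUCCESS';

    # The server may trust several CAs (for instance a public one handing
    # out free personal certificates), so pin the issuer the app expects.
    return undef unless ($env->{SSL_CLIENT_I_DN} // '') eq $TRUSTED_ISSUER;

    # Read the per-attribute variables instead of parsing SSL_CLIENT_S_DN.
    my $cn = $env->{SSL_CLIENT_S_DN_CN} // '';
    my $o  = $env->{SSL_CLIENT_S_DN_O}  // '';
    return undef unless length($cn) && $o eq $REQUIRED_ORG;

    return { cn => $cn, ou => $env->{SSL_CLIENT_S_DN_OU} // '' };
}

# Constructed sample environments, as a CGI would see them in %ENV.
my %john = (
    SSL_CLIENT_S_DN_CN => 'John Doe',
    SSL_CLIENT_S_DN_OU => 'sales',
    SSL_CLIENT_S_DN_O  => 'yourcompany',
);
my @samples = (
    [ 'in-house cert, verified' =>
        { %john, SSL_CLIENT_VERIFY => 'SUCCESS', SSL_CLIENT_I_DN => $TRUSTED_ISSUER } ],
    [ 'same name, other CA' =>
        { %john, SSL_CLIENT_VERIFY => 'SUCCESS', SSL_CLIENT_I_DN => 'CN=Some Public CA,O=Other' } ],
    [ 'chain not verified' =>
        { %john, SSL_CLIENT_VERIFY => 'GENEROUS', SSL_CLIENT_I_DN => $TRUSTED_ISSUER } ],
    [ 'no certificate sent' => { SSL_CLIENT_VERIFY => 'NONE' } ],
);

for my $s (@samples) {
    my ($label, $env) = @$s;
    my $id = client_identity($env);
    printf "%-24s => %s\n", $label,
        $id ? "accept $id->{cn} ($id->{ou})" : 'reject';
}
```

Only the first sample is accepted; the second shows why the subject name alone is not an identity when the server trusts more than one CA.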



Re: Single login/sign-on for different web apps?

2002-01-17 Thread Robert Landrum

At 9:06 PM + 1/16/02, Mark Maunder wrote:
> That's cool, but any ideas on how to do this with different domain names i.e.
> foo.com, bar.com, baz.com and boo.com? You can't create cookies for the .com
> domain, so there's no way to hand out auth cookies from foo.com (when the user
> logs into foo.com) and have the browser send them to bar.com too. Also foo.com
> can't hand out cookies for bar.com, so you can't implement a single sign on
> using cookies for multiple domain names from the same host.
>
> The only way I could come up with, was to have the browser redirected to every
> domain name with an encrypted uri variable to prove it is signed on which causes
> each host included in the single sign on to assign an auth cookie to the
> browser.
>
> So the browser is logged into foo.com, bar.com baz.com and boo.com by logging
> into foo.com which assigns a cookie and  redirects to bar.com which assigns a
> cookie and redirects it to baz.com which assigns a cookie and redirects it to
> boo.com which assigns a cookie and redirects it back to foo.com. It has now
> collected all cookies required for signon to all domain names and is logged into
> all of them.

That's not terribly efficient for the user.  If I were to do this, 
I'd probably put some "You are now logged in" page that loads images 
from foo.com, bar.com, baz.com, and boo.com (transparent single pixel 
gifs would work).

Now the user is logged in to all those servers (provided that the 
gifs returned were returned with Set-Cookie headers).

The same thing can be done with authentication.  Most browsers allow 
you to write urls as
http://user:[EMAIL PROTECTED]/images/spacer.gif

It's not pretty, and not super secure, but it does work.

Rob



--
When I used a Mac, they laughed because I had no command prompt. When 
I used Linux, they laughed because I had no GUI.  
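
The "uri variable to prove it is signed on" that the messages above pass to each host, whether by redirect or by image request, as an added example (not code from this thread). It swaps the "encrypted" value for an HMAC-signed token, since what the receiving host needs is proof of origin; it is bound to one host, short-lived and single-use because URLs end up in logs. The shared key, function names and clock values are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Constructed demo secret shared by the participating hosts (assumption).
my $KEY    = 'constructed-demo-secret-not-for-production';
my $serial = 0;

# Login host (foo.com in the thread): token for one user and one target host.
sub make_token {
    my ($user, $audience, $now, $ttl) = @_;
    die "bad user name\n" if $user =~ /\|/;
    my $nonce = join '-', $now, $$, ++$serial;   # uniqueness only; the MAC is the proof
    my $body  = encode_base64url(join '|', $user, $audience, $now + $ttl, $nonce);
    return $body . '.' . hmac_sha256_hex($body, $KEY);
}

# Constant-time comparison so the MAC check gives no timing signal.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Target host (bar.com etc.): returns the user name, or undef to refuse.
# On success the host would set its own auth cookie for its own domain.
sub verify_token {
    my ($token, $self_host, $now, $seen) = @_;
    my ($body, $mac) = split /\./, ($token // ''), 2;
    return undef unless defined $mac && ct_eq($mac, hmac_sha256_hex($body, $KEY));
    my ($user, $aud, $exp, $nonce) = split /\|/, decode_base64url($body), 4;
    return undef unless defined $nonce && $exp =~ /^\d+$/;
    return undef if $aud ne $self_host;   # minted for a different host
    return undef if $now > $exp;          # too old
    return undef if $seen->{$nonce}++;    # already redeemed once
    return $user;
}

my %seen;                                 # per-host store of redeemed nonces
my $t   = 1011225600;                     # constructed clock value
my $tok = make_token('jdoe', 'bar.com', $t, 60);
my @checks = (
    [ 'bar.com, first use'  => verify_token($tok, 'bar.com', $t + 5,  \%seen) ],
    [ 'bar.com, replayed'   => verify_token($tok, 'bar.com', $t + 6,  \%seen) ],
    [ 'baz.com, wrong host' => verify_token($tok, 'baz.com', $t + 5,  {}) ],
    [ 'bar.com, expired'    => verify_token($tok, 'bar.com', $t + 61, {}) ],
    [ 'tampered token'      => verify_token('x' . $tok, 'bar.com', $t + 5, {}) ],
);
printf "%-20s => %s\n", $_->[0], $_->[1] // 'refused' for @checks;
```

Only the first check returns jdoe; the replayed, wrong-host, expired and tampered tokens are all refused.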



mod_deflate problem with chunked encoding

2002-01-17 Thread Philip Mak

The following webpage on a mod_deflate enabled server is not working
correctly in some browsers:

http://www.aaanime.net/pmak/sylphiel/

If I telnet www.aaanime.net 80 and send the following commands:

GET /pmak/sylphiel/ HTTP/1.1
Host: www.aaanime.net
Accept-Encoding: gzip

then the data it sends back is partially gzip, and partially plain
text! It is sent with Transfer-Encoding: chunked and the first 1 or
2 chunks are gzipped, but the rest are not.

The source code for the page is an .shtml file. Inside that .shtml
file, I have the directive <!--#exec cgi="navbar.cgi"-->. Everything
until after that directive is gzipped, then the rest of it is not.

navbar.cgi is a simple perl script that does:
print "Content-type: text/html\n\n";

followed by a few more print statements.

Any idea how to fix this problem? Do I need to provide any additional
information in particular? Thanks.



Re: mod_deflate problem with chunked encoding

2002-01-17 Thread Geoffrey Young



Philip Mak wrote:

> The following webpage on a mod_deflate enabled server is not working
> correctly in some browsers:


[OT stuff snipped]


did you email the right list?

I'm not sure why mod_deflate and mod_accel problems keep popping up here 
of late, but maybe there's some mis-information floating around 
somewhere in the docs on these two modules?

not that this list is opposed to OT but interesting discussion from time 
to time :)

--Geoff





Re: mod_deflate problem with chunked encoding

2002-01-17 Thread Geoffrey Young



Philip Mak wrote:

> On Thu, Jan 17, 2002 at 07:38:17PM -0500, Geoffrey Young wrote:
>
>> Philip Mak wrote:
>>
>>> The following webpage on a mod_deflate enabled server is not working
>>> correctly in some browsers:
>>
>> [OT stuff snipped]
>> did you email the right list?
>
> I figured that the mod_perl mailing list was the best place to post
> about these problems, since mod_deflate/mod_accel doesn't have its own
> mailing list and there's a lot of people on this list who use it...


that's fine - you don't have to justify the post to me :)

a few of us have been wondering where all the traffic on these modules 
has been coming from, is all - I thought it might genuinely be some 
mis-documentation or something...

--Geoff





[OT] Trouble with dprofpp and Devel::DProf

2002-01-17 Thread Ged Haywood

Hi all,

Anyone using 5.7.0 had any trouble with dprofpp?

Devel::DProf writes tmon.out OK but dprofpp doesn't understand it.
The whole kit came with 5.7.0 in one source tarball.

I searched p5p with the Google and the perl.com engine and came up
with nothing.

73,
Ged.




Re: Apache::Session getting DESTROYed in wrong order

2002-01-17 Thread Ken Williams


On Friday, January 4, 2002, at 02:22 AM, Ken Williams wrote:
> For the sake of thread completion, here's a script which demonstrates 
> the bug.  It turns out to be a Perl bug (5.6.1, at least), not an 
> Apache::Session bug.  I'll post to p5p after I post here.

I was surprised to find the "it's not a bug, it's a feature" defense on 
p5p.  So here's an update.  The following is either a workaround, or the 
proper fix, depending on what you think Perl's proper behavior should 
be. ;-)

{
   local *session;
   tie %session, 'Apache::Session::MySQL', ...;
...
}


The "local *session;" is the important bit.  It doesn't work to do
"local %session;", because %session will still be tied even after it 
goes out of scope, and thus the hash data will never get written to 
storage.

In a Mason context, which is where I'm using it, I do this in my 
top-level autohandler (ignore the main:: subroutines, they're just for 
pedagogy):


<%init>
  # 'local' so it's available to lower-level components
  local *session;

  my $dbh = ::get_dbh;
  my $session_id = ::get_cookie('_session_id');
  tie %session, 'Apache::Session::MySQL', $session_id,
      {Handle => $dbh, LockHandle => $dbh};
  ...
</%init>


  -Ken




Re: Apache::Session getting DESTROYed in wrong order

2002-01-17 Thread Perrin Harkins

> In a Mason context, which is where I'm using it, I do this in my
> top-level autohandler (ignore the main:: subroutines, they're just for
> pedagogy):
>
>
> <%init>
>   # 'local' so it's available to lower-level components
>   local *session;
>
>   my $dbh = ::get_dbh;
>   my $session_id = ::get_cookie('_session_id');
>   tie %session, 'Apache::Session::MySQL', $session_id,
>       {Handle => $dbh, LockHandle => $dbh};
>   ...
> </%init>

Geez, that's awfully confusing to look at (local and typeglobs is not a
newbie-friendly combo).  Isn't there a simpler way?  What about putting
it in pnotes?
- Perrin




Re: Apache::Session getting DESTROYed in wrong order

2002-01-17 Thread Ken Williams


On Friday, January 18, 2002, at 12:44 AM, Perrin Harkins wrote:

>> In a Mason context, which is where I'm using it, I do this in my
>> top-level autohandler (ignore the main:: subroutines, they're just for
>> pedagogy):
>>
>>
>> <%init>
>>   # 'local' so it's available to lower-level components
>>   local *session;
>>
>>   my $dbh = ::get_dbh;
>>   my $session_id = ::get_cookie('_session_id');
>>   tie %session, 'Apache::Session::MySQL', $session_id,
>>       {Handle => $dbh, LockHandle => $dbh};
>>   ...
>> </%init>
>
> Geez, that's awfully confusing to look at (local and typeglobs is not a
> newbie-friendly combo).  Isn't there a simpler way?  What about putting
> it in pnotes?

I don't think there's a simpler way.  Putting it in pnotes means that 
all other components will also have to use $r->pnotes('session'), rather 
than just using %session.

Perhaps local(*session) is better than local *session?  It at least 
looks less like a pointer to local.  ;-)

  -Ken




Re: mod_deflate problem with chunked encoding

2002-01-17 Thread Igor Sysoev

On Thu, 17 Jan 2002, Geoffrey Young wrote:

> Philip Mak wrote:
>
>> On Thu, Jan 17, 2002 at 07:38:17PM -0500, Geoffrey Young wrote:
>>
>>> Philip Mak wrote:
>>>
>>>> The following webpage on a mod_deflate enabled server is not working
>>>> correctly in some browsers:
>>>
>>> [OT stuff snipped]
>>> did you email the right list?
>>
>> I figured that the mod_perl mailing list was the best place to post
>> about these problems, since mod_deflate/mod_accel doesn't have its own
>> mailing list and there's a lot of people on this list who use it...

If you have a mod_accel/mod_deflate problem, feel free to contact me directly.

Igor Sysoev




Re: mod_deflate problem with chunked encoding

2002-01-17 Thread Igor Sysoev

On Thu, 17 Jan 2002, Philip Mak wrote:

> The following webpage on a mod_deflate enabled server is not working
> correctly in some browsers:
>
> http://www.aaanime.net/pmak/sylphiel/
>
> If I telnet www.aaanime.net 80 and send the following commands:
>
> GET /pmak/sylphiel/ HTTP/1.1
> Host: www.aaanime.net
> Accept-Encoding: gzip
>
> then the data it sends back is partially gzip, and partially plain
> text! It is sent with Transfer-Encoding: chunked and the first 1 or
> 2 chunks are gzipped, but the rest are not.
>
> The source code for the page is an .shtml file. Inside that .shtml
> file, I have the directive <!--#exec cgi="navbar.cgi"-->. Everything
> until after that directive is gzipped, then the rest of it is not.
>
> navbar.cgi is a simple perl script that does:
> print "Content-type: text/html\n\n";
>
> followed by a few more print statements.
>
> Any idea how to fix this problem? Do I need to provide any additional
> information in particular? Thanks.

The problem really exists. I suspect '<!--#exec' although '<!--#include'
works fine on our several sites. I'll try to repeat it in my local
environment.

Igor Sysoev




mod-perl with cygwin

2002-01-17 Thread ..

Hello modperl,

  Can anybody install mod_perl on cygwin ports?

-- 
Best regards,
 Заяц  mailto:[EMAIL PROTECTED]




ANNOUNCE: Log::Dispatch::Config 0.11_02

2002-01-17 Thread Tatsuhiko Miyagawa

http://bulknews.net/lib/archives/Log-Dispatch-Config-0.11_02.tar.gz

0.11_02 Fri Jan 18 05:08:22 JST 2002
* [API change]
  No check on config mtime by default
  New class method: configure_and_watch()
  (Thanks to Hiroyuki Oyama [EMAIL PROTECTED])
- Modified configurator API

This release is a beta release. If you have trouble with this API
change or something, please let me know ASAP.



--
Tatsuhiko Miyagawa [EMAIL PROTECTED]




cvs commit: modperl-2.0/src/modules/perl mod_perl.c

2002-01-17 Thread stas

stas        02/01/17 22:50:10

  Modified:    src/modules/perl mod_perl.c
  Log:
  - modperl_startup() already handles PerlModule/Require directives, so
  handle these separately only if modperl_startup() wasn't called, which is
  the case for vhosts which inherit the perl interpreter from the base.
  
  Revision  Changes    Path
  1.105     +8 -7      modperl-2.0/src/modules/perl/mod_perl.c
  
  Index: mod_perl.c
  ===
  RCS file: /home/cvs/modperl-2.0/src/modules/perl/mod_perl.c,v
  retrieving revision 1.104
  retrieving revision 1.105
  diff -u -r1.104 -r1.105
  --- mod_perl.c9 Jan 2002 00:31:39 -   1.104
  +++ mod_perl.c18 Jan 2002 06:50:10 -  1.105
  @@ -264,14 +264,15 @@
  created parent interpreter for VirtualHost %s\n,
  modperl_server_desc(s, p));
   }
  -
  -if (!modperl_config_apply_PerlModule(s, scfg, perl, p)) {
  -exit(1);
  -}
  -if (!modperl_config_apply_PerlRequire(s, scfg, perl, p)) {
  -exit(1);
  +else {
  +if (!modperl_config_apply_PerlModule(s, scfg, perl, p)) {
  +exit(1);
  +}
  +if (!modperl_config_apply_PerlRequire(s, scfg, perl, p)) {
  +exit(1);
  +}
   }
  -
  +
   #ifdef USE_ITHREADS
   
   if (!MpSrvENABLE(scfg)) {
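
Review bot: the new else branch around modperl_config_apply_PerlModule() and modperl_config_apply_PerlRequire() carries no comment saying why the calls are skipped on the other path; the reason (modperl_startup() already applies both directives) exists only in the commit log, so a one-line comment above the else would stop a later edit from hoisting the calls back out. Both failure paths also call exit(1) with no message in the visible lines; logging which directive failed before exiting would make a vhost startup failure diagnosable. The -/+ pair just before #ifdef USE_ITHREADS changes only whitespace and could be left out.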
  
  
  



cvs commit: modperl-2.0/t/response/TestDirective perlmodule.pm

2002-01-17 Thread stas

stas        02/01/17 22:52:01

  Added:       t/directive perlmodule.t
               t/response/TestDirective perlmodule.pm
  Log:
  - add a test to test handling of PerlModule/Require directives for vhosts
  which inherit the interpreter from the parent. this time use the
  PerlModule directive for testing.
  
  Revision  Changes    Path
  1.1  modperl-2.0/t/directive/perlmodule.t
  
  Index: perlmodule.t
  ===
  # this test tests PerlRequire configuration directive
  
  
  use strict;
  use warnings FATAL = 'all';
  
  use Apache::Test;
  use Apache::TestUtil;
  use Apache::TestRequest;
  
  my $module = 'TestDirective::perlmodule';
  
  plan tests = 1;
  
  Apache::TestRequest::module($module);
  
  my $config   = Apache::Test::config();
  my $hostport = Apache::TestRequest::hostport($config);
  t_debug(connecting to $hostport);
  
  ok t_cmp($module,
   GET_BODY(/TestDirective::perlmodule),
   testing PerlModule in $module);
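
Review bot: the header comment at the top of perlmodule.t says the test covers the PerlRequire configuration directive, while the file sets $module to TestDirective::perlmodule and the t_cmp message reads "testing PerlModule", so the comment looks carried over from the PerlRequire test; it should name PerlModule.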
  
  
  
  
  1.1  modperl-2.0/t/response/TestDirective/perlmodule.pm
  
  Index: perlmodule.pm
  ===
  package TestDirective::perlmodule;
  
  # This test is similar to TestDirective::perlrequire. Here we test
  # whether vhost inheriting the parent perl from the base can handle
  # PerlModule directives.
  
  use strict;
  use warnings FATAL = 'all';
  
  use Apache::Test ();
  use Apache::Const -compile = 'OK';
  use File::Spec::Functions qw(catfile);
  
  sub handler {
  my $r = shift;
  
  $r-content_type('text/plain');
  $r-puts($ApacheTest::PerlModuleTest::MAGIC || '');
  
  Apache::OK;
  }
  
  sub APACHE_TEST_CONFIGURE {
  my ($class, $self) = @_;
  
  my $vars = $self-{vars};
  my $target_dir = catfile $vars-{documentroot}, 'testdirective';
  
  my $magic = __PACKAGE__;
  my $content = EOF;
  package ApacheTest::PerlModuleTest;
  \$ApacheTest::PerlModuleTest::MAGIC = '$magic';
  1;
  EOF
  my $file = catfile $target_dir, 'perlmodule-vh', 'ApacheTest', 
'PerlModuleTest.pm';
  $self-writefile($file, $content, 1);
  }
  
  1;
  __END__
  Base
  PerlSwitches -Mlib=@documentroot@/testdirective/perlmodule-vh
  /Base
  
  VirtualHost TestDirective::perlmodule
  PerlModule ApacheTest::PerlModuleTest
  
  Location /TestDirective::perlmodule
  SetHandler modperl
  PerlResponseHandler TestDirective::perlmodule
  /Location
  
  /VirtualHost
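
Review bot: in APACHE_TEST_CONFIGURE, $target_dir is a directory but is built with catfile; File::Spec::Functions also provides catdir, which is the matching call for a directory path, so import it alongside catfile and keep catfile for the final PerlModuleTest.pm path. The handler prints an empty string when $ApacheTest::PerlModuleTest::MAGIC is unset, which is what lets the .t comparison fail when the vhost did not load the module; a short comment on that line would make the intent clear.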
  
  
  



cvs commit: modperl-2.0/t/response/TestDirective perlmodule.pm perlrequire.pm

2002-01-17 Thread stas

stas        02/01/17 22:57:32

  Modified:    t/response/TestDirective perlmodule.pm perlrequire.pm
  Log:
  - wrap long lines (> 80)
  
  Revision  Changes    Path
  1.2       +2 -1      modperl-2.0/t/response/TestDirective/perlmodule.pm
  
  Index: perlmodule.pm
  ===
  RCS file: /home/cvs/modperl-2.0/t/response/TestDirective/perlmodule.pm,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- perlmodule.pm 18 Jan 2002 06:52:01 -  1.1
  +++ perlmodule.pm 18 Jan 2002 06:57:32 -  1.2
  @@ -32,7 +32,8 @@
   \$ApacheTest::PerlModuleTest::MAGIC = '$magic';
   1;
   EOF
  -my $file = catfile $target_dir, 'perlmodule-vh', 'ApacheTest', 
'PerlModuleTest.pm';
  +my $file = catfile $target_dir,
  +'perlmodule-vh', 'ApacheTest', 'PerlModuleTest.pm';
   $self-writefile($file, $content, 1);
   }
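
Review bot: the wrapped catfile call now spans two lines without parentheses, so the trailing comma is the only cue that the second line belongs to the call; writing it as catfile($target_dir, 'perlmodule-vh', 'ApacheTest', 'PerlModuleTest.pm') with the break inside the parentheses makes the continuation explicit. The same applies to the matching wrap in perlrequire.pm.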
   
  
  
  
  1.5   +3 -1  modperl-2.0/t/response/TestDirective/perlrequire.pm
  
  Index: perlrequire.pm
  ===
  RCS file: /home/cvs/modperl-2.0/t/response/TestDirective/perlrequire.pm,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- perlrequire.pm18 Jan 2002 06:53:46 -  1.4
  +++ perlrequire.pm18 Jan 2002 06:57:32 -  1.5
  @@ -33,6 +33,7 @@
   
   my $vars = $self-{vars};
   my $target_dir = catfile $vars-{documentroot}, 'testdirective';
  +
   # create two different PerlRequireTest.pm packages to be loaded by
   # vh and main interpreters, on the fly before the tests start
   while (my($test, $magic) = each %require_tests) {
  @@ -41,7 +42,8 @@
   \$ApacheTest::PerlRequireTest::MAGIC = '$magic';
   1;
   EOF
  -my $file = catfile $target_dir, $test, 'ApacheTest', 'PerlRequireTest.pm';
  +my $file = catfile $target_dir,
  +$test, 'ApacheTest', 'PerlRequireTest.pm';
   $self-writefile($file, $content, 1);
   }
   }