Apache does not reckon tickets as valid


Maurix

May 5, 2014, 5:47:10 AM
to mod_auth_p...@googlegroups.com

Hello.

I set up a trial server to test mod_auth_pubtkt, because I wish to use it in a website to replace the current Shibboleth-based authentication.

So, I set up a server (it's a test, for now!) with two virtual hosts, temporarily on port 80. At the end of this message you can find the virtual hosts configuration.

When a browser connects to client1.myserver.com, it's correctly redirected to sso.myserver.com and it authenticates, but after authentication the browser is not redirected to client1.myserver.com.

Moreover, if the same browser opens client1.myserver.com again, it is redirected to sso.myserver.com, so it seems that authentication is requested every time (or is not reckoned as valid).

Can you please help me?

Thanks in advance.

   Maurix

PS Virtual hosts configuration follows:

<VirtualHost *:80>
    ServerName sso.myserver.com
    DocumentRoot /var/www/html/server
    LogLevel debug

    TKTAuthPublicKey /var/www/html/server/php-login/private/tkt_pubkey_dsa.pem

    <Directory />
        Order Allow,Deny
        Allow from all
        AuthType mod_auth_pubtkt
        TKTAuthDebug 3
        TKTAuthCookieName "auth_pubtkt"
        TKTAuthRequireSSL off
        TKTAuthToken "auth_pubtkt"
    </Directory>
</VirtualHost>


<VirtualHost *:80>
    ServerName client1.myserver.com
    DocumentRoot /var/www/html/client1
    LogLevel debug

    TKTAuthPublicKey /var/www/html/server/php-login/private/tkt_pubkey_dsa.pem

    <Directory /var/www/html/client1/private>
        Order Allow,Deny
        Allow from all

        AuthType mod_auth_pubtkt
        TKTAuthLoginURL http://sso.myserver.com/php-login/login.php
        TKTAuthTimeoutURL http://sso.myserver.com/php-login/login.php?timeout=1
        TKTAuthToken "auth_pubtkt"
        TKTAuthCookieName "auth_pubtkt"
        TKTAuthRequireSSL off
        TKTAuthDebug 3
        require valid-user
    </Directory>
</VirtualHost>

Alex Muntada

May 5, 2014, 7:16:32 AM
to mod_auth_p...@googlegroups.com
Maurix:

> When a browser connects to client1.myserver.com, it's correctly redirected
> to sso.myserver.com and it authenticates, but after authentication the
> browser is not redirected to client1.myserver.com.

I'm using my own login script, so I cannot tell about the one
you're using. Just check that the login page gets a URL param
"back" and that the login script sends a "Location" header with
the unescaped value of "back".

> Moreover, if the same browser opens client1.myserver.com again, it is
> redirected to sso.myserver.com, so it seems that authentication is
> requested every time (or is not reckoned as valid).

Make sure your auth_pubtkt cookie is valid with the script
attached, e.g.

$ perl check-auth-pubtkt-cookie.pl 'uid%3D...' pubkey.pem

You can get the cookie value on firefox following these steps:

* Control-I
* Security
* View Cookies
* Cookie name: auth_pubtkt
* Content: uid%3D...

Any browser plugin that helps you see the HTTP headers would be
very useful. But you can try also from the command line:

$ curl -H 'Cookie: auth_pubtkt="uid%3D..."' -I http://client1.myserver.com

Cheers,
Alex
check-auth-pubtkt-cookie.pl

Maurix

May 6, 2014, 12:28:59 PM
to mod_auth_p...@googlegroups.com
Thank you Alex.
Now cookies are OK, but I still have some problems.

Virtualhost "client1", as you can see in my previous post, contains a directory /private with authentication. Access to the root directory does not require authentication.

When a browser accesses the index.php document in the root directory, an iframe shows the login page provided by the SSO server. Users can authenticate on it, so they get a valid cookie. Index.php also provides links to pages located in the /private directory, with access restricted to authenticated users.

I supposed that access to pages in the /private directory should be possible for previously authenticated users. Instead, when an authenticated user clicks on a link to an access-restricted page, redirection to the SSO server occurs and authentication is requested again. Moreover, after authentication, the browser is not redirected to the "back" location; if the user tries to manually access the "back" address, his browser is redirected to the SSO server again.

Cheers,

     Maurix

Alex Muntada

May 6, 2014, 2:02:43 PM
to mod_auth_p...@googlegroups.com
Maurix:

> I supposed that access to pages in /private directory should be possible
> for previously authenticated users. Instead, when an authenticated user
> clicks on a link to an access restricted page, redirection to SSO server
> occurs and authentication is requested again. Moreover, after
> authentication, the browser is not redirected to the "back" location; if
> the user tries to manually access the "back" address, his browser is
> redirected to SSO server again.

When the Apache server redirects to SSO, it is because it could not
validate the cookie or no cookie was received at all. Can you
see anything regarding this in the Apache logs?

You should verify that you're using the right pubkey in apache,
that the cookie timeout has not expired and that the token that
apache requests is present on the cookie. Make sure also that
the client IP does not change if you're adding it to the cookie.

Cheers,
Alex
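The checks Alex lists above (ticket not expired, the token Apache is configured to require is present, client IP unchanged) can be reproduced offline without the Perl script. The following is an added example, not code from the thread or from the mod_auth_pubtkt project. It assumes the documented ticket layout, `uid=...;validuntil=...;cip=...;tokens=...;udata=...;sig=...`, URL-encoded into the cookie as in the `uid%3D...` value above; the sample cookie is constructed. The DSA/RSA signature itself is not verified here (that is what Apache does with TKTAuthPublicKey, and what the attached Perl script does), only its presence and the fields Apache checks before or alongside it.

```python
import time
from urllib.parse import unquote

# Constructed sample ticket (not a real signed cookie): what a browser
# would send in the auth_pubtkt cookie, URL-encoded like the thread's
# "uid%3D..." value. The sig field is a placeholder string.
SAMPLE_COOKIE = (
    "uid%3Dmaurix%3Bvaliduntil%3D1399300000%3Bcip%3D192.0.2.10"
    "%3Btokens%3Dauth_pubtkt%2Cstaff%3Budata%3D%3Bsig%3DPLACEHOLDER-SIG%3D"
)


def parse_ticket(cookie_value):
    """Split a mod_auth_pubtkt ticket into its fields.

    The signature covers everything before ';sig=', so that prefix is
    kept under '_signed' for whoever runs the public-key check.
    Surrounding double quotes (as in the curl example) are stripped.
    """
    raw = unquote(cookie_value.strip().strip('"'))
    if ";sig=" not in raw:
        raise ValueError("ticket has no sig field")
    signed_part, sig = raw.rsplit(";sig=", 1)
    fields = {}
    for item in signed_part.split(";"):
        key, _, value = item.partition("=")
        fields[key] = value
    fields["sig"] = sig
    fields["_signed"] = signed_part
    return fields


def check_ticket(fields, required_token, client_ip=None, now=None):
    """Return the reasons Apache would reject the ticket (empty list == OK).

    required_token: the TKTAuthToken value from the Directory block.
    client_ip:      the address the request arrives from; only compared
                    when the ticket carries a 'cip' field.
    now:            unix time to evaluate against (default: current time).
    """
    problems = []
    now = int(time.time()) if now is None else int(now)

    # 1. Timeout: validuntil is a unix timestamp; past it the ticket is dead.
    try:
        valid_until = int(fields.get("validuntil", "0"))
    except ValueError:
        valid_until = 0
    if valid_until <= now:
        problems.append("expired")

    # 2. Token: Apache requires TKTAuthToken to appear in the ticket's
    #    comma-separated tokens list.
    tokens = [t for t in fields.get("tokens", "").split(",") if t]
    if required_token and required_token not in tokens:
        problems.append("missing-token")

    # 3. Client IP: if the login script bound the ticket to an IP (cip),
    #    a request from another address is rejected.
    if fields.get("cip") and client_ip is not None and fields["cip"] != client_ip:
        problems.append("ip-mismatch")

    # 4. Signature presence (the actual DSA/RSA verification is Apache's job).
    if not fields.get("sig"):
        problems.append("missing-sig")

    return problems


if __name__ == "__main__":
    ticket = parse_ticket(SAMPLE_COOKIE)
    print("fields:", {k: v for k, v in ticket.items() if k != "_signed"})
    print("ok   :", check_ticket(ticket, "auth_pubtkt", "192.0.2.10", now=1399290000))
    print("stale:", check_ticket(ticket, "auth_pubtkt", "192.0.2.10", now=1399400000))
```

Run it against the real cookie value from the browser (pass it in place of SAMPLE_COOKIE) with the TKTAuthToken from your own config; an empty list means the only remaining explanation for a redirect is a signature that does not verify under the configured public key, which the attached Perl script can confirm.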

Maurix

May 8, 2014, 3:51:04 AM
to mod_auth_p...@googlegroups.com
Thanks, Alex.
Now it seems to work.

Cheers,

    Maurix