Re: Shib SP, how to implement an access control plugin


Scott Koranda

Dec 8, 2011, 3:14:01 PM
to d...@shibboleth.net
> On 12/7/11 1:48 PM, "Scott Koranda" <skor...@gmail.com> wrote:
> >
> >I would like to better understand what is involved in
> >implementing an access control plugin. What is the best
> >approach?
>
> Unfortunately there are no documents on extending the SP because of the
> lack of interest (which is circular but true). The resources that exist
> are basically:
>
> - the existing code (obviously)
> - using doxygen to generate the API documentation across all three packages
> - a skeleton project for starting an extension library that's checked into
> svn, called cpp-sp-ext

I am being prompted for a password when I attempt to checkout
cpp-sp-ext:

$ svn co https://svn.shibboleth.net/cpp-sp-ext
Authentication realm: <https://svn.shibboleth.net:443> Shibboleth SVN Repository
Password for 'skoranda':

May I have checkout privileges please?

>
> The skeleton project is sometimes not up to date in terms of build files,
> but it's a mostly working autoconf project with some bare bones code for
> the mechanics of getting a library loaded. If you're serious about it, I
> can probably find enough time to document at least the mechanics that go
> into a plugin. It's not that much to write up, just not a ten minute
> exercise.

Please do not exert that effort on our account at this time.

The team doing the particular legacy application integration work underway
that prompted my question is able to use the combination of
Shibboleth (for authentication) and mod_authnz_external (for
authorization) for now. Our testing showed that by using a
combination of

AuthzShibAuthoritative Off
ShibRequireAll On

we can do what we need to do for now.

I am going to personally try and spend some time learning how
to develop a plugin but it is not my highest priority and the
details you have already given me should suffice for some
time.

Thanks,

Scott K

--
To unsubscribe from this list send an email to dev-uns...@shibboleth.net

Brent Putman

Dec 8, 2011, 4:13:42 PM
to d...@shibboleth.net

On 12/8/11 3:14 PM, Scott Koranda wrote:

> I am being prompted for a password when I attempt to checkout
> cpp-sp-ext:
>
> $ svn co https://svn.shibboleth.net/cpp-sp-ext


It's actually: https://svn.shibboleth.net/extensions/cpp-sp-ext/

Most/all of our extensions for both IdP and SP are centralized under
that /extensions project.

Cantor, Scott

Dec 8, 2011, 4:34:51 PM
to Shib Dev
On 12/8/11 3:14 PM, "Scott Koranda" <skor...@gmail.com> wrote:
>
>May I have checkout privileges please?

Brent answered, but for the record, nothing we have in svn has any
limitations on checkout, so any time you get prompted on a checkout, it
means the URL is wrong.

>I am going to personally try and spend some time learning how
>to develop a plugin but it is not my highest priority and the
>details you have already given me should suffice for some
>time.

Ok.

-- Scott

Scott Koranda

Dec 9, 2011, 8:49:44 PM
to d...@shibboleth.net
> On 12/7/11 1:48 PM, "Scott Koranda" <skor...@gmail.com> wrote:
> >
> >I would like to better understand what is involved in
> >implementing an access control plugin. What is the best
> >approach?
>
> This is more of a dev list topic, I'd direct any follow up there (I would
> myself, but Outlook, etc.)

>
> Unfortunately there are no documents on extending the SP because of the
> lack of interest (which is circular but true). The resources that exist
> are basically:
>
> - the existing code (obviously)
> - using doxygen to generate the API documentation across all three packages
> - a skeleton project for starting an extension library that's checked into
> svn, called cpp-sp-ext
>
> The skeleton project is sometimes not up to date in terms of build files,
> but it's a mostly working autoconf project with some bare bones code for
> the mechanics of getting a library loaded. If you're serious about it, I
> can probably find enough time to document at least the mechanics that go
> into a plugin. It's not that much to write up, just not a ten minute
> exercise.

So I have what appears to be a working access control plugin.
It is the simplest possible plugin--I hardcoded into the
authorized() method

return shib_acl_true;

After configuring shibboleth2.xml to get the plugin loaded and
an appropriate <RequestMapper> I am able to access the
protected content. Recompiling after changing the code to

return shib_acl_false;

(and restarting shibd and Apache httpd) and I am no longer
able to access the content (no warnings or errors in the log
file so I am fairly confident the plugin still loaded and it
is truly the plugin that is denying access).

Since it's fresh for me I am happy to write up a step-by-step
tutorial if it would be helpful. Shall I?

If so where in the wiki would you like it? Or should I write it
in my own space and link it under "Documentation" in

https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions

Thanks,

Scott K

P.S. Linux only. I do not do Windows.

Cantor, Scott

Dec 9, 2011, 9:24:42 PM
to Shib Dev
On 12/9/11 8:49 PM, "Scott Koranda" <skor...@gmail.com> wrote:
>
>(and restarting shibd and Apache httpd) and I am no longer
>able to access the content (no warnings or errors in the log
>file so I am fairly confident the plugin still loaded and it
>is truly the plugin that is denying access).

Any logging would have to come from the plugin, I don't think there's any
logging at the point the plugin is called.

>Since it's fresh for me I am happy to write up a step-by-step
>tutorial if it would be helpful. Shall I?

That would be very appreciated.

>If so where in the wiki would you like it? Or should I write it
>in my own space and link it under "Documentation" in
>
>https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions

That would be fine for now.

-- Scott

Christopher Bongaarts

Dec 12, 2011, 11:57:21 AM
to d...@shibboleth.net
On 12/9/2011 7:49 PM, Scott Koranda wrote:
> So I have what appears to be a working access control plugin.
[...]

> Since it's fresh for me I am happy to write up a step-by-step
> tutorial if it would be helpful. Shall I?
>
> If so where in the wiki would you like it? Or should I write it
> in my own space and link it under "Documentation" in
>
> https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions

Maybe a good idea to add a "developing SP plugins" page off of:

https://wiki.shibboleth.net/confluence/display/SHIB2/DevelopmentDocs

with a link to it as well.

--
%% Christopher A. Bongaarts %% c...@umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%

Scott Koranda

Feb 27, 2012, 12:02:51 PM
to Shib Dev
On Fri, Dec 9, 2011 at 8:24 PM, Cantor, Scott <cant...@osu.edu> wrote:
> On 12/9/11 8:49 PM, "Scott Koranda" <skor...@gmail.com> wrote:
>>
>>(and restarting shibd and Apache httpd) and I am no longer
>>able to access the content (no warnings or errors in the log
>>file so I am fairly confident the plugin still loaded and it
>>is truly the plugin that is denying access).
>
> Any logging would have to come from the plugin, I don't think there's any
> logging at the point the plugin is called.
>
>>Since it's fresh for me I am happy to write up a step-by-step
>>tutorial if it would be helpful. Shall I?
>
> That would be very appreciated.

I apologize it has taken so long to get back to this--lots of other priorities.

>
>>If so where in the wiki would you like it? Or should I write it
>>in my own space and link it under "Documentation" in
>>
>>https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions
>
> That would be fine for now.
>

Please find a first draft of a tutorial at

https://www.lsc-group.phys.uwm.edu/wiki/ShibSPAccessControlPluginTutorial

I am not a C++ programmer so I would be grateful for a review to point
out where I have used bad form. I can only say it compiles and
functions as advertised.

If you find the tutorial helpful and want to collaborate on evolving
it and/or locating it elsewhere please let me know.

Thanks,

Scott K

Cantor, Scott

Feb 27, 2012, 1:19:15 PM
to Shib Dev
> Please find a first draft of a tutorial at
>
> https://www.lsc-group.phys.uwm.edu/wiki/ShibSPAccessControlPluginTutorial

That's great. I would be willing to transfer that into the wiki at some point if you slap a CC license on that. I can change the LIGO references easily enough.

> I am not a C++ programmer so I would be grateful for a review to point
> out where I have used bad form. I can only say it compiles and
> functions as advertised.

It's not a complex enough example to really run into anything. About the only adjustment is that most of the time extensions that are self-contained in a single compilation unit don't need to use a namespace, they should stick everything in:

namespace {
}

That creates an anonymous namespace that will ensure the symbols are unique and won't collide with anything else.

-- Scott
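The anonymous-namespace layout Scott Cantor recommends above, combined with the authorized() decision from the tutorial plugin earlier in the thread, as an added example that is not code from the thread or from the Shibboleth project. Everything sits in one `namespace { }` block, and authorized() returns a definite allow or deny based on a session attribute rather than a hardcoded `shib_acl_true`. The FakeSession and FakeRequest types, the decideAccess helper, the attribute name isMemberOf and the group values are constructed stand-ins so the file compiles on its own; a real extension derives from the SP's AccessControl interface and registers itself from the library's init function, which needs the SP's headers and is not shown here.

```cpp
#include <map>
#include <string>
#include <vector>

namespace {

// The SP's access-control interface answers with one of three results;
// the tutorial plugin in this thread hardcoded shib_acl_true / shib_acl_false.
enum aclresult_t { shib_acl_false = 0, shib_acl_true = 1, shib_acl_indeterminate = 2 };

// Constructed stand-in for the resolved session: multi-valued attributes by name.
struct FakeSession {
    std::map<std::string, std::vector<std::string>> attributes;
};

// Constructed stand-in for the request: which attribute and value the
// protected location requires, as the plugin's configuration would supply.
struct FakeRequest {
    std::string requiredAttribute;
    std::string requiredValue;
};

// Lives inside the anonymous namespace, so an identically named class in
// another extension library cannot collide with it.
class AttributeValueAccessControl {
public:
    aclresult_t authorized(const FakeRequest& request, const FakeSession* session) const {
        // No session at all: nothing to evaluate, so deny rather than guess.
        if (session == nullptr)
            return shib_acl_false;
        auto it = session->attributes.find(request.requiredAttribute);
        // Attribute absent from the session: also a definite denial.
        if (it == session->attributes.end())
            return shib_acl_false;
        for (const std::string& value : it->second)
            if (value == request.requiredValue)
                return shib_acl_true;
        return shib_acl_false;
    }
};

} // namespace

// Hypothetical driver: builds a constructed session and reports whether the
// plugin would allow the request. Declared outside the anonymous namespace
// so callers in this translation unit have a stable name to reach.
bool decideAccess(const std::string& attr, const std::string& needed,
                  const std::vector<std::string>& sessionValues,
                  bool haveSession) {
    FakeRequest request{attr, needed};
    FakeSession session;
    if (!sessionValues.empty())
        session.attributes[attr] = sessionValues;
    AttributeValueAccessControl acl;
    return acl.authorized(request, haveSession ? &session : nullptr) == shib_acl_true;
}

int main() {
    // Constructed session: the user carries two isMemberOf values.
    std::vector<std::string> groups{"group-a", "staff"};
    bool allowed = decideAccess("isMemberOf", "staff", groups, true);
    return allowed ? 0 : 1;
}
```

Because every symbol except decideAccess has internal linkage, two extensions that both define an `AttributeValueAccessControl` class can be loaded into the same shibd process without the dynamic linker resolving one name to the other's code; that is the collision the anonymous namespace prevents.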

Scott Koranda

Feb 27, 2012, 4:25:58 PM
to Shib Dev
> > Please find a first draft of a tutorial at
> >
> > https://www.lsc-group.phys.uwm.edu/wiki/ShibSPAccessControlPluginTutorial
>
> That's great. I would be willing to transfer that into the
> wiki at some point if you slap a CC license on that.

Done. Please let me know if the particular license is an
issue.

> I can
> change the LIGO references easily enough.
>
> > I am not a C++ programmer so I would be grateful for a
> > review to point out where I have used bad form. I can only
> > say it compiles and functions as advertised.
>
> It's not a complex enough example to really run into
> anything. About the only adjustment is that most of the time
> extensions that are self-contained in a single compilation
> unit don't need to use a namespace, they should stick
> everything in:
>
> namespace { }
>
> That creates an anonymous namespace that will ensure the
> symbols are unique and won't collide with anything else.
>

Ah, I see.

I have made that change to the tutorial.

Thanks,

Scott K
