This was taken from a string of emails I sent to the rails mailing list. I was attempting to enable a single sign-on between Instiki (running on Mongrel) and Mailman running from Apache. Essentially, we needed to authenticate against the cookie written by Ruby. It turns out that you can write a cookie for the entire TLD of *.example.com from Instiki (Rails). So, I changed the cookie writing code in the wiki_controller to the following.

    # app/controllers/wiki_controller.rb
    # Scope both cookies to the parent domain so every *.example.com host receives them.
    cookies['ldap_username_2006'] = { :value   => emailaddress,
                                      :expires => 30.days.from_now,
                                      :domain  => '.example.com' }
    cookies['session_id']         = { :value   => session.session_id,
                                      :expires => 30.days.from_now,
                                      :domain  => '.example.com' }

This had the effect of allowing the cookie to be read by all subdomains, which is completely fine.

The next step was to make Apache recognize the cookie, which was a bit harder than I thought. I amended the /etc/httpd/conf.d/mailman.example.com.conf config file with the following mod_rewrite rules.

    # /etc/httpd/conf.d/mailman.example.com.conf
    RewriteEngine On
    # Any request whose Cookie header lacks ldap_username_2006 is redirected to the wiki's
    # auth page, carrying the requested mailman URL so the user can be sent back afterwards.
    RewriteCond %{HTTP_COOKIE} !^.*ldap_username_2006=.*$
    RewriteRule .*$ http://instiki.example.com/wiki/auth?mailman_from=http://mailman.example.com%{REQUEST_URI} [R,L]

So, there was a little bit more hacking in the "auth" view to force a redirect back to mailman if that's where the request originated. This required that the auth view handle the "mailman_from" request variable being sent by the rewrite rule.

    # app/views/wiki/auth.rhtml
    <%= form_tag(:controller => 'wiki',
                 :action     => 'ldap_authenticate',
                 :redirect_mailman => @params['mailman_from']) %>

Finally, ldap_authenticate has to redirect back to mailman if the request was initiated there and the cookie did not exist. The entire URL is preserved. So, if you came in from a particular list request, you are redirected back to that particular list.

    # app/controllers/wiki_controller.rb
    if @params['redirect_mailman'].nil?
      redirect_home
    else
      redirect_to @params['redirect_mailman'].to_s
    end

Clearly, this method of checking the ldap_username_2006 cookie is a bare minimum of security. If a user could guess that cookie name, and write it, then they could get access. The right way would be to check the session_id against the database, but it didn't seem like RewriteCond could do such a thing. I actually have another check in my RewriteCond (not listed in this email) to ensure the value of the cookie complies with a regex. Even so, I'd be fairly wary of implementing this outside of our Intranet.

The other option I considered is forking mailman to check the session_id from the instiki database. This is probably slightly more sane; however, this would require us to merge future mailman patches manually.

If anyone has any thoughts on how to check a session_id against a database with mod_rewrite (or any other Apache module), let me know.

Regards,
Tony
http://involution.com
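As an added example (not part of Tony's post, nor Instiki or Mailman code), the Ruby below reproduces the weakness the post admits to and shows the two checks a practitioner would want next to it. The first function mirrors the RewriteCond and accepts any request whose Cookie header merely names ldap_username_2006, so a forged header passes. The second part is a hypothetical alternative: a cookie value signed with HMAC-SHA256 under a server-side secret, which a client that can set arbitrary cookies still cannot mint. The third part guards the `redirect_to @params['redirect_mailman']` step, which otherwise sends the user to whatever URL appears in the query string. SSO_SECRET, sign_cookie, verify_cookie, safe_redirect_target, the secret value and the sample headers are all assumptions constructed for this example.

```ruby
require 'openssl'
require 'uri'

# Cookie name from the post; the secret and hostnames below are constructed for this example.
COOKIE_NAME = 'ldap_username_2006'
SSO_SECRET  = 'constructed-example-secret-load-from-config-in-practice'
ALLOWED_REDIRECT_HOST = 'mailman.example.com'

# Mirrors the RewriteCond in the post: true whenever the Cookie header merely
# mentions the cookie name. A client can satisfy this with any value it likes.
def bare_cookie_present?(cookie_header)
  cookie_header.to_s.match?(/#{Regexp.escape(COOKIE_NAME)}=/)
end

# Parse a Cookie header ("a=b; c=d") into a name => value hash.
def parse_cookies(cookie_header)
  cookie_header.to_s.split(/;\s*/).each_with_object({}) do |pair, h|
    name, value = pair.split('=', 2)
    h[name] = value if name && value
  end
end

# Hypothetical hardened cookie value: base64(username) ":" hex(HMAC-SHA256(secret, base64(username))).
# Only a holder of SSO_SECRET (the wiki server) can produce a value that verifies.
def sign_cookie(username, secret = SSO_SECRET)
  payload = [username].pack('m0')
  "#{payload}:#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Constant-time string comparison so the MAC check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the username when the MAC verifies, nil for missing, malformed or forged values.
def verify_cookie(value, secret = SSO_SECRET)
  payload, mac = value.to_s.split(':', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(mac, expected)
  payload.unpack1('m0')
rescue ArgumentError
  nil
end

# The post's controller does redirect_to @params['redirect_mailman'] unchanged, so the
# query string decides where the user lands. Accept only http(s) URLs on the mailman host.
def safe_redirect_target(param, fallback = '/')
  uri = URI.parse(param.to_s)
  return fallback unless uri.is_a?(URI::HTTP) && uri.host == ALLOWED_REDIRECT_HOST
  uri.to_s
rescue URI::InvalidURIError
  fallback
end

# Constructed requests: one forged Cookie header, one carrying a value issued by sign_cookie.
def demo
  forged  = "session_id=abc123; #{COOKIE_NAME}=anyone%40example.com"
  genuine = "#{COOKIE_NAME}=#{sign_cookie('tony@example.com')}"
  {
    forged_passes_bare_check:   bare_cookie_present?(forged),
    forged_passes_signed_check: !verify_cookie(parse_cookies(forged)[COOKIE_NAME]).nil?,
    genuine_user:               verify_cookie(parse_cookies(genuine)[COOKIE_NAME]),
    redirect_allowed: safe_redirect_target('http://mailman.example.com/mailman/listinfo/dev'),
    redirect_blocked: safe_redirect_target('http://attacker.example.net/mailman/listinfo/dev')
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running the file prints that the forged header passes the bare check but not the signed one, that the genuine cookie yields tony@example.com, and that only the mailman.example.com redirect target is honoured. Note that RewriteCond itself cannot compute an HMAC, so in this design the signed value would have to be checked by whatever component fronts Mailman, which is the same placement problem the post raises.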