Shared sign-on across web applications
Posted by Graham Stratton Fri, 25 May 2007 16:35:00 GMT
I’ve spent the day on what I can only assume is a really common problem with a distinct lack of a solution.
We have a number of web applications, some Zope-based and also a Pylons app served using the Paste server. We are using Apache as a proxy in front of all of them.
We’d like users to be able to sign in to any of those applications and then access any of the others. To implement their security the applications will need to know what groups the user is a member of.
To complicate matters slightly, users need to be authenticated by NTLM if possible, failing that looked up in an LDAP directory, and if that fails verified against a relational database. For NTLM users we’ll need to get the groups out at some point, presumably from LDAP.
Each of the applications will have its own way of keeping track of whether the user is logged in, probably by means of a cookie.
I think there are a few potential ways of sharing the sign-on information, given the restrictions of HTTP:
1) Something similar to OpenID, maybe actually using the OpenID protocol. Write a server which the web applications redirect to if authorization fails for some request. There are OpenID interfaces for plone and AuthKit. But there is a question as to whether the OpenID spec would allow returning of the list of groups a user belongs to.
2) Have the proxying Apache authenticate users and put this information in the environment. This would work if we only wanted to protect whole directories. An Apache module to help with this is mod_auth_tkt, which does rather more. Unfortunately it still doesn’t allow you to redirect users when authorization is required. What is needed is some way of catching a 401, as is done by AuthKit, and providing a sign-on there.
What I think mod_auth_tkt does is to hash the username with a secret code and store it in a cookie. The secret code is shared between all the applications. If the browser sends a request claiming to be fred, and hashing ‘fred’ with the secret code produces the code passed by the browser, then app1 can conclude that app2 successfully authenticated fred and gave him the code. This is really quite neat and I wouldn’t have thought of it.
3) Use paste.proxy as an extra proxy layer. This makes it easy to add middleware which will intercept status 401 messages and replace them with a login form. Since the proxy would not have a session, it would have to use set cookies in the same way as mod_auth_tkt to communicate user verification.
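As an added example (not the post's code, and not mod_auth_tkt's or AuthKit's own implementation), here is the shared-secret ticket idea from option 2 combined with the 401-interception idea from option 3, written as a small Python WSGI middleware. The ticket format, the cookie name `auth_tkt`, the `SHARED_SECRET` value and the `protected_app` downstream app are all constructed for illustration; the tag is an HMAC-SHA256 rather than whatever hash mod_auth_tkt uses, and the ticket carries an expiry and the group list so the receiving application gets the user's groups without a second lookup.

```python
# Added example (not code from the original post, mod_auth_tkt or AuthKit): a
# shared-secret ticket cookie any app behind the proxy can verify without a
# shared session store, plus a WSGI middleware that turns a downstream 401 into
# a login form. The ticket layout is my own illustrative format, not mod_auth_tkt's.
import base64
import binascii
import hashlib
import hmac
import json
import time
from http.cookies import CookieError, SimpleCookie

SHARED_SECRET = b"constructed-example-secret-use-random-bytes"  # placeholder
COOKIE_NAME = "auth_tkt"
LOGIN_FORM = (b"<html><body><form method='post' action='/login'>User <input name='user'>"
              b" Password <input name='password' type='password'> <button>Sign in</button>"
              b"</form></body></html>")


def make_ticket(user, groups, secret=SHARED_SECRET, now=None, ttl=3600):
    """Build 'base64(payload).hexmac'. The MAC covers user, groups and expiry,
    so any app holding the secret can trust all three without a lookup."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"u": user, "g": sorted(groups), "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode() + "." + tag


def verify_ticket(ticket, secret=SHARED_SECRET, now=None):
    """Return (user, groups) for a valid, unexpired ticket, else None.
    The MAC is checked in constant time before the payload is parsed."""
    try:
        b64, tag = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        data = json.loads(payload)
        user, groups, exp = data["u"], list(data["g"]), int(data["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if exp < (time.time() if now is None else now):
        return None
    return user, groups


class TicketMiddleware:
    """Verify the ticket cookie, pass the identity to the downstream app in
    environ, and replace a 401 from that app with the login form (the job the
    post gives to an AuthKit-style layer or a paste.proxy middleware)."""

    def __init__(self, app, secret=SHARED_SECRET):
        self.app, self.secret = app, secret

    def __call__(self, environ, start_response):
        jar = SimpleCookie()
        try:
            jar.load(environ.get("HTTP_COOKIE", ""))
        except CookieError:
            pass  # a malformed Cookie header simply means "not signed in"
        identity = None
        if COOKIE_NAME in jar:
            identity = verify_ticket(jar[COOKIE_NAME].value, self.secret)
        if identity:
            environ["REMOTE_USER"], environ["REMOTE_USER_GROUPS"] = identity
        captured, written = {}, []

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
            return written.append  # legacy write() callable

        body = self.app(environ, capture)
        if captured["status"].startswith("401"):
            if hasattr(body, "close"):
                body.close()
            start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
            return [LOGIN_FORM]
        start_response(captured["status"], captured["headers"])
        return written + list(body)


def protected_app(environ, start_response):
    """Constructed downstream app: only members of 'admins' get through."""
    if "admins" not in environ.get("REMOTE_USER_GROUPS", []):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"authorization required"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ["REMOTE_USER"].encode()]


def call(app, cookie_header=""):
    """Drive a WSGI app with a minimal environ; returns (status, body bytes)."""
    out = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_COOKIE": cookie_header}
    body = b"".join(app(environ, lambda s, h, e=None: out.__setitem__("status", s)))
    return out["status"], body
```

Three details carry the security weight here. The MAC is compared in constant time and checked before the payload is parsed, so a browser that does not hold the shared secret cannot mint a ticket for another user or edit the group list. The expiry bounds how long a stolen cookie stays useful. When the cookie is actually issued by the login handler (not shown), it should be set with Path=/ so every application behind the proxy receives it, plus HttpOnly and Secure, since the same ticket is accepted by all of them.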
The problem is further complicated by external and internal Apache instances. The internal one proxies services mainly used internally, and only accepts requests which come either from machines internally or from the external Apache instance. The external one proxies the organisational website, and also allows external access to the internal services.

Your comment on mod_auth_tkt, ‘Unfortunately it still doesn’t allow you to redirect users when authorization is required.’, is wrong.
You can specify a mod_auth_tkt directive in the Apache conf file like the following:
TKTAuthLoginURL http://www.example.com/login
which will redirect the user to login if the URL is protected.
Nice, good article.
Going to play with it, right away. Will post updates. Cool bit.
It’s very informative. You showed nice tips which will help us in future. Thanks for this article.
Keep it Up
thanks for the share
Very good post. In recent days we need some application which works faster. I welcome this blog.
Thanks for sharing
We ourselves went through several websites to find knowledge with regard to this.
It is an outstanding solution and clearly written post. I managed to understand it right away!
This post is really well written as it has provided all detailed facts and information about the topic. This post speaks credibility and authenticity and exposes real caliber of the writer. Fantastic job! http://www.whitefleur.co.uk
This blog post is very informative especially on computer programmer or anything that involves the backbone on the internet. I suggest that in every acronym word, there must be a definition of it beside the word so that a newbie will know about it. A great job on sharing knowledge here on your blog. Keep it up!
I have a similar configuration and similar problems, I wonder how you solve those issues.
Well, I guess he solved those issues 1067 days later… :-)
That sounds good. I will try. And I am trying to search Tiffany Jewelry online store.
It’s a very good post, I like it very much, and now subscribed to your post.
It’s a good post.
I love this post.
I love this post. Expecting more like this.
Awesome.
I read it. It’s good.
Good post.
Thanks, this really helped me out.
It’s a great pleasure reading your blog. The blog content is powerful. Very good.
It’s a nice comment. I love reading it in detail and bookmarked it. I found some real value in the content. Loved it.
It’s a great pleasure reading your post. It’s full of information I am looking for and I love to post a comment that “The content of your post is awesome”. Great work.
Great post, I look forward to reading more.
Truly nice post.
Extremely helpful. I like the way you have written. Do you have an RSS feed?
This post is really a great one. I would like to appreciate your work and would like to tell my friends. Thanks for sharing the sign-on information, given the restrictions of HTTP.
Nice post, I had bookmarked your blog. Feel free to visit my blog at piyush group.
Thanks for the nice post, I am really happy after reading the content of your post, or you can send flowers to kolkata.
It’s a very good post. I like it.
Nice post, I had bookmarked your blog. I very much liked this.
Thanks for the information, keep on sharing. Nice blog site.
It’s my pleasure that I got an opportunity to comment on this post. It’s a very nice post and I love it.
Really impressed! Everything is very open and a very clear explanation of issues. It truly contains information. Your website is very useful. Thanks for sharing. Looking forward to more!
Thanks
It’s a pleasure reading your post.
If you use Active Directory you could have each app use AD for authentication; login could then be seamless. Otherwise, if the applications can talk to each other behind the scenes, you could use session ids and have one app handling id generation, serving all of your other applications.
Really good post, I had read your post and bookmarked your post for further knowledge.
Really thankful, good post, I had bookmarked your blog. I very much liked this.
I wanted to thank you for this excellent read!! I definitely loved every little bit of it. I have bookmarked your web site to check out the latest stuff you post.
It’s a very good post, I had subscribed to your post. Please update the latest information.
Thanks for the amazing post. I have bookmarked the website.
Wow, great post. I love to read more stuff like this.
This is such a great resource that you are providing and you give it away for free. I love seeing blogs that understand the value of providing a quality resource for free. It is the old what goes around comes around routine. Did you want to acquire lots of links, and I see lots of trackbacks?
Nice blog with very strong content. I love reading it over again.
Nice to be visiting your blog again, it has been months for me. Well, this is the article that I’ve been waiting for so long. I need this article to complete my assignment in the college, and it has the same topic as your article. Thanks, great share.
In recent days we need some application which works faster. I welcome this blog.
It is awesome to read your post, I really like it, I think to make the same application like it. Thanks.
Remember you will not always win. Some days, the most resourceful individual will taste defeat. But there is, in this case, always tomorrow – after you have done your best to achieve success today.
It is a great pleasure that I got an opportunity to comment on this post. It’s a very nice post and I love it.
This was a useful post and I think it is rather easy to see from the other comments as well that this post is well written and useful. Keep up the good work.
I am grateful to you for sharing this post with us. I have been in search of this post and found the post at the right time. I appreciate for your hard work.
Really a nice article, it gives me a lot of information. Thanks for such a good article.
Fine information, thanks to the author. This work is really useful and significant.
I happen to enter your blog with the help of Google search. To my sheer luck I got what I was searching for. Thanks
Generally I do not post on blogs, but I would like to say that this post really forced me to do so, Excellent post!
You have a point. Very insightful. A nice different perspective.
Well, the info you share here is great and informative to me as I am very new to the subject. But I love reading and getting some more knowledge on it. Thanks.
Nothing is useless in this article.
Great site you got here and all the posts are really worth the read. I was wondering if I could use some write-ups on my website, I will link back to your website or page where I took the article to properly cite the source. If this is a problem please let me know and I will take it down right away. Best regards – Karen
great site. very good stuff.
Thanks a lot for your good advice – really appreciated.
Thanks ones again for this great blog.Thanks
Not too many people would actually think about this the way you just did. I’m really impressed that there’s so much about this subject that’s been uncovered and you did it so well, with so much class.
A directory is a set of objects with attributes organized logically in a hierarchical manner. A simple example is the telephone directory, which consists of a list of names (of either persons or organizations) organized alphabetically, with each name having an address and phone number associated with it.
I like your post & I will always be coming frequently to read more of your posts. Thank you very much for your post once more.
The internet is without a doubt growing into the most important medium of communication across the globe and it’s due to sites like this that ideas are spreading so quickly.
Thanks for info- I really love this site!
I would like to share it with all my friends and hope they will like it too.
Good post, thanks for sharing. Very useful for me, I will bookmark this for my future needs.
Great post. keep it up.
I am happy to find your distinguished way of writing the post. Now you make it easy for me to understand and implement the concept.
Very good job.
Great site.
Keep this going…