5 changes: 5 additions & 0 deletions docs/CHANGES.txt
@@ -1,6 +1,11 @@
2.3.2 (unreleased)
------------------

- Fix support for subrequest authentication. The credentials must be
cached on the parent request because the authorization ticket is
only valid during a limited time window.
[malthe]

- Allow PAS plugin loading to continue in debug mode (development) with an error warning if the kerberos library cannot be loaded on unix.
[fredvd]

23 changes: 16 additions & 7 deletions netsight/windowsauthplugin/plugin.py
@@ -11,6 +11,7 @@

from zExceptions import Forbidden
from zLOG import LOG, ERROR, DEBUG, INFO
from zope.annotation.interfaces import IAnnotations

import sys
import urlparse
@@ -34,6 +35,9 @@

import interface

KEY = "netsight.windowsauthplugin.credentials"


class WindowsauthpluginHelper( BasePlugin ):
"""Multi-plugin to do Kerberos based SSO

@@ -94,14 +98,18 @@ def authenticateCredentials( self, credentials ):
return None

request = self.REQUEST
response = request.RESPONSE
remote_host = request.getClientAddr()

# We are actually already authenticated... maybe we are in a subrequest
if request.get('AUTHENTICATED_USER', None) is not None:
username = request.AUTHENTICATED_USER.getName()
return username, username
# This request may be a subrequest which is supposed to
# leverage the same authentication information as the parent
# request.
request = request.get('PARENT_REQUEST', request)
cache = IAnnotations(request)
value = cache.get(KEY)
if value is not None:
return value

response = request.RESPONSE
remote_host = request.getClientAddr()
ticket = credentials['ticket']

if WINDOWS:
@@ -155,7 +163,8 @@ def authenticateCredentials( self, credentials ):
response = request.RESPONSE
pas_instance.updateCredentials(request, response, username, '')

return username, username
value = cache[KEY] = username, username
return value


security.declarePrivate( 'extractCredentials' )
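Review bot: The cache lookup added near the top of authenticateCredentials returns the stored `(username, username)` without looking at `credentials['ticket']`, so once one ticket has been verified on the parent request, any later call that passes the earlier guard (outside the visible hunk) is accepted as that user regardless of the ticket it carries. Binding the entry to the verified ticket keeps the reuse limited to the same credentials: store `cache[KEY] = ticket, (username, username)` at the end and reuse it only with `if cached is not None and cached[0] == ticket: return cached[1]`; this assumes a subrequest presents the same ticket as its parent, which should be confirmed. Separately, `request.get('PARENT_REQUEST', request)` uses the general request lookup, which as far as I know can also resolve form and cookie values; `request.other.get('PARENT_REQUEST', request)` would honour only values set by server code, and is worth checking against the subrequest implementation in use. A short comment on `KEY` saying that it names the per-request annotation holding the authentication result would also help. The function body starts and ends outside the hunks shown here.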