Forum: Ruby on Rails Re: Authentication between Instiki and Mailman Solved!

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
Tony P. (Guest)
on 2006-05-24 19:20
(Received via mailing list)
Basically, we needed to authenticate against the cookie written by Ruby.
It turns out that you can write a cookie for the entire TLD of
* from Instiki (Rails).  So, I changed the cookie writing
code in the wiki_controller to the following.

# app/controllers/wiki_controller.rb
cookies['ldap_username_2006'] = {:value =>emailaddress,
                       :expires =>30.days.from_now,
                       :domain => ''
cookies['session_id'] = {:value =>session.session_id,
                         :expires =>30.days.from_now,
                         :domain => ''

This had the effect of allowing the cookie to be read by all subdomains
which is completely fine.  The next step was to make Apache recognize
cookie which was a bit harder than I thought.  I amended the
/etc/httpd/conf.d/ config file with the
mod_rewrite rules.

# /etc/httpd/conf.d/
RewriteCond %{HTTP_COOKIE} !^.*ldap_username_2006=.*$
RewriteRule .*$

So, there was a little bit of more hacking in the "auth" view to force a
redirect back to mailman if that's where the request originated.  This
required that the auth view needed to handle the "mailman_from"
request variable being sent by the rewrite rule.

# app/views/wiki/auth.rhtml
<%= form_tag(:controller => 'wiki' , :action => 'ldap_authenticate',
:redirect_mailman=>@params['mailman_from']) %>

Finally, ldap_authenticate has to redirect back to mailman if
the request was initiated there, and the cookie did not exist.  The
entire URL
is preserved.  So, if you came in from a particular list request, you
redirected back to that particular list.

# app/controllers/wiki_controller.rb
if @params['redirect_mailman'].nil?
  redirect_to @params['redirect_mailman'].to_s

Clearly, this method of checking the ldap_username_2006 is a bare
minimum of security.  If a user could guess that cookie name, and
write it, then they could get access.  The right way would be to check
the session_id against the database, but it didn't seem like
RewriteCond could do such a thing.  I actually have another check in
my RewriteCond (not listed in this email) to insure the value of the
cookie complies with the regex.  Even so, I'd be fairly wary of
implementing this outside of our Intranet.

The other option I considered is forking mailman to check the
session_id from the instiki database.  This is probably a slightly
more sane, however this would require us to merge future mailman
patches manually.

If anyone has any thoughts on how to check a session_id against a
database with mod_rewrite (or any other Apache module), let me know.


Robert D. (Guest)
on 2006-05-24 20:09

I am familiar with Mailman and am reading about Instiki now. Being
ignorant on these products, what is the benefit of integrating these
two? Thanks for your response so I can learn a little more.

Robert D.
This topic is locked and can not be replied to.