Forum: Ruby on Rails Re: Authentication between Instiki and Mailman Solved!

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
4dd3a635239b88c8005b21c233074379?d=identicon&s=25 Tony Perrie (Guest)
on 2006-05-24 17:20
(Received via mailing list)
Basically, we needed to authenticate against the cookie written by Ruby.
It turns out that you can write a cookie for the entire TLD of
*.example.com from Instiki (Rails).  So, I changed the cookie writing
code in the wiki_controller to the following.

# app/controllers/wiki_controller.rb
cookies['ldap_username_2006'] = {:value =>emailaddress,
                       :expires =>30.days.from_now,
                       :domain => '.example.com'
                       }
cookies['session_id'] = {:value =>session.session_id,
                         :expires =>30.days.from_now,
                         :domain => '.example.com'
                        }

This had the effect of allowing the cookie to be read by all subdomains
which is completely fine.  The next step was to make Apache recognize
the
cookie which was a bit harder than I thought.  I amended the
/etc/httpd/conf.d/mailman.example.com.conf config file with the
following
mod_rewrite rules.

# /etc/httpd/conf.d/mailman.example.com
RewriteCond %{HTTP_COOKIE} !^.*ldap_username_2006=.*$
RewriteRule .*$
http://instiki.example.com/wiki/auth?mailman_from=...

So, there was a little bit of more hacking in the "auth" view to force a
redirect back to mailman if that's where the request originated.  This
required that the auth view needed to handle the "mailman_from"
request variable being sent by the rewrite rule.

# app/views/wiki/auth.rhtml
<%= form_tag(:controller => 'wiki' , :action => 'ldap_authenticate',
:redirect_mailman=>@params['mailman_from']) %>

Finally, ldap_authenticate has to redirect back to mailman if
the request was initiated there, and the cookie did not exist.  The
entire URL
is preserved.  So, if you came in from a particular list request, you
are
redirected back to that particular list.

# app/controllers/wiki_controller.rb
#
if @params['redirect_mailman'].nil?
  redirect_home
else
  redirect_to @params['redirect_mailman'].to_s
end

Clearly, this method of checking the ldap_username_2006 is a bare
minimum of security.  If a user could guess that cookie name, and
write it, then they could get access.  The right way would be to check
the session_id against the database, but it didn't seem like
RewriteCond could do such a thing.  I actually have another check in
my RewriteCond (not listed in this email) to insure the value of the
cookie complies with the regex.  Even so, I'd be fairly wary of
implementing this outside of our Intranet.

The other option I considered is forking mailman to check the
session_id from the instiki database.  This is probably a slightly
more sane, however this would require us to merge future mailman
patches manually.

If anyone has any thoughts on how to check a session_id against a
database with mod_rewrite (or any other Apache module), let me know.

Regards,

Tony
http://hoyhoy.org
Cf17040cecb2618506f5ca4c14957957?d=identicon&s=25 Robert Dempsey (flatekmonkey)
on 2006-05-24 18:09
Tony,

I am familiar with Mailman and am reading about Instiki now. Being
ignorant on these products, what is the benefit of integrating these
two? Thanks for your response so I can learn a little more.

Robert Dempsey
http://www.techcfl.com
This topic is locked and can not be replied to.