AUTOLOGIN(8) | DACS Web Services Manual | AUTOLOGIN(8) |
NAME
autologin - Convert an Apache identity to a DACS identity
SYNOPSIS
autologin [dacsoptions[1]]
DESCRIPTION
This program is part of the DACS suite.

The autologin CGI program, in conjunction with appropriate Apache and DACS configuration, is used to automatically convert an identity already established by Apache into a DACS identity. After standard HTTP Basic or Digest Authentication (RFC 2617[2]) has been performed successfully, autologin causes DACS credentials to be generated and returned. This capability lets DACS leverage any of Apache's existing authentication methods through simple configuration.

A user that has completed Basic or Digest Authentication (following a 401 Authorization Required response from the web server) accesses autologin. autologin generates credentials by constructing a request to dacs_authenticate(8)[3]. The value of the REMOTE_USER environment variable, as set by Apache, is used by dacs_authenticate to derive the DACS username.
OPTIONS
Only the standard dacsoptions[1] command line arguments are recognized.
Web Service Arguments
autologin understands the following CGI arguments. All arguments are required unless otherwise indicated.
DACS_CONF
The path to the DACS configuration file that
should be used to locate jurisdiction configuration information needed by
dacs_authenticate.
DACS_ERROR_URL
When autologin is invoked as a result of
DACS event handling, DACS_ERROR_URL is automatically passed by
dacs_acs(8)[5] and represents the original URL to which access was
denied. In typical use, autologin is configured as the handler for a
dacs_acs 902 error code (NO_AUTH, "Authentication by DACS is
required"). autologin then invokes dacs_authenticate. If
DACS authentication is successful, dacs_authenticate ordinarily
issues a browser redirect to the value of DACS_ERROR_URL and a cookie
bearing the credentials is set in the browser (but see the NOREDIRECT
argument).
NOREDIRECT
If this optional argument is present (its value is
immaterial), autologin instructs dacs_authenticate to not
issue a browser redirect to the value of DACS_ERROR_URL.
DACS_JURISDICTION
When autologin is invoked as a result of
DACS event handling, DACS_JURISDICTION is set by DACS to
the name of the jurisdiction that received the request. By default,
autologin generates credentials for the jurisdiction at which
dacs_authenticate is invoked (specifically, DACS_JURISDICTION).
This can be overridden by the DACS_SET_JURISDICTION parameter.
DACS_SET_JURISDICTION
This optional argument explicitly names the jurisdiction
in which autologin should generate credentials.
DACS_SET_JURISDICTION overrides the value, if any, of
DACS_JURISDICTION and must be the same as the jurisdiction in which
autologin is deployed.
JURISDICTION_URI
This is the URI identifying the jurisdiction in the
DACS configuration file corresponding to the value specified in a
DACS_JURISDICTION or DACS_SET_JURISDICTION argument. This
argument is optional since the jurisdiction name can be used for this
purpose.
just_dump_stdin
This optional argument is useful for debugging. If the
value of QUERY_STRING is exactly just_dump_stdin, then the program will
simply copy its standard input to the standard output as text/plain.
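The argument rules above (the exact-match debug mode, the DACS_SET_JURISDICTION override and same-jurisdiction constraint, and NOREDIRECT) as an added Python model; this is illustration, not DACS code. The function name, the returned dict and the deployed_jurisdiction parameter are assumptions made for the example.

```python
# Added illustration, not DACS code: a model of autologin's CGI argument rules.
# plan_autologin, its return dict and deployed_jurisdiction are assumed names.
from urllib.parse import parse_qs


class AutologinError(Exception):
    """Raised where the real program would report an error and exit 1."""


def plan_autologin(environ, deployed_jurisdiction):
    """Work out what autologin would ask dacs_authenticate to do, given the
    CGI environment Apache supplies (QUERY_STRING and REMOTE_USER)."""
    qs = environ.get("QUERY_STRING", "")
    # Debug mode fires only when QUERY_STRING is exactly "just_dump_stdin"
    if qs == "just_dump_stdin":
        return {"action": "dump_stdin"}
    args = {k: v[-1] for k, v in parse_qs(qs, keep_blank_values=True).items()}
    # The identity must already have been established by Apache (Basic/Digest)
    user = environ.get("REMOTE_USER")
    if not user:
        raise AutologinError("REMOTE_USER not set: Apache authentication did not run")
    if "DACS_CONF" not in args:
        raise AutologinError("DACS_CONF is required")
    # DACS_SET_JURISDICTION overrides DACS_JURISDICTION; with neither present,
    # credentials are for the jurisdiction where dacs_authenticate runs.
    jurisdiction = (args.get("DACS_SET_JURISDICTION")
                    or args.get("DACS_JURISDICTION")
                    or deployed_jurisdiction)
    # autologin cannot issue credentials for any other jurisdiction
    if jurisdiction != deployed_jurisdiction:
        raise AutologinError(f"cannot generate credentials for {jurisdiction}; "
                             f"autologin is deployed in {deployed_jurisdiction}")
    # NOREDIRECT (any value, or none) suppresses the redirect to DACS_ERROR_URL
    redirect_to = None if "NOREDIRECT" in args else args.get("DACS_ERROR_URL")
    return {
        "action": "authenticate",
        "username": user,  # what local_native_authenticate receives as USERNAME
        "jurisdiction": jurisdiction,
        "dacs_conf": args["DACS_CONF"],
        "jurisdiction_uri": args.get("JURISDICTION_URI"),  # optional
        "redirect_to": redirect_to,
    }


if __name__ == "__main__":
    # Constructed sample: the query string of this page's explicit login link
    sample = {"REMOTE_USER": "alice",
              "QUERY_STRING": "DACS_CONF=/local/dacs/federations/example.com/dacs.conf"
                              "&DACS_SET_JURISDICTION=METALOGIC"
                              "&JURISDICTION_URI=example.com/metalogic"
                              "&DACS_ERROR_URL=https://example.com"}
    print(plan_autologin(sample, "METALOGIC"))
```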
EXAMPLE
A typical use of autologin is to support coexistence on the same Web site of DACS-wrapped content and services with legacy applications or content deployed under HTTP Basic or Digest authentication. The following example illustrates configuration of Apache and DACS for the deployment under HTTP Basic authentication of a Web log application, Blogo. Blogo will be deployed within a DACS jurisdiction METALOGIC. The URI space of interest will be example.com/metalogic/*.

In the Apache configuration file httpd.conf, a Location is defined for the Blogo application under Basic authentication:

    <Location /metalogic/blogo>
      AuthType Basic
      AuthName "FedDev"
      AuthUserFile /local/etc/auth-file
      Require valid-user
      # Note: For Apache 2.4, instead use:
      # Require dacs-authz
    </Location>

autologin itself is deployed behind the same Basic authentication:

    <Location /metalogic/dacs-native>
      AuthType Basic
      AuthName "FedDev"
      AuthUserFile /local/etc/auth-file
      Require valid-user
      # Note: For Apache 2.4, instead use:
      # Require dacs-authz
    </Location>

The DACS-wrapped content is access controlled by dacs_acs:

    <Location /metalogic/dev>
      Allow from all
      AuthType DACS
      AuthDACS dacs-acs
      Require valid-user
      # Note: For Apache 2.4, instead use:
      # Require dacs-authz
    </Location>

In dacs.conf, the jurisdiction names autologin as the handler for the 902 error code and configures native authentication:

    <Jurisdiction uri="example.com/metalogic">
      JURISDICTION_NAME "METALOGIC"
      ACS_ERROR_HANDLER "902 https://example.com/metalogic/dacs-native/autologin\
          ?DACS_CONF=${Conf::DACS_CONF}&JURISDICTION_URI=example.com/metalogic"
      <!-- Authenticate using Apache Basic/Digest Auth. -->
      <Auth id="native">
        URL "https://example.com/metalogic/dacs/local_native_authenticate"
        STYLE "native"
        CONTROL "sufficient"
      </Auth>
    </Jurisdiction>
When a user who has authenticated to Blogo then accesses the DACS-wrapped content, the following sequence occurs:

• The 902 event handler is invoked, resulting in a browser redirect to autologin.
• The REMOTE_USER environment variable is present in the environment as a result of successful Basic authentication.
• autologin runs dacs_authenticate (as a command, not as a web service).
• dacs_authenticate then invokes local_native_authenticate, which uses the value of REMOTE_USER as the USERNAME argument.
• If authentication succeeds, DACS credentials for REMOTE_USER in jurisdiction METALOGIC are generated. These credentials are returned to the browser within a cookie and the browser is redirected to the value of DACS_ERROR_URL (recall that DACS_ERROR_URL was passed to autologin by dacs_acs when the 902 handler was invoked and is forwarded to dacs_authenticate).
If the user accesses DACS content without first visiting the Blogo
application, the 902 event handler fires, resulting in a browser
redirect to autologin. Since autologin is itself behind Basic
authentication, the user will be prompted for a username and password. Once
Basic authentication succeeds, autologin is invoked with
REMOTE_USER set (and therefore so is dacs_authenticate) and the
process described above is repeated.
autologin may also be used as the target of an explicit authentication
link. For example:

    <a href="https://example.com/metalogic/dacs-native/autologin?\
       DACS_CONF=/local/dacs/federations/example.com/dacs.conf&\
       DACS_SET_JURISDICTION=METALOGIC&\
       JURISDICTION_URI=example.com/metalogic&\
       DACS_ERROR_URL=https://example.com">Login</a>
NOTES
autologin cannot generate credentials in a jurisdiction other than the one in which autologin is deployed.

The behaviour of browsers with respect to the HTTP 401 Authorization status code may have undesired consequences. For example, browsers continually send the username and password in any matching request. If a user does not exit the browser, this can result in DACS credentials automatically being regenerated long after their configured lifetime has expired. RFC 2617[2] provides no way for the server to "signout" a user, and neither do many browsers (Firefox[7] is an exception), other than by ending the browser session. This makes it inconvenient for a user to reauthenticate with respect to DACS using this technique.
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
SEE ALSO
dacs_authenticate(8)[3] (in particular, the native authentication style), dacs_autologin_ssl(8)[8], dacs_acs(8)[5], dacs.conf(5)[9]
AUTHOR
Metalogic Software Corp.[10] and Distributed Systems Software (www.dss.ca[11])
COPYING
Copyright 2003-2013 Distributed Systems Software. See the LICENSE[12] file that accompanies the distribution for licensing information.
NOTES
1. dacsoptions
2. RFC 2617
4. HTTP Authentication
5. dacs_acs(8)
7. Firefox
9. dacs.conf(5)
10. Metalogic Software Corp.
11. www.dss.ca
12. LICENSE
07/17/2013 | DACS 1.4.28b |