AUTOLOGIN(8) | DACS Web Services Manual | AUTOLOGIN(8) |
NAME¶
autologin - Convert an Apache identity to a DACS identitySYNOPSIS¶
autologin [dacsoptions[1]]
DESCRIPTION¶
This program is part of the DACS suite.The autologin CGI program, in conjunction with appropriate Apache and DACS configuration, is used to automatically convert an identity already established by Apache into a DACS identity. After standard HTTP Basic or Digest Authentication (RFC 2617[2]) has been performed successfully, autologin causes DACS credentials to be generated and returned. This capability lets DACS leverage any of Apache's existing authentication methods through simple configuration.
A user that has completed Basic or Digest Authentication (following a 401 Authorization Required response from the web server) invokes autologin. autologin generates credentials by constructing a request to dacs_authenticate(8)[3]. The value of the REMOTE_USER environment variable, as set by Apache, is used by dacs_authenticate to derive the DACS username.
Note
This web service is deprecated in favour of the RFC 2617[2] capability built-in to DACS. For details, please refer to the HTTP Authentication[4] section in dacs_acs(8)[5].
Security
autologin is not installed by default when DACS is built, in part because it can be a bit tricky to configure correctly and securely. Because this program is run during authentication processing, its file permissions must be set to prevent replacement or alteration by users other than a DACS administrator.
OPTIONS¶
Only the standard dacsoptions[1] command line arguments are recognized.Web Service Arguments¶
autologin understands the following CGI arguments. All arguments are required unless otherwise indicated.DACS_CONF
DACS_ERROR_URL
NOREDIRECT
DACS_JURISDICTION
DACS_SET_JURISDICTION
JURISDICTION_URI
just_dump_stdin
EXAMPLE¶
A typical use of autologin is to support coexistence on the same Web site of DACS-wrapped content, services. legacy applications, or content deployed under HTTP Basic or Digest Authentication. The following example illustrates configuration of Apache and DACS for the deployment under HTTP Basic Authentication of a web log application, Blogo. Blogo will be deployed within a DACS jurisdiction METALOGIC. The URI space of interest will be example.com/metalogic/*.In the Apache configuration file httpd.conf, a Location is defined for the Blogo application under Basic Authentication:
<Location /metalogic/blogo> AuthType Basic AuthName "FedDev" AuthUserFile /local/etc/auth-file Require valid-user # Note: For Apache 2.4, instead use: # Require dacs-authz </Location>
A Location under Basic Authentication also is defined where the autologin utility is deployed:
<Location /metalogic/dacs-native> AuthType Basic AuthName "FedDev" AuthUserFile /local/etc/auth-file Require valid-user # Note: For Apache 2.4, instead use: # Require dacs-authz </Location>
At the same time, other content in METALOGIC is protected by DACS:
<Location /metalogic/dev> Allow from all AuthType DACS AuthDACS dacs-acs Require valid-user # Note: For Apache 2.4, instead use: # Require dacs-authz </Location>
Note
Basic Authentication cannot be specified in a subdirectory of a directory or location that has been configured for DACS access control. As above, DACS and Basic Authentication must be configured in separate locations.
In the DACS configuration file, dacs.conf, jurisdiction METALOGIC is configured as follows:
<Jurisdiction uri="example.com/metalogic"> JURISDICTION_NAME "METALOGIC" ACS_ERROR_HANDLER "902 https://example.com/metalogic/dacs-native/autologin\ ?DACS_CONF=${Conf::DACS_CONF}&JURISDICTION_URI=example.com/metalogic" <!-- Authenticate using Apache Basic/Digest Auth. --> <Auth id="native"> URL "https://example.com/metalogic/dacs/local_native_authenticate" STYLE "native" CONTROL "sufficient" </Auth> </Jurisdiction>
Note
The native style of authentication must be configured when autologin is being used as described. See dacs_authenticate(8)[6].
The preceding configuration results in the following behaviour. A user accessing Blogo directly (https://example.com/metalogic/blogo) is challenged to enter a valid username and password (with respect to the Apache accounts in /local/etc/auth-file). If the user subsequently accesses DACS content requiring DACS authentication but no DACS credentials are present:
If the user accesses DACS content without first visiting the Blogo application, the 902 event handler fires, resulting in a browser redirect to autologin. Since autologin is itself behind Basic Authentication, the user will be prompted for a username and password. Once Basic Authentication succeeds, autologin is invoked with REMOTE_USER set (and therefore so is dacs_authenticate) and the process described above is repeated.
autologin may also be used as the target of an explicit authentication link. For example:
<a href="https://example.com/metalogic/dacs-native/autologin?\ DACS_CONF=/local/dacs/federations/example.com/dacs.conf&\ DACS_SET_JURISDICTION=METALOGIC&\ JURISDICTION_URI=example.com/metalogic&\ DACS_ERROR_URL=https://example.com">Login</a>
Following the link above results first in a Basic Authentication challenge and then sets DACS credentials in jurisdiction METALOGIC.
NOTES¶
autologin cannot generate credentials in a jurisdiction other than the one in which autologin is deployed.The behaviour of browsers with respect to the HTTP 401 Authorization status code may have undesired consequences. For example, browsers continually send username and password in any matching request. If a user does not exit the browser, this can result in DACS credentials automatically being regenerated long after their configured lifetime has expired. RFC 2617[2] provides no way for the server to "signout" a user, and neither do many browsers other than by ending the browser session or clearing browser history appropriately. This makes it inconvenient for a user to reauthenticate with respect to DACS using this technique.
DIAGNOSTICS¶
The program exits 0 if successful, 1 if an error occurred.SEE ALSO¶
dacs_authenticate(8)[3] (in particular, the native authentication style), dacs_autologin_ssl(8)[7], dacs_acs(8)[5], dacs.conf(5)[8]AUTHOR¶
Metalogic Software Corp.[9] and Distributed Systems Software (www.dss.ca[10])COPYING¶
Copyright2003-2014 Distributed Systems Software. See the LICENSE[11] file that accompanies the distribution for licensing information.NOTES¶
- 1.
- dacsoptions
- 2.
- RFC 2617
- 4.
- HTTP Authentication
- 5.
- dacs_acs(8)
- 8.
- dacs.conf(5)
- 9.
- Metalogic Software Corp.
- 10.
- www.dss.ca
- 11.
- LICENSE
06/02/2017 | DACS 1.4.38a |