[Bug 11219] New: CAS authentication fails with URL parameters
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Bug ID: 11219 Summary: CAS authentication fails with URL parameters Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: gmcharlt@gmail.com Reporter: fridolyn.somers@biblibre.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Bug 10029 tries to fix the use of URL parameters in CAS authentication. But is does not work. The full URL must be used in all methods of C4::Auth_with_cas. Also, in checkpw_cas(), the 'ticket' parameter must be removed to find the original URL. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Fridolyn SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |10029 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Fridolyn SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Assignee|gmcharlt@gmail.com |fridolyn.somers@biblibre.co | |m --- Comment #1 from Fridolyn SOMERS <fridolyn.somers@biblibre.com> --- Created attachment 22807 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=22807&action=edit Bug 11219 - CAS authentication fails with URL parameters See commit message -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Fridolyn SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Koha Team AMU <koha.aixmarseille@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |koha.aixmarseille@gmail.com -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Koha Team AMU <koha.aixmarseille@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Koha Team AMU <koha.aixmarseille@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 sandboxes@biblibre.com <sandboxes@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |sandboxes@biblibre.com --- Comment #2 from sandboxes@biblibre.com <sandboxes@biblibre.com> --- Patch tested with a sandbox, by Koha team AMU <koha.aixmarseille@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 sandboxes@biblibre.com <sandboxes@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #22807|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 --- Comment #3 from sandboxes@biblibre.com <sandboxes@biblibre.com> --- Created attachment 23138 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23138&action=edit Bug 11219 - CAS authentication fails with URL parameters Bug 10029 tries to fix the use of URL parameters in CAS authentication. But is does not work. The full URL must be used in all methods of C4::Auth_with_cas. Also, in checkpw_cas(), the 'ticket' parameter must be removed to find the original URL. This patch removes the 'ticket' parameter from query before calling checkpw_cas() since the ticket is passed as method arguemnt. In C4::Auth_with_cas, many methods use the same code to get the CAS handler and the service URI. This patch adds a private method _get_cas_and_service() to do the job. Test plan : Test plan : - Enable CAS - Go to opac without been logged-in - Try to place hold on a record => You get to /cgi-bin/koha/opac-reserve.pl?biblionumber=XXX showing authentication page => Check that CAS link contains query param "biblionumber" - Click on CAS link and log in => Check you return well logged-in to reserve page with biblionumber param - Check CAS loggout - Check Proxy CAS auth Signed-off-by: Koha team AMU <koha.aixmarseille@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de --- Comment #4 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Hi Fridolin and Team AMU, is there a way to test this without a working CAS environment? -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 --- Comment #5 from Fridolyn SOMERS <fridolyn.somers@biblibre.com> --- (In reply to Katrin Fischer from comment #4)
Hi Fridolin and Team AMU, is there a way to test this without a working CAS environment?
I don't know. But I'd say same has Bug 10029. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #23138|0 |1 is obsolete| | --- Comment #6 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 23744 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23744&action=edit [PASSED QA] Bug 11219 - CAS authentication fails with URL parameters Bug 10029 tries to fix the use of URL parameters in CAS authentication. But is does not work. The full URL must be used in all methods of C4::Auth_with_cas. Also, in checkpw_cas(), the 'ticket' parameter must be removed to find the original URL. This patch removes the 'ticket' parameter from query before calling checkpw_cas() since the ticket is passed as method arguemnt. In C4::Auth_with_cas, many methods use the same code to get the CAS handler and the service URI. This patch adds a private method _get_cas_and_service() to do the job. Test plan: - Enable CAS - Go to opac without been logged-in - Try to place hold on a record => You get to /cgi-bin/koha/opac-reserve.pl?biblionumber=XXX showing authentication page => Check that CAS link contains query param "biblionumber" - Click on CAS link and log in => Check you return well logged-in to reserve page with biblionumber param - Check CAS loggout - Check Proxy CAS auth Signed-off-by: Koha team AMU <koha.aixmarseille@gmail.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Passes all tests in t, xt, and t/db_dependent/Auth.t. Also passes QA script. As I have no working CAS server, I focused on regression testing: Activated Persona and casAuthentication. - Verified normal login against database still works. - Verified Persona login works. Note: With Persona you are always forwarded to the patron account - so you have to search for the record again before you can place a hold. - Verified that the CAS URL contains the biblionumber when logging in while placing a hold. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Fridolin SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 --- Comment #7 from Fridolin SOMERS <fridolyn.somers@biblibre.com> --- Created attachment 26967 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=26967&action=edit Bug 11219 - Bug 11219 - CAS authentication fails with URL parameters - followup This followup corrects the fact that when using $query->url(), both GET and POST params are get. Using $query->url_param() will only get params directly in URL. Test plan : - Enable CAS - Go to login page : cgi-bin/koha/opac-user.pl - Try to connect with local login using random login and password (they will be transmitted by POST) - You stay to login page - Look at CAS login URL => Without this patch it will contain the random login and password as parameters of opac-user.pl => With this patch it does not contain any parameter -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #26967|0 |1 is obsolete| | CC| |matthias.meusburger@biblibr | |e.com --- Comment #8 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Created attachment 26971 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=26971&action=edit signed patch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Fridolin SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |critical --- Comment #9 from Fridolin SOMERS <fridolyn.somers@biblibre.com> --- I set as critical because it may show a user/password -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #23744|0 |1 is obsolete| | Attachment #26971|0 |1 is obsolete| | --- Comment #10 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 27054 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=27054&action=edit [PASSED QA] Bug 11219 - CAS authentication fails with URL parameters Bug 10029 tries to fix the use of URL parameters in CAS authentication. But is does not work. The full URL must be used in all methods of C4::Auth_with_cas. Also, in checkpw_cas(), the 'ticket' parameter must be removed to find the original URL. This patch removes the 'ticket' parameter from query before calling checkpw_cas() since the ticket is passed as method arguemnt. In C4::Auth_with_cas, many methods use the same code to get the CAS handler and the service URI. This patch adds a private method _get_cas_and_service() to do the job. Test plan: - Enable CAS - Go to opac without been logged-in - Try to place hold on a record => You get to /cgi-bin/koha/opac-reserve.pl?biblionumber=XXX showing authentication page => Check that CAS link contains query param "biblionumber" - Click on CAS link and log in => Check you return well logged-in to reserve page with biblionumber param - Check CAS loggout - Check Proxy CAS auth Signed-off-by: Koha team AMU <koha.aixmarseille@gmail.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Passes all tests in t, xt, and t/db_dependent/Auth.t. Also passes QA script. As I have no working CAS server, I focused on regression testing: Activated Persona and casAuthentication. - Verified normal login against database still works. - Verified Persona login works. Note: With Persona you are always forwarded to the patron account - so you have to search for the record again before you can place a hold. - Verified that the CAS URL contains the biblionumber when logging in while placing a hold. Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Retested 2014-04-12 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 --- Comment #11 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- First patch is PQA, I signed off on the second patch. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 --- Comment #12 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 27055 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=27055&action=edit [SIGNED OFF] Bug 11219 - CAS authentication fails with URL parameters - followup This followup corrects the fact that when using $query->url(), both GET and POST params are get. Using $query->url_param() will only get params directly in URL. Test plan : - Enable CAS - Go to login page : cgi-bin/koha/opac-user.pl - Try to connect with local login using random login and password (they will be transmitted by POST) - You stay to login page - Look at CAS login URL => Without this patch it will contain the random login and password as parameters of opac-user.pl => With this patch it does not contain any parameter Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #27054|0 |1 is obsolete| | --- Comment #13 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 27095 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=27095&action=edit Bug 11219 - CAS authentication fails with URL parameters Bug 10029 tries to fix the use of URL parameters in CAS authentication. But is does not work. The full URL must be used in all methods of C4::Auth_with_cas. Also, in checkpw_cas(), the 'ticket' parameter must be removed to find the original URL. This patch removes the 'ticket' parameter from query before calling checkpw_cas() since the ticket is passed as method arguemnt. In C4::Auth_with_cas, many methods use the same code to get the CAS handler and the service URI. This patch adds a private method _get_cas_and_service() to do the job. Test plan: - Enable CAS - Go to opac without been logged-in - Try to place hold on a record => You get to /cgi-bin/koha/opac-reserve.pl?biblionumber=XXX showing authentication page => Check that CAS link contains query param "biblionumber" - Click on CAS link and log in => Check you return well logged-in to reserve page with biblionumber param - Check CAS loggout - Check Proxy CAS auth Signed-off-by: Koha team AMU <koha.aixmarseille@gmail.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Passes all tests in t, xt, and t/db_dependent/Auth.t. Also passes QA script. As I have no working CAS server, I focused on regression testing: Activated Persona and casAuthentication. - Verified normal login against database still works. - Verified Persona login works. Note: With Persona you are always forwarded to the patron account - so you have to search for the record again before you can place a hold. - Verified that the CAS URL contains the biblionumber when logging in while placing a hold. Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Retested 2014-04-12 Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #27055|0 |1 is obsolete| | --- Comment #14 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 27096 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=27096&action=edit Bug 11219 - CAS authentication fails with URL parameters - followup This followup corrects the fact that when using $query->url(), both GET and POST params are get. Using $query->url_param() will only get params directly in URL. Test plan : - Enable CAS - Go to login page : cgi-bin/koha/opac-user.pl - Try to connect with local login using random login and password (they will be transmitted by POST) - You stay to login page - Look at CAS login URL => Without this patch it will contain the random login and password as parameters of opac-user.pl => With this patch it does not contain any parameter Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_3_16_candidate -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master CC| |gmcharlt@gmail.com --- Comment #15 from Galen Charlton <gmcharlt@gmail.com> --- Pushed to master. Thanks, Fridolin! -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Fridolin SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |Pushed to Stable --- Comment #16 from Fridolin SOMERS <fridolyn.somers@biblibre.com> --- Pushed to 3.14.x, will be in 3.14.10 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Fridolin SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |12398 -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Mason James <mtj@kohaaloha.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mtj@kohaaloha.com Keywords|rel_3_16_candidate | --- Comment #17 from Mason James <mtj@kohaaloha.com> --- (In reply to Galen Charlton from comment #15)
Pushed to master. Thanks, Fridolin!
Patch already added to 3.16.x branch -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11219 Fridolin SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Stable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org