[Bug 13932] New: Allow a header to be considered trusted to provide the userid
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13932 Bug ID: 13932 Summary: Allow a header to be considered trusted to provide the userid Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: gmcharlt@gmail.com Reporter: robin@catalyst.net.nz QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org When Koha is placed behind an SSO system, it'd be useful to be able to get the user ID, like happens with basic auth. This patch allows a header to be considered an authoritative source of user ID. This only works with a plack-like environment, when apache is running Koha as CGI I think the headers come through using a different method. An example configuration would be: <Location /> ... mod_auth_mellon config goes here ... Header unset X_REMOTE_USER RequestHeader unset X_REMOTE_USER RequestHeader set X_REMOTE_USER %{MELLON_sfdcid}e </Location> (REMOTE_USER seems to have a special use to apache that means it doesn't work, hence using X_REMOTE_USER.) For testing, you can fake it by replacing the variable with something hardcoded and ignore all the SSO guff. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13932 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13932 --- Comment #1 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 38301 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=38301&action=edit Bug 13932: add support for a trusted HTTP header This adds support for a 'trusted_header' option in koha-conf.xml that specified an HTTP header that you trust that contains the userid. This is to allow Koha to be behind a reverse proxy (for example, running plack fronted by apache) that does user authentication/authorisation. Note: for reasons I can't really tell, this doesn't work when apache is running Koha as CGI, but does work under plack. Test plan: * have a koha-plack setup. * configure apache to send it a header: RequestHeader set X_REMOTE_USER "testuserid" * add <trusted_header>X_REMOTE_USER</trusted_header> to koha-conf.xml * verify that the user behaves as though they're logged in. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13932 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|gmcharlt@gmail.com |robin@catalyst.net.nz -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13932 --- Comment #2 from Robin Sheat <robin@catalyst.net.nz> --- Created attachment 38627 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=38627&action=edit Bug 13932: unset userenv when using trusted header As the trusted header system doesn't keep a session hanging around, when running with plack it can end up with the userenv of another user, which is bad. So this clears it forcing it to be recreated cleanly. -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13932 Zeno Tajoli <z.tajoli@cineca.it> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Medium patch -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org