Home > mod_authnz_wind

mod_authnz_wind

Mod_authnz_wind is a project mainly written in Python, it's free.

mod python authentication for CAS-like Single Sign On

Download

mod_wind with mod_python version:0.9.5 author:Schuyler Duveen email:[email protected] sponsor:Columbia Center for New Media Teaching and Learning

This is an authentication/authorization handler for apache and mod_python which use Columbia University's Wind protocol: http://www.columbia.edu/acis/webdev/wind.html http://www.columbia.edu/acis/rad/authmethods/wind/index.html based largely on Yale's CAS authentication.

This was done, because I didn't want to implement wind groups support in C (hacking mod_cas). However, it basically works exactly the same, and has an order of magnitude less code.

DOWNLOAD

SVN Repository: http://svn.cc.columbia.edu/svn/ccnmtl/mod_authnz_wind/ Browse at: http://svn.cc.columbia.edu/viewvc/auth/mod_authnz_wind/?root=ccnmtl

INSTALL

Before you install, you may want to edit the constants at the top of the mod_authnz_wind/init.py.

Python and mod_python are necessary before continuing.
Once you do that, if you have setup_tools, just run 'easy_install .' in the mod_authnz_wind directory with the file setup.py in it. Without setup_tools, the important thing is that mod_authnz_wind (with init..py) is in a directory in mod_python's PYTHONPATH (usually someplace like /usr/lib/python2.4/site-packages).

Once you do that, if you have setup_tools, just run 'easy_install .' in the mod_authnz_wind directory with the file setup.py in it. setup_tools is an optional package, and you might not have it installed, or in your path.

Note: If you can not write to the Python directory, or want to install the module in a different location, you can install a virtual instance of python that is seperate. Directions for installing and using virtual python can be found at:

http://peak.telecommunity.com/DevCenter/EasyInstall#creating-a-virtual-python

You're on your own on installing mod_python, but it's a lot easier than mod_perl.

Once everything's installed, do something like this in your Apache Conf:

#you MUST change the WindService to your service name PythonOption WindService MY_WIND_SERVICE_HERE PythonAuthenHandler mod_authnz_wind PythonAuthzHandler mod_authnz_wind AuthType Wind AuthName "Restricted Area" require valid-user #require group unixgroup.cunix.local:columbia.edu #require user sbd12

For mod_python version 3.1 (and less than 3.2), mod_python can't determine whether requests are through http or https, so you must set this with another PythonOption. Add this line, setting to 'http' or 'https': PythonOption HttpOrHttps http

You might want to debug/test it by putting it in an apache-accessible directory and set it up like:

AddHandler mod_python .py PythonOption WindService MY_WIND_SERVICE_HERE PythonAuthenHandler mod_authnz_wind PythonAuthzHandler mod_authnz_wind PythonHandler mod_authnz_wind PythonDebug On AuthType Wind AuthName "Restricted Area" require valid-user #require group unixgroup.cunix.local:columbia.edu #require user abc123 sbd12

ANONYMOUS PASSTHROUGH

Sometimes you want Wind authentication to be 'optional'--only if someone has a wind account will they login and get privileged access. Anonymous passthrough is enabled with:

#warning: setting it to 'False' still keeps it on, 
#if you set it to anything, it must be "" to disable
PythonOption AnonymousPassthrough True

Then, the website is responsible for directing Wind users to authenticate. Until someone clicks to login with Wind, they are 'authenticated' as user "anonymous" Both the anonymous username and anonymous groups are configurable with more python options:

changes anonymous username to 'guest'

PythonOption AnonymousUser guest
#adds the groups 'student' and 'columbia' to an anonymous user
PythonOption AnonymousGroups student,columbia

TROUBLESHOOTING

  1. Wind services are often url-specific. If you're trying to set this up at another URL/hostname then Wind won't forward after login, if your Wind service is not generic.
  2. The Wind service should be setup to return plain-text response (not XML)

CHANGES

version 0.9.7

  • fix anonymous passthrough after anonymous session state
  • remove LOGOUT_ARG from wind login redirect url version 0.9.6
  • allow Anonymous passthrough version 0.9.5
  • fixed locking bug triggered by Session.Session(req) observed occasionally in login/logout/re-login patterns
  • PythonOption HttpOrHttps so modpython 3.1 doesn't constantly give errors
  • If WindService is not set and WIND_SERVICE is empty string then service argument is not sent in Wind redirect to comply with deprecated service argument. version 0.9.4
  • PythonOption WindService so you don't have to hard code it version 0.9.3
  • support for mod_python 3.1(.4) with subrequests version 0.9.1
  • improve sub-request authorization version 0.9
  • fixed bug with apache sub-requests
  • supports https version 0.8
  • no longer using Session across authz so code is less hacky and 'PythonOption ApplicationPath /' is unnecessary
  • supports coming from ports other than 80

TODO

  1. handle the error strings that validate_windticket() returns better
  2. support Wind's XML format
Previous:EPrints-Document-List

©2024 OSPHUB.COM