From 1c3ce75dceaa195ca22601c2b14c0719cd149c5d Mon Sep 17 00:00:00 2001 From: Jeff Godin Date: Fri, 12 Oct 2012 09:44:25 -0400 Subject: [PATCH] Enable optional shared ses cookie for SSO-like use Enable a shared ses cookie which is set at the domain level and can then be used by other web based systems to verify an Evergreen user. One example would be EZproxy with one of the CGI authentication options. TODO: move shared_ses_domain_regex into a single location Signed-off-by: Jeff Godin --- Open-ILS/examples/apache/eg_vhost.conf | 4 ++ .../src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm | 82 ++++++++++++++++------ 2 files changed, 64 insertions(+), 22 deletions(-) diff --git a/Open-ILS/examples/apache/eg_vhost.conf b/Open-ILS/examples/apache/eg_vhost.conf index 9fd59b2604..66de6e89a8 100644 --- a/Open-ILS/examples/apache/eg_vhost.conf +++ b/Open-ILS/examples/apache/eg_vhost.conf @@ -551,6 +551,10 @@ RewriteRule ^/openurl$ ${openurl:%1} [NE,PT] PerlSetVar OILSWebWebDir "/openils/var/web" PerlSetVar OILSWebDefaultTemplateExtension "tt2" + # An optional domain-level cookie "shared_ses" which will contain the + # evergreen auth token in addition to the standard "ses" cookie + #PerlSetVar OILSWebSharedSesCookieDomain "example.org" + # Enable Template-Toolkit error debugging messages (apache error log) PerlSetVar OILSWebDebugTemplate "true" diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm index 4c4cd6c364..f05684be92 100644 --- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm +++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm @@ -27,6 +27,7 @@ use OpenILS::WWW::EGCatLoader::SMS; my $U = 'OpenILS::Application::AppUtils'; use constant COOKIE_SES => 'ses'; +use constant COOKIE_SHARED_SES => 'shared_ses'; use constant COOKIE_LOGGEDIN => 'eg_loggedin'; use constant COOKIE_PHYSICAL_LOC => 'eg_physical_loc'; use constant COOKIE_SSS_EXPAND => 'eg_sss_expand'; @@ -252,7 +253,7 @@ sub load_common { $ctx->{home_page} = 'http://' . $self->apache->hostname . $self->ctx->{opac_root} . "/home"; $ctx->{logout_page} = 'https://' . $self->apache->hostname . $self->ctx->{opac_root} . "/logout"; - if($e->authtoken($self->cgi->cookie(COOKIE_SES))) { + if($e->authtoken($self->cgi->cookie(COOKIE_SES)) || $e->authtoken($self->cgi->cookie(COOKIE_SHARED_SES))) { if($e->checkauth) { @@ -383,27 +384,47 @@ sub load_login { # both login-related cookies should expire at the same time my $login_cookie_expires = ($persist) ? CORE::time + $response->{payload}->{authtime} : undef; - return $self->generic_redirect( - $cgi->param('redirect_to') || $acct, - [ - # contains the actual auth token and should be sent only over https + my $cookies = [ + # contains the actual auth token and should be sent only over https + $cgi->cookie( + -name => COOKIE_SES, + -path => '/', + -secure => 1, + -value => $response->{payload}->{authtoken}, + -expires => $login_cookie_expires + ), + # contains only a hint that we are logged in, and is used to + # trigger a redirect to https + $cgi->cookie( + -name => COOKIE_LOGGEDIN, + -path => '/', + -secure => 0, + -value => '1', + -expires => $login_cookie_expires + ) + ]; + + if (defined($self->apache->dir_config('OILSWebSharedSesCookieDomain'))) { + my $shared_ses_domain = $self->apache->dir_config('OILSWebSharedSesCookieDomain'); + my $shared_ses_domain_regex = '\.' . $shared_ses_domain . '$'; + + if ($self->apache->hostname =~ /$shared_ses_domain_regex/) { + push @$cookies, + # an optional domain-shared copy of the auth token, useful for + # some SSO-like environments $cgi->cookie( - -name => COOKIE_SES, + -name => COOKIE_SHARED_SES, -path => '/', + -domain => $shared_ses_domain, -secure => 1, -value => $response->{payload}->{authtoken}, -expires => $login_cookie_expires - ), - # contains only a hint that we are logged in, and is used to - # trigger a redirect to https - $cgi->cookie( - -name => COOKIE_LOGGEDIN, - -path => '/', - -secure => 0, - -value => '1', - -expires => $login_cookie_expires - ) - ] + ); + } + } + + return $self->generic_redirect( + $cgi->param('redirect_to') || $acct, $cookies ); } @@ -418,10 +439,8 @@ sub load_logout { # while logged in, go ahead and clear it out. $self->clear_anon_cache; - return $self->generic_redirect( - $redirect_to || $self->ctx->{home_page}, - [ - # clear value of and expire both of these login-related cookies + my $cookies = [ + # clear value of and expire all of these login-related cookies $self->cgi->cookie( -name => COOKIE_SES, -path => '/', @@ -434,7 +453,26 @@ sub load_logout { -value => '', -expires => '-1h' ) - ] + ]; + + if (defined($self->apache->dir_config('OILSWebSharedSesCookieDomain'))) { + my $shared_ses_domain = $self->apache->dir_config('OILSWebSharedSesCookieDomain'); + my $shared_ses_domain_regex = '\.' . $shared_ses_domain . '$'; + + if ($self->apache->hostname =~ /$shared_ses_domain_regex/) { + push @$cookies, + $self->cgi->cookie( + -name => COOKIE_SHARED_SES, + -path => '/', + -domain => $shared_ses_domain, + -value => '', + -expires => '-1h' + ); + } + } + + return $self->generic_redirect( + $redirect_to || $self->ctx->{home_page}, $cookies ); } -- 2.11.0