File:
[LON-CAPA] /
loncom /
auth /
lonshibauth.pm
Revision
1.12:
download - view:
text,
annotated -
select for diffs
Wed Nov 3 01:04:02 2021 UTC (2 years, 10 months ago) by
raeburn
Branches:
MAIN
CVS tags:
HEAD
- Bug 6907
- Use of token to store linkprot or linkkey compatible with use of
btoken and iptoken (for load balancing and IP change respectively).
- Launching access from a deeplink, with its own ltoken and/or linkkey,
for a user session originally launched from a different deeplink will
update required session information.
1: # The LearningOnline Network
2: # Redirect Shibboleth authentication to designated URL (/adm/sso).
3: #
4: # $Id: lonshibauth.pm,v 1.12 2021/11/03 01:04:02 raeburn Exp $
5: #
6: # Copyright Michigan State University Board of Trustees
7: #
8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
9: #
10: # LON-CAPA is free software; you can redistribute it and/or modify
11: # it under the terms of the GNU General Public License as published by
12: # the Free Software Foundation; either version 2 of the License, or
13: # (at your option) any later version.
14: #
15: # LON-CAPA is distributed in the hope that it will be useful,
16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18: # GNU General Public License for more details.
19: #
20: # You should have received a copy of the GNU General Public License
21: # along with LON-CAPA; if not, write to the Free Software
22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23: #
24: # /home/httpd/html/adm/gpl.txt
25: #
26: # http://www.lon-capa.org/
27: #
28:
29: =head1 NAME
30:
31: Apache::lonshibauth - Redirect Shibboleth authentication
32:
33: =head1 SYNOPSIS
34:
35: Invoked when lonOtherAuthen is set to yes, and type is Shibboleth
36:
37: If server is configured as a Shibboleth SP, the main Apache
38: configuration file, e.g., /etc/httpd/conf/httpd.conf
39: (for RHEL/CentOS/Scentific Linux/Fedora) should contain:
40:
41: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
42:
43: or equivalent (depending on Apache version)
44: before the line to include conf/loncapa_apache.conf
45:
46: =head1 INTRODUCTION
47:
48: Redirects a user requiring Single Sign On via Shibboleth to a
49: URL -- /adm/sso -- on the server which is configured to use that service.
50:
51: =head1 HANDLER SUBROUTINE
52:
53: This routine is called by Apache and mod_perl.
54:
55: =over 4
56:
57: If $r->user defined and requested uri not /adm/sso
58: redirect to /adm/sso
59:
60: Otherwise return DECLINED
61:
62: =back
63:
64: =cut
65:
66: package Apache::lonshibauth;
67:
68: use strict;
69: use lib '/home/httpd/lib/perl/';
70: use Apache::lonnet;
71: use Apache::loncommon;
72: use Apache::lonacc;
73: use Apache::Constants qw(:common REDIRECT);
74: use LONCAPA qw(:DEFAULT :match);
75:
76: sub handler {
77: my $r = shift;
78: my $target = '/adm/sso';
79: if (&Apache::lonnet::get_saml_landing()) {
80: $target = '/adm/login';
81: }
82: if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne '/adm/sso')) {
83: my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
84: my $hostname = &Apache::lonnet::hostname($lonhost);
85: if (!$hostname) { $hostname = $r->hostname(); }
86: my $protocol = $Apache::lonnet::protocol{$lonhost};
87: unless ($protocol eq 'https') { $protocol = 'http'; }
88: my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
89: if (($alias ne '') &&
90: (&Apache::lonnet::alias_shibboleth($lonhost))) {
91: $hostname = $alias;
92: }
93: my $dest = $protocol.'://'.$hostname.$target;
94: if ($target eq '/adm/login') {
95: my $querystring = &set_token($r,$lonhost);
96: if ($querystring ne '') {
97: $dest .= '?'.$querystring;
98: }
99: } else {
100: my $uri = $r->uri;
101: if ($uri =~ m{^/tiny/$match_domain/\w+$}) {
102: my $querystring = &set_token($r,$lonhost);
103: if ($querystring ne '') {
104: $dest .= '?'.$querystring;
105: }
106: } else {
107: if ($r->args ne '') {
108: $dest .= (($dest=~/\?/)?'&':'?').$r->args;
109: }
110: unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) {
111: unless ($r->args =~ /origurl=/) {
112: $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri;
113: }
114: }
115: }
116: }
117: $r->header_out(Location => $dest);
118: return REDIRECT;
119: } else {
120: return DECLINED;
121: }
122: }
123:
124: sub set_token {
125: my ($r,$lonhost) = @_;
126: my ($firsturl,$querystring,$ssotoken,@names,%token);
127: @names = ('role','symb','ltoken','linkkey');
128: map { $token{$_} = 1; } @names;
129: unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) {
130: $firsturl = $r->uri;
131: }
132: if ($r->args ne '') {
133: &Apache::loncommon::get_unprocessed_cgi($r->args);
134: }
135: if ($r->uri =~ m{^/tiny/$match_domain/\w+$}) {
136: if ($env{'form.ttoken'}) {
137: my %info = &Apache::lonnet::tmpget($env{'form.ttoken'});
138: &Apache::lonnet::tmpdel($env{'form.ttoken'});
139: if ($info{'ltoken'}) {
140: $env{'form.ltoken'} = $info{'ltoken'};
141: } elsif ($info{'linkkey'} ne '') {
142: $env{'form.linkkey'} = $info{'linkkey'};
143: }
144: } else {
145: unless (($env{'form.ltoken'}) || ($env{'form.linkkey'})) {
146: &Apache::lonacc::get_posted_cgi($r,['linkkey']);
147: }
148: }
149: }
150: my $extras;
151: foreach my $name (@names) {
152: if ($env{'form.'.$name} ne '') {
153: if ($name eq 'ltoken') {
154: my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
155: &Apache::lonnet::tmpdel($env{'form.ltoken'});
156: if ($info{'linkprot'}) {
157: $extras .= '&linkprot='.&escape($info{'linkprot'});
158: last;
159: }
160: } else {
161: $extras .= '&'.$name.'='.&escape($env{'form.'.$name});
162: }
163: }
164: }
165: if (($firsturl ne '') || ($extras ne '')) {
166: $extras .= ':sso';
167: $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
168: $extras,$lonhost);
169: $querystring = 'sso='.$ssotoken;
170: }
171: if ($r->args ne '') {
172: foreach my $key (sort(keys(%env))) {
173: if ($key =~ /^form\.(.+)$/) {
174: my $name = $1;
175: next if (($token{$name}) || ($name eq 'ttoken'));
176: $querystring .= '&'.$name.'='.$env{$key};
177: }
178: }
179: }
180: return $querystring;
181: }
182:
183: 1;
184: __END__
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>