[LON-CAPA-cvs] cvs: doc /loncapafiles loncapafiles.lpml loncom loncapa_apache.conf loncom/auth lonshibacc.pm lonshibauth.pm
raeburn
raeburn at source.lon-capa.org
Mon Mar 5 15:51:33 EST 2012
raeburn Mon Mar 5 20:51:33 2012 EDT
Added files:
/loncom/auth lonshibauth.pm lonshibacc.pm
Modified files:
/loncom loncapa_apache.conf
/doc/loncapafiles loncapafiles.lpml
Log:
- Support for Single Sign On with Shibboleth 2.
Index: loncom/loncapa_apache.conf
diff -u loncom/loncapa_apache.conf:1.211 loncom/loncapa_apache.conf:1.212
--- loncom/loncapa_apache.conf:1.211 Tue Feb 28 15:14:25 2012
+++ loncom/loncapa_apache.conf Mon Mar 5 20:51:25 2012
@@ -1,7 +1,7 @@
##
## loncapa_apache.conf -- Apache HTTP LON-CAPA configuration file
##
-## $Id: loncapa_apache.conf,v 1.211 2012/02/28 15:14:25 raeburn Exp $
+## $Id: loncapa_apache.conf,v 1.212 2012/03/05 20:51:25 raeburn Exp $
##
#
@@ -52,6 +52,12 @@
PerlAuthenHandler Apache::checkauthen
PerlSetVar lonOtherAuthen no
+<IfModule mod_shib>
+ PerlAuthenHandler Apache::lonshibauth
+ PerlSetVar lonOtherAuthen yes
+ PerlSetVar lonOtherAuthenType Shibboleth
+</IfModule>
+
#PerlWarn On
<LocationMatch "^/+res/adm/pages/[^/]+\.(gif|png)$">
PerlAuthenHandler 'sub { return OK }'
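Review bot: The `<IfModule mod_shib>` block on lines 28-32 makes the mere presence of `LoadModule mod_shib` in httpd.conf the switch that replaces `Apache::checkauthen` with `Apache::lonshibauth` for every protected LON-CAPA location, with no separate opt-in setting. That is presumably the intent, but an operator who loads the module for an unrelated vhost on the same server would flip the whole site to SSO without editing loncapa_apache.conf. I would record that in place, e.g. `# Loading mod_shib in httpd.conf selects Shibboleth SSO for the whole server`, and if a deliberate opt-in is wanted, additionally gate the block on a PerlSetVar rather than on module presence alone.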
@@ -663,6 +669,18 @@
PerlHandler Apache::migrateuser
</Location>
+<Location /adm/sso>
+ <IfModule mod_shib>
+ AuthType shibboleth
+ ShibUseEnvironment On
+ ShibRequestSetting requireSession 1
+ ShibRequestSetting redirectToSSL 443
+ require valid-user
+ PerlAuthzHandler Apache::lonshibacc
+ PerlAuthzHandler Apache::lonacc
+ </IfModule>
+</Location>
+
<Location /adm/annotations>
AuthType LONCAPA
Require valid-user
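Review bot: `require valid-user` on line 46 accepts any principal asserted by an IdP the SP trusts, and the following `Apache::lonshibacc` only strips the scope when it equals the internet domain of the configured LON-CAPA domain; any other identifier reaches `Apache::lonacc` unchanged, in scoped form. Whether such identifiers are then rejected depends on lonacc, which this commit does not touch, so the restriction on acceptable scopes belongs in the SP's attribute policy and the expectation should be written here, e.g. `# REMOTE_USER is expected to be a scoped identifier (name@domain); restrict accepted scopes in the SP attribute policy`. Using `ShibUseEnvironment On` rather than request headers is the safer choice, since it avoids the header-spoofing concern.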
Index: doc/loncapafiles/loncapafiles.lpml
diff -u doc/loncapafiles/loncapafiles.lpml:1.788 doc/loncapafiles/loncapafiles.lpml:1.789
--- doc/loncapafiles/loncapafiles.lpml:1.788 Mon Feb 27 03:06:43 2012
+++ doc/loncapafiles/loncapafiles.lpml Mon Mar 5 20:51:32 2012
@@ -2,7 +2,7 @@
"http://lpml.sourceforge.net/DTD/lpml.dtd">
<!-- loncapafiles.lpml -->
-<!-- $Id: loncapafiles.lpml,v 1.788 2012/02/27 03:06:43 raeburn Exp $ -->
+<!-- $Id: loncapafiles.lpml,v 1.789 2012/03/05 20:51:32 raeburn Exp $ -->
<!--
@@ -5864,6 +5864,24 @@
<status>works/unverified</status>
</file>
<file>
+ <source>loncom/auth/lonshibauth.pm</source>
+ <target dist='default'>home/httpd/lib/perl/Apache/lonshibauth.pm</target>
+ <categoryname>handler</categoryname>
+ <description>Redirect Shibboleth authentication to Single Sign On
+ i.e., to: /adm/sso
+ </description>
+ <status>works/unverified</status>
+</file>
+<file>
+ <source>loncom/auth/lonshibacc.pm</source>
+ <target dist='default'>home/httpd/lib/perl/Apache/lonashibacc.pm</target>
+ <categoryname>handler</categoryname>
+ <description>Authorization handler used to remove trailing @internet dom
+ from Shibboleth authenticated username (e.g., @mit.edu).
+ </description>
+ <status>works/unverified</status>
+</file>
+<file>
<source>loncom/lonnet/perl/lonrep.pm</source>
<target dist='default'>home/httpd/lib/perl/Apache/lonrep.pm</target>
<categoryname>handler</categoryname>
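Review bot: The install target on line 79, `home/httpd/lib/perl/Apache/lonashibacc.pm`, does not match the source file `loncom/auth/lonshibacc.pm` on line 78 nor the package `Apache::lonshibacc` that loncapa_apache.conf registers as a PerlAuthzHandler, so after installation the module would not be found under the name Apache loads. The line should read `<target dist='default'>home/httpd/lib/perl/Apache/lonshibacc.pm</target>`.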
Index: loncom/auth/lonshibauth.pm
+++ loncom/auth/lonshibauth.pm
# The LearningOnline Network
# Redirect Shibboleth authentication to designated URL (/adm/sso).
#
# $Id: lonshibauth.pm,v 1.1 2012/03/05 20:51:29 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
=head1 NAME
Apache::lonshibauth - Redirect Shibboleth authentication
=head1 SYNOPSIS
Invoked when lonOtherAuthen is set to yes, and type is Shibboleth
If server is configured as a Shibboleth SP, the main Apache
configuration file, e.g., /etc/httpd/conf/httpd.conf
(for RHEL/CentOS/Scientific Linux/Fedora) should contain:
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
or equivalent (depending on Apache version)
before the line to include conf/loncapa_apache.conf
=head1 INTRODUCTION
Redirects a user requiring Single Sign On via Shibboleth to a
URL -- /adm/sso -- on the server which is configured to use that service.
=head1 HANDLER SUBROUTINE
This routine is called by Apache and mod_perl.
=over 4
If $r->user is empty (no authenticated user yet) and the requested URI is not /adm/sso,
redirect to /adm/sso.
Otherwise return DECLINED.
=back
=cut
package Apache::lonshibauth;
use strict;
use lib '/home/httpd/lib/perl/';
use Apache::Constants qw(:common);
use LONCAPA qw(:DEFAULT);
# Authentication handler: sends a request that carries no authenticated
# user to the Shibboleth-protected SSO entry point (/adm/sso) on this
# server, preserving the original query string.
#
# Arguments: $r - the Apache request object.
# Returns:   REDIRECT (with Location set) when $r->user is empty and the
#            request is not already for /adm/sso; DECLINED otherwise.
#
# NOTE(review): this file does not itself "use Apache::lonnet"; it relies
# on Apache::lonnet having been loaded elsewhere (e.g. via LONCAPA or a
# mod_perl startup script) before absolute_url() is called.
sub handler {
    my ($r) = @_;
    my $sso_uri = '/adm/sso';

    # Already authenticated, or already at the SSO entry point: leave the
    # request to the remaining handlers.
    return DECLINED if (($r->user ne '') || ($r->uri() eq $sso_uri));

    # NOTE(review): the redirect target host comes from $r->hostname(),
    # which reflects the request's Host header unless Apache canonicalises
    # it (UseCanonicalName) -- a server that answers arbitrary Host values
    # would redirect to whatever host the client named. Confirm the vhost
    # configuration pins this.
    my $location = &Apache::lonnet::absolute_url($r->hostname()).$sso_uri;

    # Populate %ENV from the request (mod_perl 1 idiom) so the original
    # query string can be carried over to /adm/sso unchanged.
    $r->subprocess_env;
    my $query = $ENV{'QUERY_STRING'};
    $location .= '?'.$query if ($query ne '');

    $r->header_out(Location => $location);
    return REDIRECT;
}
1;
__END__
Index: loncom/auth/lonshibacc.pm
+++ loncom/auth/lonshibacc.pm
# The LearningOnline Network
# Authorization handler for Shibboleth authenticated users
#
# $Id: lonshibacc.pm,v 1.1 2012/03/05 20:51:29 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
=head1 NAME
Apache::lonshibacc - Authorization handler if Shibboleth-authenticated
=head1 SYNOPSIS
Invoked for /adm/sso by
/etc/httpd/conf/loncapa_apache.conf:
PerlAuthzHandler Apache::lonshibacc
=head1 INTRODUCTION
Authorization handler used to remove the trailing @<internet domain>
suffix (e.g., @mit.edu) from a Shibboleth-authenticated username.
After making any change to $r->user, it returns DECLINED so that
lonacc.pm is invoked as the next authorization handler:
PerlAuthzHandler Apache::lonacc
=head1 HANDLER SUBROUTINE
This routine is called by Apache and mod_perl.
=cut
package Apache::lonshibacc;
use strict;
use lib '/home/httpd/lib/perl/';
use Apache::lonnet;
use Apache::Constants qw(:common);
use LONCAPA qw(:DEFAULT);
# Authorization handler run for /adm/sso after mod_shib has populated
# $r->user with the Shibboleth identifier.  When that identifier has the
# form <name>@<internet domain of the configured LON-CAPA domain>, the
# suffix is stripped so that lonacc (the next PerlAuthzHandler) sees a
# plain LON-CAPA username.  Always returns DECLINED so the chain continues.
#
# Arguments: $r - the Apache request object.
# Reads:     PerlSetVar lonSSOUserDomain (preferred), falling back to
#            lonDefDomain, to decide which LON-CAPA domain SSO users
#            belong to.
sub handler {
    my ($r) = @_;
    my $sso_user = $r->user;
    return DECLINED if ($sso_user eq '');

    # Which LON-CAPA domain do SSO logins map to?  The SSO-specific
    # setting wins; otherwise use the server's default domain.  With
    # neither configured the identifier is passed through untouched.
    my $domain = $r->dir_config('lonSSOUserDomain');
    $domain = $r->dir_config('lonDefDomain') if ($domain eq '');
    return DECLINED if ($domain eq '');

    # Only the internet domain registered for the domain's primary
    # library server (e.g. mit.edu) is accepted as the suffix to strip.
    my $primary = &Apache::lonnet::domain($domain,'primary');
    my $suffix  = &Apache::lonnet::internet_dom($primary);

    # \Q..\E keeps metacharacters in the suffix literal; the match is
    # case-insensitive because DNS names are.  Only \w characters are
    # allowed in the local part, so an identifier such as j.doe@mit.edu
    # does not match and reaches lonacc still in scoped form.
    if ($sso_user =~ /^(\w+)\@\Q$suffix\E$/i) {
        $r->user($1);
    }
    return DECLINED;
}
1;
__END__