View Issue Details
Field | Value
---|---
ID | 0012458
Project | mantisbt
Category | api soap
View Status | public
Date Submitted | 2010-10-18 10:55
Last Update | 2018-03-31 20:05
Reporter | zigo73
Assigned To |
Priority | normal
Severity | minor
Reproducibility | always
Status | new
Resolution | open
Product Version | 1.2.3
Summary | 0012458: Problem with HTTP_AUTH and Web Services
Description: My MantisBT site is authenticated by Apache using mod_auth_kerb over HTTPS with both SPNEGO and BASIC_AUTH enabled. I have applied the patch described at http://www.eiben.weite-welt.com/2007/04/mantis_iwa/ to enable SPNEGO authentication. function mci_check_login() is used for every web services method to check authentication, but it expects a username and password to be provided for each call, which is not the case for authentication managed by Apache. I have patched the mc_api.php file this way to make it work:

```php
# return user_id if successful, otherwise false.
function mci_check_login( $p_username, $p_password ) {
}
```

authentication_api.php is patched as follows (sso_user_regex is a regex used to strip the '@DOMAIN' suffix from the username in the HTTP header):

```php
function auth_prepare_username( $p_username ) {
}
```
Steps To Reproduce: Access MantisBT via Eclipse 3.6 and mylyn-mantis 3.4.0 (use the latest nightly build to avoid a NullPointerException) and configure the task repository to use HTTP Authentication. Patch MantisBT as described above to enable SPNEGO.
Tags: patch
Attached Files: http_auth_web_services_mantisbt1.2.3.patch (3,147 bytes)
From 028b683b3659090898b333de368ccfd0146d5b65 Mon Sep 17 00:00:00 2001 From: Alberto Zigoni <alberto.zigoni@gmail.com> Date: Tue, 19 Oct 2010 12:14:33 +0200 Subject: [PATCH] patch for HTTP_AUTH and web services --- api/soap/mc_api.php | 10 +++++++++- core/authentication_api.php | 18 ++++++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/api/soap/mc_api.php b/api/soap/mc_api.php index bcd8cc4..2d0f999 100644 --- a/api/soap/mc_api.php +++ b/api/soap/mc_api.php @@ -36,12 +36,20 @@ function mci_is_mantis_offline() { # return user_id if successful, otherwise false. function mci_check_login( $p_username, $p_password ) { + + # Alberto Zigoni: patch for HTTP authentication + $t_login_method = config_get( 'login_method' ); + if(HTTP_AUTH == $t_login_method) { + $p_username = auth_prepare_username(''); + } + # End patch + if( mci_is_mantis_offline() ) { return false; } # if no user name supplied, then attempt to login as anonymous user. - if( is_blank( $p_username ) ) { + if( is_blank( $p_username )) { $t_anon_allowed = config_get( 'allow_anonymous_login' ); if( OFF == $t_anon_allowed ) { return false; diff --git a/core/authentication_api.php b/core/authentication_api.php index 32961f1..b81a5ea 100644 --- a/core/authentication_api.php +++ b/core/authentication_api.php @@ -112,6 +112,16 @@ function auth_prepare_username( $p_username ) { break; case HTTP_AUTH: if( !auth_http_is_logout_pending() ) { + /* Patch for HTTP authentication + * Add these two variables in config_inc.php + * $g_login_method = HTTP_AUTH; + * $g_sso_user_regex = '/^(.*)@<YOUR DOMAIN>$/i'; + */ + if (isset($_SERVER['REMOTE_USER'])) { + preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match); + $f_username = $user_match[1]; + } + /* End patch */ if( isset( $_SERVER['PHP_AUTH_USER'] ) ) { $f_username = $_SERVER['PHP_AUTH_USER']; } 
@@ -144,6 +154,9 @@ function auth_prepare_password( $p_password ) { break; case HTTP_AUTH: if( !auth_http_is_logout_pending() ) { + if (isset($_SERVER['REMOTE_USER'])) { # $_SERVER['AUTH_TYPE'] == 'Negotiate' ) + $f_password = ''; + } /* this will never get hit - see auth_prepare_username */ if( isset( $_SERVER['PHP_AUTH_PW'] ) ) { @@ -226,7 +239,8 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) { if( !user_is_anonymous( $t_user_id ) ) { # anonymous login didn't work, so check the password - if( !auth_does_password_match( $t_user_id, $p_password ) ) { + # if( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( HTTP_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } @@ -778,7 +792,7 @@ function auth_get_current_user_id() { if( null !== $g_cache_current_user_id ) { return $g_cache_current_user_id; } - + $t_cookie_string = auth_get_current_user_cookie(); if( $t_result = user_search_cache( 'cookie_string', $t_cookie_string ) ) { -- 1.7.3.1 0001-Enable-MantisBT-to-participate-in-SSO-scenarios.patch (3,691 bytes)
From b767230c7a3135e3e1f0360738d9ecbde60c28df Mon Sep 17 00:00:00 2001 From: Alberto Zigoni <alberto.zigoni@gmail.com> Date: Tue, 8 Feb 2011 01:50:54 +0200 Subject: [PATCH] Enable MantisBT to participate in SSO scenarios When MantisBT is part of a larger installation it is not unusual for logins to be delegated to another service, which in turn sets an HTTP header with the authentication result. This commit allows MantisBT to participate in such scenarios. Signed-off-by: Robert Munteanu <robert.munteanu@gmail.com> --- api/soap/mc_api.php | 6 ++++++ config_defaults_inc.php | 16 ++++++++++++++-- core/authentication_api.php | 11 ++++++++++- 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/api/soap/mc_api.php b/api/soap/mc_api.php index 2306eb1..cef1ffa 100644 --- a/api/soap/mc_api.php +++ b/api/soap/mc_api.php @@ -36,6 +36,12 @@ function mci_is_mantis_offline() { # return user_id if successful, otherwise false. function mci_check_login( $p_username, $p_password ) { + + $t_login_method = config_get( 'login_method' ); + if(HTTP_AUTH == $t_login_method) { + $p_username = auth_prepare_username(''); + } + if( mci_is_mantis_offline() ) { return false; } diff --git a/config_defaults_inc.php b/config_defaults_inc.php index aab2e35..8061226 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php 
@@ -2639,13 +2639,25 @@ $g_allow_no_category = OFF; /** * login method - * CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH. You can simply change this at - * will. MantisBT will try to figure out how the passwords were encrypted. + * CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or HTTP_AUTH. You can simply change + * this at will. MantisBT will try to figure out how the passwords were encrypted. * @global int $g_login_method */ $g_login_method = MD5; /** + * SSO regular expression for matching users + * + * <p>This is only useful when <tt>$g_login_method</tt> is set to <tt>HTTP_AUTH</tt> + * as it will extract the username from the HTTP headers.</p> + * + * <p>Example value: <tt>'/^(.*)@example.com$/i';</tt></p> + * + * @global int $g_sso_user_regex + */ +$g_sso_user_regex = ''; + +/** * limit reporters. Set to ON if you wish to limit reporters to only viewing * bugs that they report. * @global int $g_limit_reporters diff --git a/core/authentication_api.php b/core/authentication_api.php index 631fb0c..0dc8c28 100644 --- a/core/authentication_api.php +++ b/core/authentication_api.php @@ -146,6 +146,12 @@ function auth_prepare_username( $p_username ) { break; case HTTP_AUTH: if( !auth_http_is_logout_pending() ) { + + if (isset($_SERVER['REMOTE_USER'])) { + preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match); + $f_username = $user_match[1]; + } + if( isset( $_SERVER['PHP_AUTH_USER'] ) ) { $f_username = $_SERVER['PHP_AUTH_USER']; } @@ -178,6 +184,9 @@ function auth_prepare_password( $p_password ) { break; case HTTP_AUTH: if( !auth_http_is_logout_pending() ) { + if (isset($_SERVER['REMOTE_USER'])) { + $f_password = ''; + } /* this will never get hit - see auth_prepare_username */ if( isset( $_SERVER['PHP_AUTH_PW'] ) ) { 
@@ -260,7 +269,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) { if( !user_is_anonymous( $t_user_id ) ) { # anonymous login didn't work, so check the password - if( !auth_does_password_match( $t_user_id, $p_password ) ) { + if ( HTTP_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) ) { user_increment_failed_login_count( $t_user_id ); return false; } -- 1.7.1 | ||||
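Review bot: in the mc_api.php hunk of http_auth_web_services_mantisbt1.2.3.patch, the `-        if( is_blank( $p_username ) ) {` / `+        if( is_blank( $p_username )) {` pair is a whitespace-only change unrelated to the fix and departs from the spacing style of the surrounding code; drop it. The `# Alberto Zigoni: patch for HTTP authentication` and `# End patch` markers should go as well: authorship belongs in the commit metadata, not in inline comments.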
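Review bot: the auth_attempt_login hunk of http_auth_web_services_mantisbt1.2.3.patch keeps the old condition as a commented-out line (`+ # if( !auth_does_password_match( $t_user_id, $p_password ) ) {`) right beside its replacement; remove it, since git history already records the previous version.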
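Review bot: the auth_get_current_user_id hunk of http_auth_web_services_mantisbt1.2.3.patch replaces one blank line with another (no visible change, presumably trailing whitespace) and has nothing to do with the feature; leave it out so the patch touches only what it needs to.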
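Review bot: in the config_defaults_inc.php hunk of 0001-Enable-MantisBT-to-participate-in-SSO-scenarios.patch, `$g_sso_user_regex = '';` is not a usable default: `preg_match()` with an empty pattern emits a warning and returns false, so every HTTP_AUTH login through the authentication_api.php change would fail until an administrator sets a value. Default to a match-everything pattern such as `'/^(.*)$/'` (the `(.*)` default suggested in the discussion) and document the mod_auth_kerb form next to it. In the same docblock, `@global int $g_sso_user_regex` should be `string`, and the example `'/^(.*)@example.com$/i';` carries a stray semicolon and an unescaped dot.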
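Review bot: `preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match);` in the auth_prepare_username hunk of 0001-Enable-MantisBT-to-participate-in-SSO-scenarios.patch never checks its return value, so when REMOTE_USER does not match the pattern (a non-Kerberos principal, or a bad pattern) `$user_match[1]` is undefined, `$f_username` becomes empty with a PHP notice, and the login falls through silently; test for `1 === preg_match( ... )` and treat no-match as no identity. The unchanged `if( isset( $_SERVER['PHP_AUTH_USER'] ) )` block that follows also overwrites `$f_username` whenever both server variables are set (the reporter runs SPNEGO and Basic auth side by side), which undoes the realm stripping; put the PHP_AUTH_USER lookup in an else branch of the REMOTE_USER check.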
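Review bot: `if ( HTTP_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) )` in the auth_attempt_login hunk of 0001-Enable-MantisBT-to-participate-in-SSO-scenarios.patch ties the password bypass to the configured login method alone, not to whether the username actually came from the web server. Any path that reaches auth_attempt_login with a caller-supplied username while login_method is HTTP_AUTH now succeeds without a password, so the bypass should depend on the identity having been taken from `$_SERVER['REMOTE_USER']` (for example a flag set in auth_prepare_username) rather than on the config value. `$t_login_method` is also not defined anywhere in the visible hunk context; confirm it is assigned earlier in this function.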
Related to: 0011084 (acknowledged) Login Dialog keeps popping up when using HTTP_AUTH
Thanks for the patch and for the detailed explanation. Can you provide a git patch as outlined at http://docs.mantisbt.org/master/en/developers.html#DEV.CONTRIB.SUBMIT?

Here is the patch. It is my first time with Git; I hope I have not messed it up.

The patch looks fine so far. Excellent even, given that it's your first git patch :-) A couple of comments:

If you require the g_sso_user_regex parameter, how about making it something which is globally useful, like (.*)(@.*)? I don't know off the top of my head if that really works, but I would like to make it as easy and usable out of the box as possible.

Well, the thing is that only in Kerberos-based authentication does the user take the form of username@KERBEROS.REALM. When using other kinds of HTTP authentication (for example, using a DB) there is no need to strip off the '@REALM' part. In fact, your regex (.*)(@.*) would not even work in the case of non-Kerberos-based HTTP authentication:
This is the reason behind using a regular expression. Anyway, I have only experimented with mod_auth_kerb so far.

Thanks for pointing this out. Then I suggest adding a default regexp like (.*), and suggesting what good values you have for mod_auth_kerb in the default value documentation and in the reference guide. We can add more documentation later, if available.

Rombert, that's fine with me. I am not a PHP developer, I just needed to make things work, so I've done it "quick and dirty". Let me know if you need more help; I will be glad to help test this feature in upcoming versions. I think Integrated Windows Authentication is something very interesting to provide as a standard Mantis feature.

OK then. Can you please add (either in the patch or as an issue comment) some suggestions regarding the good values for 'sso_user_regex' that you know of?

I think that for mod_auth_kerb-based authentication, a good regular expression is '/^(.*)@YOUR.KERBEROS.REALM$/i'. To make it simpler, you could define a boolean variable called something like "spnego_strip_off_realm" to decide, in the case of SPNEGO authentication, whether the realm should be stripped off or not. In that case, you can simply evaluate a substring of the REMOTE_USER env variable. Anyway, I think the best way to implement this would be as a Mantis plugin.

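A defensive version of the REMOTE_USER mapping discussed in this thread, added here as an example and not taken from MantisBT or the attached patches. It assumes the helper names, treats an empty regex setting as "use the principal unchanged", and uses constructed sample principals with a placeholder realm:

```php
<?php
// Added example, not MantisBT code: a defensive REMOTE_USER -> username mapping
// for the sso_user_regex idea in this thread. Function names are assumed.

// Map the principal Apache placed in REMOTE_USER to a MantisBT username.
// $p_regex is the sso_user_regex setting; '' here means "use REMOTE_USER as-is"
// (an assumed convention, since an empty pattern makes preg_match() fail).
// Returns '' when no trusted identity is present or the pattern does not match,
// so the caller can fall back to the normal login path instead of accepting
// a caller-supplied name without a password.
function sso_username_from_server( array $p_server, $p_regex ) {
    if( !isset( $p_server['REMOTE_USER'] ) || '' === $p_server['REMOTE_USER'] ) {
        return '';
    }
    $t_remote_user = $p_server['REMOTE_USER'];
    if( '' === $p_regex ) {
        return $t_remote_user;
    }
    // preg_match() returns 1 on match, 0 on no match and false on a bad pattern;
    // the attached patches read $user_match[1] without this check.
    if( 1 !== preg_match( $p_regex, $t_remote_user, $t_match ) || !isset( $t_match[1] ) ) {
        return '';
    }
    return $t_match[1];
}

// The boolean "strip the realm" alternative proposed above, without a regex.
// Only the configured realm is removed, so a principal from another realm is
// not silently mapped onto a local account with the same short name.
function sso_strip_realm( $p_remote_user, $p_realm ) {
    $t_suffix = '@' . $p_realm;
    $t_len = strlen( $t_suffix );
    if( strlen( $p_remote_user ) > $t_len
        && 0 === strcasecmp( substr( $p_remote_user, -$t_len ), $t_suffix ) ) {
        return substr( $p_remote_user, 0, -$t_len );
    }
    return $p_remote_user;
}

// Constructed sample principals; EXAMPLE.COM is a placeholder realm.
$t_regex = '/^(.*)@EXAMPLE\.COM$/i';
var_dump( sso_username_from_server( array( 'REMOTE_USER' => 'alice@EXAMPLE.COM' ), $t_regex ) ); // Kerberos principal
var_dump( sso_username_from_server( array( 'REMOTE_USER' => 'bob' ), $t_regex ) );               // non-Kerberos user
var_dump( sso_username_from_server( array( 'REMOTE_USER' => 'carol' ), '' ) );                   // no regex configured
var_dump( sso_username_from_server( array(), $t_regex ) );                                       // no identity header
var_dump( sso_strip_realm( 'alice@EXAMPLE.COM', 'EXAMPLE.COM' ) );                               // configured realm
var_dump( sso_strip_realm( 'alice@OTHER.COM', 'EXAMPLE.COM' ) );                                 // different realm
```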
Thanks. I'm going to focus on getting the patch implemented and documented. We'll see about convenience later.

I've added all the core devs here, since this is as far as I can go with my review. I do not know that part of the code well, and will not be able to commit it. @core devs: I would appreciate it if one of you could take it from here, as I've done all I dare for this issue.

Agreed with the idea. Just some comments on the patch from 2011-02-07:
Otherwise the patch seems OK from what I can see. I have changed the target version from 1.2.x to 1.3.x as the stable branch should not be seeing new features - that should be reserved for the development branch. Well done!

Is this issue still alive? I took a look at the nightly build towards 1.3.x, but last night I couldn't see any of the proposed changes in mc_api.php and authentication_api.php. Of course I will adjust my 1.2.x installation using zigo73's explanation, thanks! :)

I'm going to have a look after the next release.

Rombert, given our discussion the other day, where do we stand on fixing this sort of thing? :) Paul