[Zope] Zope PAS for pubcookie authentication
cristopher pierson ewing
cewing at u.washington.edu
Tue Nov 21 16:52:25 EST 2006
Hi, rank newbie here, so please be gentle if I'm being stupid.
I was here last week a bit looking into authentication using the pubcookie
SSO. I've gotten a working version that allows me to log into the ZMI and
I want to verify a few things, mostly if I'm opening any huge security
holes that I'm not familiar enough with the system to see. Also I have a
few questions about how the plugins for various PAS functions get selected
and how to tell which is working at any given time.
Anyway, here's the meat of the process.
Pubcookie sets up a situation using an apache module where requests to
protected URLs get forwarded to an auth server where username and password
are checked, and a cookie is set containing the username. There is an
additional apache mod called mod_fba (fake basic authentication) which
then takes the information returned by the pubcookie server and packages
it as if it were a basic authentication, setting the login to the username
returned by pubcookie.
I've started messing with this all by using the PASPlugins plugin called
apachepas as a base. It seemed a good place to start as the
authentication piece is handled by apache.
Apachepas defines two plugins, an ExtractionPlugin and an AuthPlugin. The
extraction plugin as I've rewritten it contains the following method:
    def extractCredentials(self, request):
        """
        extract credentials
        """
        # REMOTE_USER is the login that mod_fba hands on from pubcookie
        user_id = request.getHeader('REMOTE_USER', None)
        if not user_id:
            return None
        return {'user_id': user_id}
The AuthPlugin as I've rewritten it contains the following method:
    def authenticateCredentials(self, credentials):
        """See IAuthenticationPlugin.
        """
        # note the key here is 'login', not the 'user_id' set above
        user_id = credentials.get('login', None)
        if user_id is None:
            return None
        # (user_id, login) tuple expected by PAS
        return user_id, user_id
Now, here's my first question. Astute observers may notice that the name
for the login name in the credentials used by authenticateCredentials is
different than the name set for the login in extractCredentials. This is
because when I peeked at the credentials passed in to
authenticateCredentials, it appears to be using a different set of
credentials than I set. I'm thinking I must be missing a step in there
somewhere, but I don't know what it is. Is there some method being called
somewhere that takes the {'user_id': user_id} tuple returned by
extractCredentials and repackages it into a credentials tuple that looks
like this:
{'extractor': 'credentials_basic_auth', 'login': 'myname', 'password': 'password', 'remote_host': '', 'remote_address': 'some.address.com'}?
Or, is it that my extractCredentials plugin is not being used, despite
being the first listed on the 'active' list for extraction plugins?
Second question:
if it is possible that the credentials returned might look different
depending on which extraction plugin is used, is there a good way for me
to code the authenticateCredentials plugin so that it can get the right
element as user_id and return it? Where do the stock plugins for PAS live
on disk? I'd love to look them over.
Third question:
How do plugins get selected for PAS tasks like extraction? Is there a way
to force the selection of my tool? Or would that break everything?
Thanks for helping a newbie here. I'm getting up to speed slowly.
Cris
********************************
Cris Ewing
CME and Telehealth Web Services
Department of Radiology Web Services
University of Washington
School of Medicine
Work Phone: (206) 685-9116
Home Phone: (206) 365-3413
E-mail: cewing at u.washington.edu
*******************************
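An added example (not the poster's code and not part of PAS) showing one way to handle the two credential shapes mentioned in the second question while closing the gap the first question worries about: if Zope is reachable without going through the Apache host that runs pubcookie and mod_fba, a direct client can forge either a Basic header or a Remote-User header, so the identity is only believed when the request came from that host. The plugin methods are written as plain functions over a CGI-style environ dict so they run without Zope; the TRUSTED_PROXIES set, the 'pubcookie_fba' extractor name and the sample addresses are assumptions made for this example.

```python
# Address of the Apache front end running pubcookie + mod_fba (constructed value).
TRUSTED_PROXIES = {"127.0.0.1"}


def extract_credentials(environ):
    """Counterpart of extractCredentials over a CGI/WSGI-style environ dict.

    Reads the server-set variable REMOTE_USER only. Any HTTP_* variable
    (e.g. HTTP_REMOTE_USER) is derived from a request header the client
    chose to send, so it is never consulted.
    """
    user_id = environ.get("REMOTE_USER")
    if not user_id:
        return None
    return {
        "extractor": "pubcookie_fba",
        "user_id": user_id,
        "remote_address": environ.get("REMOTE_ADDR", ""),
    }


def authenticate_credentials(credentials):
    """Counterpart of authenticateCredentials, accepting both shapes seen in
    the post: {'user_id': ...} from the custom extractor and
    {'extractor': 'credentials_basic_auth', 'login': ...} from the stock
    basic-auth extractor. Returns (user_id, login) or None.
    """
    if not credentials:
        return None
    # Only trust identities asserted by the Apache host; anything else may
    # be a forged Basic or Remote-User header sent straight to Zope.
    if credentials.get("remote_address") not in TRUSTED_PROXIES:
        return None
    user_id = credentials.get("user_id") or credentials.get("login")
    if not user_id:
        return None
    return user_id, user_id


if __name__ == "__main__":
    # Constructed environ as mod_fba would leave it on the trusted host.
    env = {"REMOTE_USER": "myname", "REMOTE_ADDR": "127.0.0.1"}
    print(authenticate_credentials(extract_credentials(env)))  # ('myname', 'myname')
```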