File:  [LON-CAPA] / loncom / auth / lonshibacc.pm
Revision 1.3: download - view: text, annotated - select for diffs
Mon Dec 6 03:31:54 2021 UTC (3 years ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_5_msu, version_2_11_5, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, HEAD
- Dual SSO and non-SSO login from /adm/login for use with additional SSO
  mechanisms besides Shibboleth.
  - Default is to use /adm/sso for "authentication" URL.
  - Different authentication URL can be set with lonOtherAuthenUrl perlvar.
  - Update documentation for lonshibauth.pm and lonshibacc.pm
  - Wording change for WAF/Proxy domain configuration
  - If Apache config contains lonSSOEmailOK set to 1, default removal
    of @ "internet domain" from username for SSO authenticated users in
    lonshibacc.pm is skipped.
  - &alias_shibboleth() routine in lonnet.pm renamed alias_sso().

# The LearningOnline Network
# Authorization handler for Shibboleth authenticated users
#
# $Id: lonshibacc.pm,v 1.3 2021/12/06 03:31:54 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#

=head1 NAME

Apache::lonshibacc - Initial Authorization handler for
SSO-authenticated users.

=head1 SYNOPSIS

Invoked for /adm/sso by
/etc/httpd/conf/loncapa_apache.conf:

PerlAuthzHandler       Apache::lonshibacc

=head1 INTRODUCTION

Authorization handler used to remove trailing @internet dom
from Shibboleth authenticated username (e.g., @mit.edu).

Authorization handler used to:

(a) remove trailing @internet dom from Shibboleth 
authenticated username (e.g., @mit.edu),
unless lonSSOEmailOK perl var is set to 1, and/or

(b) set URI for authenticated user to /adm/sso, if
lonOtherAuthenUrl is set.

After making changes to $r->user and/or $r->uri, DECLINED is
returned so lonacc.pm can be invoked as the next authorization
handler via:

PerlAuthzHandler       Apache::lonacc

=head1 HANDLER SUBROUTINE

This routine is called by Apache and mod_perl.

=cut

package Apache::lonshibacc;

use strict;
use lib '/home/httpd/lib/perl/';
use Apache::lonnet;
use Apache::Constants qw(:common);
use LONCAPA qw(:DEFAULT);

sub handler {
    my $r = shift;
    my $user = $r->user;
    if ($user ne '') {
        my $udom = $r->dir_config('lonSSOUserDomain');
        if ($udom eq '') {
            $udom = $r->dir_config('lonDefDomain');
        }
        if ($udom ne '') {
            my $uprimary_id = &Apache::lonnet::domain($udom,'primary');
            my $uint_dom = &Apache::lonnet::internet_dom($uprimary_id);
            if ($user =~ /^(\w[a-zA-Z0-9_\-.]+)\@\Q$uint_dom\E$/i) {
                my $username = $1;
                unless ($r->dir_config('lonSSOEmailOK') == 1) {
                    $user = $r->user($username);
                }
            }
        }
        if (($r->dir_config('lonOtherAuthenUrl') ne '') &&
            ($r->uri eq $r->dir_config('lonOtherAuthenUrl'))) {
            $r->uri('/adm/sso');
        }
    }
    return DECLINED;
}

1;
__END__

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>