File:
[LON-CAPA] /
loncom /
auth /
lonshibacc.pm
Revision
1.3:
Mon Dec 6 03:31:54 2021 UTC (3 years, 1 month ago) by
raeburn
Branches:
MAIN
CVS tags:
version_2_12_X,
version_2_11_X,
version_2_11_6,
version_2_11_5_msu,
version_2_11_5,
version_2_11_4_uiuc,
version_2_11_4_msu,
version_2_11_4,
HEAD
- Dual SSO and non-SSO login from /adm/login for use with additional SSO
mechanisms besides Shibboleth.
- Default is to use /adm/sso for "authentication" URL.
- Different authentication URL can be set with lonOtherAuthenUrl perlvar.
- Update documentation for lonshibauth.pm and lonshibacc.pm
- Wording change for WAF/Proxy domain configuration
- If Apache config contains lonSSOEmailOK set to 1, default removal
of @ "internet domain" from username for SSO authenticated users in
lonshibacc.pm is skipped.
- &alias_shibboleth() routine in lonnet.pm renamed alias_sso().
# The LearningOnline Network
# Authorization handler for Shibboleth authenticated users
#
# $Id: lonshibacc.pm,v 1.3 2021/12/06 03:31:54 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
=head1 NAME
Apache::lonshibacc - Initial Authorization handler for
SSO-authenticated users.
=head1 SYNOPSIS
Invoked for /adm/sso by
/etc/httpd/conf/loncapa_apache.conf:
PerlAuthzHandler Apache::lonshibacc
=head1 INTRODUCTION
Authorization handler used to remove trailing @internet dom
from Shibboleth authenticated username (e.g., @mit.edu).
Authorization handler used to:
(a) remove trailing @internet dom from Shibboleth
authenticated username (e.g., @mit.edu),
unless lonSSOEmailOK perl var is set to 1, and/or
(b) set URI for authenticated user to /adm/sso, if
lonOtherAuthenUrl is set and the requested URI matches it.
After making changes to $r->user and/or $r->uri, DECLINED is
returned so lonacc.pm can be invoked as the next authorization
handler via:
PerlAuthzHandler Apache::lonacc
=head1 HANDLER SUBROUTINE
This routine is called by Apache and mod_perl.
=cut
package Apache::lonshibacc;
use strict;
use lib '/home/httpd/lib/perl/';
use Apache::lonnet;
use Apache::Constants qw(:common);
use LONCAPA qw(:DEFAULT);
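# Apache/mod_perl authorization-phase handler for SSO-authenticated requests.
#
# Input:   $r - the request object passed in by mod_perl.
# Effects: may replace $r->user with the username stripped of its
#          "@<internet domain>" suffix, and may rewrite $r->uri to /adm/sso.
# Returns: DECLINED in every case. This routine only normalizes the request;
#          it never grants or denies access itself, so the next configured
#          authorization handler makes the actual decision.
#
# The value of $r->user is taken as-is from whatever set it earlier in the
# request; nothing here re-validates it. The name written back by this
# handler is the identity later handlers will see.
sub handler {
    my $r = shift;
    my $user = $r->user;

    # No authenticated user attached to the request: nothing to normalize.
    return DECLINED if (!defined($user) || $user eq '');

    # Domain used to look up the internet domain: lonSSOUserDomain if set,
    # otherwise fall back to lonDefDomain.
    my $udom = $r->dir_config('lonSSOUserDomain');
    if (!defined($udom) || $udom eq '') {
        $udom = $r->dir_config('lonDefDomain');
    }

    if (defined($udom) && $udom ne '') {
        my $uprimary_id = &Apache::lonnet::domain($udom,'primary');
        my $uint_dom = &Apache::lonnet::internet_dom($uprimary_id);

        # Skip the rewrite when no internet domain was found. With an empty
        # value the pattern below would reduce to "name@" and a suffix-less
        # scope would be stripped as if it belonged to this domain.
        if (defined($uint_dom) && $uint_dom ne '') {
            # Only a suffix equal to this domain's internet domain is removed
            # (case-insensitively); \Q...\E keeps the dots literal, and
            # \A...\z anchor the whole string so a trailing newline or other
            # extra text cannot ride along with an otherwise matching name.
            if ($user =~ /\A(\w[a-zA-Z0-9_\-.]+)\@\Q$uint_dom\E\z/i) {
                my $username = $1;
                # lonSSOEmailOK set to 1 means the full user@domain form is
                # kept as the username.
                unless ($r->dir_config('lonSSOEmailOK') == 1) {
                    $r->user($username);
                }
            }
        }
    }

    # Requests arriving at the alternative authentication URL are mapped to
    # /adm/sso. Only an exact match with the configured URL is rewritten.
    my $other_authen_url = $r->dir_config('lonOtherAuthenUrl');
    if (defined($other_authen_url) && ($other_authen_url ne '') &&
        ($r->uri eq $other_authen_url)) {
        $r->uri('/adm/sso');
    }

    return DECLINED;
}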
1;
__END__