Article delegate-en/2698 of [1-5169] on the server localhost:119

Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How force hosts to authenticate
02 Jul 2004 07:35:04 GMT "Salvatore Tarallo \(starallo\)" <prafabdyi-lnxhrzqrwznr.ml@ml.delegate.org>


Thanks Yutaka for the prompt support on this one. Could you please give
me an idea on when to expect the fix to make it into your next binary
build, as I'm not too familiar with the release schedule?
Another issue I have (that could turn into an improvement request) is
that I can't find an easy way to force authentication for all sites with
the exception of some. I understand that it is possible by having the same
site list specified in both the PERMIT and as connMap for the AUTHORIZER,
but I guess it would be easier if it were possible to reference in the
connMap for the AUTHORIZER statement the sites specified in the PERMIT.
An exception should be made for the "*" site.
So you could have something like:
PERMIT=http,siteA,*:http:siteB,*
AUTHORIZER=authserv:*.*.*
AUTHORIZER=noauth:PERMITTED 

This of course could be achieved with a similar result but a different
implementation with
PERMIT=*:*:*
AUTHORIZER=authserv:*:hostlist:*

Let me know what you think.

sal


-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org] 
Sent: Thursday, July 01, 2004 9:42 PM
To: feedback@delegate.org
Cc: Salvatore Tarallo (starallo)
Subject: Re: [DeleGate-En:2696] How force hosts to authenticate

In message
<_A2696@delegate-en.ML_> on
07/02/04(02:37:53) you "Salvatore Tarallo \(starallo\)"
<prafabdyi-lnxhrzqrwznr.ml@ml.delegate.org> wrote:
 |I'm running the latest delegate under Win2k.
 |Everything seems to work fine with the exception of the
 |authentication/authorization.
 |My objective is to have all access via http to sites only allowed with
 |an authentication with the exception of specific sites.
 |I went through the manual and the other posts to no avail.
 |I could successfully force proxy authentication using
 |AUTHORIZER="-list{test:test}" but it doesn't seem to work if I add a
 |connMap parameter.
 |For example I tried : AUTHORIZER="-list{test:test}:http:*.com:*"  with
 |the intent of requesting an authentication for all clients accessing
 |any .com site but no authentication is triggered.
 |Am I on the right way ?

Yes.  I found that AUTHORIZER with connMap is not working because the
destination information, to be matched with connMap, is not parsed
before applying the connMap for AUTHORIZER.  I will fix it as the
enclosed patch.  Thank you.

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


*** dist/delegate8.9.6-pre6/src/http.c	Fri Jun 25 03:28:08 2004
--- src/http.c	Fri Jul  2 04:35:18 2004
***************
*** 6504,6509 ****
--- 6504,6514 ----
  		goto EXIT;
  	}
  
+ 	/* parse request before applying AUTHORIZER */
+ 	HTTP_getHost(Conn,REQ,REQ_FIELDS);
+ 	if( rewriteRequest(Conn,QX,fc,tc) < 0 )
+ 		goto EXIT;
+ 
  	if( CTX_auth(Conn,NULL,NULL) ) /* with AUTHORIZER */
  	if( ClientAuthUser[0] == 0 )
  	{
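Review bot: moving rewriteRequest(Conn,QX,fc,tc) in front of the CTX_auth(Conn,NULL,NULL) check means request rewriting now runs for clients that have not authenticated yet, and a negative return jumps to EXIT before any challenge is issued. If the AUTHORIZER connMap only needs the destination that HTTP_getHost() extracts, consider moving just that call here and leaving rewriteRequest() after the auth check; if the rewrite is also required, the new comment should say so, since "parse request before applying AUTHORIZER" does not explain why the rewrite has to precede authentication.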
***************
*** 6522,6530 ****
--- 6527,6537 ----
  	if( doMaxHops(Conn,QX,fc,tc) )
  		goto EXIT;
  
+ /*
  	HTTP_getHost(Conn,REQ,REQ_FIELDS);
  	if( rewriteRequest(Conn,QX,fc,tc) < 0 )
  		goto EXIT;
+ */
  
  	if( withMountAUTHORIZER(Conn) )
  	if( ClientAuthUser[0] == 0 )
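Review bot: the old HTTP_getHost()/rewriteRequest() block at 6530 is disabled by wrapping it in /* ... */ instead of being deleted, which leaves dead code directly above the withMountAUTHORIZER(Conn) check and will break if a comment is ever added inside it. Delete the three lines outright. Note also that doMaxHops(Conn,QX,fc,tc) used to run before the request was rewritten and now runs after it; please confirm that ordering change is intended.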
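The ordering problem described in the reply above, as an added example that is not part of the original thread and not DeleGate source. It is a simplified model: struct request, parse_destination(), connmap_matches() and the sample host names are all hypothetical, and the connMap is reduced to a single destination pattern such as "*.com".

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a proxy request (hypothetical, not DeleGate's types). */
struct request {
    const char *raw_host;  /* Host value as received (constructed sample) */
    char dst_host[64];     /* set by parse_destination(); empty until then */
};

static void parse_destination(struct request *r) {
    snprintf(r->dst_host, sizeof r->dst_host, "%s", r->raw_host);
}

/* "*suffix" matches any host ending in suffix; otherwise exact match. */
static int connmap_matches(const struct request *r, const char *pattern) {
    if (pattern[0] != '*')
        return strcmp(r->dst_host, pattern) == 0;
    const char *suffix = pattern + 1;
    size_t h = strlen(r->dst_host), s = strlen(suffix);
    return h >= s && strcmp(r->dst_host + h - s, suffix) == 0;
}

/* Pre-patch order: the rule is evaluated while dst_host is still empty,
 * so a destination-specific pattern never matches and no login is asked. */
int auth_required_before_fix(const char *host, const char *pattern) {
    struct request r = { host, "" };
    int need = connmap_matches(&r, pattern);
    parse_destination(&r);  /* parsed too late to influence the decision */
    return need;
}

/* Post-patch order: parse the destination first, then evaluate the rule. */
int auth_required_after_fix(const char *host, const char *pattern) {
    struct request r = { host, "" };
    parse_destination(&r);
    return connmap_matches(&r, pattern);
}

int main(void) {
    const char *hosts[] = { "www.example.com", "www.example.org" };
    for (int i = 0; i < 2; i++)
        printf("%-16s before=%d after=%d\n", hosts[i],
               auth_required_before_fix(hosts[i], "*.com"),
               auth_required_after_fix(hosts[i], "*.com"));
    return 0;
}
```

In this model a bare "*" pattern still matches the empty destination, so the pre-patch order only fails open for destination-specific patterns.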
