Article delegate-en/2728 of [1-5169] on the server localhost:119

Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How force hosts to authenticate
12 Aug 2004 08:47:06 GMT "Salvatore Tarallo \(starallo\)" <prafabdyi-o7da2luke5xr.ml@ml.delegate.org>


Thanks for the support Yutaka-san
I was under the impression that the multiple AUTHORIZER statements would
behave like an ACL where the first match, regardless of the fact that the
access was permitted or denied (or, like in this case, requesting or not
an authentication), ended the processing.
As you point out in your last paragraph, what I was trying to achieve
was to have some exception to the authentication (with the negated
hosts) and a more general catch-all authentication line.
It seems that this is not possible with multiple AUTHORIZER but the
solution you provided with the multiple lines in the HOSTLIST does fine
for me.

Cheers,
Sal
 

-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org] 
Sent: Wednesday, August 11, 2004 6:25 PM
To: feedback@delegate.org
Cc: Salvatore Tarallo (starallo)
Subject: Re: [DeleGate-En] How force hosts to authenticate

On 08/09/04(17:33) you "Salvatore Tarallo \(starallo\)"
<starallo@cisco..> wrote in
<_A2722@delegate-en.ML_>
 |07/08 17:05:55.96 [5244] 0+0: ext[11]
 |AUTHORIZER=-list{guest:guest}:http,https:!*.microsoft.com,!*.cisco.com,!*.windowsupdate.com:*
 |07/08 17:05:55.96 [5244] 0+0: ext[12]
 |AUTHORIZER=-list{guest:guest}:http,https:!*.repubblica.it:*
 |
 |I'd assume that the first line would prevent an authorization for all
 |cisco domain but that doesn't seem to be the case.
 |
 |07/08 17:06:04.18 [2600] 1+1: REQUEST = GET http://www.cisco.com/swa/i/logo.gif HTTP/1.1^M
 |07/08 17:06:04.25 [2600] 1+1/1: HCKA:[1] closed -- a:proxy authentication required
 |
 |Are you saying that the delegate doesn't stop the parsing at the first match ?

No, but DeleGate continues searching until it finds the first match.
In your case, your destination host "cisco.com" does NOT match the first
AUTHORIZER, so DeleGate tried the next one, then it matched.

 |Does this also imply that any AUTHORIZER line with a connection map by
 |default to all sites for the protocols specified except for the
 |excluded ones ?
 |For example, what would be the expected behaviour of delegate with the
 |two AUTHORIZER parameters specified above ?

Any destination host except those negated in the lists of the first AUTHORIZER
uses it.  Hosts negated in the first try the second one.

What is special in your example is that those AUTHORIZERs have only
negation lists, with the same AuthServer and protList.  Imagine a more
general situation where you have multiple AUTHORIZER (or PERMIT, CMAP,
and so on) including non-negation and/or with different AuthServer and
protList like this:

  AUTHORIZER=auth1:prot1:dst1:src1
  AUTHORIZER=auth2:prot2:dst2:src2

When a destination host is not applied in the first one, is there any
reason to ignore the matching with the next one?


So my question is why you need to split a list of hosts into multiple
AUTHORIZER.  If those are in a single list, you will not see such a
problem.
If the list is too long to edit or maintain, then it can be split
into multiple lines using HOSTLIST like this.

  AUTHORIZER=-list{guest:guest}:http,https:!noauthHosts
  HOSTLIST=noauthHosts:!*.microsoft.com,!*.cisco.com,!*.windowsupdate.com
  HOSTLIST=noauthHosts:+,!*.repubblica.it:*

Also there is a pseudo authorizer "-any" which accepts any
authentication information.  It can be used as follows:

  AUTHORIZER=-any:*.microsoft.com,*.cisco.com,*.windowsupdate.com
  AUTHORIZER=-any:*.repubblica.it
  AUTHORIZER=-list{guest:guest}

But maybe what you need is passing through to specified hosts without
asking any Authentication.  It can be realised by changing the code of
DeleGate as enclosed.

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

*** dist/delegate8.9.6-pre13/src/http.c	Sat Aug  7 03:27:49 2004
--- src/http.c	Thu Aug 12 01:14:27 2004
***************
*** 6529,6535 ****
  		else	set_realsite(Conn,"tcprelay",host,port);
  	}
  
! 	if( CTX_auth(Conn,NULL,NULL) ) /* with AUTHORIZER */
  	if( ClientAuthUser[0] == 0 )
  	{
  		if( doauth(Conn,tc) < 0 )
--- 6529,6535 ----
  		else	set_realsite(Conn,"tcprelay",host,port);
  	}
  
! 	if( CTX_auth(Conn,NULL,NULL) <= 0 ) /* with AUTHORIZER not -any
*/
  	if( ClientAuthUser[0] == 0 )
  	{
  		if( doauth(Conn,tc) < 0 )
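Review bot: the new test `if( CTX_auth(Conn,NULL,NULL) <= 0 )` also takes the branch when CTX_auth() returns 0, which under the old `if( CTX_auth(Conn,NULL,NULL) )` was the case with no AUTHORIZER at all; unless doauth() already copes with that case, a request with no AUTHORIZER configured now reaches doauth(). The hunk does not show what CTX_auth() returns for "-any" as opposed to other authorizers, so the comment `/* with AUTHORIZER not -any */` should spell out the return-value convention it relies on (for example which sign means -any, which means another authorizer and which means none), or the check should compare against named values rather than a bare sign test.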


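To make the matching rule Yutaka describes concrete, here is an added Python model (not DeleGate's own code) of how several AUTHORIZER lines are tried in turn for one destination host; it assumes, from the explanation above, that "!" negates an entry and that a host list made only of negations accepts every host it does not negate. It contrasts Sal's two separate lines with one merged exclusion list.

```python
from fnmatch import fnmatchcase
from typing import List, Optional

def split_fields(value: str) -> List[str]:
    """Split on ':' outside braces, so '-list{guest:guest}' stays one field."""
    fields, depth, cur = [], 0, ""
    for ch in value:
        depth += (ch == "{") - (ch == "}")
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + [cur]

def host_in_list(host: str, hostlist: str) -> bool:
    """Host list with '!' negation: a matching negated entry always excludes.
    Assumption taken from Yutaka's description: a list made only of
    negations accepts every host it does not negate."""
    entries = [e for e in hostlist.split(",") if e]
    if any(fnmatchcase(host, e[1:]) for e in entries if e.startswith("!")):
        return False
    positives = [e for e in entries if not e.startswith("!")]
    return not positives or any(fnmatchcase(host, p) for p in positives)

def select_authorizer(host: str, proto: str, lines: List[str]) -> Optional[str]:
    """auth field of the first AUTHORIZER=auth:protList:dstList[:srcList]
    whose protList and dstList match; None means no authentication is asked.
    As DeleGate does, a line that does not match is skipped and the next tried."""
    for line in lines:
        auth, prot, dst = (split_fields(line.split("=", 1)[1]) + ["*", "*"])[:3]
        if prot != "*" and proto not in prot.split(","):
            continue
        if host_in_list(host, dst):
            return auth
    return None

# Constructed configs: Sal's two separate lines versus one merged exclusion list.
SPLIT_CONFIG = [
    "AUTHORIZER=-list{guest:guest}:http,https:"
    "!*.microsoft.com,!*.cisco.com,!*.windowsupdate.com:*",
    "AUTHORIZER=-list{guest:guest}:http,https:!*.repubblica.it:*",
]
MERGED_CONFIG = [
    "AUTHORIZER=-list{guest:guest}:http,https:"
    "!*.microsoft.com,!*.cisco.com,!*.windowsupdate.com,!*.repubblica.it:*",
]
```

With SPLIT_CONFIG, www.cisco.com is excluded by the first line but accepted by the second, so it is asked to authenticate; with MERGED_CONFIG no line matches it and no authentication is requested.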