Changeset 6440 for TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authn.py

Timestamp:

29/01/10 14:07:36 (11 years ago)

Author:

pjkersha

Message:

• #1088 Important fix to AuthnRedirectResponseMiddleware? to set redirect ONLY when SSL client authentication has just succeeded in the upstream middleware AuthKitSSLAuthnMiddleware. This bug was causing the browser to redirect to the wrong place following OpenID sign in in the case where the user is already logged into their provider and selects a new relying party to sign into.
  • Improvements to Provider decide page interface: leave out messages about attributes that the provider can't retrieve for the RP. Also included NDG style help icon.

File:

• TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authn.py (modified) (7 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authn.py

@@ -30 +30 @@
                                               SessionHandlerMiddleware)  
 
+from ndg.security.server.wsgi.ssl import AuthKitSSLAuthnMiddleware
 
 class AuthnException(NDGSecurityMiddlewareError):
@@ -51 +52 @@
     '''HTTP Basic Authentication Middleware 
     '''
-    
     AUTHN_FUNC_ENV_KEYNAME = ('ndg.security.server.wsgi.authn.'
                               'HTTPBasicAuthMiddleware.authenticate')
@@ -280 +280 @@
         quotedReturn2URI = urllib.quote(return2URI, safe='')
         return2URIQueryArg = urllib.urlencode(
-                    {AuthnRedirectInitiatorMiddleware.RETURN2URI_ARGNAME: 
-                     quotedReturn2URI})
+            {AuthnRedirectInitiatorMiddleware.RETURN2URI_ARGNAME: 
+             quotedReturn2URI})
 
         redirectURI = self.redirectURI
@@ -306 +306 @@
         """
         if status.startswith(cls.TRIGGER_HTTP_STATUS_CODE):
-            log.debug("%s.checker caught status [%s]: invoking authentication"
-                      " handler", cls.__name__, cls.TRIGGER_HTTP_STATUS_CODE)
+            log.debug("%s.checker caught status [%s]: invoking authentication "
+                      "handler", cls.__name__, cls.TRIGGER_HTTP_STATUS_CODE)
             return True
         else:
@@ -326 +326 @@
     which performs a similar function.
     """
+    
     @NDGSecurityMiddlewareBase.initCall
     def __call__(self, environ, start_response):
@@ -345 +346 @@
             
         # Check for a return URI setting in the beaker session and if the user
-        # is authenticated, redirect to this URL deleting the beaker session
+        # has just been authenticated by the AuthKit SSL Client authentication
+        # middleware.  If so, redirect to this URL deleting the beaker session
         # URL setting
         return2URI = session.get(self.__class__.RETURN2URI_ARGNAME)    
-        if self.isAuthenticated and return2URI:
+        if self.sslAuthnSucceeded and return2URI:
             del session[self.__class__.RETURN2URI_ARGNAME]
             session.save()
@@ -366 +368 @@
                                doc="Boolean indicating if AuthKit "
                                    "'REMOTE_USER' environment variable is set")
+    
+    _sslAuthnSucceeded = lambda self: self.environ.get(
+                    AuthKitSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME,
+                    False)
+        
+    sslAuthnSucceeded = property(fget=_sslAuthnSucceeded,
+                                 doc="Boolean indicating SSL authentication "
+                                     "has succeeded in "
+                                     "AuthKitSSLAuthnMiddleware upstream of "
+                                     "this middleware")
+    
     def __init__(self, app, app_conf, **local_conf):
         super(AuthKitRedirectResponseMiddleware, self).__init__(app, app_conf,