Timestamp:
29/01/10 14:07:36 (11 years ago)
Author:
pjkersha
Message:
  • #1088 Important fix to AuthnRedirectResponseMiddleware to set redirect ONLY when SSL client authentication has just succeeded in the upstream middleware AuthKitSSLAuthnMiddleware. This bug was causing the browser to redirect to the wrong place following OpenID sign in in the case where the user is already logged into their provider and selects a new relying party to sign into.
    • Improvements to Provider decide page interface: leave out messages about attributes that the provider can't retrieve for the RP. Also included NDG style help icon.
File:
1 edited

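--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/ssl.py
@@ -69,4 +69,13 @@
 
     PARAM_PREFIX = 'sslAuthn.'
+
+    # isValidCert requires special parsing of certificate when passed via a
+    # proxy
+    X509_CERT_PAT = re.compile('(\s?-----[A-Z]+\sCERTIFICATE-----\s?)|\s+')
+
+    # Flag to other middleware that authentication succeeded by setting this key
+    # in the environ to True.  This is done in the isValidCert method
+    AUTHN_SUCCEEDED_ENVIRON_KEYNAME = ('ndg.security.server.wsgi.ssl.'
+                                       'ApacheSSLAuthnMiddleware.authenticated')
 
     def __init__(self, app, global_conf, prefix=PARAM_PREFIX, **app_conf):
@@ -321,9 +330,14 @@
         # Then, treat as a base64 encoded string decoding and passing as DER
         # format to the X.509 parser
-        x509CertPat = re.compile('(\s?-----[A-Z]+\sCERTIFICATE-----\s?)|\s+')
-        cert = x509CertPat.sub('', sslClientCert)
+
+        cert = self.__class__.X509_CERT_PAT.sub('', sslClientCert)
         derCert = base64.decodestring(cert)
         self.__clientCert = X509Cert.Parse(derCert, format=X509Cert.formatDER)
 
+        # Check validity time
+        if not self.__clientCert.isValidTime():
+            return False
+
+        # Verify against trust root if set
         if len(self.caCertStack) == 0:
             log.warning("No CA certificates set for Client certificate "
@@ -343,13 +357,19 @@
                           "unexpected exception type %s: %s" % (type(e), e))
                 return False
-
+
+        # Verify against list of acceptable DNs if set
         if len(self.clientCertDNMatchList) > 0:
             dn = self.__clientCert.dn
             for expectedDN in self.clientCertDNMatchList:
                 if dn == expectedDN:
+                    self.environ[
+                        ApacheSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME
+                    ] = True
                     return True
 
             return False
-
+
+        self.environ[
+            ApacheSSLAuthnMiddleware.AUTHN_SUCCEEDED_ENVIRON_KEYNAME] = True
         return True
 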
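Review bot: The success flag `AUTHN_SUCCEEDED_ENVIRON_KEYNAME` is now written at two exits of the DN check (inside the `for expectedDN` loop and again after the `if len(self.clientCertDNMatchList)` block), so any future exit path must remember to set it or downstream middleware will see a stale answer; collapsing the loop into `if dn not in self.clientCertDNMatchList: return False` leaves the single assignment before the final `return True` as the only success path. The new `isValidTime()` check returns False silently whereas the CA-stack path emits a `log.warning`, which loses the audit trail a rejected client-certificate login should leave; a `log.warning("Client certificate %s is outside its validity period", self.__clientCert.dn)` before that return would match the existing style. The pattern moved to `X509_CERT_PAT` is looked up via `self.__class__` while the environ key is hard-coded to `ApacheSSLAuthnMiddleware`; if that is deliberate so the consuming middleware sees a fixed key regardless of subclass, a one-line comment saying so would prevent a later "fix" to `self.__class__`. The enclosing isValidCert method starts and ends outside the hunk.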