Login from other form

Hi,

Trying my luck here again as you have set me on the right track before. I sent this message before but got no reactions, so if you think I am addressing the wrong audience please let me know.

I am trying to login a user into the RT web interface as he or she
authenticates on another website. After successful authentication there
I can get an encrypted username and password passed to RT (decrypt it)
and then … I need to trigger the login functionality of RT somehow.

I tried quite some things with PHP (cURL, snoopy etc) and even
JavaScript to submit the login form without pressing the submit button,
but I do not seem to be able to get those approaches to deliver.

Maybe, pretty likely actually, I am overseeing an easy option and one of
you can give me a push in the proper direction. I do know some PHP but
PERL so far is not my cup of coffee. I see no real function attached to the action attribute of the form in /Elements/Login

Thanks a lot!

– Jac

I tried quite some things with PHP (cURL, snoopy etc) and even
JavaScript to submit the login form without pressing the submit button,
but I do not seem to be able to get those approaches to deliver.

Instead of trying to automate the form submission, what you should
probably do is bypass the authentication altogether. One simple way is
to set the REMOTE_USER environment variable to the person’s RT user
name, and then set $RT::WebExternalAuth to true. If you don’t want such
a simplistic and relatively insecure method of user spoofing available,
you can override the code in the base autohandler (e.g.
/opt/share/html/autohandler) to add in a transformation from your
encrypted user credentials to a real RT user. In 3.6.3 the code to be
inserted would probably go here:

If it’s a noauth file, don’t ask for auth.

if ( $m->base_comp->path =~ $RT::WebNoAuthRegex ) {
$m->comp( { base_comp => $m->request_comp }, $m->fetch_next, %ARGS);
$m->abort;
}

If RT is configured for external auth, let’s go through and get

REMOTE_USER
elsif ($RT::WebExternalAuth) {

 # do we actually have a REMOTE_USER equivlent?
 if ( RT::Interface::Web::WebCanonicalizeInfo() ) {

between the first IF and the ELSIF. Look inside of the

 if ( RT::Interface::Web::WebCanonicalizeInfo() ) {

block to see what to do once you have a user name. Basically, you want
to do some part of this:

     $session{'CurrentUser'} = RT::CurrentUser->new();
     my $load_method = $RT::WebExternalGecos ? 'LoadByGecos' : 'Load';

     if ( $^O eq 'MSWin32' and $RT::WebExternalGecos ) {
         my $NodeName = Win32::NodeName();
         $user =~ s/^\Q$NodeName\E\\//i;
     }

     $session{'CurrentUser'}->$load_method($user);

followed by a check to see if you actually loaded a user:

 if ( $session{'CurrentUser'}->Id() )

Or something like that. HTH!

Regards,

joe
Joe Casadonte
joe.casadonte@oracle.com

========== ==========
== The statements and opinions expressed here are my own and do not ==
== necessarily represent those of Oracle Corporation. ==
========== ==========

GUBBELS Jac wrote:

Hi,

Trying my luck here again as you have set me on the right track before.
I sent this message before but got no reactions, so if you think I am
addressing the wrong audience please let me know.

I am trying to login a user into the RT web interface as he or she
authenticates on another website. After successful authentication there
I can get an encrypted username and password passed to RT (decrypt it)
and then … I need to trigger the login functionality of RT somehow.

I tried quite some things with PHP (cURL, snoopy etc) and even
JavaScript to submit the login form without pressing the submit button,
but I do not seem to be able to get those approaches to deliver.

Maybe, pretty likely actually, I am overseeing an easy option and one of
you can give me a push in the proper direction. I do know some PHP but
PERL so far is not my cup of coffee. I see no real function attached to
the action attribute of the form in /Elements/Login

If it helps, I’m in the middle of writing a custom Database
authentication module for RT that will authenticate out of any databse
there is a DBI driver for in many different ways.

The bit that really concerns you is that it also authenticates out of
cookies.

In the current design, the website it is integrated into sets a cookie
with a loginID hash, and then stores that assignment, along with the
userID in a table. When you then go to RT, RT checks for the cookie,
checks it against the login name, and if the login name refers to a
valid RT user, it logs them straight in with no prompt.

Any use?

Kind Regards,

Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com