MyFedora cross domain authentication issues

John (J5) Palmieri johnp at redhat.com
Fri Mar 14 15:02:19 UTC 2008


On Thu, 2008-03-13 at 17:59 -0500, Toshio Kuratomi wrote:
> John (J5) Palmieri wrote:
> > Hi guys,
> > 
> > We just recently got a test instance up at publictest10 and I have
> > started working on accessing resources as an authenticated user.  There
> > is a large issue here however since the browser's security model
> > rightfully prevents us from doing requests such as this.  There are
> > several ways around this security all with their own pitfalls.
> > 
> > The first one which I use is to have a proxy page which make the calls
> > on the server which is not subject to the security concerns.  The issue
> > with this is it can't be authenticated and involves shipping data
> > through an extra server.
> > 
> > The second way is to use JSONP callback script injection.  This one
> > involves the json call returning data as a javascript callback which is
> > then script injected into the page and eval'ed.  This is extremely
> > insecure as it allows the server to send back any javascript which is
> > executed on the user's browser.  I've tested this by sending an alert
> > back from bodhi's 'list' call and it can display any data available to
> > the browser.
> > 
> > Another way which I am not sure is possible would be to do URL rewriting
> > to make it look like all of our resources are coming from the same
> > domain, e.g. http://myfedora.fedoraproject.org/bodhi would be rewritten
> > to point to a bodhi instance.  Though this might work if they were
> > running under the same apache instance, I am pretty sure it would fall
> > down if they were running on different servers.
> > 
> > The last way, which I discussed with the Fas guys sometime back would be
> > the ability to forward credentials from a proxy.  This would require Fas
> > support that I am pretty sure is not there yet.  I'm not even sure how
> > it would be implemented.
> > 
> J5: Look at how jsonfas is implemented and tell me if that would work for this
> model.
> 
> bzr branch bzr://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel
> 
> cd python-fedora-devel/fedora/tg/identity
> vim jsonfasprovider.py
> # Take a look at JsonFasIdentity
> 
> -Toshio

It looks promising though I am not totally sure how it works.  Let me see
if I get this right. At the start of the proxied request (basically just
a TG controller in my domain which is called via JSON) I create a
JsonFasIdentity and supply it with the user, username and password using
the tg.identity object or is that the JsonFasIdentity?  It will then set
the correct cookies for the next link.  I make my next JSON call to a
FAS2 enabled resource like Bodhi and Bodhi treats me as if I was logged
in?  Is this correct?  Do I call logout on the JsonFasIdentity object?
Can this stand up to being called 10 times per page load for each query
I need to make?

If this works it will solve my issues.

-- 
John (J5) Palmieri <johnp at redhat.com>
