Timestamp:
30/08/07 09:39:27 (12 years ago)
Author:
pjkersha
Message:

Base64-encode the return URI 'r' argument in query strings. This is a fix for
#845 and may address #862

ows_server/ows_server/config/ndgMiddleware.py: added global for getCredentials
path

ows_server/ows_server/controllers/login.py: include code to decode return URL
in doRedirect

ows_server/ows_server/controllers/logout.py: ...likewise for logout

ows_server/ows_server/lib/security_util.py: use cls for class methods

ows_server/ows_server/templates/ndgPage.kid: base64 encode return URL for
login and logout callbacks.

ows_server/ows_server/templates/login.kid: use new global $g.getCredentials
to specify full URL path

ows_server/ows_server/templates/wayf.kid: altered help message for return URL
check. Hovering over URL won't help the user now because 'r' arg is base64
encoded.

Location:
TI05-delivery/ows_framework/trunk/ows_server/ows_server
Files:
7 edited

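--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/ndgMiddleware.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/ndgMiddleware.py
@@ -41,4 +41,5 @@
         self.globals.server=cf.get('DEFAULT','server','')
         self.globals.wayfuri='%s/wayf'%self.globals.server
+        self.globals.getCredentials='%s/getCredentials'%self.globals.server
         
         self.globals.logout='%s/logout'%self.globals.server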
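--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
@@ -1,4 +1,5 @@
 import sys
 from urlparse import urlparse
+import base64
 
 from ows_server.lib.base import *
@@ -66,5 +67,4 @@
         if 'ndgSec' in session: self.__doRedirect()
         self.__setup()
-
         return render_response('login')
 
@@ -144,5 +144,5 @@
         self.__setup()
         self.__securitySetup()
-        
+
         # TODO: check with Bryan what this is for
         # P J Kershaw 09/08/07
@@ -194,9 +194,12 @@
             # Only add token if return URI is in a different domain
             thisHostname = request.host.split(':')[0]
-            returnToHostname = urlparse(c.returnTo)[1]
-            cc=c.returnTo
+            
+            # Decode return to address
+            cc = base64.urlsafe_b64decode(c.returnTo)
+
+            returnToHostname = urlparse(cc)[1]
 
             if thisHostname not in returnToHostname:
-                if '?' in c.returnTo:
+                if '?' in cc:
                     cc+='&%s' % LoginServiceQuery()
                 else:
@@ -205,4 +208,3 @@
             h.redirect_to(cc)
         else:
-            c.xml='Login Successful'
             return render_response('content')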
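Review bot: `cc = base64.urlsafe_b64decode(c.returnTo)` at new line 198 has no error handling, so an `r` value that is absent, still unencoded (a pre-change link or bookmark) or mis-padded can raise `TypeError` out of `__doRedirect` instead of producing a controlled response; catch `TypeError` around the decode and fall through to the `render_response('content')` branch rather than redirecting. The same unguarded decode is added in logout.py (new line 92) and wayf.kid (new line 10). Encoding the value also removes the user's ability to read the target, so the server-side check carries more weight: the hostname comparison at new line 202 correctly uses the decoded `cc`, but nothing confirms the decoded bytes form an absolute http(s) URL before `h.redirect_to(cc)` at new line 208, and a comment such as `# returnTo is opaque to the user once base64-encoded; validate scheme/host here` would make that responsibility explicit. `__doRedirect` starts before this hunk; the removal of `c.xml='Login Successful'` leaves `render_response('content')` without that attribute unless it is set elsewhere.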
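--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py
@@ -4,4 +4,5 @@
 from paste.request import parse_querystring
 import sys # include in case tracefile is set to sys.stderr
+import base64 # decode the return to address
 
 from ndg.security.common.SessionMgr import SessionMgrClient
@@ -88,5 +89,7 @@
         session.save()
 
-               
+        # Decode the return to address
+        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
+       
         # and now go back to whence we had come
-        h.redirect_to(c.returnTo)
+        h.redirect_to(b64decReturnTo)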
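Review bot: The decoded address at new line 95 goes straight to `h.redirect_to(b64decReturnTo)` with no check on what it decoded to, whereas login.py's `__doRedirect` at least inspects the hostname before redirecting; now that `r` is base64-encoded the user cannot eyeball the target, so this server-side check is the only one left. Consider `scheme, host = urlparse(b64decReturnTo)[:2]` (login.py already imports `urlparse`) and redirecting to a local page when `scheme not in ('http', 'https') or not host`. The enclosing method starts before this hunk.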
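--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/security_util.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/security_util.py
@@ -79,5 +79,5 @@
 
     @classmethod
-    def makeQueryStr(self):
+    def makeQueryStr(cls):
         """Create the query string containing the required security
         credentials to return to the service provider
@@ -89,12 +89,11 @@
         # roles to a single string ready for passing over URL
         secDict = session[SecuritySession.key].copy()
-        secDict['roles'] = LoginServiceQuery.rolesSep.join(secDict['roles'])
+        secDict['roles'] = cls.rolesSep.join(secDict['roles'])
         
         # Return the full query as a string
-        return LoginServiceQuery.argSep.join(["%s=%s" % (k, secDict[k]) \
-                                       for k in LoginServiceQuery.keys])
+        return cls.argSep.join(["%s=%s" % (k, secDict[k]) for k in cls.keys])
 
     @classmethod
-    def stripFromURI(self):
+    def stripFromURI(cls):
         """Make a new query string using Pylons request.params but stripping
         args relating to security
@@ -102,10 +101,9 @@
         @rtype: string
         @return: URL query string with security args removed"""
-        return LoginServiceQuery.argSep.join(['%s=%s' % (i,request.params[i])\
-                                       for i in request.params \
-                                       if i not in LoginServiceQuery.keys])
+        return cls.argSep.join(['%s=%s' % (i, request.params[i]) \
+                                for i in request.params if i not in cls.keys])
 
     @classmethod
-    def decodeRequestParams(self):
+    def decodeRequestParams(cls):
         """Get security parameters from request.params received from Login
         Service (IdP).  Decode parameters where necessary: roles are sent as a
@@ -119,5 +117,5 @@
             # request.params is actually a MultiDict type but for the purposes
             # of this code it can be treated as a regular dict type
-            keys = dict([(k, request.params[k]) for k in self.keys])
+            keys = dict([(k, request.params[k]) for k in cls.keys])
         except KeyError, e:
             OwsError, \
@@ -127,5 +125,5 @@
         # Modify roles from a comma delimited string into a list
         if 'roles' in keys:
-            keys['roles'] = keys['roles'].split(LoginServiceQuery.rolesSep)
+            keys['roles'] = keys['roles'].split(cls.rolesSep)
 
         return keys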
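Review bot: New line 121 in `decodeRequestParams`, `OwsError, \` inside the `except KeyError, e:` handler, has no `raise`, so as rendered it is a bare tuple expression: a missing security parameter is swallowed and `keys` is unbound when execution reaches `if 'roles' in keys` at new line 126; it should read `raise OwsError, \` unless the changeset viewer dropped the keyword (the continuation line is outside the hunk). Separately, `makeQueryStr` (new line 94) and `stripFromURI` (new lines 103-104) build the query with `"%s=%s"` and no URL-escaping, so a role name or parameter value containing `&`, `=` or whitespace yields a string the receiving side cannot split back into the same pairs; `urllib.urlencode` over the same key/value pairs would be the conventional fix. Every method touched here starts or ends outside its hunk, and the `self`→`cls` rename itself is correct for `@classmethod`.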
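--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/login.kid
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/login.kid
@@ -18,5 +18,5 @@
 
     <span py:def="loginForm()" class="loginForm">
-                <form action="/getCredentials?r=${c.returnTo}" method="POST">    
+                <form action="$g.getCredentials?r=${c.returnTo}" method="POST">    
                 <table cellspacing="0" border="0" cellpadding="5">
                 <tbody>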
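--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/ndgPage.kid
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/ndgPage.kid
@@ -179,9 +179,14 @@
     </span>
 
-    <!-- Login and out buttons -->
-
+    <!-- Login and out buttons -->    
     <span py:def="logOut()" class="logOut">
+            <?python
+            # Encode the return URL to avoid problems parsing URLs with multiple
+            # ?'s - for example one in the URL and one in the value for 'r'
+            from base64 import urlsafe_b64encode
+            b64encRequestURL = urlsafe_b64encode(c.requestURL)
+            ?>
         <form action="$g.logout">
-            <input type="hidden" name="r" value="$c.requestURL"/>
+            <input type="hidden" name="r" value="${b64encRequestURL}"/>
             <input type="submit" value="Logout"/>
         </form>
@@ -189,6 +194,12 @@
 
     <span py:def="logIn()" class="logIn">
+            <?python
+            # Encode the return URL to avoid problems parsing URLs with multiple
+            # ?'s - for example one in the URL and one in the value for 'r'
+            from base64 import urlsafe_b64encode
+            b64encRequestURL = urlsafe_b64encode(c.requestURL)
+            ?>
         <form action="$g.wayfuri">
-            <input type="hidden" name="r" value="$c.requestURL"/>
+            <input type="hidden" name="r" value="${b64encRequestURL}"/>
             <input type="submit" value="Login"/>
         </form>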
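Review bot: The six-line `<?python ... ?>` block computing `b64encRequestURL` is pasted verbatim into both `logOut()` (new lines 183-188) and `logIn()` (new lines 196-201); compute it once, either as a single template-level `<?python ?>` block ahead of both `py:def`s or as a `c.b64encRequestURL` attribute set in the controller next to `c.requestURL`, so the two forms cannot drift apart. `urlsafe_b64encode(c.requestURL)` also presumes a byte string; if `c.requestURL` can be a unicode value with non-ASCII characters, encode it to UTF-8 first, and decode symmetrically in login.py, logout.py and wayf.kid. A one-line comment on the hidden field, `<!--! 'r' is base64url-encoded; decoded server-side before any redirect -->`, would tell a reader why the value is opaque.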
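--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/wayf.kid
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/wayf.kid
@@ -4,4 +4,10 @@
         <div py:replace="header()"/>
         <h4> Where are you from? </h4>
+        <?python
+        # Decode the return URL so that it can be displayed to the user.
+        # The URL has previously been encoded from ndgPage.kid
+        from base64 import urlsafe_b64decode
+        b64decReturnTo = urlsafe_b64decode(c.returnTo)
+        ?>
         <p> You can login in at
         <ul py:for="h in c.providers">
@@ -10,9 +16,32 @@
         <p>Before clicking on these links, please check that the links redirect to a site
         you trust with your security credentials.</p>
-        <p> How can I tell? If you hover over the link, you should see (look at the bottom of
-        your browser) that it consists of a <i>normal</i> url,
-        followed by ?r=http://anotherURL. You should be sure that
-        you trust anotherURL, because it will get access to your credentials!</p>
+        <p> How can I tell?  For any of the above, following login you will be
+        redirected back to the URL: <a href="${b64decReturnTo}">${b64decReturnTo}</a></p>
         <div py:replace="footer()"/>
     </body>
+
+        <div py:def="footer()" id="Footer">
+        <center><table><tbody>
+            <tr>
+                <td align="center" width="60%">
+                    <table><tbody>
+                    <tr><td><span py:replace="linkimage(g.ndgLink,g.ndgImage,'NDG')"/></td>
+                    <td> This portal is a product of the <a href="http://ndg.nerc.ac.uk"> NERC DataGrid</a>
+                    Not all functionality is completely implemented, bugs and problems are expected </td>
+                    </tr>
+                    </tbody></table>
+                </td>
+                <td width="40%" align="center">
+                    <div id="loginStatus">
+                        <!--! now we choose one of the next two (logged in or not) -->
+                        <div py:if="'ndgSec' in session"><table><tbody><tr><td> User [${session['ndgSec']['u']}] logged in
+                        at [${session['ndgSec']['h']}] with roles [${session['ndgSec']['roles']}]</td><td>
+                        &nbsp;<span py:replace="logOut()"/></td></tr></tbody></table></div>
+                        <div py:if="'ndgSec' not in session"></div>
+                    </div>
+                </td>
+                <td><span py:replace="linkimage(g.stfcLink,g.stfcImage,'Hosted by the STFC CEDA')"/></td>
+            </tr>
+        </tbody></table></center>
+    </div>
 </html>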
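Review bot: The decoded return address from new line 10 is emitted as a clickable `<a href="${b64decReturnTo}">` at new line 19 without any check that it is an http(s) URL; Kid's attribute escaping protects the markup but says nothing about the link's scheme, so either show the decoded value as plain text, or wrap the anchor in a `py:if` that only renders it after `urlparse` confirms an `http`/`https` scheme and a non-empty host (the same check login.py's redirect needs). The new `footer()` at new lines 23-46 is a full footer defined inside wayf.kid; if a shared `footer()` exists in the layout this one appears to shadow it, which deserves a comment such as `<!--! wayf-specific footer(): shows login status; keep in step with the shared footer -->`. The decode at line 10 shares the unhandled-`TypeError` issue noted on login.py.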