Changeset 2934 for TI05-delivery


Timestamp:
08/10/07 09:37:50 (12 years ago)
Author:
pjkersha
Message:

Added https capability for discovery login. Discovery service port is exposed outside with http and https virtual hosts. Login pages use the https virtual host.

ows_server/ndgDiscovery.config: added sslServer param for NDG_SECURITY section - needed for running discovery login over https

ows_server/ows_server/controllers/login.py:

  • LogController?.wayf for efficiency use single call to new Attribute Authority getAllHostsInfo() rather than consecutive calls to getHostInfo() and getAllHostsInfo() as before
  • LoginController?.doRedirect makes a check on the return to address by checking the peer's SSL certificate against a list of accepted DNs returned from Attribute Authority getAllHostsInfo()

ows_server/ows_server/lib/base.py:

Location:
TI05-delivery/ows_framework/trunk/ows_server
Files:
3 edited

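--- a/TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config
@@ -11,4 +11,5 @@
 # the following is the server on which this browse/discovery instance runs!
 server:         http://localhost:8080
+
 #
 # the following is the server on which the NDG discovery service is running! (Not to be confused with
@@ -113,9 +114,10 @@
 [NDG_SECURITY]
 # Server address for secure connections
-sslServer: https://localhost
+#sslServer: https://localhost
+sslServer: https://ndgbeta.badc.rl.ac.uk
 
 # Redirect SOAP output to a file e.g. open(<somefile>, 'w')
-#tracefile: None
-tracefile: sys.stderr
+tracefile: None
+#tracefile: sys.stderr
 
 # Service addresses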
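Review bot: `sslServer` now points at one deployment host while the previous `https://localhost` value is kept as a commented-out toggle, yet the comment above it still says only "Server address for secure connections"; say what depends on it, e.g. `# https virtual host that serves the discovery login pages (used by controllers/login.py)`. The neighbouring `tracefile` toggle to `sys.stderr` writes the raw SOAP exchange into the server's error stream, presumably including the WS-Security headers the Attribute Authority client signs, so a comment such as `# debug aid only; leave as None on a deployed instance` would help whoever flips it back. The commit message says the sslServer param was added, but r2929 already carried it; this change only retargets it.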
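--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
@@ -51,5 +51,7 @@
         query string.  c.returnTo is used in some of the .kid files"""
         c.returnTo = request.params.get('r', '')
-
+        log.debug("Decoded c.returnTo = %s" % \
+                                      base64.urlsafe_b64decode(c.returnTo))
+    
     
     def index(self):
@@ -85,5 +87,5 @@
         except Exception,e:
             c.xml='Error establishing security context [%s]'%cgi.escape(str(e))
-            return Response(render('content'),code=400)
+            return Response(render('content'), code=400)
         
         # Connect to Session Manager
@@ -158,14 +160,7 @@
         log.debug("Calling Attribute Authority getTrustedHostInfo and " + \
                   "getHostInfo for wayf")
-        trustedHosts = aaClnt.getTrustedHostInfo()
-        thisHost = aaClnt.getHostInfo()
-        
-        try:
-            trustedHosts[thisHost.keys()[0]] = thisHost.values()[0]
-        except TypeError:
-            raise OwsError, \
-                        "thisHost returned from Attribute Authority is empty"
-            
-        c.providers=dict([(k,v['loginURI']) for k,v in trustedHosts.items()])
+
+        hosts = aaClnt.getAllHostsInfo()
+        c.providers=dict([(k, v['loginURI']) for k, v in hosts.items()])
         
         if 'panelView' in session: del session['panelView']
@@ -192,5 +187,5 @@
 
             returnToHostname = urlsplit(cc)[1]
-
+#            returnToHostname = 'localhost'
 #            if thisHostname not in returnToHostname:
             if True:
@@ -204,11 +199,27 @@
             # Check return-to address by examining peer cert
             log.debug("Checking return-to URL for valid SSL peer cert. ...")
-            hostCheck=HostCheck(caCertFilePathList=g.securityCfg.sslCACertFilePathList)
-            cxn = HTTPSConnection(returnToHostname,
-                                  None,
-                                  postConnectionCheck=hostCheck)
+            
+            # Look-up list of Cert DNs for trusted requestors
+            aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI,
+                    signingCertFilePath=g.securityCfg.wssCertFilePath,
+                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
+                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
+                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
+                    tracefile=g.securityCfg.tracefile)
+            
+            HostInfo = aaClnt.getAllHostsInfo()
+            requestServerDN = [val['loginRequestServerDN'] \
+                               for val in HostInfo.values()]
+            log.debug("Expecting DN for SSL peer one of: %s"%requestServerDN)
+            hostCheck=HostCheck(acceptedDNs=requestServerDN,
+                    caCertFilePathList=g.securityCfg.sslCACertFilePathList)
+            testConnection = HTTPSConnection(returnToHostname,
+                                             None,
+                                             postConnectionCheck=hostCheck)
+
+            log.debug('Testing connection to "%s"' % returnToHostname)
             try:
                 try:
-                    cxn.connect()
+                    testConnection.connect()
                 except InvalidCertSignature, e:
                     log.error("Login: requestor SSL cert.: %s" % e)
@@ -218,5 +229,5 @@
                     return Response(render('login'), code=400)
             finally:
-                cxn.close()
+                testConnection.close()
 
             log.debug("SSL peer cert. is OK - redirecting to [%s] ..." % cc)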
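Review bot: In the doRedirect hunk (new lines 210-212) `requestServerDN` is the union of every host's `loginRequestServerDN` returned by getAllHostsInfo(), so HostCheck confirms only that the return-to server is *some* trusted host, not that it is the host named in the `r` parameter (the hostname comparison above it stays commented out behind `if True:`); if that is the intended policy, record it in the `# Look-up list ...` comment, e.g. `# Any trusted host's loginRequestServerDN is accepted; the hostname itself is not matched`. The comprehension also raises KeyError for any host record lacking that attribute, so one incomplete Attribute Authority entry turns every login redirect into a 500; assuming the entries are plain dicts, `requestServerDN = [val['loginRequestServerDN'] for val in HostInfo.values() if val.get('loginRequestServerDN')]` plus a log.warning for the skipped host would degrade more gracefully. Separately, in the first hunk (new lines 53-54) `base64.urlsafe_b64decode(c.returnTo)` is evaluated on the raw `r` parameter as the log.debug argument, so a malformed value raises before any handler runs; decode inside a try/except or log the encoded value only. The except clauses between new lines 225 and 229 and the remainder of doRedirect lie outside the hunk.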
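--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
@@ -42,6 +42,5 @@
         # construct URL picking up setting of server name from config to
         # avoid exposing absolute URL hidden behind mod_proxy see #857
-        baseURL = request.environ['ndgConfig'].get('DEFAULT', 'server')
-        c.requestURL = baseURL + urllib.quote(environ.get('PATH_INFO', ''))
+        c.requestURL = g.server + urllib.quote(environ.get('PATH_INFO', ''))
 
         query = '&'.join(["%s=%s" % item for item in request.params.items()])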
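Review bot: The comment on lines 42-43 still says the server name is picked up "from config", while the new line reads it from `g.server`, whose origin is not visible here; if it is populated at startup from the DEFAULT `server` setting that the removed `request.environ['ndgConfig']` lookup read, update the comment to `# g.server carries the DEFAULT/server config setting; use it rather than the request host so the URL behind mod_proxy is not exposed (#857)`. The enclosing method begins before the hunk, and the commit message's entry for base.py is empty, so this is the only place the rationale can live.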