Changeset 3658


Ignore:
Timestamp:
20/03/08 15:54:09 (11 years ago)
Author:
pjkersha
Message:

sso: refactoring redirects from NDG Browse version.

Location:
TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso
Files:
9 edited

Legend:

Unmodified
Added
Removed
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/data/sessions/container_file/1/10/10bf337d1b10fd7709433bfb1e4180de.cache

    r3652 r3658  
    22S'_accessed_time' 
    33p2 
    4 F1205944556.4148951 
     4F1205946194.576649 
    55sS'_creation_time' 
    66p3 
    7 F1205941527.665767 
     7F1205946170.6376319 
    88s. 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso.cfg

    r3652 r3658  
    88[NDG_SECURITY] 
    99# Server address for secure connections 
    10 sslServer: https://localhost 
    11 server:    http://localhost:4000 
     10sslServer: https://gabriel.badc.rl.ac.uk 
     11server:    http://gabriel.badc.rl.ac.uk:4000 
    1212 
    1313# Redirect SOAP output to a file e.g. open(<somefile>, 'w') 
     
    1616 
    1717# Service addresses 
    18 sessionMgrURI: https://localhost:5700/SessionManager 
     18sessionMgrURI: https://gabriel.badc.rl.ac.uk/SessionManager 
    1919attAuthorityURI: http://localhost:5000/AttributeAuthority 
    2020 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/login.py

    r3652 r3658  
    1010    HostCheck, InvalidCertSignature, InvalidCertDN 
    1111 
    12 import base64 
     12from base64 import urlsafe_b64decode, urlsafe_b64decode 
    1313 
    1414log = logging.getLogger(__name__) 
     
    1616class LoginController(BaseController): 
    1717     
    18     def __before__(self, action):  
    19         """For each action, get 'r' return to URL argument from current URL  
    20         query string.  c.returnTo is used in some of the .kid files""" 
    21         log.debug("LoginController.__before__ ...")    
    22  
    23         c.returnTo = request.params.get('r', '') 
    24          
    25         # Check return to address - getCredentials should NOT be returned to 
    26         # with its query args intact 
    27         b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
    28         scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
    29         if 'getCredentials' in pathInfo: 
    30             # Swap to discovery and remove sensitive creds query args 
    31             # 
    32             # TODO: re-write to be more robust and modular.  Nb.  
    33             # BaseController.__call__ should filter out 'getCredentials' 
    34             # calls from c.requestURL so this code should never need to be  
    35             # executed. 
    36             filteredReturnTo = urlunsplit((scheme,netloc,'/login','','')) 
    37             c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
    38          
    39         # Check return to address - getCredentials should NOT be returned to 
    40         # with its query args intact 
    41         log.debug("LoginController.__before__: Decoded c.returnTo = %s" % \ 
    42                                       base64.urlsafe_b64decode(c.returnTo)) 
     18#    def __before__(self, action):  
     19#        """For each action, get 'r' return to URL argument from current URL  
     20#        query string.  c.returnTo is used in some of the .kid files""" 
     21#        log.debug("LoginController.__before__ ...")    
     22# 
     23#        c.returnTo = request.params.get('r', '') 
     24         
     25#        # Check return to address - getCredentials should NOT be returned to 
     26#        # with its query args intact 
     27#        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
     28#        scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
     29#        if 'getCredentials' in pathInfo: 
     30#            # Swap to discovery and remove sensitive creds query args 
     31#            # 
     32#            # TODO: re-write to be more robust and modular.  Nb.  
     33#            # BaseController.__call__ should filter out 'getCredentials' 
     34#            # calls from c.requestURL so this code should never need to be  
     35#            # executed. 
     36#            filteredReturnTo = urlunsplit((scheme,netloc,'/login','','')) 
     37#            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
     38#         
     39#        # Check return to address - getCredentials should NOT be returned to 
     40#        # with its query args intact 
     41#        log.debug("LoginController.__before__: Decoded c.returnTo = %s" % \ 
     42#                                      base64.urlsafe_b64decode(c.returnTo)) 
    4343         
    4444         
     
    4747        log.debug("LoginController.index ...")    
    4848 
     49        # Check the return to URL 
     50        c.b64encReturnTo = str(request.params.get('r', '')) 
     51         
    4952        if 'ndgSec' not in session:  
    5053            log.debug('No security session details found - offering login...') 
     
    108111        Session Manager following user login""" 
    109112        log.debug("LoginController.getCredentials ...")    
     113 
     114        # Check the return to URL 
     115        c.b64encReturnTo = str(request.params.get('r', '')) 
    110116 
    111117        if 'username' not in request.params: 
     
    150156                    "pass-phrase and try again." 
    151157            log.error("Session Manager connect returned: %s" % e) 
     158            raise e 
    152159            response.status_code = 401 
    153160            return render('ndg.security.login') 
     
    198205        a cookie.  If the requestor is in the same domain as the login then 
    199206        this is not necessary.""" 
    200          
    201         # and now go back to whence we had come 
    202         if c.returnTo!='': 
    203             # is there a keyword on redirect_to that can make this https? See: 
    204             # http://pylonshq.com/project/pylonshq/browser/Pylons/trunk/pylons/decorators/secure.py#L69 
    205  
     207        log.debug("LoginController._redirect...") 
     208         
     209        # This is set in index and getCredentials 
     210        if c.b64encReturnTo: 
     211         
    206212            # Only add token if return URI is in a different domain 
    207213            thisHostname = request.host.split(':')[0] 
    208214             
    209215            # Decode return to address 
    210             cc = base64.urlsafe_b64decode(c.returnTo) 
    211             log.debug('Login redirect to [%s]' % cc) 
    212  
    213             returnToHostname = urlsplit(cc)[1] 
    214 #            returnToHostname = 'localhost' 
    215 #            if thisHostname not in returnToHostname: 
     216            returnToURL = urlsafe_b64decode(c.b64encReturnTo) 
     217            log.debug('Login redirect to [%s]' % returnToURL) 
     218 
     219            returnToURLHostname = urlsplit(returnToURL)[1] 
     220#            returnToURLHostname = 'localhost' 
     221#            if thisHostname not in returnToURLHostname: 
    216222            if True: 
    217223                # Returning to a different domain - copy the security session 
    218224                # details into the URL query string 
    219                 if '?' in cc: 
    220                     cc+='&%s' % LoginServiceQuery() 
     225                if '?' in returnToURL: 
     226                    returnToURL += '&%s' % LoginServiceQuery() 
    221227                else: 
    222                     cc+='?%s' % LoginServiceQuery() 
     228                    returnToURL += '?%s' % LoginServiceQuery() 
    223229             
    224230            # Check return-to address by examining peer cert 
    225231            log.debug("Checking return-to URL for valid SSL peer cert. ...") 
     232 
     233            # Inclusive namespace prefixes for WS-Security digital signature 
     234            # (Exclusive C14N only) 
     235            refC14nKw={'unsuppressedPrefixes':g.securityCfg.wssRefInclNS} 
     236            signedInfoC14nKw = {'unsuppressedPrefixes': 
     237                                g.securityCfg.wssSignedInfoInclNS} 
    226238             
    227239            # Look-up list of Cert DNs for trusted requestors 
    228240            aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI, 
    229                     signingCertFilePath=g.securityCfg.wssCertFilePath, 
    230                     signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
    231                     signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 
    232                     caCertFilePathList=g.securityCfg.wssCACertFilePathList, 
    233                     tracefile=g.securityCfg.tracefile) 
     241                        signingCertFilePath=g.securityCfg.wssCertFilePath, 
     242                        signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
     243                        signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 
     244                        caCertFilePathList=g.securityCfg.wssCACertFilePathList, 
     245                        refC14nKw=refC14nKw, 
     246                        signedInfoC14nKw=signedInfoC14nKw, 
     247                        tracefile=g.securityCfg.tracefile) 
    234248             
    235249            HostInfo = aaClnt.getAllHostsInfo() 
    236250            requestServerDN = [val['loginRequestServerDN'] \ 
    237251                               for val in HostInfo.values()] 
    238             log.debug("Expecting DN for SSL peer one of: %s"%requestServerDN) 
     252            log.debug(\ 
     253            "Attribute Authority [%s] expecting DN for SSL peer one of: %s" % \ 
     254                      (g.securityCfg.aaURI, requestServerDN)) 
    239255            hostCheck=HostCheck(acceptedDNs=requestServerDN, 
    240256                    caCertFilePathList=g.securityCfg.sslCACertFilePathList)             
    241             testConnection = HTTPSConnection(returnToHostname,  
     257            testConnection = HTTPSConnection(returnToURLHostname,  
    242258                                             None,  
    243259                                             postConnectionCheck=hostCheck) 
    244260 
    245             log.debug('Testing connection to "%s"' % returnToHostname) 
     261            log.debug('Testing connection to "%s"' % returnToURLHostname) 
    246262            try: 
    247263                try: 
     
    251267                    c.xml = """Request to redirect back to %s with your  
    252268credentials refused: there is a problem with the SSL certificate of this site. 
    253   Please report this to your site administrator.""" % returnToHostname 
     269  Please report this to your site administrator.""" % returnToURLHostname 
    254270                    response.status_code = 400 
    255271                    return render('ndg.security.login') 
     
    257273                testConnection.close() 
    258274 
    259             log.debug("SSL peer cert. is OK - redirecting to [%s] ..." % cc) 
    260             h.redirect_to(cc) 
     275            log.debug("SSL peer cert. is OK - redirecting to [%s] ..." % \ 
     276                                                                returnToURL) 
     277            # redirect_to doesn't like unicode 
     278            h.redirect_to(str(returnToURL)) 
    261279        else: 
     280            log.debug(\ 
     281        "LoginController._redirect: no redirect URL set - render login page") 
    262282            c.xml='Logged in' 
    263283            return render('ndg.security.login') 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/logout.py

    r3652 r3658  
    1515    session cookie content 
    1616    ''' 
    17      
    18     def __before__(self): 
    19         """Get return to URL""" 
    20         c.returnTo = request.params.get('r', '') 
    21          
    22         # Check return to address - getCredentials should NOT be returned to 
    23         # with its query args intact 
    24         try: 
    25             b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
    26         except Exception, e: 
    27             log.error("Decoding return to address: %s" % e) 
    28             return 
    29          
    30         scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
    31 #        if 'getCredentials' in pathInfo: 
    32 #            # Swap back to login and remove sensitive creds query args 
    33 #            # 
    34 #            # TODO: re-write to be more robust and modular.  Nb.  
    35 #            # BaseController.__call__ should filter out 'getCredentials' 
    36 #            # calls from c.requestURL so this code should never need to be  
    37 #            # executed. 
    38 #            filteredReturnTo = urlunsplit((scheme,netloc,'/login','','')) 
    39 #            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
     17#     
     18#    def __before__(self): 
     19#        """Get return to URL""" 
     20#        log.debug("LogoutController.__before__ ...") 
     21#        log.debug("LogoutController.__before__ ...") 
     22# 
     23#        c.returnTo = request.params.get('r', '') 
     24#         
     25#        # Check return to address - getCredentials should NOT be returned to 
     26#        # with its query args intact 
     27#        try: 
     28#            b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
     29#        except Exception, e: 
     30#            log.error("Decoding return to address: %s" % e) 
     31#            return 
     32#         
     33#        scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
     34##        if 'getCredentials' in pathInfo: 
     35##            # Swap back to login and remove sensitive creds query args 
     36##            # 
     37##            # TODO: re-write to be more robust and modular.  Nb.  
     38##            # BaseController.__call__ should filter out 'getCredentials' 
     39##            # calls from c.requestURL so this code should never need to be  
     40##            # executed. 
     41##            filteredReturnTo = urlunsplit((scheme,netloc,'/login','','')) 
     42##            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
    4043 
    4144     
     
    106109    def _redirect(self): 
    107110        """Handle redirect back to previous page""" 
    108         if c.returnTo: 
     111         
     112        # Redirect URL is held in 'r' URL arg of this request 
     113        b64encReturnTo = str(request.params.get('r', '')) 
     114 
     115        if b64encReturnTo: 
    109116            # Decode the return to address 
    110117            try: 
    111                 b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
     118                b64decReturnTo = base64.urlsafe_b64decode(b64encReturnTo) 
    112119            except Exception, e: 
    113120                log.error("logout - decoding return URL: %s" % e)  
    114                 c.xml = "Error decoding URL to return to" 
     121                c.xml = "Error carrying out browser redirect following logout" 
    115122                return render('ndg.security.error') 
    116123             
     124            # Check for 'getCredentials' - avoid in case username/password 
     125            # contained in the URL! 
     126            getCredentialsIdx = b64decReturnTo.rfind('/getCredentials') 
     127            if getCredentialsIdx != -1: 
     128                log.debug(\ 
     129                    "Reverting request URL from getCredentials to login...") 
     130                b64decReturnTo = b64decReturnTo[:getCredentialsIdx] + '/login' 
     131             
    117132            # and now go back to whence we had come 
     133            log.debug("LogoutController._redirect: redirect to %s" % \ 
     134                                                              b64decReturnTo) 
    118135            h.redirect_to(b64decReturnTo) 
    119136        else: 
     137            log.debug("LogoutController._redirect: no redirect URL set.") 
    120138            return render('ndg.security.error') 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/controllers/wayf.py

    r3652 r3658  
    77log = logging.getLogger(__name__) 
    88 
     9 
    910class WayfController(BaseController): 
    1011    """Where Are You From Controller - display a list of trusted sites for  
     
    1314    def __before__(self, action):  
    1415        """For each action, get 'r' return to URL argument from current URL  
    15         query string.  c.returnTo is used in some of the .kid files""" 
    16         c.returnTo = request.params.get('r', '') 
     16        query string.  c.b64encReturnTo is used in some of the .kid files""" 
     17        c.b64encReturnTo = request.params.get('r', '')  
     18        log.debug("WayfController.__before__: c.b64encReturnTo = %s" % \ 
     19                                                              c.b64encReturnTo) 
    1720         
    18         # Check return to address - getCredentials should NOT be returned to 
    19         # with its query args intact 
    20         b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
    21         scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
    22         if 'getCredentials' in pathInfo: 
    23             # Swap to discovery and remove sensitive creds query args 
    24             # 
    25             # TODO: re-write to be more robust and modular.  Nb.  
    26             # BaseController.__call__ should filter out 'getCredentials' 
    27             # calls from c.requestURL so this code should never need to be  
    28             # executed. 
    29             filteredReturnTo = urlunsplit((scheme,netloc,'/login','','')) 
    30             c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
     21        # Decode the return URL so that it can be displayed to the user by  
     22        # wayf.kid 
     23        # The URL has previously been encoded from the BaseController and set  
     24        # in ndgPage.kid   
     25        # Use str() - urlsafe_b64decode() doesn't like unicode 
     26        c.returnTo = base64.urlsafe_b64decode(str(c.b64encReturnTo)) 
    3127         
    32         # Check return to address - getCredentials should NOT be returned to 
    33         # with its query args intact 
    34         log.debug("LoginController.__before__: Decoded c.returnTo = %s" % \ 
    35                                       base64.urlsafe_b64decode(c.returnTo)) 
     28        # Ensure login can return to an address over https to  
     29        # preserve confidentiality of credentials 
     30        if g.securityCfg.server in c.returnTo: 
     31            c.returnTo = c.returnTo.replace(g.securityCfg.server,  
     32                                            g.securityCfg.sslServer) 
     33            c.b64encReturnTo = urlsafe_b64encode(c.returnTo)         
     34            log.debug(\ 
     35    "WayfController.__before__: switched return to address to https = %s" % \ 
     36                                                              c.returnTo)  
     37#         
     38#        # Check return to address - getCredentials should NOT be returned to 
     39#        # with its query args intact 
     40#        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
     41#        scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
     42#        if 'getCredentials' in pathInfo: 
     43#            # Swap to discovery and remove sensitive creds query args 
     44#            # 
     45#            # TODO: re-write to be more robust and modular.  Nb.  
     46#            # BaseController.__call__ should filter out 'getCredentials' 
     47#            # calls from c.requestURL so this code should never need to be  
     48#            # executed. 
     49#            filteredReturnTo = urlunsplit((scheme,netloc,'/login','','')) 
     50#            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
     51#         
     52#        # Check return to address - getCredentials should NOT be returned to 
     53#        # with its query args intact 
     54#        log.debug("LoginController.__before__: Decoded c.returnTo = %s" % \ 
     55#                                      base64.urlsafe_b64decode(c.returnTo)) 
    3656 
    3757    def index(self): 
    3858        ''' NDG equivalent to Shibboleth WAYF ''' 
    39         log.debug("WayfController.index ...")    
     59        log.debug("WayfController.index ...") 
    4060 
    4161        # Inclusive namespace prefixes for WS-Security digital signature 
    4262        # (Exclusive C14N only) 
    43         refC14nKw={'unsuppressedPrefixes':g.securityCfg.wssRefInclNS} 
     63        refC14nKw = {'unsuppressedPrefixes':g.securityCfg.wssRefInclNS} 
    4464        signedInfoC14nKw = {'unsuppressedPrefixes': 
    4565                            g.securityCfg.wssSignedInfoInclNS} 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/lib/base.py

    r3652 r3658  
    1818from base64 import urlsafe_b64encode 
    1919 
     20from sso.lib.security_util import setSecuritySession, LoginServiceQuery 
     21 
    2022import logging 
    2123log = logging.getLogger(__name__) 
     
    3234        BaseController.count += 1 
    3335        log.debug("BaseController.__call__ %02d ..." % BaseController.count) 
    34 #        if BaseController.count >= 4: 
    35 #            log.debug("HERE") 
    36 #            raise Exception("Error") 
    37 #        # construct URL picking up setting of server name from config to  
    38 #        # avoid exposing absolute URL hidden behind mod_proxy see #857  
    39 #        # Also, avoid returning to getCredentials and potentially exposing 
    40 #        # username/pass-phrase on URL. 
    41 #        # TODO: rework getCredentials get-out for more modular solution 
    42 #        pathInfo = urllib.quote(environ.get('PATH_INFO', ''))  
    43 #        if 'getCredentials' in pathInfo: 
    44 #            log.debug(\ 
    45 #                "Reverting request URL from getCredentials to login...") 
    46 #            c.requestURL = g.securityCfg.server + '/login'        
    47 #        else: 
    48 #            c.requestURL = g.securityCfg.server + pathInfo 
    49 #            query='&'.join(["%s=%s"%item for item in request.params.items()]) 
    50 #            if query: 
    51 #                c.requestURL += '?' + query 
    52 #         
    53 #        # Base 64 encode to enable passing around in 'r' argument of query 
    54 #        # string for use with login/logout 
    55 #        c.b64encRequestURL = urlsafe_b64encode(c.requestURL) 
    56 # 
    57 #        if 'h' in request.params: 
    58 #            # 'h' corresponds to the setting of a session manager host i.e. 
    59 #            # the request has come from a completed login from the login  
    60 #            # service 
    61 #            log.debug("Setting security session from URL query args ...") 
    62 #             
    63 #            # Copy the query arguments into security session keys 
    64 #            setSecuritySession() 
    65 #             
    66 #            session.save() 
    67 #             
    68 #            # Re-construct the URL removing the security related arguments 
    69 #            qs = LoginServiceQuery.stripFromURI() 
    70 # 
    71 #            log.debug('Switching from https to http...') 
    72 #            cc = g.securityCfg.serve +urllib.quote(environ.get('PATH_INFO','')) 
    73 #            if qs: 
    74 #                cc += "?" + qs 
    75 #                 
    76 #            log.debug('URL transport switched to http: "%s"' % cc) 
    77 #            h.redirect_to(cc) 
     36 
     37        # construct URL picking up setting of server name from config to  
     38        # avoid exposing absolute URL hidden behind mod_proxy see #857  
     39        # Also, avoid returning to getCredentials and potentially exposing 
     40        # username/pass-phrase on URL. 
     41        # TODO: rework getCredentials get-out for more modular solution 
     42        pathInfo = urllib.quote(environ.get('PATH_INFO', ''))  
     43        if 'getCredentials' in pathInfo: 
     44            log.debug("Reverting request URL from getCredentials to login...") 
     45            c.requestURL = g.securityCfg.server + '/login'        
     46        else: 
     47            c.requestURL = g.securityCfg.server + pathInfo 
     48            query='&'.join(["%s=%s"%item for item in request.params.items()]) 
     49            if query: 
     50                c.requestURL += '?' + query 
     51 
     52        log.debug("BaseController.__call__: c.requestURL = %s" % c.requestURL) 
     53         
     54        if 'h' in request.params: 
     55            # 'h' corresponds to the setting of a session manager host i.e. 
     56            # the request has come from a completed login from the login  
     57            # service 
     58            log.debug("Setting security session from URL query args ...") 
     59             
     60            # Copy the query arguments into security session keys 
     61            setSecuritySession() 
     62             
     63            session.save() 
     64             
     65            # Re-construct the URL removing the security related arguments 
     66            qs = LoginServiceQuery.stripFromURI() 
     67 
     68            log.debug('Switching from https to http...') 
     69            cc = g.securityCfg.server+urllib.quote(environ.get('PATH_INFO','')) 
     70            if qs: 
     71                cc += "?" + qs 
     72                 
     73            log.debug('URL transport switched to http: "%s"' % cc) 
     74            redirect_to(cc) 
    7875 
    7976         
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/login.kid

    r3652 r3658  
    33    <div py:def="loginForm()" class="loginForm"> 
    44        <form action="$g.securityCfg.getCredentials" method="POST"> 
    5             <input type="hidden" name="r" value="${c.returnTo}"/> 
     5            <input type="hidden" name="r" value="${c.b64encReturnTo}"/> 
    66            <table cellspacing="0" border="0" cellpadding="5"> 
    77                <tr> 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/ndgPage.kid

    r3652 r3658  
    9191    <span py:def="logOut()" class="logOut"> 
    9292        <form action="$g.securityCfg.logout"> 
    93             <input type="hidden" name="r" value="${c.b64encRequestURL}"/> 
     93            <input type="hidden" name="r" value="${c.b64encReturnTo}"/> 
    9494            <input type="submit" value="Logout"/> 
    9595        </form> 
     
    9797     
    9898    <span py:def="logIn()" class="logIn"> 
     99        <?python 
     100        from base64 import urlsafe_b64encode 
     101         
     102        # Base 64 encode to enable passing around in 'r' argument of query 
     103        # string for use with login/logout 
     104        c.returnTo = c.requestURL 
     105        c.b64encReturnTo = urlsafe_b64encode(c.requestURL) 
     106        ?> 
    99107        <form action="$g.securityCfg.wayfuri"> 
    100             <input type="hidden" name="r" value="${c.b64encRequestURL}"/> 
     108            <input type="hidden" name="r" value="${c.b64encReturnTo}"/> 
    101109            <input type="submit" value="Login"/> 
    102110        </form> 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/templates/ndg/security/wayf.kid

    r3652 r3658  
    77        <div class="wayfContent" style="text-indent:5px">         
    88        <h4> Where are you from? </h4> 
     9        <p> You can login in at: 
    910        <?python 
    10                 # Decode the return URL so that it can be displayed to the user. 
    11                 # The URL has previously been encoded from ndgPage.kid 
    12                 from base64 import urlsafe_b64decode, urlsafe_b64encode  
    13                 b64decReturnTo = urlsafe_b64decode(c.returnTo) 
    14                  
    15                 # Ensure login can return to an address over https to  
    16                 # preserve confidentiality of credentials 
    17                 if g.securityCfg.server in b64decReturnTo: 
    18                         b64decReturnTo = b64decReturnTo.replace(g.securityCfg.server, g.securityCfg.sslServer) 
    19                         c.returnTo = urlsafe_b64encode(b64decReturnTo)         
     11        # Sort alphabetically 
     12        providerNames = c.providers.keys() 
     13        providerNames.sort() 
    2014        ?> 
    21         <p> You can login in at  
    22         <ul py:for="h in c.providers"> 
    23             <li> <a href="${c.providers[h]}?r=${c.returnTo}">${h}</a></li> 
     15        <ul py:for="h in providerNames"> 
     16            <li> <a href="${c.providers[h]}?r=${c.b64encReturnTo}">${h}</a></li> 
    2417        </ul></p> 
    2518        <p>Before clicking on these links, please check that the links redirect to a site 
    2619        you trust with your security credentials.</p> 
    2720        <p> How can I tell?  For any of the above, following login you will be  
    28         redirected back to the URL: <a href="${b64decReturnTo}">${b64decReturnTo}</a></p> 
     21        redirected back to the URL: <a href="${c.returnTo}">${c.returnTo}</a></p> 
    2922                </div> 
    3023        <div py:replace="footer()"/> 
Note: See TracChangeset for help on using the changeset viewer.