Changeset 3893

Timestamp:

13/05/08 09:34:07 (13 years ago)

Author:

pjkersha

Message:

Security Single Sign On code separated out of ows_server code stack and put in ndg.security. ows_server can still run single sign on but in alternate modes:

• Single Sign On Service run from within ows_server code stack - all SSO controllers, templates and globals are imported from ndg.security
• ... or ows_server runs as a client to a Single Sign On service running in a separate paster instance. ows_server imports SSO client interface code from ndg.security

ows_server/development.ini:

• added logging config as available with Pylons 0.9.6

ows_server/ndgDiscovery.config: [NDG_SECURITY] settings are now divided into sub sections:

• NDG_SECURITY.ssoClient - for running a client to a Single Sign On service
• NDG_SECURITY.ssoService - for running an integral SSO service
• NDG_SECURITY.wssecurity - digital signature for web service interfaces
• TODO: separate section for Gatekeeper

ows_server/ows_server/models/ndgSecurity.py: get rid of sslPeerCertDN setting to SM client - not needed

ows_server/ows_server/config/environment.py: include templates from ndg.security.server.sso

ows_server/ows_server/config/ndgMiddleware.py: call separate security SSO service/client middleware set-up

ows_server/ows_server/config/routing.py,
ows_server/ows_server/controllers/wayf.py: separate wayf controller

ows_server/ows_server/controllers/login.py: code moved to ndg.security.server.sso.sso.controllers.login ows_server login extends this class
ows_server/ows_server/controllers/logout.py: likewise for logout - inherit from ndg.security.server.sso equivalent

ows_server/ows_server/lib/security_util.py:

• stripFromURI returns str type not unicode
• SecurityConfig? class no longer needed - code transfered to ndg.security

ows_server/ows_server/lib/base.py: remove security handling code and instead inherit from ndg.security.client.ssoclient.ssoclient.base.BaseController?

ows_server/ows_server/public/layout/ndg2.css: fix to header image path

ows_server/ows_server/templates/ndgPage.kid: embed code to base 64 encode return to URL

Location:

TI05-delivery/ows_framework/trunk/ows_server

Files:

• development.ini (modified) (1 diff)
• ndgDiscovery.config (modified) (8 diffs)
• ows_server/config/environment.py (modified) (3 diffs)
• ows_server/config/ndgMiddleware.py (modified) (3 diffs)
• ows_server/config/routing.py (modified) (1 diff)
• ows_server/controllers/login.py (modified) (1 diff)
• ows_server/controllers/logout.py (modified) (1 diff)
• ows_server/controllers/wayf.py (added)
• ows_server/lib/base.py (modified) (4 diffs)
• ows_server/lib/security_util.py (modified) (2 diffs)
• ows_server/models/ndgSecurity.py (modified) (1 diff)
• ows_server/public/layout/ndg2.css (modified) (1 diff)
• ows_server/templates/__init__.py (modified) (1 diff)
• ows_server/templates/ndgPage.kid (modified) (2 diffs)

TI05-delivery/ows_framework/trunk/ows_server/development.ini

@@ -57 +57 @@
 # execute malicious code after an exception is raised.
 #set debug = false
+
+# Logging configuration
+[loggers]
+keys = root, ows_server, ndg
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = INFO
+handlers = console
+
+[logger_ows_server]
+level = DEBUG
+handlers =
+qualname = ows_server
+
+[logger_ndg]
+level = DEBUG
+handlers =
+qualname = ndg
+
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+#level = NOTSET
+level = DEBUG
+formatter = generic
+
+[formatter_generic]
+format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S
+

TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config

@@ -10 +10 @@
 #
 # the following is the server on which this browse/discovery instance runs!
-#server:         http://localhost
+server:         http://localhost
 #server:       http://superglue.badc.rl.ac.uk:8083
 ## This is the proxied server root
-server: http://superglue.badc.rl.ac.uk/ndg-test
+#server: http://superglue.badc.rl.ac.uk/ndg-test
 
 #
 # the following is the server on which the NDG discovery service is running! (Not to be confused with
 # the server on which the NDG discovery web service is running). This can and probably should be the local
-# server (i.e. dont change it!)
+# server (i.e. don't change it!)
 #
 ndgServer:      %(server)s
@@ -24 +24 @@
 # this is the physical file location of the layout directory on this machine 
 # 
-layoutdir:      /usr/local/ows_server_deployment/layout
+layoutdir: 
 #
 # this should never be changed
 #
 ##!NOTE: These are changed to  reflect the proxy prefix
-layout:         /ndg-test/layout/
-icondir:        /ndg-test/layout/icons/
+#layout:         /ndg-test/layout/
+#icondir:        /ndg-test/layout/icons/
+layout:          /layout/
+icondir:         /layout/icons/
+
 #
 mailserver:       xxxoutbox.rl.ac.uk
@@ -51 +54 @@
 [layout]
 ###### user customisable:
-localLink:      http://superglue.badc.rl.ac.uk/ndg-test/
+localLink:      %(ndgServer)s/layout/
 localImage:     %(layout)sndg_logo_circle.gif
 localAlt:       visit badc
 ###### ought to be the end of the customisations
-ndgLink:        http://superglue.badc.rl.ac.uk/ndg-test/
+ndgLink:        http://ndg.nerc.ac.uk/
 ndgImage:       %(layout)sndg_logo_circle.gif
 ndgAlt:         visit ndg
@@ -67 +70 @@
 printer:        %(icondir)sprinter.png
 helpIcon:       %(icondir)shelp.png
-HdrLeftAlt:     %(layout)sNatural Environment Research Council
+HdrLeftAlt:     %(layout)s Natural Environment Research Council
 HdrLeftLogo:    %(layout)sNERC_Logo.gif
 
@@ -121 +124 @@
 passwordFile: ./passwords.txt
 
-[NDG_SECURITY]
-# Server address for secure connections
+#
+# NDG Security
+#
+
+# Security settings for configuration as a client to a Single Sign On Service
+# i.e. Where Are You From, login and logout operations are handled by a 
+# separate standalone paster instance
+#[NDG_SECURITY.ssoClient]
+## THIS service's address for secure connections - the Single Sign On service
+## returns security parameters to this service along this channel
 #sslServer: https://localhost
-sslServer: https://ndgbeta.badc.rl.ac.uk
+##sslServer: https://ndgbeta.badc.rl.ac.uk
+#
+## THIS service's address for unencrypted connections - when login is complete,
+## the BaseController redirects to an equivalent address under this host name.
+## sslServer and server settings must match for the sharing of cookies.
+#server: http://localhost
+#
+## WAYF running on Single Sign On Service - omit to default to WAYF running on
+## THIS paster instance
+#wayfURI:               https://localhost/sso/wayf
+#
+## Logout URI running on Single Sign On Service - omit to default to WAYF running on
+## THIS paster instance
+#logoutURI:             https://localhost/sso/logout
+
+# Security settings for running a Single Sign On Service from this paster
+# instance.  Either NDG_SECURITY.ssoClient or NDG_SECURITY.ssoService sections
+# should be set but NOT both
+
+# Single Sign On Service Settings
+[NDG_SECURITY.ssoService]
+
+# THIS service's address for secure connections - the Single Sign On service
+# returns security parameters to this service along this channel
+sslServer: https://localhost
+#sslServer: https://ndgbeta.badc.rl.ac.uk
+
+# THIS service's address for unencrypted connections - when login is complete,
+# the BaseController redirects to an equivalent address under this host name.
+# sslServer and server settings must match for the sharing of cookies.
+server: http://localhost
 
 # Redirect SOAP output to a file e.g. open(<somefile>, 'w')
@@ -131 +172 @@
 
 # Service addresses
-#sessionMgrURI: https://localhost:5700/SessionManager
-sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager
-#attAuthorityURI: http://localhost:5000/AttributeAuthority
-attAuthorityURI: http://aa.ceda.rl.ac.uk
-
-# WS-Security signature handler
-# This is an application certificate ... (which may be a machine certificate)
-# X.509 certificate sent with outbound signed messages
-wssCertFilePath: ./certs/Junk-cert.pem
-
-# Private key used to sign messages
-# This is an application certificate ... (which may be a machine certificate)
-wssKeyFilePath: ./certs/Junk-key.pem
-
-# Password for private key - comment out if the file is not password protected
-wssKeyPwd: Junk
-
-# Space separated list of CA cert. files to validate certs against when
-# verifying responses
-wssCACertFilePathList: ./certs/cacert.pem
+sessionMgrURI: https://localhost/SessionManager
+#sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager
+attAuthorityURI: http://localhost:5000/AttributeAuthority
+#attAuthorityURI: http://aa.ceda.rl.ac.uk
 
 # SSL Connections
@@ -156 +181 @@
 # Space separated list of CA cert. files.  The peer cert.
 # must verify against at least one of these otherwise the connection is 
-# dropped.
-sslCACertFilePathList: ./certs/cacert.pem
-
-# Set an alternate CommonName to match with peer cert for SSL
-# Connections.  If the CN=hostname of the peer then this option 
-# can be commented out
-#sslPeerCertCN: 
+# dropped.  Include CA certs for all the sites trusted
+sslCACertFilePathList: certs/ndg-test-ca.crt
 
 # Gatekeeper Attribute Certificate check
 # Issuer - should match with the issuer element of the users Attribute
 # Certificate submitted in order to gain access
-acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC
-#acIssuer: /CN=Junk/O=NDG/OU=Gabriel
-
-# verification of X.509 cert back to CA
-acCACertFilePathList: ./secpem/cacert.pem
+#acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC
+acIssuer: /CN=Junk/O=NDG/OU=Gabriel
+
+# verification of X.509 cert back to CA.  Currently only the CA of this site
+# is needed because only mapped Attribute Certificates may be accepted.
+acCACertFilePathList: certs/ndg-test-ca.crt
+
+
+# WS-Security signature handler - set a config file with 'wssCfgFilePath'
+# or omit and put the relevant content directly in here under 
+# 'NDG_SECURITY.wssecurity' section
+#wssCfgFilePath: wssecurity.cfg
+
+[NDG_SECURITY.wssecurity]
+
+# Settings for signature of an outbound message ...
+
+# Certificate associated with private key used to sign a message.  The sign 
+# method will add this to the BinarySecurityToken element of the WSSE header.  
+# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.  
+# As an alternative, use 'signingCertChain' parameter
+
+# file path PEM encoded cert 
+signingCertFilePath=certs/clnt.crt
+
+# file path to PEM encoded private key file
+signingPriKeyFilePath=certs/clnt.key
+
+# Password protecting private key.  Leave blank if there is no password.
+signingPriKeyPwd=
+
+# Provide a space separated list of file paths.  CA Certs should be included 
+# for all the sites this installation trusts
+caCertFilePathList=certs/ndg-test-ca.crt
+
+# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
+# signed message.  
+reqBinSecTokValType=X509v3
+
+# Add a timestamp element to an outbound message
+addTimestamp=True
+
+# For WSSE 1.1 - service returns signature confirmation containing signature 
+# value sent by client
+applySignatureConfirmation=False
+
 
 [RELATED]
@@ -187 +248 @@
 formatDefault=DIF
 icon_title: Links to the DISCOVERY RECORD for this dataset
-standalone: True
+#standalone: True
+standalone: False
 
 [OWS_SERVER]

TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/environment.py

@@ -8 +8 @@
 import ows_server.lib.helpers
 from ows_server.config.routing import make_map
+
+# Set-up tools package import for locating NDG Security SSO Service
+import pkg_resources
+
+import logging
+log = logging.getLogger(__name__)
+
 
 def load_environment(global_conf={}, app_conf={}):
@@ -19 +26 @@
              }
 
+    
     # Initialize config with the basic options
     config.init_app(global_conf, app_conf, package='ows_server',
@@ -33 +41 @@
     
     # Add your own template options config options here, note that all config options will override
-    # any Pylons config options    
+    # any Pylons config options  
+    
+    # Add templates for NDG Security Single Sign On Service making sure to
+    # provide an alias to avoid overwriting the default templates dir  
+    kidopts = {'kid.assume_encoding':'utf-8', 'kid.encoding':'utf-8'}
+    config.add_template_engine('kid', 
+                               'ndg.security.server.sso.sso.templates', 
+                               kidopts,
+                               alias='ndg.security.kid')

TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/ndgMiddleware.py

@@ -2 +2 @@
 from paste.deploy import CONFIG
 from ows_server.models.Utilities import myConfig
-from ows_server.lib.security_util import SecurityConfig
 
+
+class NDGConfigError(Exception):  
+    '''Errors related to reading from ndg config file'''
+     
 class ndgMiddleware:
     
@@ -21 +24 @@
         self.globals.htdocs=cf.get('DEFAULT','htdocs',None)
         self.globals.localLink=cf.get('layout','localLink',None)
-        self.globals.localImage=cf.get('layout','localImage',None)
-        self.globals.localAlt=cf.get('layout','localAlt','Visit Local Site')
-        self.globals.ndgLink=cf.get('layout','ndgLink','http://ndg.nerc.ac.uk')
-        self.globals.ndgImage=cf.get('layout','ndgImage',None)
-        self.globals.ndgAlt=cf.get('layout','ndgAlt','Visit NDG')
+        self.globals.localImage=cf.get('layout','localImage',None)
+        self.globals.localAlt=cf.get('layout','localAlt','Visit Local Site')
+        self.globals.ndgLink=cf.get('layout','ndgLink','http://ndg.nerc.ac.uk')
+        self.globals.ndgImage=cf.get('layout','ndgImage',None)
+        self.globals.ndgAlt=cf.get('layout','ndgAlt','Visit NDG')
         self.globals.stfcLink=cf.get('layout','stfcLink')
         self.globals.stfcImage=cf.get('layout','stfcImage')
@@ -47 +50 @@
         self.globals.server=cf.get('DEFAULT','server','')
 
-        # Security Related
-        self.globals.wayfuri='%s/wayf'%self.globals.server
-
-        # Use secure connection
-        self.globals.sslServer=cf.get('NDG_SECURITY','sslServer','')
-        self.globals.getCredentials='%s/getCredentials'%self.globals.sslServer       
-        self.globals.logout='%s/logout'%self.globals.server
-        self.globals.securityCfg = SecurityConfig(cf)
         
         # for standalone discovery
-        standalone={'True':1,'False':0}[cf.get('DISCOVERY','standalone')]
-        self.globals.standalone= standalone
-         
+        self.globals.standalone=cf.config.getboolean('DISCOVERY','standalone')       
+
         
+        # Security Related
+
+        # Single Sign On settings - check for mode of operation:
+        # 1) act as a client to a separate Single Sign On Service
+        # or
+        # 2) Single Sign On service is integrated into THIS service
+        securityEnabled = not self.globals.standalone
+        isSSOClient = cf.config.has_section('NDG_SECURITY.ssoClient') and \
+            securityEnabled
+            
+        isSSOService = cf.config.has_section('NDG_SECURITY.ssoService') and \
+            securityEnabled
+            
+        if isSSOClient and isSSOService:
+            raise NDGConfigError(\
+                "NDG_SECURITY.ssoClient and NDG_SECURITY.ssoService " + \
+                "sections are present in the NDG Config file: " + \
+                "only one or the other may be set")
+ 
+        if isSSOClient:
+            try:
+                from \
+            ndg.security.client.ssoclient.ssoclient.config.ssoClientMiddleware\
+                    import SSOMiddleware
+            except ImportError, e:
+                # If standalone flag is not present security must be enabled
+                raise NDGConfigError(\
+                    '%s: importing Single Sign On Client SSOMiddleware: %s' % \
+                        (__name__, e))
+                        
+                
+            SSOMiddleware(app, cf.config, g,
+                          defSection='NDG_SECURITY.ssoClient')
+            
+            self.globals.sslServer = g.ndg.security.client.ssoclient.cfg.sslServer
+            self.globals.wayfuri=g.ndg.security.client.ssoclient.cfg.wayfuri
+            self.globals.logout=g.ndg.security.client.ssoclient.cfg.logoutURI
+            
+        elif isSSOService:
+            try:
+                from ndg.security.server.sso.sso.config.ssoServiceMiddleware \
+                    import SSOMiddleware
+            except ImportError, e:
+                # If standalone flag is not present security must be enabled
+                raise NDGConfigError(\
+                    '%s: importing Single Sign On Service SSOMiddleware: %s' %\
+                        (__name__, e))
+                        
+                
+            SSOMiddleware(app, cf.config, g, 
+                          defSection='NDG_SECURITY.ssoService')
+            
+            self.globals.sslServer=g.ndg.security.server.ssoservice.cfg.sslServer
+            self.globals.wayfuri=g.ndg.security.server.ssoservice.cfg.wayfuri
+            self.globals.logout=g.ndg.security.server.ssoservice.cfg.logoutURI
+            self.globals.getCredentials=g.ndg.security.server.ssoservice.cfg.getCredentials
+          
+        #self.globals.securityCfg = SecurityConfig(cf)
         self.config=cf
         

TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/routing.py

@@ -37 +37 @@
     map.connect('login', controller='login')
     map.connect('getCredentials', controller='login', action='getCredentials')
-    map.connect('wayf', controller='login', action='wayf')
+    map.connect('wayf', controller='wayf')
     map.connect('logout', controller='logout')
     map.connect('semantic',controller='discovery', action='semantic')

TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py

@@ -4 +4 @@
 
 from ows_server.lib.base import *
-from ows_server.lib.security_util import setSecuritySession, SecuritySession,\
-                                         LoginServiceQuery
-from ows_common.exception_report import OwsError
-from paste.request import parse_querystring
+
 import logging
 log = logging.getLogger(__name__)
 
-from ndg.security.common.AttAuthority import AttAuthorityClient
-from ndg.security.common.SessionMgr import SessionMgrClient, SessionExpired, \
-    AttributeRequestDenied
-from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \
-    HostCheck, InvalidCertSignature, InvalidCertDN
-
-
-class LoginController(BaseController):
-    ''' Provides the pylons controller for local login '''
+try:
+    from ndg.security.server.sso.sso.controllers.login \
+        import LoginController as _LoginController
+        
+    class LoginController(_LoginController):
+        '''Provides the pylons controller for Login.  This is a wrapper class.
+        - All functionality is provided from ndg.security.server.sso.sso
+        the NDG Security Single Sign On Service package'''
+            
+except ImportError, e:
+    from warnings import warn
+    warn("Importing LoginController for Single Sign On Service: %s" % e, 
+         RuntimeWarning)
     
-    def __before__(self, action): 
-        """For each action, get 'r' return to URL argument from current URL 
-        query string.  c.returnTo is used in some of the .kid files"""
-        c.returnTo = request.params.get('r', '')
+    class LoginController(BaseController):
+        '''Raise a 404 error for case where Single Sign ON Service is disabled
+        '''    
         
-        # Check return to address - getCredentials should NOT be returned to
-        # with its query args intact
-        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
-        scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo)
-        if 'getCredentials' in pathInfo:
-            # Swap to discovery and remove sensitive creds query args
-            #
-            # TODO: re-write to be more robust and modular.  Nb. 
-            # BaseController.__call__ should filter out 'getCredentials'
-            # calls from c.requestURL so this code should never need to be 
-            # executed.
-            filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','',''))
-            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo)
-        
-        # Check return to address - getCredentials should NOT be returned to
-        # with its query args intact
-        log.debug("LoginController.__before__: Decoded c.returnTo = %s" % \
-                                      base64.urlsafe_b64decode(c.returnTo))
-    
-    
-    def index(self):
-        ''' Ok, you really want to login here '''
-        log.debug("LoginController.index ...")   
-
-        if 'ndgSec' not in session: 
-            log.debug('No security session details found - offering login...')
-            return render('login')
-        
-        # Session is set in this domain - check it 
-        try:    
-            smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
-                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,
-                    sslPeerCertCN=g.securityCfg.sslPeerCertCN,
-                    signingCertFilePath=g.securityCfg.wssCertFilePath,
-                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
-                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
-                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
-                    tracefile=g.securityCfg.tracefile)
-                                
-        except Exception, e:
-            c.xml='Error establishing security context.  Please report ' + \
-                  'the error to your site administrator'
-            log.error("Initialising SessionMgrClient for " + \
-                      "getSessionStatus call: %s" % e)
-            SecuritySession.delete()
-            response.status_code = 400
-            return render('content')
-        
-        # Check session status
-        log.debug('Calling Session Manager "%s" getSessionStatus ' % \
-                  session['ndgSec']['h'] + 'for user "%s" with sid="%s" ...'%\
-                  (session['ndgSec']['u'], session['ndgSec']['sid']))
-        try:
-            bSessOK = smClnt.getSessionStatus(sessID=session['ndgSec']['sid'])
-        except Exception, e:
-            c.xml = "Error checking your session details.  Please re-login"
-            log.error("Session Manager getSessionStatus returned: %s" % e)
-            SecuritySession.delete()
-            response.status_code = 400
-            return render('login')
-   
-        if bSessOK:
-            log.debug("Session found - redirect back to site requesting " + \
-                      "credentials ...")
-            # ... Return across http GET passing security parameters...
-            return self.__doRedirect()
-        else:
-            log.debug("Session wasn't found - removing security details " + \
-                      "from cookie and re-displaying login...")
-            SecuritySession.delete()
-            return render('login')
-
-
-    def getCredentials(self):
-        """Authenticate user and cache user credentials in
-        Session Manager following user login"""
-        log.debug("LoginController.getCredentials ...")   
-
-        try:    
-            smClnt = SessionMgrClient(uri=g.securityCfg.smURI,
-                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,
-                    sslPeerCertCN=g.securityCfg.sslPeerCertCN,
-                    signingCertFilePath=g.securityCfg.wssCertFilePath,
-                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
-                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
-                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
-                    tracefile=g.securityCfg.tracefile)
-                                
-            username = request.params['username']
-            passphrase = request.params['passphrase']                     
-                                
-        except Exception, e:
-            c.xml='Error establishing security context.  Please report ' + \
-                  'the error to your site administrator'
-            log.error("Login: initialising SessionMgrClient: %s" % e)
-            response.status_code = 400
-            return render('content')
-        
-        # Connect to Session Manager
-        log.debug('Calling Session Manager "%s" connect for user "%s" ...' % \
-                  (g.securityCfg.smURI, username))
-        try:
-            sessID = smClnt.connect(username, passphrase=passphrase)[-1]
-        except Exception, e:
-            c.xml = "Error logging in.  Please check your username/" + \
-                    "pass-phrase and try again."
-            log.error("Session Manager connect returned: %s" % e)
-            response.status_code = 401
-            return render('login')
-        
-        # Cache user attributes in Session Manager
-        log.debug("Calling Session Manager getAttCert for user ")
-        try:
-            # Make request for attribute certificate
-            attCert = smClnt.getAttCert(sessID=sessID, 
-                                        attAuthorityURI=g.securityCfg.aaURI)
-        except SessionExpired, e:
-            log.info("Session expired getting Attribute Certificate: %s" % e)
-            c.xml = "Session has expired, please re-login"
-            response.status_code = 401
-            return render('login')
+        def index(self):
+            ''' Ok, you really want to login here '''
+            log.info("Single Sign On Service is disabled setting 404 error...")
+            abort(404)
             
-        except AttributeRequestDenied, e:
-            log.error("Login: attribute Certificate request denied: %s" % e)
-            c.xml = "No authorisation roles are available for your " + \
-                    "account.  Please check with your site administrator."
-            response.status_code = 401
-            return render('login')
-            
-        except Exception, e:
-            log.error("Login: attribute Certificate request: %s" % e)
-            c.xml = "An internal error occured.  Please report this to " + \
-                    "your site administrator."
-            response.status_code = 400
-            return render('login')
-
-        log.debug('Completing login...')
-        
-        # Make security session details
-        setSecuritySession(h=g.securityCfg.smURI,
-                           u=username,
-                           org=attCert.issuerName,
-                           roles=attCert.roles,
-                           sid=sessID)
-        session.save()
-
-        log.info("user %s logged in with roles %s" % (session['ndgSec']['u'],
-                                                  session['ndgSec']['roles']))
-        return self.__doRedirect()
-            
-            
-    def wayf(self):
-        ''' NDG equivalent to Shibboleth WAYF '''
-        log.debug("LoginController.wayf ...")   
-
-        # May be better as a 'g' global set-up at start-up?
-        #
-        # tracefile could be removed for production use
-        aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI,
-                    signingCertFilePath=g.securityCfg.wssCertFilePath,
-                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
-                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
-                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
-                    tracefile=g.securityCfg.tracefile)
-
-        # Get list of login uris for trusted sites including THIS one
-        log.debug("Calling Attribute Authority getTrustedHostInfo and " + \
-                  "getHostInfo for wayf")
-
-        hosts = aaClnt.getAllHostsInfo()    
-        c.providers=dict([(k, v['loginURI']) for k, v in hosts.items()])
-        
-        session.save()
-        
-        return render('wayf')
-        
-        
-    def __doRedirect(self):
-        """Pass security creds back to requestor so that they can make
-        a cookie.  If the requestor is in the same domain as the login then
-        this is not necessary."""
-        
-        # and now go back to whence we had come
-        if c.returnTo!='':
-            # is there a keyword on redirect_to that can make this https? See:
-            # http://pylonshq.com/project/pylonshq/browser/Pylons/trunk/pylons/decorators/secure.py#L69
-
-            # Only add token if return URI is in a different domain
-            thisHostname = request.host.split(':')[0]
-            
-            # Decode return to address
-            cc = base64.urlsafe_b64decode(c.returnTo)
-            log.debug('Login redirect to [%s]' % cc)
-
-            returnToHostname = urlsplit(cc)[1]
-#            returnToHostname = 'localhost'
-#            if thisHostname not in returnToHostname:
-            if True:
-                # Returning to a different domain - copy the security session
-                # details into the URL query string
-                if '?' in cc:
-                    cc+='&%s' % LoginServiceQuery()
-                else:
-                    cc+='?%s' % LoginServiceQuery()
-            
-            # Check return-to address by examining peer cert
-            log.debug("Checking return-to URL for valid SSL peer cert. ...")
-            
-            # Look-up list of Cert DNs for trusted requestors
-            aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI,
-                    signingCertFilePath=g.securityCfg.wssCertFilePath,
-                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
-                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
-                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
-                    tracefile=g.securityCfg.tracefile)
-            
-            HostInfo = aaClnt.getAllHostsInfo()
-            requestServerDN = [val['loginRequestServerDN'] \
-                               for val in HostInfo.values()]
-            log.debug("Expecting DN for SSL peer one of: %s"%requestServerDN)
-            hostCheck=HostCheck(acceptedDNs=requestServerDN,
-                    caCertFilePathList=g.securityCfg.sslCACertFilePathList)            
-            testConnection = HTTPSConnection(returnToHostname, 
-                                             None, 
-                                             postConnectionCheck=hostCheck)
-
-            log.debug('Testing connection to "%s"' % returnToHostname)
-            try:
-                try:
-                    testConnection.connect()
-                except (InvalidCertSignature, InvalidCertDN), e:
-                    log.error("Login: requestor SSL certificate: %s" % e)
-                    c.xml = """Request to redirect back to %s with your 
-credentials refused: there is a problem with the SSL certificate of this site.
-  Please report this to your site administrator.""" % returnToHostname
-                    response.status_code = 400
-                    return render('login')
-            finally:    
-                testConnection.close()
-
-            log.debug("SSL peer cert. is OK - redirecting to [%s] ..." % cc)
-            h.redirect_to(cc)
-        else:
-            c.xml='<p> Logged in </p>'
-            return render('content')

TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py

@@ -1 +1 @@
 from ows_server.lib.base import *
-from ows_server.lib.security_util import SecuritySession
 import logging
 log = logging.getLogger(__name__)
 
-from paste.request import parse_querystring
-import sys # include in case tracefile is set to sys.stderr 
-import base64 # decode the return to address
-from urlparse import urlsplit, urlunsplit
+try:
+    from ndg.security.server.sso.sso.controllers.logout import LogoutController as\
+        _LogoutController
+        
+    class LogoutController(_LogoutController):
+        '''Provides the pylons controller for logout.  This is a wrapper class.
+        - All functionality is provided from ndg.security.server.sso.sso the 
+        NDG Security Single Sign On Service package'''
+            
+except ImportError, e:
+    from warnings import warn
+    warn("Importing LogoutController for Single Sign On Service: %s" % e, 
+         RuntimeWarning)
+    
+    # Default to base version to avoid an exception if 'Logout' is invoked        
+    class LogoutController(BaseController):
+        '''Raise a 404 error for case where Single Sign ON Service is disabled
+        '''        
+        def index(self):
+            log.info("Single Sign On Service is disabled setting 404 error...")
+            abort(404)
 
-from ndg.security.common.SessionMgr import SessionMgrClient
-
-
-class LogoutController(BaseController):
-    '''Provides the pylons controller for logging out and killing the cookies
-    '''
-    
-    def __before__(self):
-        """Get return to URL"""
-        c.returnTo = request.params.get('r', '')
-        
-        # Check return to address - getCredentials should NOT be returned to
-        # with its query args intact
-        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
-        scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo)
-        if 'getCredentials' in pathInfo:
-            # Swap to discovery and remove sensitive creds query args
-            #
-            # TODO: re-write to be more robust and modular.  Nb. 
-            # BaseController.__call__ should filter out 'getCredentials'
-            # calls from c.requestURL so this code should never need to be 
-            # executed.
-            filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','',''))
-            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo)
-
-    
-    def index(self):
-        ''' Ok, you really want to logout here '''
-
-        if 'ndgSec' not in session:
-            # There's no handle to a security session
-            log.error("logout called but no 'ndgSec' key in session object")
-            return self.__redirect()
-        
-        # Fixed URI to be equal to the session's security settings 'h' param!
-        # This contains the location of the Session Manager where the users
-        # session is held.
-        #
-        # Removed sslPeerCertCN setting here - the session manager could at 
-        # any of a number of different trusted sites where the user logged in
-        # from.  There's no way of predicting an alternate SSL cert Common
-        # Name through the config file settings
-        #
-        # P J Kershaw 21/11/2007
-        try:
-            smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
-                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,
-                    signingCertFilePath=g.securityCfg.wssCertFilePath,
-                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
-                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
-                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
-                    tracefile=g.securityCfg.tracefile)       
-        except Exception, e:
-            log.error("logout - creating Session Manager client: %s" % e)
-            return self.__cleanupAndRedirect()  
-        
-        # Disconnect from Session Manager
-        log.info('Calling Session Manager "%s" disconnect for logout...' % \
-                 g.securityCfg.smURI)
-        try:
-            smClnt.disconnect(sessID=session['ndgSec']['sid'])
-        except Exception, e:
-            log.error("Error with Session Manager logout: %s" % e)
-            # don't exit here - instead proceed to delete session and 
-            # redirect ...
-
-        return self.__cleanupAndRedirect()
-
-
-    def __cleanupAndRedirect(self):
-        """Remove security session and call _redirect"""
-        try:
-            # easy to kill our cookie
-            SecuritySession.delete()
-            if 'ndgCleared' in session: del session['ndgCleared']
-            session.save()
-            
-        except Exception, e:   
-            log.error("logout - clearing security session: %s" % e)
-
-        return self.__redirect()
-    
-    
-    def __redirect(self):
-        """Handle redirect back to previous page"""
-        if c.returnTo:
-            # Decode the return to address
-            try:
-                b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
-            except Exception, e:
-                log.error("logout - decoding return URL: %s" % e) 
-                return render('content')
-            
-            # and now go back to whence we had come
-            h.redirect_to(b64decReturnTo)
-        else:
-            return render('content')
+#from ows_server.lib.security_util import SecuritySession
+#import logging
+#log = logging.getLogger(__name__)
+#
+#from paste.request import parse_querystring
+#import sys # include in case tracefile is set to sys.stderr 
+#import base64 # decode the return to address
+#from urlparse import urlsplit, urlunsplit
+#
+#from ndg.security.common.SessionMgr import SessionMgrClient
+#
+#
+#class LogoutController(BaseController):
+#    '''Provides the pylons controller for logging out and killing the cookies
+#    '''
+#    
+#    def __before__(self):
+#        """Get return to URL"""
+#        c.returnTo = request.params.get('r', '')
+#        
+#        # Check return to address - getCredentials should NOT be returned to
+#        # with its query args intact
+#        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
+#        scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo)
+#        if 'getCredentials' in pathInfo:
+#            # Swap to discovery and remove sensitive creds query args
+#            #
+#            # TODO: re-write to be more robust and modular.  Nb. 
+#            # BaseController.__call__ should filter out 'getCredentials'
+#            # calls from c.requestURL so this code should never need to be 
+#            # executed.
+#            filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','',''))
+#            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo)
+#
+#    
+#    def index(self):
+#        ''' Ok, you really want to logout here '''
+#
+#        if 'ndgSec' not in session:
+#            # There's no handle to a security session
+#            log.error("logout called but no 'ndgSec' key in session object")
+#            return self.__redirect()
+#        
+#        # Fixed URI to be equal to the session's security settings 'h' param!
+#        # This contains the location of the Session Manager where the users
+#        # session is held.
+#        #
+#        # Removed sslPeerCertCN setting here - the session manager could at 
+#        # any of a number of different trusted sites where the user logged in
+#        # from.  There's no way of predicting an alternate SSL cert Common
+#        # Name through the config file settings
+#        #
+#        # P J Kershaw 21/11/2007
+#        try:
+#            smClnt = SessionMgrClient(uri=session['ndgSec']['h'],
+#                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,
+#                    signingCertFilePath=g.securityCfg.wssCertFilePath,
+#                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
+#                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
+#                    caCertFilePathList=g.securityCfg.wssCACertFilePathList,
+#                    tracefile=g.securityCfg.tracefile)       
+#        except Exception, e:
+#            log.error("logout - creating Session Manager client: %s" % e)
+#            return self.__cleanupAndRedirect()  
+#        
+#        # Disconnect from Session Manager
+#        log.info('Calling Session Manager "%s" disconnect for logout...' % \
+#                 g.securityCfg.smURI)
+#        try:
+#            smClnt.disconnect(sessID=session['ndgSec']['sid'])
+#        except Exception, e:
+#            log.error("Error with Session Manager logout: %s" % e)
+#            # don't exit here - instead proceed to delete session and 
+#            # redirect ...
+#
+#        return self.__cleanupAndRedirect()
+#
+#
+#    def __cleanupAndRedirect(self):
+#        """Remove security session and call _redirect"""
+#        try:
+#            # easy to kill our cookie
+#            SecuritySession.delete()
+#            if 'ndgCleared' in session: del session['ndgCleared']
+#            session.save()
+#            
+#        except Exception, e:   
+#            log.error("logout - clearing security session: %s" % e)
+#
+#        return self.__redirect()
+#    
+#    
+#    def __redirect(self):
+#        """Handle redirect back to previous page"""
+#        if c.returnTo:
+#            # Decode the return to address
+#            try:
+#                b64decReturnTo = base64.urlsafe_b64decode(c.returnTo)
+#            except Exception, e:
+#                log.error("logout - decoding return URL: %s" % e) 
+#                return render('content')
+#            
+#            # and now go back to whence we had come
+#            h.redirect_to(b64decReturnTo)
+#        else:
+#            return render('content')

TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py

@@ -25 +25 @@
 import ows_common.xml
 
+# NDG Security import enables Single Sign On capability but note this is not
+# required for a standalone discovery service deployment
+try:
+    from ndg.security.client.ssoclient.ssoclient.lib.base import \
+        BaseController as _BaseController
+except ImportError, e:
+    from warnings import warn
+    warn('%s: ndg.security.client unavailable - ' % __name__ + \
+         'Single Sign on functionality disabled: %s' % e,
+         RuntimeWarning)
 
+    # Extend BaseController from WSGIController instead
+    _BaseController = WSGIController
+
+ 
 try:
     from xml.etree import ElementTree as ET
@@ -37 +51 @@
 EXCEPTION_TYPE = request.environ['ndgConfig'].get('OWS_SERVER', 'exception_type', 'ogc').lower()
 
-class BaseController(WSGIController):
+class BaseController(_BaseController):
     
     def __call__(self, environ, start_response):        
@@ -44 +58 @@
         # the action or route vars here
 
-        logger.debug("BaseController.__call__ ...")
-        
-        # construct URL picking up setting of server name from config to 
-        # avoid exposing absolute URL hidden behind mod_proxy see #857 
-        # Also, avoid returning to getCredentials and potentially exposing
-        # username/pass-phrase on URL.
-        # TODO: rework getCredentials get-out for more modular solution
-        pathInfo = urllib.quote(environ.get('PATH_INFO', '')) 
-        if 'getCredentials' in pathInfo:
-            logger.debug(\
-                "Reverting request URL from getCredentials to discovery...")
-            c.requestURL = g.server + '/discovery'       
-        else:
-            c.requestURL = g.server + pathInfo
-            query='&'.join(["%s=%s"%item for item in request.params.items()])
-            if query:
-                c.requestURL += '?' + query
-        
-        # Base 64 encode to enable passing around in 'r' argument of query
-        # string for use with login/logout
-        c.b64encRequestURL = urlsafe_b64encode(c.requestURL)
-
-        if 'h' in request.params:
-            # 'h' corresponds to the setting of a session manager host i.e.
-            # the request has come from a completed login from the login 
-            # service
-            logger.debug("Setting security session from URL query args ...")
-            
-            # Copy the query arguments into security session keys
-            setSecuritySession()
-            
-            session.save()
-            
-            # Re-construct the URL removing the security related arguments
-            qs = LoginServiceQuery.stripFromURI()
-
-            logger.debug('Switching from https to http...')
-            cc = g.server + urllib.quote(environ.get('PATH_INFO',''))
-            if qs:
-                cc += "?" + qs
-                
-            logger.debug('URL transport switched to http: "%s"' % cc)
-            h.redirect_to(cc)
-
+        logger.debug("BaseController.__call__ ...")        
                 
         #organise the information needed by pagetabs ... 
@@ -101 +72 @@
         if 'viewItems' in session: c.pageTabs.append(('View', h.url_for(controller='viewItems',action='index')))
         
-        return WSGIController.__call__(self, environ, start_response)
+        return _BaseController.__call__(self, environ, start_response)
     
 class OwsController(BaseController):

TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/security_util.py

@@ -124 +124 @@
         @return: URL query string with security args removed"""
         keys = params or cls.keys
-        return cls.argSep.join(['%s=%s' % (i, request.params[i]) \
-                                for i in request.params if i not in keys])
+        return str(cls.argSep.join(['%s=%s' % (i, request.params[i]) \
+                                for i in request.params if i not in keys]))
 
     @classmethod
@@ -182 +182 @@
 import sys
 
-class SecurityConfigError(Exception):
-    """Handle errors from parsing security config items"""
-       
-class SecurityConfig(object):
-    """Get Security related parameters from the Pylons NDG config file"""
-
-    def __init__(self, cfg=None):
-        '''Get PKI settings for Attribute Authority and Session Manager from
-        the configuration file
-        
-        @type param: pylons config file object
-        @param cfg: reference to NDG configuration file.  If omitted defaults
-        to request.environ['ndgConfig']'''
-        
-        if cfg is None:
-            cfg = request.environ['ndgConfig']
-
-        tracefileExpr = cfg.get('NDG_SECURITY', 'tracefile')
-        if tracefileExpr:
-            self.tracefile = eval(tracefileExpr)
-
-        self.smURI = cfg.get('NDG_SECURITY', 'sessionMgrURI')        
-        self.aaURI = cfg.get('NDG_SECURITY', 'attAuthorityURI')
-        
-        # ... for SSL connections to security web services
-        try:
-            self.sslCACertFilePathList = \
-            cfg.get('NDG_SECURITY', 'sslCACertFilePathList').split()
-                
-        except AttributeError:
-            raise SecurityConfigError, \
-                        'No "sslCACertFilePathList" security setting'
-
-        self.sslPeerCertCN = cfg.get('NDG_SECURITY', 'sslPeerCertCN')
-
-        # ...and for WS-Security digital signature
-        self.wssCertFilePath = cfg.get('NDG_SECURITY', 'wssCertFilePath')
-        self.wssPriKeyFilePath = cfg.get('NDG_SECURITY', 'wssKeyFilePath')
-        self.wssPriKeyPwd = cfg.get('NDG_SECURITY', 'wssKeyPwd')
-
-        try:
-            self.wssCACertFilePathList = \
-                cfg.get('NDG_SECURITY', 'wssCACertFilePathList').split()
-                
-        except AttributeError:
-            raise SecurityConfigError, \
-                                'No "wssCACertFilePathList" security setting'
-
-        # Gatekeeper params
-        
-        # Attribute Certificate Issuer
-        self.acIssuer = cfg.get('NDG_SECURITY', 'acIssuer')
-        
-        # verification of X.509 cert back to CA
-        try:
-            self.acCACertFilePathList = cfg.get('NDG_SECURITY', 
-                                            'acCACertFilePathList').split()          
-        except AttributeError:
-            raise SecurityConfigError, \
-                                'No "acCACertFilePathList" security setting'
-
-             
-    def __repr__(self):
-        return '\n'.join(["%s=%s" % (k,v) for k,v in self.__dict__.items() \
-                if k[:2] != "__"])
+# Replaced by ndg.security package equivalent
+#class SecurityConfigError(Exception):
+#    """Handle errors from parsing security config items"""
+#       
+#class SecurityConfig(object):
+#    """Get Security related parameters from the Pylons NDG config file"""
+#
+#    def __init__(self, cfg=None):
+#        '''Get PKI settings for Attribute Authority and Session Manager from
+#        the configuration file
+#        
+#        @type param: pylons config file object
+#        @param cfg: reference to NDG configuration file.  If omitted defaults
+#        to request.environ['ndgConfig']'''
+#        
+#        if cfg is None:
+#            cfg = request.environ['ndgConfig']
+#
+#        tracefileExpr = cfg.get('NDG_SECURITY', 'tracefile')
+#        if tracefileExpr:
+#            self.tracefile = eval(tracefileExpr)
+#
+#        self.smURI = cfg.get('NDG_SECURITY', 'sessionMgrURI')        
+#        self.aaURI = cfg.get('NDG_SECURITY', 'attAuthorityURI')
+#        
+#        # ... for SSL connections to security web services
+#        try:
+#            self.sslCACertFilePathList = \
+#            cfg.get('NDG_SECURITY', 'sslCACertFilePathList').split()
+#                
+#        except AttributeError:
+#            raise SecurityConfigError, \
+#                        'No "sslCACertFilePathList" security setting'
+#
+#        self.sslPeerCertCN = cfg.get('NDG_SECURITY', 'sslPeerCertCN')
+#
+#        # ...and for WS-Security digital signature
+#        self.wssCertFilePath = cfg.get('NDG_SECURITY', 'wssCertFilePath')
+#        self.wssPriKeyFilePath = cfg.get('NDG_SECURITY', 'wssKeyFilePath')
+#        self.wssPriKeyPwd = cfg.get('NDG_SECURITY', 'wssKeyPwd')
+#
+#        try:
+#            self.wssCACertFilePathList = \
+#                cfg.get('NDG_SECURITY', 'wssCACertFilePathList').split()
+#                
+#        except AttributeError:
+#            raise SecurityConfigError, \
+#                                'No "wssCACertFilePathList" security setting'
+#
+#        # Gatekeeper params
+#        
+#        # Attribute Certificate Issuer
+#        self.acIssuer = cfg.get('NDG_SECURITY', 'acIssuer')
+#        
+#        # verification of X.509 cert back to CA
+#        try:
+#            self.acCACertFilePathList = cfg.get('NDG_SECURITY', 
+#                                            'acCACertFilePathList').split()          
+#        except AttributeError:
+#            raise SecurityConfigError, \
+#                                'No "acCACertFilePathList" security setting'
+#
+#             
+#    def __repr__(self):
+#        return '\n'.join(["%s=%s" % (k,v) for k,v in self.__dict__.items() \
+#                if k[:2] != "__"])

TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py

@@ -145 +145 @@
         self.smClnt = SessionMgrClient(uri=self.securityTokens['h'],
                     sslCACertFilePathList=g.securityCfg.sslCACertFilePathList,
-                    sslPeerCertCN=g.securityCfg.sslPeerCertCN,
+#                    sslPeerCertCN=g.securityCfg.sslPeerCertCN,
                     signingCertFilePath=g.securityCfg.wssCertFilePath,
                     signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,

TI05-delivery/ows_framework/trunk/ows_server/ows_server/public/layout/ndg2.css

@@ -31 +31 @@
  border: solid #333333;
  border-width: 0 0 2px 0;
- background-image:url(/ndg-test/layout/header_image.jpg);background-position:right;background-repeat:repeat-x;}
+ background-image:url(/layout/header_image.jpg);background-position:right;background-repeat:repeat-x;}
 
 #logo{

TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/__init__.py

@@ +1 @@
+

TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/ndgPage.kid

@@ -133 +133 @@
     </span>
     
-    <!-- Login and out buttons -->    
+    <!-- Login and out buttons -->  
     <span py:def="logOut()" class="logOut">
+            <?python
+            from base64 import urlsafe_b64encode
+            
+            # Base 64 encode to enable passing around in 'r' argument of query
+            # string for use with login/logout
+            c.returnTo = c.requestURL
+            c.b64encReturnTo = urlsafe_b64encode(c.requestURL)
+            ?>
         <form action="$g.logout">
-            <input type="hidden" name="r" value="${c.b64encRequestURL}"/>
+            <input type="hidden" name="r" value="${c.b64encReturnTo}"/>
             <input type="submit" value="Logout"/>
         </form>
@@ -142 +150 @@
     
     <span py:def="logIn()" class="logIn">
+            <?python
+            from base64 import urlsafe_b64encode
+            
+            # Base 64 encode to enable passing around in 'r' argument of query
+            # string for use with login/logout
+            c.returnTo = c.requestURL
+            c.b64encReturnTo = urlsafe_b64encode(c.requestURL)
+            ?>
         <form action="$g.wayfuri">
-            <input type="hidden" name="r" value="${c.b64encRequestURL}"/>
+            <input type="hidden" name="r" value="${c.b64encReturnTo}"/>
             <input type="submit" value="Login"/>
         </form>