
Ticket #991 (assigned defect)

Opened 3 years ago

Last modified 2 months ago

Uploading images fails using the SSO module

Reported by: amessina
Owned by:
Priority: major
Milestone: 3.1
Version: 3.0 Beta 3
Keywords:
Cc:

Description

I am able to successfully use the SSO module to authenticate users over and login via HTTP/HTTPS. However, when using authentication, I am not able to upload photos and I get a 401 error.

As soon as I remove SSO, I am able to upload photos again.

In addition, the sso module is "almost ready" to use Kerberos/mod_auth_kerb if it gets the following to strip the "@DOMAIN.COM" from the username:

diff --git a/modules/sso/helpers/sso_event.php b/modules/sso/helpers/sso_event.php
index 67d81a7..c086f91 100644
--- a/modules/sso/helpers/sso_event.php
+++ b/modules/sso/helpers/sso_event.php
@@ -19,6 +19,8 @@
 class sso_event {
   static function gallery_ready() {
     $sso_username = Input::instance()->server("REMOTE_USER");
+    $stripped = explode('@', $sso_username, -1);
+    $sso_username = $stripped[0];
     $user = Session::instance()->get("user");
     if (empty($user) || $user->name != $sso_username) {
       try {
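
Review bot: on the added explode('@', $sso_username, -1) line, a REMOTE_USER that contains no '@' produces an empty array, because a negative limit drops the last component, so $stripped[0] is undefined and $sso_username becomes null before the $user->name != $sso_username check. The strip also throws away the realm without looking at it, so the same local part arriving from any realm resolves to the same Gallery user. Suggest leaving a name without '@' unchanged and stripping only when the suffix equals a configured, expected realm.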

I did not use the Kerberos version while testing -- just Basic auth.

This is as of:

commit 68b290be514106d1b95e63db72caa14da3e02a67
Author: Tim Almdal <tnalmdal@shaw.ca>
Date:   Fri Jan 22 12:30:53 2010 -0800

Attachments

gallery3_krb_sso_module.patch (6.2 KB) - added by amessina 3 years ago.
Kerberos SSO module for Gallery3

Change History

Changed 3 years ago by bharat

I believe that the flash uploader doesn't have the right credentials to piggyback on the SSO connection. I need to investigate that.

Is stripping the domain safe in all cases? I'm not familiar with the implications there.

Changed 3 years ago by amessina

I am not yet certain if stripping the domain (in the quick/dirty) way I did would work in all cases. It certainly wouldn't work if a site wanted people to use username@… as their username. I was mostly trying the strip-the-kerberos-domain-hack as a test for myself and my site.

As far as the flash uploader--if it doesn't work with SSO, then I am not sure how the SSO module would help. It seems like your very simple SSO module is perfectly elegant, in that it is so simple, but it doesn't do a user much good if they can log in using a wonderful SSO method, but then can't do anything once they're logged in -- uploading of pictures would be the main thing I would think a user would want since the application is entirely based around how well it does that ;)

However, it seems like some of the options for that could be held in either a configuration file (PHP) in the module itself or perhaps eventually in the GUI.

One other difficulty that has been relieved by other applications like Gallery3 (content management systems, etc.) is that the 1st user, the admin user, is always held in the database so that when switching to another module, at least that one admin user still has access to make changes while getting other things to work. It may be helpful to allow the 1st Gallery3 user "admin" to always be sourced from the database in case another module fails.

Thanks a lot for looking into this.
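
Added example, not part of the ticket, the attached patch or Gallery3's code: a realm-checked mapping of REMOTE_USER next to the one-line strip from the description, to show where the two differ. The function names, the realm EXAMPLE.COM and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration. map_remote_user(), naive_strip() and the realm
// EXAMPLE.COM are hypothetical names; the sample inputs are constructed.

/**
 * Map a web-server-supplied REMOTE_USER to a local account name.
 * Returns the local name, or null when the value must not be mapped.
 */
function map_remote_user($remote_user, $expected_realm) {
  if (!is_string($remote_user) || $remote_user === "") {
    return null;                        // no authenticated user at all
  }
  $at = strrpos($remote_user, "@");     // split on the LAST '@'
  if ($at === false) {
    return $remote_user;                // Basic-auth style name, nothing to strip
  }
  $local = substr($remote_user, 0, $at);
  $realm = substr($remote_user, $at + 1);
  // Kerberos realm names are case-sensitive, so compare exactly.
  if ($local === "" || $realm !== $expected_realm) {
    return null;                        // foreign or malformed realm: refuse
  }
  return $local;
}

// The strip from the ticket description, with isset() added only so the
// empty-array case shows up as null instead of an undefined-offset notice.
function naive_strip($remote_user) {
  $stripped = explode("@", $remote_user, -1);
  return isset($stripped[0]) ? $stripped[0] : null;
}

$samples = array(
  "alice@EXAMPLE.COM",   // expected realm
  "alice@OTHER.ORG",     // same local part, different realm
  "alice",               // no realm, e.g. Basic auth
  "a@b@EXAMPLE.COM",     // local part that itself contains '@'
);
foreach ($samples as $s) {
  printf("%-20s naive=%-8s checked=%s\n", $s,
         var_export(naive_strip($s), true),
         var_export(map_remote_user($s, "EXAMPLE.COM"), true));
}
```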

Changed 3 years ago by bharat

We'll definitely get the Flash uploader working. I imagine it's a fairly straightforward case of providing the right credentials to the Flash app.

Please open a separate ticket for the other issues you mention so that we can track them separately! (It's hard when there are multiple issues in one ticket). Thanks!

Changed 3 years ago by tnalmdal

  • milestone changed from 3.0 RC 1 to 3.1

Here is a related link: http://www.uploadify.com/forum/viewtopic.php?f=5&t=43

We already opened and closed a ticket on this: #703. Basically, from my investigation there is an underlying issue with flash and basic authentication.

From the Adobe docs: "During upload, Flash Player does not provide a means for users to enter passwords."

I'll leave it open, but I think we should just close as won't fix. But I'll move the milestone.

Changed 3 years ago by amessina

Thanks for the additional information. I guess, then, I am not sure what the point of the SSO module is for... Other upload methods?

Changed 3 years ago by bharat

That link is a red herring. We don't need Basic Auth for this to work. We'll get the flash uploader working with SSO, just hang in there. There are other higher priorities at the moment.

Changed 3 years ago by amessina

No worries. SSO is a newer module and I'm sure you had something in mind. I just was trying to make sure that I wasn't trying to use it for something for which it wasn't intended by you devs -- even if it can't do what you fully intended yet.

I look forward to the development on this. I'm hoping to use LDAP to store the users and SSO with Kerberos to authenticate them.

Changed 3 years ago by amessina

Kerberos SSO module for Gallery3

Changed 3 years ago by amessina

I've just added a patch that creates a new module: krb_sso, which is completely based on your original SSO module.

This modifies the menu to allow a "Kerberos Login", then, using mod_auth_kerb (or whatever Apache authentication you like in the httpd.conf file), the user is logged in over SSL, then redirected to the same location on HTTP (non-SSL), which gets rid of the mucking around with the uploader, etc.

The users should be defined prior to implementing this and one of the users should be an admin.

http://messinet.com/trac/g3/timeline

This patch is in use on my production system.

I'm sure it'll need spiffing up, but I think it's a good start.

Changed 2 years ago by ckdake

  • milestone changed from 3.2 to 3.1


Changed 4 months ago by ercan1314

  • owner set to ercan1314
  • priority changed from major to Büyük
  • status changed from new to accepted
  • type changed from defect to kusur

Changed 4 months ago by bharat

  • owner ercan1314 deleted
  • priority changed from Büyük to major
  • status changed from accepted to assigned
  • type changed from kusur to defect

Changed 2 months ago by turand

  • owner set to turand
  • status changed from assigned to accepted

Changed 2 months ago by bharat

  • owner turand deleted
  • status changed from accepted to assigned