From: Alistair Y. <ali...@sm...> - 2006-06-29 16:42:16
The Guard only protects what you tell it to protect. As there's no support in bod for parallel auth it has to protect the whole site. However, you could use bod's normal auth trap to throw the user to the normal login page and take the Athens route of offering a different login link on the page:

External user login: www.dev.clan.uhi.ac.uk/site/shibblogin

and get the Guard to protect that url alone.

I call this method a Shunnel (terrible name I know!). Could have named it a Gwunnel (Guanxi Tunnel, sounds sort of Cornish). Anyway, it means a Shibboleth Funnel. mvnForum has one. It's an area to send users who want to auth via shibb. All the shibb functionality in an application is concentrated in the shunnel (grimace).

Ever seen Wallace and Gromit? A shunnel is the scene in the Wrong Trousers where the machines dress Wallace. The analogy is Wallace is the user and the machines are the shunnel. They provide all necessary bits 'n bobs for the user to enter bod via shibb. Once they're past the shunnel (ouch) they're just a normal bod user.

All that site/shibblogin does is redirect you to the page you originally requested. It's a switch you must flick to get into bod and you prove your ability to flick the switch by the attributes the Guard presents on your behalf.

Local users just login as normal, ignoring the "external users login" link.

So, shunnel++ for me - anyone got a better name?

--
Alistair Young
Senior Software Engineer
UHI@Sabhal Mòr Ostaig
Isle of Skye
Scotland

> Atif Suleman wrote:
>> Matthew Buckett wrote:
>>
>>> Ok, but this isn't a very good solution as you end up saying
>>>
>>> "To read my notes on this go to
>>> http://bodington/opensite/building/floor/ if you are a member of Leeds
>>> or someone else with an account on bodington or if you are a member of
>>> the Leeds Shibb federation go to http://bodington/site/building/floor/
>>>
>> Indeed.
>>
>> Getting past the sp guard to do parallel auth (i.e. internal) is going to be
>> a miracle.
>>
>> The problem is the sp guard is protecting the entire bodington i.e.
>> /site/*
>>
>> I could protect a single page in bodington for example
>> /site/bs_template_sp_login.html THEN we can do parallel auth (i.e.
>> internal)
>>
>> The reason why we could do parallel auth is that the guard would be
>> protecting the following url:
>> * /site/bs_template_sp_login.html
>>
>> The guard would allow all urls under /site/* through but NOT
>> /site/bs_template_sp_login.html
>
> This is how we do WebAuth.
>
>> The single url protection does have drawbacks.............
>
> Apart from having to have the user select the authentication mode, any
> others?
>
> --
> -- Matthew Buckett, VLE Developer
> -- Learning Technologies Group, Oxford University Computing Services
> -- Tel: +44 (0)1865 283660 http://www.oucs.ox.ac.uk/ltg/
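
An added model of the layout discussed in this thread, not Bodington or Guanxi code: the Guard covers only `/site/shibblogin`, every other `/site/` URL goes through the normal auth trap, and the shunnel redirects to the originally requested page. The `target` parameter, the `/site/login` path and the required attribute are assumptions, and the check that keeps the return target on-site is an addition the thread does not mention.

```python
from urllib.parse import urlsplit, parse_qs, quote

GUARDED_PATH = "/site/shibblogin"         # the one URL the Guard protects (from the thread)
SITE_PREFIX = "/site/"
LOCAL_LOGIN = "/site/login"               # hypothetical: bod's normal login page
REQUIRED_ATTR = "eduPersonPrincipalName"  # assumption: attribute the shunnel insists on


def safe_target(raw):
    """Accept only a same-site path under /site/ as the post-login destination."""
    parts = urlsplit(raw or "")
    path = parts.path
    if (parts.scheme or parts.netloc or "\\" in path
            or not path.startswith(SITE_PREFIX)
            or ".." in path.split("/")
            or path == GUARDED_PATH):     # never bounce back into the shunnel
        return SITE_PREFIX
    return path


def route(url, session_user=None, guard_attrs=None):
    """Return (action, detail) for one request.

    guard_attrs is None when the Guard has not yet run for this request,
    otherwise the attribute dict it presents on the user's behalf.
    """
    parts = urlsplit(url)
    if parts.path == GUARDED_PATH:
        if guard_attrs is None:
            return ("guard", None)        # Guard intercepts and starts Shibboleth
        if not guard_attrs.get(REQUIRED_ATTR):
            return ("deny", None)         # attributes do not flick the switch
        target = parse_qs(parts.query).get("target", [""])[0]
        return ("redirect", safe_target(target))
    if session_user or not parts.path.startswith(SITE_PREFIX):
        return ("serve", parts.path)      # past the shunnel = a normal bod user
    # Normal auth trap: the login page carries the "external user login" link.
    return ("redirect", LOCAL_LOGIN + "?target=" + quote(parts.path, safe="/"))
```
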