From: Simon W. <sx...@in...> - 2007-06-04 17:30:51
I've been adding support for acquiring cosign credentials via SPNEGO, which I've got working (patches forthcoming), providing that the cosign CGI is accessed through a protected web location which correctly sets REMOTE_USER, AUTH_NAME, and KRB5CCNAME.

However, this leads to a more thorny problem. What I'd ideally like to be able to do is to use Kerberos authentication where it's possible, but seamlessly fall back to presenting the 'normal' login screen where the user doesn't have credentials, or their browser doesn't support the Negotiate authentication type. I'm wondering if there's anyone who's done this kind of thing with the kx509 support in cosign who might have some pointers.

My current plan is to have the standard cosign.cgi location be unprotected, but for the login page that it returns to contain a bit of JavaScript which does an XMLHttpRequest against a Negotiate protected location on the web server. If that fetch succeeds, then it will redirect the current page to a Negotiate protected cosign.cgi, which should then just give the user a cosign cookie and redirect them back to the calling service.

Anyone got any further thoughts?

Simon.
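
The probe-then-redirect plan described in the message, as an added example that is not part of the original post or of the cosign code base. The two paths and the function names are hypothetical placeholders, and the XMLHttpRequest constructor is passed in as a parameter so that the decision logic can be exercised outside a browser.

```javascript
// Added illustration. Both paths are hypothetical placeholders, not cosign defaults.
const PROBE_URL = "/negotiate/probe";          // assumed small resource behind Negotiate
const NEGOTIATE_CGI = "/negotiate/cosign.cgi"; // assumed Negotiate-protected cosign.cgi

// Redirect target: a fixed same-origin path plus the query string the login page
// was reached with, so the protected CGI still knows which service to return to.
// Nothing from the probe response is used to build the destination.
function negotiateTarget(search) {
  return NEGOTIATE_CGI + (search || "");
}

// Probe the protected location. onResult(true) fires only for a 2xx answer.
// A 401 (no ticket, or no Negotiate support), a network error or a timeout
// all report false, which leaves the user on the normal login form.
function probeNegotiate(XHR, onResult, timeoutMs) {
  let done = false;
  const finish = (ok) => {
    if (!done) { done = true; onResult(ok); } // report exactly once
  };
  const xhr = new XHR();
  xhr.open("GET", PROBE_URL, true);
  xhr.timeout = timeoutMs || 3000;
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) finish(xhr.status >= 200 && xhr.status < 300);
  };
  xhr.onerror = () => finish(false);
  xhr.ontimeout = () => finish(false);
  xhr.send(null);
}

// Browser wiring: runs only where a window and XMLHttpRequest exist.
if (typeof window !== "undefined" && typeof XMLHttpRequest !== "undefined") {
  probeNegotiate(XMLHttpRequest, (ok) => {
    // replace() keeps the unprotected login page out of the back-button history.
    if (ok) window.location.replace(negotiateTarget(window.location.search));
  });
}
```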