Giter Club home page Giter Club logo

rack-auth-krb's Introduction

rack-auth-krb

Kerberos/GSSAPI authentication (Basic and Negotiate) rack middleware.

Actually this middleware should (hopefully) work for standard Rack application and as a Goliath middleware.

Dependencies

Kerberos should be installed and configured on the server.

If you do want to share the authentication through your application, you'll need to have a Rack::Session middleware inserted before you in the loop.

Rack applications

require 'rack/auth/krb/basic_and_nego'

infinity = Proc.new {|env| [200, {"Content-Type" => "text/html"}, ["Hello #{env['REMOTE_USER']}"]]}

use Rack::Session::Cookie
use Rack::Logger, ::Logger::DEBUG
use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'

map '/' do
  run infinity
end

Goliath applications

require 'rack/session/cookie'
require 'goliath'
require 'goliath/rack/auth/krb/basic_and_nego'

class DumpHeaders < Goliath::API
  # Must be placed *before* BasicAndNego if we want it to use sessions !
  use Rack::Session::Cookie
  use Goliath::Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'

  def on_headers(env, headers)
    env.logger.info 'received headers: ' + headers.inspect
  end

  def response(env)
    [200, {}, "Hello #{env['REMOTE_USER']}"]
  end
end

Enable authentication only for a subset of paths

You can specify a list of paths for the ones you only want the authentication process to be enabled.

use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab', "http@hostname", ["/", "/oauth/authorize"]

or

use Goliath::Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab', "http@hostname", ["/", "/oauth/authorize"]

rack-auth-krb's People

Contributors

sleeper avatar ares avatar mbridard avatar

Stargazers

Randy Dickinson avatar Angus H. avatar Simon Dusauchoit avatar Isobe Kazuhiko avatar David Collom avatar Dyson Simmons avatar MiRacLe avatar Don Wei avatar Ted Pennings avatar Nicolas Zermati avatar Derek D Owens avatar Conail Stewart avatar Amit Kumar Das avatar Geun Bae Ken Lee avatar Julien Leroy avatar Julien Etienne avatar Dmitry Vasilets avatar avatar Luca G. Soave avatar

Watchers

avatar James Cloos avatar avatar

Forkers

danielfarrell bridou ares justinwalz ermacaz ytmknd t-8ch wied03

rack-auth-krb's Issues

Release on rubygems

The current code has been stable for me. It's at least a 0.1 release, but really feels more like a 0.8 or so. Wanna increment the version and release to rubygems.org?

Vulnerable to Zanarotti attack

As the MIT Kerberos docs say

Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the “Zanarotti attack”: the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.