File: securetoken.html

package info (click to toggle)
lemonldap-ng 1.9.7-3%2Bdeb9u2
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 39,024 kB
  • sloc: perl: 37,552; makefile: 922; sh: 472; sql: 5
file content (154 lines) | stat: -rw-r--r-- 7,078 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
 
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:1.9:securetoken</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,securetoken"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="securetoken.html"/>
<link rel="contents" href="securetoken.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:securetoken","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#virtual_host">Virtual host</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#apache">Apache</a></div></li>
<li class="level3"><div class="li"><a href="#nginx">Nginx</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#handler_parameters">Handler parameters</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="secure_token_handler">Secure Token Handler</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "Secure Token Handler" [1-36] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
The Secure Token Handler is a special Handler that create a token for each request and send it to the protected application. The real user identifier is stored in a Memcached server and the protected application can the request the Memcached server to get user identifier.
</p>

<p>
This mechanism allow to do <abbr title="Single Sign On">SSO</abbr> on application with an unsafe link between Handler and the application, but with a safe link with the Memcached server.
</p>

</div>
<!-- EDIT2 SECTION "Presentation" [37-488] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">

</div>
<!-- EDIT3 SECTION "Configuration" [489-515] -->
<h3 class="sectionedit4" id="virtual_host">Virtual host</h3>
<div class="level3">

</div>

<h4 id="apache">Apache</h4>
<div class="level4">

<p>
Configure the virtual host like other <a href="configvhost.html" class="wikilink1" title="documentation:1.9:configvhost">protected virtual host</a> but use Secure Token Handler instead of default Handler.
</p>
<pre class="code file apache">PerlModule Lemonldap::NG::Handler::Specific::SecureToken
&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
       <span class="kw1">ServerName</span> secure.example.com
&nbsp;
       <span class="co1"># Load SecureToken Handler</span>
       PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::SecureToken
&nbsp;
       ...
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>

</div>

<h4 id="nginx">Nginx</h4>
<div class="level4">
<div class="noteclassic">This module uses Apache2 Filter and is not compatible with Nginx.
</div>
</div>
<!-- EDIT4 SECTION "Virtual host" [516-1068] -->
<h3 class="sectionedit5" id="handler_parameters">Handler parameters</h3>
<div class="level3">

<p>
SecureToken parameters are the following:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Memcached servers</strong>: addresses of Memcached servers, separated with spaces.</div>
</li>
<li class="level1"><div class="li"> <strong>Token expiration</strong>: time in seconds for token expiration (remove from Memcached server).</div>
</li>
<li class="level1"><div class="li"> <strong>Attribute to store</strong>: the session key that will be stored in Memcached.</div>
</li>
<li class="level1"><div class="li"> <strong>Protected URLs</strong>: Regexp of URLs for which the secure token will be sent, separated by spaces</div>
</li>
<li class="level1"><div class="li"> <strong>Header name</strong>: name of the HTTP header carrying the secure token.</div>
</li>
<li class="level1"><div class="li"> <strong>Allow requests in error</strong>: allow a request that has generated an error in token generation to be forwarded to the protected application without secure token (default: yes)</div>
</li>
</ul>
<div class="noteimportant">Due to Handler <abbr title="Application Programming Interface">API</abbr> change in 1.9, you need to set these attributes in <code>lemonldap-ng.ini</code> and not in Manager, for example:
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>handler<span class="br0">&#93;</span></span>
<span class="re1">secureTokenMemcachedServers</span> <span class="sy0">=</span><span class="re2"> 127.0.0.1:11211</span>
<span class="re1">secureTokenExpiration</span> <span class="sy0">=</span><span class="re2"> 60</span>
<span class="re1">secureTokenAttribute</span> <span class="sy0">=</span><span class="re2"> uid</span>
<span class="re1">secureTokenUrls</span> <span class="sy0">=</span><span class="re2"> .*</span>
<span class="re1">secureTokenHeader</span> <span class="sy0">=</span><span class="re2"> Auth-Token</span>
<span class="re1">secureTokenAllowOnError</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>

</div>
</div>
<!-- EDIT5 SECTION "Handler parameters" [1069-] --></div>
</body>
</html>