Index: openacs-4/packages/acs-authentication/acs-authentication.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/acs-authentication.info,v
diff -u -r1.43.2.7 -r1.43.2.8
--- openacs-4/packages/acs-authentication/acs-authentication.info 16 Sep 2021 08:27:29 -0000 1.43.2.7
+++ openacs-4/packages/acs-authentication/acs-authentication.info 14 May 2023 11:09:44 -0000 1.43.2.8
@@ -7,7 +7,7 @@
t
t
-
+
Lars Pind
Authentication, account management, and related functionality.
2021-09-15
@@ -16,8 +16,9 @@
GPL version 2
Implements authentication-related security functions for OpenACS, including password, account and session management, bulk account creation etc. Provides a contract based interface for different authentication methods such as PAM or LDAP based authentication.
-
+
+
Index: openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl,v
diff -u -r1.114.2.28 -r1.114.2.29
--- openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl 27 Nov 2022 18:08:15 -0000 1.114.2.28
+++ openacs-4/packages/acs-authentication/tcl/authentication-procs.tcl 14 May 2023 11:09:44 -0000 1.114.2.29
@@ -38,19 +38,32 @@
-account_status $account_status]
if { $user_id != 0 } {
- # user is in fact logged in, return user_id
+ #
+ # The user is in fact logged in, return her user_id.
+ #
return $user_id
}
- set message {}
+ set message ""
+
if {[ad_conn auth_level] eq "expired"} {
+ #
+ # The login has expired.
+ #
set message [_ acs-subsite.lt_Your_login_has_expire]
+ #
+ # If the login was issued from an external_registry, use this
+ # as well for refreshing.
+ #
+ set external_registry [sec_login_get_external_registry]
+ } else {
+ set external_registry ""
}
-
+
#
# The -return switch causes the URL to return to the current page.
#
- set return_url [ad_get_login_url -return]
+ set return_url [ad_get_login_url -return -external_registry $external_registry]
# Long URLs (slightly above 4000 bytes) can kill aolserver-4.0.10, causing
# a restart. They lead to empty Browser-windows with AOLserver 4.5 (but no
@@ -78,25 +91,32 @@
}
ad_proc -public auth::refresh_login {} {
- If there currently is a user associated with this session,
- but the user's authentication is expired, redirect the
- user to refresh his/her login. This allows for users to not be logged in,
- but if the user is logged in, then we require that the authentication is not expired.
+
+ If there currently is a user associated with this session, but the
+ user's authentication is expired, redirect the user to refresh
+ his/her login. This allows for users to not be logged in, but if
+ the user is logged in, then we require that the authentication is
+ not expired.
- @return user_id of user, if the user is logged in and auth_status is not expired, or 0 if the user is not logged in.
- If user's auth_status is expired, this proc will issue a returnredirect and abort the current page.
+ @return user_id of user, if the user is logged in and auth_status
+ is not expired, or 0 if the user is not logged in.
+ If user's auth_status is expired, this proc will issue a
+ returnredirect and abort the current page.
@see ad_script_abort
} {
if { [ad_conn auth_level] ne "expired" } {
return [ad_conn user_id]
}
-
+ #
# The -return switch causes the URL to return to the current page
- ad_returnredirect [ad_get_login_url -return]
+ #
+ ad_returnredirect [ad_get_login_url -return \
+ -external_registry [sec_login_get_external_registry]]
ad_script_abort
}
+
ad_proc -public auth::self_registration {} {
Check AllowSelfRegister parameter and set user message if
self registration not allowed.
Index: openacs-4/packages/acs-tcl/acs-tcl.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v
diff -u -r1.95.2.61 -r1.95.2.62
--- openacs-4/packages/acs-tcl/acs-tcl.info 3 May 2023 12:35:51 -0000 1.95.2.61
+++ openacs-4/packages/acs-tcl/acs-tcl.info 14 May 2023 11:09:44 -0000 1.95.2.62
@@ -9,7 +9,7 @@
f
t
-
+
OpenACS
The Kernel Tcl API library.
2021-09-15
@@ -18,7 +18,7 @@
GPL version 2
3
-
+
Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.126.2.87 -r1.126.2.88
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 3 May 2023 12:39:11 -0000 1.126.2.87
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 14 May 2023 11:09:44 -0000 1.126.2.88
@@ -39,7 +39,7 @@
# "random" is used to hinder attack the secure hash. Currently the
# random data is ns_time. "peeraddr" is used to avoid session
# hijacking. "er" stands for external_registry and is only
-# non-empty, when an external registry is used.
+# nonempty, when an external registry is used.
#
# ad_user_login/ad_user_login_secure issue_time:
# [ns_time] at the time the user last authenticated
@@ -421,6 +421,23 @@
}
}
+ad_proc sec_login_get_external_registry {} {
+ #
+ # If the login was issued from an external_registry, use this
+ # as well for refreshing.
+ #
+ set external_registry ""
+ if {[ns_conn isconnected]} {
+ set external_registry [dict get [sec_login_read_cookie] external_registry]
+ if {$external_registry ne "" && ![nsf::is object $external_registry]} {
+ ns_log warning "external registry object '$external_registry'" \
+ "used for login of user [ad_conn untrusted_user_id]" \
+ "does not exist. Ignored."
+ set external_registry ""
+ }
+ }
+ return $external_registry
+}
ad_proc -public sec_login_handler {} {
@@ -1290,49 +1307,86 @@
{-authority_id ""}
{-username ""}
-return:boolean
+ {-external_registry ""}
} {
- Returns a URL to the login page of the closest subsite, or the main site, if there's no current connection.
+ Returns a URL to the login page of the closest subsite, or the
+ main site, if there's no current connection.
- @option return If set, will export the current form, so when the registration is complete,
- the user will be returned to the current location. All variables in
- ns_getform (both posts and gets) will be maintained.
+ @option return If set, will export the current form, so when
+ the registration is complete, the user will be returned
+ to the current location. All variables in
+ ns_getform (both posts and gets) will be maintained.
@author Lars Pind (lars@collaboraid.biz)
@author Gustaf Neumann
} {
+ #
+ # Get the login_url 'url' and some more parameters form the
+ # register subsite for this registry.
+ #
set subsite_info [security::get_register_subsite]
foreach var {url require_qualified_return_url host_node_id} {
set $var [dict get $subsite_info $var]
}
- append url "register/"
-
- #
- # Don't add a return_url if you're already under /register,
- # because that will frequently interfere with the normal login
- # procedure.
- #
- if { [ns_conn isconnected] && $return_p && ![string match "register/*" [ad_conn extra_url]] } {
+ if { [ns_conn isconnected]
+ && $return_p
+ } {
#
# In a few cases, we do not need to add a fully qualified
# return url. The secure cases have to be still tested.
#
if { !$require_qualified_return_url
- && ([security::secure_conn_p] || [ad_conn behind_secure_proxy_p] || ![security::RestrictLoginToSSLP])
+ && ([security::secure_conn_p]
+ || [ad_conn behind_secure_proxy_p]
+ || ![security::RestrictLoginToSSLP]
+ )
} {
set return_url [ad_return_url]
} else {
set return_url [ad_return_url -qualified]
}
}
- if {$host_node_id == 0} {
- unset host_node_id
- }
- set url [export_vars -base $url -no_empty {authority_id username return_url host_node_id}]
+ if {$external_registry ne ""} {
+ ns_log notice "the external registry $external_registry is used"
+ #
+ # We get here in cases of a refresh of a login, since we know
+ # that the current user_id is expired, and the user has
+ # registered via an external registry. Therefore, we use
+ # the same external registry for the refresh.
+ #
+ # In general, we have two options: (a) redirect directly to
+ # the external registry login page, or (b) redirect to an
+ # external registry enhanced classical OpenACS login page. We
+ # are here on the (a) path, since potentially, the external
+ # identity managers allows one to continue without even showing a
+ # login page (when it says, the login is still valid).
+ #
+ # The path (b) might be chosen via a future package parameter.
+ #
+ set url [$external_registry login_url -return_url $return_url]
+ } else {
+ append url "register/"
+
+ #
+ # Don't add a return_url if you're already under /register,
+ # because that will frequently interfere with the normal login
+ # procedure.
+ #
+ if { [string match "register/*" [ad_conn extra_url]] } {
+ set return_url ""
+ }
+ if {$host_node_id == 0} {
+ unset host_node_id
+ }
+ set url [export_vars -base $url -no_empty {
+ authority_id username return_url host_node_id
+ }]
+ }
::security::log login_url "ad_get_login_url: final login_url <$url>"
return $url
@@ -1343,9 +1397,10 @@
{-return_url ""}
} {
- Returns a URL to the logout page of the closest subsite, or the main site, if there's no current connection.
+ Returns a URL to the logout page of the closest subsite, or the
+ main site, if there's no current connection.
- @option return If set, will export the current form, so when the logout is complete
+ @option return If set, will export the current form, so when the logout is complete
the user will be returned to the current location. All variables in
ns_getform (both posts and gets) will be maintained.