View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|07182||Development||[All Projects] Authentication||public||2013-01-13 17:51||2013-04-25 00:32|
|Target Version||Fixed in Version||2.05|
|Summary||07182: Login form displayed despite auth_webserver delegated authentication being used|
While using delegated authentication to the webserver, the login form is displayed although a successful authentication is active at webserver level.
After submitting the login form with empty fields, the user is finally successfully authenticated.
Expected behavior: if the webserver has an active authenticated user, LS should not display the login form, but automatically authenticate the user and open the admin panel.
The current behavior cannot be put into production, as it is very misleading for users.
|Steps To Reproduce|
To reproduce, setup a fresh LS 2.0+ instance on apache 2.2 using mod_auth_cas, protecting Location /index.php/admin. Make sure that CAS authentication works fine, for instance by testing that $_SERVER['PHP_AUTH_USER'] has the expected value (your user name).
Create your user (with the same username as the one using external authentication) using the admin user. Logout.
Change LS config with auth_webserver = true
Access LS admin area. Sign in on your CAS server. You are being redirected to LS, and the login form is displayed.
After digging the code and discussing with sammousa on IRC, the issue seems to be related to the way UserIdentity is initialized. Currently (with the exception of remotecontrol), UserIdentity is only initialized after a POST request (e.g. when the login form is submitted) or is the 'onepass' variable is passed in a GET requests. See application/controllers/admin/authentication.php line 40.
The usual behavior of an external authentication server is to redirect the authenticated user to the initially requested URL, and most of the time this behavior cannot be overridden (and should not).
An easy workaround is to change application/controllers/admin/authentication.php line 40 with the following:
if (Yii::app()->request->getPost('action') || !is_null(Yii::app()->request->getQuery('onepass')) || Yii::app()->getConfig("auth_webserver")==true))
This way, when being redirected for authentication and using auth_webserver, the doLogin code is executed straight away, and everything works fine (note that php sends some warning because some variables are not initialized).
A cleaner implementation could be proposed (this one is a bit brutal but works fine thanks to the way UserIdentity works), for instance testing the presence of a successfully authenticated user already in AdminController::_init.
|Tags||No tags attached.|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=11194
Should be looked into for 2.1 where we should implement a more transparent solution.
|2013-01-13 17:51||tbelliard||New Issue|
|2013-01-13 18:03||sammousa||Changeset attached||=> LimeSurvey master 50bba027|
|2013-01-13 18:03||sammousa||Note Added: 23627|
|2013-01-13 18:03||sammousa||Assigned To||=> sammousa|
|2013-01-13 18:03||sammousa||Resolution||open => fixed|
|2013-01-13 18:06||sammousa||Note Added: 23628|
|2013-01-13 18:06||sammousa||Status||new => assigned|
|2013-01-13 18:06||sammousa||Product Version||2.00+ => 2.10|
|2013-01-13 18:06||sammousa||Target Version||=> 2.10|
|2013-01-14 00:04||c_schmitz||Project||Bug reports => Development|
|2013-04-25 00:32||sammousa||Status||assigned => closed|
|2013-04-25 00:32||sammousa||Fixed in Version||=> 2.05|