View Issue Details

ID: 07182
Project: Development [All Projects]
Category: Authentication
View Status: public
Last Update: 2013-04-25 00:32
Reporter: tbelliard
Assigned To: sammousa
Priority: normal
Severity: major
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 2.05
Summary07182: Login form displayed despite auth_webserver delegated authentication being used
Description

While using delegated authentication to the webserver, the login form is displayed although a successful authentication is active at the webserver level.

After submitting the login form with empty fields, the user is finally successfully authenticated.

Expected behavior: if the webserver has an active authenticated user, LS should not display the login form, but automatically authenticate the user and open the admin panel.

The current behavior cannot be put into production, as it is very misleading for users.

Steps To Reproduce

To reproduce, set up a fresh LS 2.0+ instance on Apache 2.2 using mod_auth_cas, protecting Location /index.php/admin. Make sure that CAS authentication works fine, for instance by testing that $_SERVER['PHP_AUTH_USER'] has the expected value (your user name).

Create your user (with the same username as the one used by the external authentication) using the admin user. Log out.

Change LS config with auth_webserver = true

Access LS admin area. Sign in on your CAS server. You are being redirected to LS, and the login form is displayed.

Additional Information

After digging into the code and discussing with sammousa on IRC, the issue seems to be related to the way UserIdentity is initialized. Currently (with the exception of remotecontrol), UserIdentity is only initialized after a POST request (e.g. when the login form is submitted) or if the 'onepass' variable is passed in a GET request. See application/controllers/admin/authentication.php line 40.

The usual behavior of an external authentication server is to redirect the authenticated user to the initially requested URL, and most of the time this behavior cannot be overridden (and should not).

An easy workaround is to change application/controllers/admin/authentication.php line 40 to the following:

    if (Yii::app()->request->getPost('action') || !is_null(Yii::app()->request->getQuery('onepass')) || Yii::app()->getConfig("auth_webserver") == true)

This way, when being redirected for authentication and using auth_webserver, the doLogin code is executed straight away, and everything works fine (note that PHP emits some warnings because some variables are not initialized).

A cleaner implementation could be proposed (this one is a bit brutal but works fine thanks to the way UserIdentity works), for instance testing the presence of a successfully authenticated user already in AdminController::_init.

Tags: No tags attached.
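Added example, not LimeSurvey code and not from the report: a stand-alone PHP sketch of the cleaner approach the reporter suggests, i.e. checking for an already webserver-authenticated user before deciding whether to render the login form, with the auth_webserver switch respected and a fallback to the form when the delegated principal has no local account (instead of running doLogin on unset variables). The function names, the $server/$config/$post/$get arrays standing in for $_SERVER, Yii::app()->getConfig() and the request object, and the sample requests are all assumptions constructed for the example.

```php
<?php
// Added example, not LimeSurvey's own code. webserverAuthenticatedUser() and
// chooseAuthAction() are hypothetical names; $server, $config, $post and $get
// are stand-ins for $_SERVER, Yii::app()->getConfig() and the request object.

/**
 * Return the username the webserver authenticated, or null when delegated
 * authentication is disabled or the webserver supplied no identity.
 *
 * Trust this only when the webserver module really protects the admin URL
 * (in the report: a Location /index.php/admin guarded by mod_auth_cas).
 * Under mod_php, PHP_AUTH_USER is filled from any Basic "Authorization"
 * header the client sends, so on an unprotected path a client could pick
 * its own name; the Location guard is what makes the value trustworthy.
 */
function webserverAuthenticatedUser(array $server, array $config)
{
    if (empty($config['auth_webserver'])) {
        return null;
    }
    // mod_auth_cas exposes the principal as REMOTE_USER; the report tests
    // PHP_AUTH_USER, which also works under mod_php, so accept either.
    foreach (array('REMOTE_USER', 'PHP_AUTH_USER') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    return null;
}

/**
 * The controller decision the report discusses, as a pure function:
 * 'login' when the form was posted, when ?onepass= is present, or when
 * the webserver already authenticated a user who exists locally;
 * otherwise 'form'. $localUserExists is a callback standing in for the
 * user lookup so the example runs without a database.
 */
function chooseAuthAction(array $post, array $get, array $server, array $config, $localUserExists)
{
    if (!empty($post['action']) || array_key_exists('onepass', $get)) {
        return 'login';
    }
    $user = webserverAuthenticatedUser($server, $config);
    // No local account for the delegated principal: show the form rather
    // than entering doLogin with uninitialized variables.
    if ($user !== null && call_user_func($localUserExists, $user)) {
        return 'login';
    }
    return 'form';
}

// Constructed sample data: one local account, auth_webserver enabled.
$config = array('auth_webserver' => true);
$localUsers = array('tbelliard');
$exists = function ($name) use ($localUsers) {
    return in_array($name, $localUsers, true);
};

// 1. Redirect back from CAS: plain GET, no POST body, webserver set REMOTE_USER.
echo "cas redirect, auth_webserver on:  ",
    chooseAuthAction(array(), array(), array('REMOTE_USER' => 'tbelliard'), $config, $exists), "\n";
// 2. Same request with auth_webserver off: the webserver identity is ignored.
echo "cas redirect, auth_webserver off: ",
    chooseAuthAction(array(), array(), array('REMOTE_USER' => 'tbelliard'), array('auth_webserver' => false), $exists), "\n";
// 3. Delegated principal with no local account: fall back to the form.
echo "unknown principal:                ",
    chooseAuthAction(array(), array(), array('REMOTE_USER' => 'nobody'), $config, $exists), "\n";
// 4. Ordinary form submission still works without any webserver identity.
echo "form post:                        ",
    chooseAuthAction(array('action' => 'login'), array(), array(), $config, $exists), "\n";
```

Run with `php example.php`: the first and fourth requests resolve to 'login', the second and third to 'form'. The design point is that the webserver-supplied identity is consulted only when auth_webserver is on and only for a request path the webserver itself guards; with those two conditions met, the CAS redirect lands on doLogin directly and the login form never appears.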

Activities

sammousa   2013-01-13 18:03   reporter   ~23627

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=11194

sammousa   2013-01-13 18:06   reporter   ~23628

Should be looked into for 2.1 where we should implement a more transparent solution.

Related Changesets

LimeSurvey: master 50bba027
2013-01-13 17:02:40
sammousa

Fixed issue 07182: Login form displayed despite auth_webserver delegated authentication being used

Affected Issues: 07182
mod - application/controllers/admin/authentication.php

Issue History

Date Modified Username Field Change
2013-01-13 17:51 tbelliard New Issue
2013-01-13 18:03 sammousa Changeset attached => LimeSurvey master 50bba027
2013-01-13 18:03 sammousa Note Added: 23627
2013-01-13 18:03 sammousa Assigned To => sammousa
2013-01-13 18:03 sammousa Resolution open => fixed
2013-01-13 18:06 sammousa Note Added: 23628
2013-01-13 18:06 sammousa Status new => assigned
2013-01-13 18:06 sammousa Product Version 2.00+ => 2.10
2013-01-13 18:06 sammousa Target Version => 2.10
2013-01-14 00:04 c_schmitz Project Bug reports => Development
2013-04-25 00:32 sammousa Status assigned => closed
2013-04-25 00:32 sammousa Fixed in Version => 2.05