CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cosign on a Sub Directory Only

Okay, so here's the scoop.

Traditionally, AuthType mechanisms have been used with Apache and different authentication methods. So that's where we started with Cosign. Alas, without a significant amount of re-writing, the nesting of Cosign on and off ( there's no "AuthType none" to speak of ) proved to be a failure. This is why we bumped cosign back a notch in the module request/response loop ( it's at phase 3, when most mods are in phase 4 ). This allows us to nest CosignProteced Off/On, which is necessary for some of our more complex set ups here at Umich. For instance, we do have cosign off for an image ( so it can load w/ or w/o cosign ) but on for the page in question.

Keeping this in mind, I don't think we see any reason not to allow CosignProtected Off/On in .htaccess ( people would basically just shoot themselves in their own feet ).

Unless I hear shouts of terror, we'll be implementing this in our next release :)


On Jul 20, 2004, at 5:52 PM, Mark Montague wrote:

On Tue, 20 Jul 2004, johanna bromberg craig wrote:

This was originally a security thought, but I'm not sure our reasons
are valid anymore. I think our original logic was not wanting users to
turn off/on Cosign if an admin had made it on/off for a whole server,
but that might be spurious. Other members of the core cosign team feel
free to speak up and correct me if there was a more pressing issue and
I've just forgotten it. ;)

I wasn't involved in those discussions, but unless there is a reason to have a CosignProtected directive, I'd be more comfortable turning cosign on/off with the AuthType directive. If the server admin doesn't want users doing this, then they specify "AllowOverride -AuthConfig". This _does_ mean that the user can't use the "require" directive in their .htaccess files anymore, though, which is undesirable. Right now does CosignProtected trump AuthType in all cases? If so, I guess this would be a valid reason for keeping CosignProtected around but not usable in .htaccess files.

                Mark Montague
                LS&A Information Technology


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010