CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment


Re: blocking friend accounts?

On Wed, 4 Aug 2004, Jim Zajkowski wrote:

> How can I configure the cosign filter to block access from non-UMICH
> principals?  That is, I want to deny access to friend users.

This is an authorization decision.  The cosign filter itself
handles only authentication.  But the cosign filter does set
the REMOTE_USER environment variable, and any "local" user
will not have an '@' character in their name, while any
friend user will (friend usernames are email addresses).

So if you're doing this in Perl, PHP, Java, etc., just say
something like:

    if ($ENV{'REMOTE_USER'} =~ /@/) {
        # Friend usernames are email addresses, so an '@' marks a friend.
        print "Status: 403 Forbidden\n";
        print "Content-type: text/html\n\n";
        print "<html><head><title>403 Forbidden</title></head>\n";
        print "<body><h1>Error</h1>\n";
        print "<p>Sorry, you are not authorized to access this page.</p>\n";
        print "</body></html>\n";
        exit;   # stop here so the protected content is never emitted
    }

If you're not serving active content, here's something you
can add to httpd.conf or .htaccess to deny friends access:

    SetEnvIf Remote_User ".*@.*" friend
    AuthType CoSign
    Require valid-user
    Deny from env=friend

This solution was designed by Wes Craig; I'm just posting
it here.

                Mark Montague
                LS&A Information Technology
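
The check described in the message above, written as a WSGI middleware that also fails closed when REMOTE_USER is missing or empty (a value with no '@' in it would otherwise pass the friend test). This is an added example, not part of the original post and not cosign project code; `classify_user`, `DenyFriends`, `demo_app`, `run` and the sample usernames are hypothetical names constructed for illustration, and it assumes the cosign filter has already populated REMOTE_USER.

```python
# Added example: authorization layered on top of cosign authentication.
# Assumption: the web server's cosign filter sets REMOTE_USER in the environ.

FORBIDDEN_BODY = (
    b"<html><head><title>403 Forbidden</title></head>"
    b"<body><h1>Error</h1>"
    b"<p>Sorry, you are not authorized to access this page.</p>"
    b"</body></html>"
)


def classify_user(remote_user):
    """Return 'unauthenticated', 'friend' or 'local' for a REMOTE_USER value."""
    if remote_user is None or not remote_user.strip():
        # No authenticated name at all: the filter did not run for this request.
        return "unauthenticated"
    if "@" in remote_user:
        # Friend usernames are email addresses, so they contain '@'.
        return "friend"
    return "local"


class DenyFriends:
    """WSGI middleware that lets only local users reach the wrapped app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if classify_user(environ.get("REMOTE_USER")) != "local":
            headers = [("Content-Type", "text/html"),
                       ("Content-Length", str(len(FORBIDDEN_BODY)))]
            start_response("403 Forbidden", headers)
            return [FORBIDDEN_BODY]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello, %s\n" % environ["REMOTE_USER"]).encode()]


def run(remote_user):
    """Call the middleware with a constructed environ; return (status, body)."""
    environ = {} if remote_user is None else {"REMOTE_USER": remote_user}
    seen = []
    body = DenyFriends(demo_app)(environ, lambda status, hdrs: seen.append(status))
    return seen[0], b"".join(body)
```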

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010