gssserver

package

v0.0.0-...-bc05beb Latest Latest Go to latest Published: Nov 28, 2014 License: MIT Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/mikkolehtisalo/revel

Links

Open Source Insights

README ¶

Revel GSSAPI authentication Filter

This module implements kerberos/GSS-API (see RFC417) Filter for Revel.

Kerberos is the preferred SSO method for intranet setups because it is secure, robust, and it performs well. It also offers improved usability (most of the logins are transparent to users) and robust interoperatibility between different platforms (Windows, MacOS X, Linux, BSDs, etc) and different browsers (Chrome, Internet Explorer, Firefox).

Prerequisities

MIT kerberos (or compatible)
A working kerberos setup
- Basic pointers for getting started:
keytab & krb5.conf setup correctly on the server
SPN is HTTP/fqdn@DOMAIN
Browser setup correctly to provide GSSAPI authentication
- Use integrated windows authentication for IE
- network.negotiate-auth.trusted-uris for Firefox
- --auth-server-whitelist for Chrome

Usage

init.go:

import (
    "github.com/mikkolehtisalo/revel/gssserver"
)
    revel.Filters = []revel.Filter{
        gssserver.GSSServerFilter,     // GSSAPI authentication
    }

The authenticated user will be saved to c.Session["username"].

Notes

The session system is used as cache for performance reasons - forcing full authentication for every request would be extremely heavy
The security of the session system is critical, using a server side session storage is strongly recommended
Major authentication errors cause panic - this module does not by default allow for unauthenticated use

Debugging

The following environment variables will make Firefox print out extensive debug log:

export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log

The following environment variable will make krb5-libs print out trace log:

export KRB5_TRACE=/tmp/krb.log

Unfortunately KRB5_TRACE gets lost within the Go http server's process model. This is an unfortunate POSIX feature, which makes server side tracing of GSSAPI hard. MIT kerberos has however an API for enabling trace on runtime, example can be found from gss_gssserver/accept_sec_context.

Documentation ¶

Index ¶

Constants
func GSSServerFilter(c *revel.Controller, fc []revel.Filter)

Constants ¶

View Source

const (
	// Used for cache lookups
	AUTH_USER_ID = "AUTH_USER_ID"
)

Variables ¶

This section is empty.

Functions ¶

func GSSServerFilter ¶

func GSSServerFilter(c *revel.Controller, fc []revel.Filter)

Types ¶

This section is empty.

Source Files ¶

View all Source files

gssserver.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL