tcl and windows authentication...
Volker Hetzer 2006-03-27, 8:02 am
Hi!
I plan to use a tcl application as an interface to an apache webserver.
So, this app is going to be a starpack and uses the http package.
It will do requests with parameters and will probably get back csv's or
simple xml's.
How do I authenticate this? Our users have logged on to our intranet,
which uses domain (kerberos) authentication I've been told.
What I'd like is for the apache to know which user has made the http
request. It shouldn't be possible to fake this, so simply transmitting
the user name is out of the question.
Is there some windows token or so that the client has to send over?
Is SSL necessary for this?
If yes, can the http package do this?
Lots of Greetings!
Volker
Eckhard Lehmann 2006-03-27, 7:04 pm
Volker Hetzer wrote:
> How do I authenticate this? Our users have logged on to our intranet,
> which uses domain (kerberos) authentication I've been told.
Probably it uses Active directory, doesn't it?
> What I'd like is for the apache to know which user has made the http
> request. It shouldn't be possible to fake this, so simply transmitting
> the user name is out of the question.
Where should the authentication take place, at the apache server or
in the client? If in the server, you should probably install
mod_auth_kerb or mod_ldap, but I have never done this, and hence have
no idea about it at all.
If you want to authenticate in the client from Tcl, then the ldap
package from tcllib is your friend. I have never used this before as
well - but if you can give some feedback on how it works with active
directory, that would be great ;-)
> Is there some windows token or so that the client has to send over?
> Is SSL necessary for this?
I don't think so...
> If yes, can the http package do this?
No, probably not. For this you need a native ssl implementation like
openssl and the Tls package.
Eckhard
Volker Hetzer 2006-03-27, 7:04 pm
Eckhard Lehmann wrote:
> Volker Hetzer wrote:
>
> Probably it uses Active directory, doesn't it?
Yes.
>
>
> Where should the authentification take place, at the apache server or
> in the client? If in the server, you should probably install
> mod_auth_kerb or mod_ldap, but I have never done this, and hence have
> no idea about it at all.
It should take place in the server because I'd like to ensure against
someone opening the starpack with vi and modifying it.
> If you want to authenticate in the client from Tcl, then the ldap
> package from tcllib is your friend. I have never used this before as
> well - but if you can give some feedback on how it works with active
> directory, that would be great ;-)
Unfortunately, that wouldn't do. In that case I could send the user
name straight along with it from within the application.
>
> No, probably not. For this you need a native ssl implementation like
> openssl and the Tls package.
I feared that. Is it possible to starpack those?
I've read a bit more about this on microsoft.com. The way it looks,
there's a special API where you get the kerberos token from
windows, then do a roundtrip with the active directory and send the
result to the apache, which in turn asks the active directory about
the token. Then apache knows who he's talking to and they probably
have a valid session key.
Lots of Greetings!
Volker
Michael Schlenker 2006-03-27, 7:04 pm
Volker Hetzer wrote:
> Eckhard Lehmann schrieb:
> Yes.
>
> It should take place in the server because I'd like to ensure against
> someone opening the starpack with vi and modifying it.
>
> Unfortunately, that wouldn't do. In that cvase I could send the user
> name straight along with it from within the application.
>
>
> I feared that. Is it possible to starpack those?
>
> I've read a bit more about this on microsoft.com. The way it looks
> like there's a special API where you get the kerberos token from
> windows, then do a roundtrip with the active directory and send the
> result to the apache, which in turn asks the active directory about
> the token. Then apache knows who he's talking to and they probably
> have a valid session key.
For TLS/SSL see the dqkit announcement today, it includes openssl self
contained...
For the other parts, I don't really know what I'm talking about, so
maybe it's totally off track:
For user authentication you can perhaps use something like the SASL
stuff from tcllib in combination with your kerberos tokens. Take a look
at some of the code in the tcllib http module, maybe you can use it as a
start.
You can probably use the tcllib ldap code to talk to an active
directory, I have never done it, but it shouldn't be too hard to do. If
there is a problem with the ldap code which prevents it, contact me to
get it fixed (if you have a clear idea what's broken). Example code for
using tcllib ldap to talk to an active directory would be really nice.
You may be able to get the special tokens via twapi's security functions,
but I'm not sure:
http://twapi.sourceforge.net/securi...open_user_token
Michael
Volker Hetzer 2006-03-27, 7:04 pm
Michael Schlenker wrote:
> Volker Hetzer schrieb:
> For TLS/SSL see the dqkit announcement today, it includes openssl self
> contained...
>
> For the other parts, i don't really know what i'm talking about, so
> maybe its totally off track:
> For user authentication you can perhaps use something like the SASL
> stuff from tcllib in combination with your kerberos tokens. Take a look
> at some of the code in the tcllib http module, maybe you can use it as a
> start.
I think I got it solved. Windows has a special http api, called WinHTTP.
That in turn can be accessed using a COM component called WinHttpRequest.
This component has it all built in and I've just downloaded a very small
jscript from the mickeysoft site where I only had to insert one line of
code for it to authenticate itself against one of our intranet servers.
If the tcom package bears with me on this one someone ought to buy the
activestate guys a beer.
Btw, here is the jscript:
function getText(strURL)
{
    var strResult;
    try
    {
        // Create the WinHTTPRequest ActiveX Object.
        var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        // Create a synchronous HTTP request (third argument: async = false).
        WinHttpReq.Open("GET", strURL, false);
        ////////////////////////////////////////////////////////////////////////
        // This is the important bit. The auto-logon policy decides when WinHTTP
        // may send the logged-on user's Windows credentials (Negotiate/Kerberos
        // or NTLM). 0 = AutoLogonPolicy_Always. The default, 1 =
        // AutoLogonPolicy_OnlyIfBypassProxy, withholds them as soon as the
        // request goes through a proxy, which is the usual case on an intranet
        // when WinHTTP can't figure out the proxy settings (which it normally
        // can't).
        WinHttpReq.SetAutoLogonPolicy(0);
        ////////////////////////////////////////////////////////////////////////
        // Send the HTTP request.
        WinHttpReq.Send();
        // Retrieve the response text.
        WScript.Echo(WinHttpReq.Status + " " + WinHttpReq.StatusText);
        strResult = WinHttpReq.ResponseText;
        WScript.Echo("Normal");
    }
    catch (objError)
    {
        WScript.Echo("Error");
        strResult = objError + "\n";
        strResult += "WinHTTP returned error: " +
            (objError.number & 0xFFFF).toString() + "\n\n";
        strResult += objError.description;
    }
    // Return the response text.
    return strResult;
}
WScript.Echo(getText("http://myintranetwebsite.whatever/"));
I haven't got the time for the tcom setup right now but this ought to show
how it's supposed to go.
Lots of Greetings!
Volker
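The same WinHttpRequest call driven from Tcl through the tcom package, as an added example (it is not code from the thread). It assumes tcom is installed, as it is in ActiveTcl, that the script runs on a domain-joined Windows host, and that the URL is a placeholder:

```tcl
# Added example: the WinHttpRequest flow from the JScript above, via tcom.
# Assumes the tcom package (bundled with ActiveTcl) and a Windows host that
# is logged on to the domain; the URL below is a placeholder.
package require tcom

# Fetch $url with the logged-on user's Windows credentials.
# WinHttpRequestAutoLogonPolicy values: 0 = Always, 1 = OnlyIfBypassProxy
# (the default), 2 = Never. Use 0 only when the request really has to go
# through a proxy: it also hands the user's credentials to hosts outside
# the intranet zone, so keep the default where it works.
proc getText {url {autoLogonPolicy 1}} {
    set req [::tcom::ref createobject "WinHttp.WinHttpRequest.5.1"]
    # Synchronous GET (third argument: async = 0).
    $req Open GET $url 0
    $req SetAutoLogonPolicy $autoLogonPolicy
    if {[catch {$req Send} err]} {
        # Transport or WinHTTP error (name resolution, connection refused...).
        return -code error "WinHTTP request failed: $err"
    }
    set status [$req Status]
    if {$status == 401} {
        # The server demanded authentication and WinHTTP could not satisfy it:
        # with Negotiate/Kerberos this usually means no ticket for the service
        # principal, or a logon policy that forbade sending credentials.
        return -code error "not authenticated: $status [$req StatusText]"
    }
    return [list $status [$req ResponseText]]
}

# Usage: the server learns the Windows user from the Negotiate exchange,
# not from a name the script chose, which is what the thread is after.
lassign [getText "http://myintranetwebsite.whatever/" 0] status body
puts "$status: [string range $body 0 200]"
```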
Michael Schlenker 2006-03-28, 4:06 am
Volker Hetzer wrote:
> Michael Schlenker schrieb:
> I think I got it solved. Windows has a special http api, called WinHTTP.
> That in turn can be accessed using a COM component called WinHttpRequest.
> This component has it all built in and I've just downloaded a very small
> jscript from the mickeysoft site where I only had to insert one line of
> code for it to authenticate itself against one of our intranet servers.
> If the tcom package bears with me on this one someone ought to buy the
> activestate guys a beer.
>
> Btw, here is the jscript:
> function getText(strURL)
> {
> var strResult;
> try
> {
> // Create the WinHTTPRequest ActiveX Object.
> var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
> // Create an HTTP request.
> var temp = WinHttpReq.Open("GET", strURL, false);
>
> ////////////////////////////////////////////////////////////////////////
> //This is the important bit in case winhttp can't figure out the
> //proxy settings (which it normally can't).
> WinHttpReq.SetautoLogonPolicy(0);
>
> ////////////////////////////////////////////////////////////////////////
> // Send the HTTP request.
> WinHttpReq.Send();
> // Retrieve the response text.
> WScript.Echo( WinHttpReq.Status + " " + WinHttpReq.StatusText);
> strResult = WinHttpReq.ResponseText;
> WScript.Echo("Normal");
> }
> catch (objError)
> {
> WScript.Echo("Error");
> strResult = objError + "\n"
> strResult += "WinHTTP returned error: " +
> (objError.number & 0xFFFF).toString() + "\n\n";
> strResult += objError.description;
> }
> // Return the response text.
> return strResult;
> }
>
> WScript.Echo(getText("http://myintranetwebsite.whatever/"));
>
> I haven't got the time for the tcom setup right now but this ought to show
> how it's supposed to go.
>
After reading the MSDN page for WinHTTP this seems like a variant to the
NTLM authentication that Pat Thoyts implemented in the SASL package in
tcllib, only for kerberos, so it should be doable in Tcl if you have a
small extension to get at the kerberos tokens.
Michael
Volker Hetzer 2006-03-30, 7:04 pm
Eckhard Lehmann wrote:
> Volker Hetzer wrote:
>
>
> Sounds very interresting. Could you post a wiki entry when you have
> figured it out completely? I feel that this will be very useful for a
> lot of people...
Works like a charm using the current ActiveTcl-Distribution.
Could you please provide a link to that wiki?
Lots of Greetings!
Volker
Volker Hetzer 2006-03-30, 7:04 pm
Michael Schlenker wrote:
> After reading the MSDN page for WinHTTP this seems like a variant to the
> NTLM authentication that Pat Thoyts implemented in the SASL package in
> tcllib, only for kerberos, so it should be doable in Tcl if you have a
> small extension to get at the kerberos tokens.
Probably, but to be honest, I'd like to rely as much as possible on
the host system and use tcl as a glue language. Keeps package dependencies
down and also I can tell our IT department that security is managed by
stuff they support anyway.
Lots of Greetings!
Volker
Volker Hetzer 2006-03-31, 8:02 am
Eckhard Lehmann wrote:
> Volker Hetzer wrote:
>
>
> Sounds very interresting. Could you post a wiki entry when you have
> figured it out completely? I feel that this will be very useful for a
> lot of people...
Did so.
http://wiki.tcl.tk/15685
Lots of Greetings!
Volker