[Rt-devel] Passing an authenticated user to RT
mike.peachey at jennic.com
Mon Feb 11 06:54:32 EST 2008
Jesse Vincent wrote:
> On Feb 11, 2008, at 5:18 AM, Mike Peachey wrote:
>> he user.
>> So far, I haven't discovered how I should do this. Apache authentication
>> and directly applying WebExternalAuth is not a valid option because
>> Apache would still be prompting for credentials as the website does not
>> use apache authentication, it's custom PHP authentication.
>> Also, the website uses session-cookies to store authentication? Could RT
>> read these somehow, or could we combine the RT cookies with the website
> Can RT get at the php app's cookies? What would the RT need to do to
> validate the user's info from the php side?
I don't see why not. RT is accessed by the same domain (domain/rt) and
then loaded into a frame.
As for what it would need to do, I'm not sure.. there are a number of
possible ways to do it, but none seem sensible or secure or fast.
The website cookie currently stores a hashed loginID and a SessionID,
but it could be coded to put more in the cookie.
> I've previously cooked up something for a client that:
> * used client-side JS to turn a link from another system into an
> HTTP POST to RT with the other system's cookie
> * used LWP and the cookie to do an HTTP GET against the other app.
> * validated the credentials and wrote out an RT session
Because the website is ours to mangle (well, it's externally developed,
but they do what we tell them to) we *should* be able to do it all
For example, we *could* try and get the website super-frame to do a
_POST to RT on load, but whether or not that would work or persist
through in-frame page changes I don't know.
Alternatively, we might be able to get the PHP code to set an apache ENV
variable that RT could read, just like WebExternalAuth does (but obv not
a php variable because of RT running out of Perl - unless I write some
php for RT to execute?), but again I'm not sure how I'd pick that up in
RT, or how persistent the setting would be. AFAIK apache ENV variables
die at the end of the request.
I'm just really not sure where to go with this as there are so many
possible options, none of which are clear-cut on how to do them.
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
More information about the Rt-devel