We have a requirement that all sites must be protected via cosign (weblogin.org) (http://sourceforge.net/projects/cosign/) . Normally the sites are protected at folder level so that all urls fall within a protected status. What I am working on will require both protected and non-protected URls.
In our old version of the site we have two subfolders, one being protected and one not which is ugly. Another method is to specify that a specific file or files is/are not protected with the default that all others are or vice versa. All of these settings are created in web.config.
What I’m trying to figure out is how to work with this in Coldbox. My initial thought was simply to make non protected events http and then have any event that requires authentication kick over to https the rest of the way. The problem is there doesn’t appear to be any way with cosign to set http as non protected and https as protected within a given folder. Everything I’ve seen is based on a folder or filename.
What I’m wondering is if anyone has any ideas one what I might try. I started thinking about handlersExternalLocation, etc. and putting all non protected events/models/etc. out there but that still leaves index.cfm as being both protected and not. Regardless, I think I’m getting pretty far out into left field with that idea.
URL’s are secured via the SecurityService, you would need to write one that wraps your API authenticaion with your cosign login system. The URL’s are secured via the routes rules in ColdBox, which you either cache the login or re-hit to challenge based on your requirements.
Can’t you wrap this in a module, secure what you need with a whitelist/securelist and if it requires authentication go and challenge for that authentication? That is the way of I have done this for Google+, Twitter, Facebook to name a few.
I’m also a little confused by the folder thing. Does the cosign project itself have to be tied to folders, or is that just a how particular implementation work that you were looking at?
Assuming yoy have the ability to ping cosign as-needed on pages that request authentication, there are a number of easy ways to implement that as Andrew mentioned. For instance, a preHandler() method could apply security to all the actions in that handler. Or a preProcess interceptor would run it before every event and use the eventPattern regex or just an if statement of your design to determine if that event needed securing.
The idea behind single sign-on is that you have a central authentication across all your clients, aka oAuth. in what you’re describing, sounds like it is at the server level with NTAuthentication, yes there is ways to hook cosign into that as well. As the web server can’t be controlled like that, you have to then use ColdBox to do this and authenticate via whatever method best suits you.
If you read it again. Notice how you define the server that does the authentication!!
<?
// Copyright (C) 2010 FIT Brno University of Technology
// All Rights Reserved. See LICENSE.
// Petr Lampa <[lampa@fit.vutbr.cz](mailto:lampa@fit.vutbr.cz)>
// $Id: cosign_config.php,v 1.1 2010/03/01 10:32:16 lampa Exp $
// Enable Cosign Authentication
$cosign_cfg['CosignProtected'] = true;
// Hostname of server running cosignd
$cosign_cfg['CosignHostname'] = '[weblogin.umich.edu](http://weblogin.umich.edu)';
// The port on which cosignd listens
$cosign_cfg['CosignPort'] = '6663';
// The name of cosign service cookie
$cosign_cfg['CosignService'] = '';
// The URL to redirect for login
$cosign_cfg['CosignRedirect'] = '[https://weblogin.umich.edu](https://weblogin.umich.edu)';
// Filter DB directory. Must end with trailing slash
$cosign_cfg['CosignFilterDB'] = '/var/cosign/filter/';
// Expiration time of service cookie in seconds
$cosign_cfg['CosignCookieExpireTime'] = 3600*24;
// Debug log file path
$cosign_cfg['CosignFilterLog'] = '/usr/local/apache/logs/filter.log';
// Enable debug log (boolean)
$cosign_cfg['CosignFilterDebug'] = true;
// Version of Cosign protocol
$cosign_cfg['CosignProtocolVersion'] = 3;
// The URL to which a user is redirected to if an error is
// encountered during a POST
$cosign_cfg['CosignPostErrorRedirect'] = $cosign_cfg['CosignRedirect'].'/cosign/post_error.html';
// A list space separated factors that must be satisfied by the user
$cosign_cfg['CosignRequireFactor'] = '';
// Suffix, that is ignored in cosign factors
$cosign_cfg['CosignFactorSuffix'] = '-junk';
// Toggles, whether the value of CosignFactorSuffix is ignored
$cosign_cfg['CosignFactorSuffixIgnore'] = false;
// URL to which the user is redirected after login
$cosign_cfg['CosignSiteEntry'] = '';
// Use only http protocol to redirect back after login
$cosign_cfg['CosignHTTPOnly'] = false;
// Verify browser's IP against cosignd's IP information (no/initial/always)
$cosign_cfg['CosignCheckIP'] = 'initial';
// Subdirectory hash length (0,1,2) for Cosign filter cookie file storage
$cosign_cfg['CosignFilterHashLength'] = 0;
// Toggles whether proxy cookies will be requested from cosignd
$cosign_cfg['CosignGetProxyCookies'] = false;
// Cosign filter proxy DB directory. Must end with trailing slash
// NOT IMPLEMENTED
$cosign_cfg['CosignProxyDB'] = '/var/cosign/proxy/';
/*
** SSL context directives
*/
// PEM encoded certificate and private key
$cosign_cfg['CosignCryptoLocalCert'] = '/path/to/cert&keyfile.pem';
// Passphrase for private key (if private key is protected)
$cosign_cfg['CosignCryptoPassphrase'] = '';
// Require verification of server certificate
$cosign_cfg['CosignCryptoVerifyPeer'] = 1;
// Allow self-signed certificates
$cosign_cfg['CosignCryptoAllowSelfSigned'] = false;
// CA certificate which should be used to verify server certificate
$cosign_cfg['CosignCryptoCAFile'] = '/path/to/CAcertificate.pem';
// CA certificates directory (must be a correctly hashed certificate directory)
$cosign_cfg['CosignCryptoCAPath'] = '/path/to/CAdir';
/*
** Kerberos directives section
*/
// Toggles whether the value of TGT will be requested from cosignd
$cosign_cfg['CosignGetKerberosTickets'] = false;
// Kerberos ticket filter DB directory. Must end with trailing slash
$cosign_cfg['CosignTicketPrefix'] = '/var/cosign/tickets/';
?>
Then you answered your own question, if ColdFusion can’t get access to the file, then it wont get access to the file as you said. So that means you’re now looking at locking it down at the Application Server level itself. So then that comes down to if you’re using IIS or Apache, Tomcat or the likes.