Re: SSO
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jul 18 13:02:22 2008
To: kerberos@mit.edu
In-Reply-To: <5183a7480807180511o1a21b4c2k9a9a91639b28d951@mail.gmail.com>
(Sharad Desai's message of "Fri\, 18 Jul 2008 08\:11\:01 -0400")
From: Russ Allbery <rra@stanford.edu>
Date: Fri, 18 Jul 2008 10:01:06 -0700
Message-ID: <87ljzzgm99.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Sharad Desai" <ssdesai1@gmail.com> writes:
>> The only fly in the ointment here is that none of the WebSSO solutions
>> currently available can handle authenticating POST requests, where the
>> user hasn't previously authenticated to the service, due to their
>> requirement for redirects. For us, this was a small price to pay.
>
> I apologize, but can you elaborate on this?

WebSSO systems handle unauthenticated users by redirecting them to a
central login server as a response to an attempt to access a protected
resource. The HTTP protocol, however, does not permit returning a
redirect as the result of a POST, nor is there any good way to stash the
data that comes along with a POST while bouncing the user through the
login server without application support for the SSO system (which is
contrary to a primary goal: ability to drop WebSSO in front of any
arbitrary web application without modifying the application).

As a result, when using a WebSSO, you have to ensure that the user has
authenticated at some point in the page flow before they do a POST. You
can't authenticate them at the time of the POST; you need to have existing
credentials to use at that point.

This usually isn't much of a problem since it's considered best practice
for most applications using POST to force the user to authenticate prior
to the POST anyway (otherwise, some cross-site attacks and deceptive
tricks are easier to perform).

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
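The redirect-based flow Russ describes, and the reason it breaks down for a POST, as an added example that is not part of the original thread and is not the code of any real WebSSO product (WebAuth, CAS, Shibboleth or otherwise). It is a toy WSGI gateway that can be dropped in front of an arbitrary application: an unauthenticated GET is answered with a redirect to the central login server carrying a return URL, an authenticated request (modelled here as an HMAC-signed session cookie) is passed through with REMOTE_USER set, and an unauthenticated POST is refused, because a 302 would make the browser re-issue the request as a GET without its body and the gateway has nowhere to keep that body without application cooperation. The login server URL, the cookie name, the secret and the demo application are all assumptions made for the example.

```python
import hashlib
import hmac
import io
from urllib.parse import quote

LOGIN_SERVER = "https://login.example.org/"   # assumed central login server
COOKIE_NAME = "webauth"                        # assumed session cookie name
SECRET = b"demo-secret-not-for-production"     # assumed; a real SSO uses a KDC/AS


def make_session_cookie(username):
    """What the login server would hand back after authenticating: 'user:hmac'."""
    mac = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def _parse_cookies(header):
    """Minimal Cookie: header parser (name=value pairs separated by ';')."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def authenticated_user(environ):
    """Validate the session cookie; return the username, or None if absent/forged."""
    value = _parse_cookies(environ.get("HTTP_COOKIE", "")).get(COOKIE_NAME)
    if not value:
        return None
    user, sep, mac = value.partition(":")
    if not sep:
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def websso_gateway(app):
    """WSGI middleware that puts SSO in front of an application it knows nothing about."""
    def gateway(environ, start_response):
        user = authenticated_user(environ)
        if user is not None:
            environ["REMOTE_USER"] = user          # existing credentials: pass through
            return app(environ, start_response)

        if environ["REQUEST_METHOD"] in ("GET", "HEAD"):
            # Bounce the browser to the login server; the return URL lets the
            # login server send the user back to the resource afterwards.
            return_to = environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                return_to += "?" + environ["QUERY_STRING"]
            location = LOGIN_SERVER + "?return_url=" + quote(return_to, safe="")
            start_response("302 Found", [("Location", location),
                                         ("Content-Type", "text/plain")])
            return [b"Redirecting to login server\n"]

        # POST (or any method with a body): a redirect would discard the body,
        # and a generic gateway cannot stash it for the application, so the
        # honest answer is a failure that tells the user to authenticate first.
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"Authenticate (by loading the form) before submitting\n"]
    return gateway


def demo_app(environ, start_response):
    """Stand-in for the protected application; echoes who called and what was posted."""
    body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    start_response("200 OK", [("Content-Type", "text/plain")])
    line = f"user={environ['REMOTE_USER']} method={environ['REQUEST_METHOD']} body={body.decode()}\n"
    return [line.encode()]


def call(app, method, path, body=b"", cookie=None):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": "",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if cookie:
        environ["HTTP_COOKIE"] = f"{COOKIE_NAME}={cookie}"
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    gw = websso_gateway(demo_app)
    print(call(gw, "GET", "/app/form"))                      # 302 to login server
    print(call(gw, "POST", "/app/submit", b"x=1"))           # 401: body would be lost
    print(call(gw, "POST", "/app/submit", b"x=1", cookie=make_session_cookie("rra")))
```

The first two calls in the `__main__` block show the asymmetry the message is about: the GET is bounced to the login server with its URL preserved, while the unauthenticated POST can only be rejected. The third call is the page flow Russ recommends: the user authenticated earlier (the GET to the form would have produced the cookie), so the POST carries existing credentials and reaches the application with its body intact.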