View Issue Details

IDProjectCategoryView StatusLast Update
0012458mantisbtapi soappublic2018-03-31 20:05
Reporterzigo73 Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version1.2.3 
Summary0012458: Problem with HTTP_AUTH and Web Services
Description

My MantisBT site is authenticated by Apache using mod_auth_kerb over HTTPS with both SPNEGO and BASIC_AUTH enabled.

I have applied the patch described at http://www.eiben.weite-welt.com/2007/04/mantis_iwa/ to enable SPNEGO authentication.

function mci_check_login() is used for every web services method to check authentication, but it expects username and password being provided for each call, which is not the case for authentication managed by Apache.

I have patched the mci_api.php file this way to make it work:

return user_id if successful, otherwise false.

function mci_check_login( $p_username, $p_password ) {

# Alberto Zigoni: patch for auth_attempt_script_login to work
$t_login_method = config_get( 'login_method' );
if(HTTP_AUTH == $t_login_method) {
    $p_username = auth_prepare_username('');
}
if( mci_is_mantis_offline() ) {
    return false;
}

# if no user name supplied, then attempt to login as anonymous user.
if( is_blank( $p_username )) {
    $t_anon_allowed = config_get( 'allow_anonymous_login' );
    if( OFF == $t_anon_allowed ) {
        return false;
    }

    $p_username = config_get( 'anonymous_account' );

    # do not use password validation.
    $p_password = null;
}

if( false === auth_attempt_script_login( $p_username, $p_password ) ) {
    return false;
}

return auth_get_current_user_id();

}

authentication.api is patched as follows (sso_user_regex is a regex used to strip the '@DOMAIN' suffix from the username in HTTP header):

function auth_prepare_username( $p_username ) {
switch( config_get( 'login_method' ) ) {
case BASIC_AUTH:
$f_username = $_SERVER['REMOTE_USER'];
break;
case HTTP_AUTH:
if( !auth_http_is_logout_pending() ) {
if (isset($_SERVER['REMOTE_USER'])) { # $_SERVER['AUTH_TYPE'] == 'Negotiate' )
preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match);
$f_username = $user_match[1];
}
if( isset( $_SERVER['PHP_AUTH_USER'] ) ) {
$f_username = $_SERVER['PHP_AUTH_USER'];
}
} else {
auth_http_set_logout_pending( false );
auth_http_prompt();

            /* calls exit */
            return;
        }
        break;
    default:
        $f_username = $p_username;
        break;
}
return $f_username;

}

Steps To Reproduce

Access MantisBT via Eclipse 3.6 and mylyn-mantis 3.4.0. (use the latest nightly build, to avoid NullPointerException) and configure task repository to use HTTP Authentication. Patch MantisBT as described above to enable SPNEGO.

Tagspatch
Attached Files
http_auth_web_services_mantisbt1.2.3.patch (3,147 bytes)   
From 028b683b3659090898b333de368ccfd0146d5b65 Mon Sep 17 00:00:00 2001
From: Alberto Zigoni <alberto.zigoni@gmail.com>
Date: Tue, 19 Oct 2010 12:14:33 +0200
Subject: [PATCH] patch for HTTP_AUTH and web services

---
 api/soap/mc_api.php         |   10 +++++++++-
 core/authentication_api.php |   18 ++++++++++++++++--
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/api/soap/mc_api.php b/api/soap/mc_api.php
index bcd8cc4..2d0f999 100644
--- a/api/soap/mc_api.php
+++ b/api/soap/mc_api.php
@@ -36,12 +36,20 @@ function mci_is_mantis_offline() {
 
 # return user_id if successful, otherwise false.
 function mci_check_login( $p_username, $p_password ) {
+
+	# Alberto Zigoni: patch for HTTP authentication 
+	$t_login_method = config_get( 'login_method' );
+	if(HTTP_AUTH == $t_login_method) {
+		$p_username = auth_prepare_username('');
+	}
+	# End patch
+
 	if( mci_is_mantis_offline() ) {
 		return false;
 	}
 
 	# if no user name supplied, then attempt to login as anonymous user.
-	if( is_blank( $p_username ) ) {
+	if( is_blank( $p_username )) {
 		$t_anon_allowed = config_get( 'allow_anonymous_login' );
 		if( OFF == $t_anon_allowed ) {
 			return false;
diff --git a/core/authentication_api.php b/core/authentication_api.php
index 32961f1..b81a5ea 100644
--- a/core/authentication_api.php
+++ b/core/authentication_api.php
@@ -112,6 +112,16 @@ function auth_prepare_username( $p_username ) {
 			break;
 		case HTTP_AUTH:
 			if( !auth_http_is_logout_pending() ) {
+				/* Patch for HTTP authentication
+				 * Add these two variables in config_inc.php
+				 * $g_login_method = HTTP_AUTH;
+			   	 * $g_sso_user_regex  = '/^(.*)@<YOUR DOMAIN>$/i';
+				*/
+				if (isset($_SERVER['REMOTE_USER'])) {
+					preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match);
+					$f_username = $user_match[1];
+				}
+				/* End patch */
 				if( isset( $_SERVER['PHP_AUTH_USER'] ) ) {
 					$f_username = $_SERVER['PHP_AUTH_USER'];
 				}
@@ -144,6 +154,9 @@ function auth_prepare_password( $p_password ) {
 			break;
 		case HTTP_AUTH:
 			if( !auth_http_is_logout_pending() ) {
+				if (isset($_SERVER['REMOTE_USER'])) { #  $_SERVER['AUTH_TYPE'] == 'Negotiate' )
+				    $f_password = '';
+				}
 
 				/* this will never get hit - see auth_prepare_username */
 				if( isset( $_SERVER['PHP_AUTH_PW'] ) ) {
@@ -226,7 +239,8 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) {
 	if( !user_is_anonymous( $t_user_id ) ) {
 		# anonymous login didn't work, so check the password
 
-		if( !auth_does_password_match( $t_user_id, $p_password ) ) {
+		# if( !auth_does_password_match( $t_user_id, $p_password ) ) {
+		if ( HTTP_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) ) {
 			user_increment_failed_login_count( $t_user_id );
 			return false;
 		}
@@ -778,7 +792,7 @@ function auth_get_current_user_id() {
 	if( null !== $g_cache_current_user_id ) {
 		return $g_cache_current_user_id;
 	}
-
+	
 	$t_cookie_string = auth_get_current_user_cookie();
 
 	if( $t_result = user_search_cache( 'cookie_string', $t_cookie_string ) ) {
-- 
1.7.3.1

0001-Enable-MantisBT-to-participate-in-SSO-scenarios.patch (3,691 bytes)   
From b767230c7a3135e3e1f0360738d9ecbde60c28df Mon Sep 17 00:00:00 2001
From: Alberto Zigoni <alberto.zigoni@gmail.com>
Date: Tue, 8 Feb 2011 01:50:54 +0200
Subject: [PATCH] Enable MantisBT to participate in SSO scenarios

When MantisBT is part of a larger installation it is not unusual
for logins to be delegated to another service, which in turn sets
an HTTP header with the authentication result. This commit allows
MantisBT to participate in such scenarios.

Signed-off-by: Robert Munteanu <robert.munteanu@gmail.com>
---
 api/soap/mc_api.php         |    6 ++++++
 config_defaults_inc.php     |   16 ++++++++++++++--
 core/authentication_api.php |   11 ++++++++++-
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/api/soap/mc_api.php b/api/soap/mc_api.php
index 2306eb1..cef1ffa 100644
--- a/api/soap/mc_api.php
+++ b/api/soap/mc_api.php
@@ -36,6 +36,12 @@ function mci_is_mantis_offline() {
 
 # return user_id if successful, otherwise false.
 function mci_check_login( $p_username, $p_password ) {
+
+	$t_login_method = config_get( 'login_method' );
+	if(HTTP_AUTH == $t_login_method) {
+		$p_username = auth_prepare_username('');
+	}
+
 	if( mci_is_mantis_offline() ) {
 		return false;
 	}
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index aab2e35..8061226 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -2639,13 +2639,25 @@ $g_allow_no_category = OFF;
 
 /**
  * login method
- * CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH. You can simply change this at
- * will. MantisBT will try to figure out how the passwords were encrypted.
+ * CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or HTTP_AUTH. You can simply change
+ * this at will. MantisBT will try to figure out how the passwords were encrypted.
  * @global int $g_login_method
  */
 $g_login_method = MD5;
 
 /**
+ * SSO regular expression for matching users
+ * 
+ * <p>This is only useful when <tt>$g_login_method</tt> is set to <tt>HTTP_AUTH</tt>
+ * as it will extract the username from the HTTP headers.</p>
+ * 
+ * <p>Example value: <tt>'/^(.*)@example.com$/i';</tt></p>
+ * 
+ * @global int $g_sso_user_regex
+ */
+$g_sso_user_regex = '';
+
+/**
  * limit reporters. Set to ON if you wish to limit reporters to only viewing
  * bugs that they report.
  * @global int $g_limit_reporters
diff --git a/core/authentication_api.php b/core/authentication_api.php
index 631fb0c..0dc8c28 100644
--- a/core/authentication_api.php
+++ b/core/authentication_api.php
@@ -146,6 +146,12 @@ function auth_prepare_username( $p_username ) {
 			break;
 		case HTTP_AUTH:
 			if( !auth_http_is_logout_pending() ) {
+				
+			    if (isset($_SERVER['REMOTE_USER'])) {
+					preg_match(config_get('sso_user_regex'), $_SERVER['REMOTE_USER'], $user_match);
+					$f_username = $user_match[1];
+				}
+
 				if( isset( $_SERVER['PHP_AUTH_USER'] ) ) {
 					$f_username = $_SERVER['PHP_AUTH_USER'];
 				}
@@ -178,6 +184,9 @@ function auth_prepare_password( $p_password ) {
 			break;
 		case HTTP_AUTH:
 			if( !auth_http_is_logout_pending() ) {
+				if (isset($_SERVER['REMOTE_USER'])) {
+				    $f_password = '';
+				}
 
 				/* this will never get hit - see auth_prepare_username */
 				if( isset( $_SERVER['PHP_AUTH_PW'] ) ) {
@@ -260,7 +269,7 @@ function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) {
 	if( !user_is_anonymous( $t_user_id ) ) {
 		# anonymous login didn't work, so check the password
 
-		if( !auth_does_password_match( $t_user_id, $p_password ) ) {
+		if ( HTTP_AUTH != $t_login_method && !auth_does_password_match( $t_user_id, $p_password ) ) {
 			user_increment_failed_login_count( $t_user_id );
 			return false;
 		}
-- 
1.7.1

Relationships

related to 0011084 acknowledged Login Dialog keeps popping up when using HTTP_AUTH 

Activities

rombert

rombert

2010-10-18 16:48

reporter   ~0027075

Thanks for the patch and for the detailed explanation. Can you provide a git patch as outlined at http://docs.mantisbt.org/master/en/developers.html#DEV.CONTRIB.SUBMIT ?

zigo73

zigo73

2010-10-19 06:18

reporter   ~0027083

Here is the patch. It is my first time with Git, I hope I have not messed up with it.

rombert

rombert

2010-10-20 04:47

reporter   ~0027094

The patch looks fine so far. Excellent even, given that it's your first git patch :-)

A couple of comments:

  1. You don't need the patch start/patch end comments, it's clear from the git history who introduced them.
  2. There are some whitespace-only changes, which should be removed..
  3. If you can leave the $g_sso_user_regex configuration out, do that. If you think that it must be added, please add it to config_defaults_inc.php and document it in docbook/Admin_Guide/en-US/Customizing.xml .
rombert

rombert

2010-10-20 17:28

reporter   ~0027103

If you require the g_ sso_user_regex parameter, how about making it something which is globally useful, like (.)(@. )? Don't know top of my head if that really works but I would like to make it as easy as usable out-of-the-box as possible.

zigo73

zigo73

2010-10-20 17:39

reporter   ~0027104

Well, the thing is that only in Kerberos based authentication the user takes the form of username@KERBEROS.REALM. When using other kinds of HTTP authentication (like for example using a db) there is no need to strip off the '@REALM' part.

In fact, your regex (.)(@.) would not even work in case of non kerberos based HTTP authentication:

  • in case of LDAP authentication the username would be something like cn=username,dn=acme,dn=com
  • with NTLM you would have DOMAIN\username

This is the reason behind using a regular expression. Anyway, I have only experimented with mod_auth_kerb so far.

rombert

rombert

2010-10-20 17:57

reporter   ~0027105

Thanks for pointing this out. Then I suggest adding a default regexp like (.*) , and suggesting what good values you have for mod_auth_kerb in the default value documentation and in the reference guide . We can add more documentation later, if available.

zigo73

zigo73

2010-12-27 05:34

reporter   ~0027713

Rombert,

that's fine for me. I am not a PHP developer, I just needed to make things work, so I've done it "quick and dirty".

Let me know if you need more help, I will be glad to help testing this feature in upcoming versions. I think Integrated Windows Authentication is something very interesting to provide as a standard Mantis feature.

rombert

rombert

2010-12-27 05:44

reporter   ~0027714

OK then. Can you please add ( either in the patch, or as an issue comment ) some suggestions regarding the good values for 'sso_user_regex' that you know of?

zigo73

zigo73

2010-12-27 10:32

reporter   ~0027730

I think that for mod_auth_kerb based authentication, a good regular expression is

'/^(.*)@YOUR.KERBEROS.REALM$/i'

To make it simpler, you could define a boolean variable called something like "spnego_strip_off_realm" to decide, in case of SPNEGO authentication, if the realm should be stripped off or not. In this case, you can simply evaluate a substring of the REMOTE_USER env variable.

Anyway, I think the best way to implement this would be as a Mantis plugin.

rombert

rombert

2010-12-27 10:57

reporter   ~0027733

Thanks.

I'm going to focus on getting the patch implemented and documented. We'll see about convenience later.

rombert

rombert

2011-02-08 17:01

reporter   ~0028194

I've added all the core devs here, since this is as far as I can go with my review. I do not know that part of the code well, and will not be able to commit it.

@core devs: I would appreciate if one of you could take it from here, as I've done all I dare for this issue.

dhx

dhx

2011-02-18 21:28

reporter   ~0028256

Agreed with the idea. Just some comments on the patch from 2011-02-07:

  • Documentation inside config_inc.php (and anywhere else for that matter) should not contain SGML tags (<tt>, etc) as the documentation in this context is plaintext.

  • Documentation of new and updated configuration values needs to be placed in the docbook documentation too.

  • Code style for the patch chunk in auth_prepare_username() is not consistent (lack of spacing around parenthesis) with the remainder of the code and the style guidelines for MantisBT.

  • Can we change the name of the new configuration option "sso_user_regex" to something more descriptive such as "http_auth_username_extraction_regex"? This will make the code easier to read for people not accustomed to the concept of SSO and how MantisBT handles it.

Otherwise the patch seems OK from what I can see.

I have changed the target version from 1.2.x to 1.3.x as the stable branch should not be seeing new features - that should be reserved for the development branch.

Well done!

iwan

iwan

2012-11-03 06:47

reporter   ~0033418

Is this issue still alive? I took a look at the nightly build towards 1.3.x, but last night I couldn't see any of the proposed changes in mc_api.php and authentication_api.php

Ofcourse I will adjust my 1.2.x installation using the ziggo73's explanation, tnx! :)

rombert

rombert

2012-11-04 13:39

reporter   ~0034225

I'm going to have a look after the next release.

grangeway

grangeway

2014-06-01 17:33

reporter   ~0040708

Rombert, given our discussion the other day, where do we stand on fixing this sort of thing?

:)

Paul