mirror of https://github.com/MISP/MISP
[new]: [doc] [ApacheSecureAuth] Add minimal docs for ApacheSecureAuth, and a bigger section about using the /users/logout401 endpoint.
parent
ec495da477
commit
da5278d349
@ -2897,7 +2897,10 @@ class UsersController extends AppController
}
}
public function logout401() {
#To use this, set Plugin.CustomAuth_custom_logout to /users/logout401
# You should read the documentation in docs/CONFIG.ApacheSecureAuth.md
# before using this endpoint. It is not useful without webserver config
# changes.
# To use this, set Plugin.CustomAuth_custom_logout to /users/logout401
$this->response->statusCode(401);
}
}
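Review bot: the comment "To use this, set Plugin.CustomAuth_custom_logout to /users/logout401" appears twice inside `logout401()` (once as `#To use this ...` at the top of the method and again directly above `$this->response->statusCode(401);`); keep one copy. A second point on the same method: it only sets the status code and adds no `WWW-Authenticate` header, so on its own the response is not a valid authentication challenge under RFC 7235 and the browser has nothing to react to; the effect depends entirely on the webserver `<If>` block the comment points to. Either say that explicitly in the comment (the webserver must supply the challenge) or set the header here as well, e.g. `$this->response->header('WWW-Authenticate', 'Basic realm="MISP"');` using the same realm as the Apache config, so the endpoint also behaves sensibly when the webserver block is missing.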
@ -9,6 +9,12 @@
# we would need a lot of code to rebuild it
if (preg_match("/(https?:\/\/)(.*)/", $baseurl, $split_baseurl)):
?>
// The following call has to be done in the users browser to properly make
// Firefox forget HTTP Basic auth credentials. The login with user set to
// "logout" will be captured by webserver configuration, and not be sendt
// to LDAP, but will invalidate the old, cached login in the browser.
// If this is not working, make sure you have configured the webserver
// as described in docs/CONFIG.ApacheSecureAuth.md Logout => LDAP => Option 2.
let logoutxhr401 = new XMLHttpRequest()
logoutxhr401.open("GET", "<?php echo $split_baseurl[1]; ?>logout:@<?php echo $split_baseurl[2]; ?>/users/login")
logoutxhr401.send()
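Review bot: `$split_baseurl[1]` and `$split_baseurl[2]` are echoed straight into a JavaScript string literal with no escaping in the `logoutxhr401.open(...)` line; even though `$baseurl` is set by the administrator, it should be passed through `json_encode()` (or at least `h()`) so a quote or backslash in the configured base URL cannot break out of the literal. Two smaller points: the regex `/(https?:\/\/)(.*)/` captures everything after the scheme, so a `baseurl` configured with a trailing slash produces `host//users/login`, and the new comment has a typo (`sendt` should be `sent`). The comment also states the XHR is needed for Firefox, while the new docs in this commit say it works for "most browsers"; it would help to note in the comment which browsers were actually tested.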
@ -0,0 +1,74 @@
# ApacheSecureAuth
<!---
Ugly diff hack to render text as red using Github's markdown parser
-->
```diff
- BE AWARE: The ApacheSecureAuth / LDAP login code is a
- 3rd party contribution and untested (including security)
- by the MISP-project team.
```
However, you are free to enable it and report back to the developers if you run into any issues.
## Configuration
### MISP configuration
See the commented sections of [config.default.php](../app/Config/config.default.php) for an example of the MISP configuration variables that the ApacheSecureAuth module requires.
### Webserver configuration
`TODO`
## Logout
### Kerberos
If you have configured you webserver to authenticate users using Kerberos/SPNEGO/Negotiate,
there is no "log out", other than invalidating the user's Kerberos tickets.
You can hide the GUI "Log out" link by setting `Plugin.CustomAuth_disable_logout` to `true`.
If you just want to log in as another user, you should be able to do this in an ingonito window.
Most browser will not allow Kerberos/SPNEGO/Negotiate authentification when in ingognito mode,
and i.e. Apache will fall back to having the user input his credentials in a HTTP Basic Auth
popup, for then to authenticate the user with AD using these credentials.
### LDAP
If you are capturing the user's credentials using HTTP Basic Auth, it can be difficult to make
the browser forget these.
There is no common or properly defined way of "logging out" after logging in with HTTP Basic Auth.
If the user presses the GUI "Log out" link, this can result in a logout-login loop, where the user
is logged out, but then immediately loggged back in by means of the browsers cached HTTP Basic Auth
credentials. This can be observed when a user presses "Log out", for then to be returned to the
events view with two flash messages - one about a successful logout, and one "Welcome back" login-message.
There are two options to improve the user experience:
#### Option 1 (simple): Hide GUI "Log Out"
As with Kerberos, the admin can hide the GUI "Log out" link by setting `Plugin.CustomAuth_disable_logout` to `true`.
This is sufficient for many organizations.
#### Options 2 (complicated): Trick the browser into forgetting cached HTTP Basic Auth credentials
The internal path `/users/logout401` in combination with webserver configuration
can trick most browsers into forgetting cached HTTP Basic Auth credentials.
1. Set `Plugin.CustomAuth_custom_logout` to the internal path `/users/logout401`
2. Modify your webserver configuration. Below is an example for Apache2
````
# Only requiring LDAP auth for the /users/login path will improve the user experience.
#<Location "/">
<Location "/users/login">
# This block will catch the Ajax logout from /users/logout401 that is required for
# some browsers, i.e. Firefox. 'Basic bG9nb3V0Og==' equals 'Basic logout:' as
# used buy the `/users/logout401` endpoint. This will prevent extraneous failed
# logins a "logout" user on the LDAP server.
<If "-n %{HTTP:Authorization} && %{HTTP:Authorization} == 'Basic bG9nb3V0Og==' ">
AuthType Basic
AuthName "MISP" # Must be same as in LDAP block
AuthUserFile /dev/null
Require valid-user
</If>
AuthType Basic
AuthName "MISP"
AuthBasicProvider ldap
...
</Else>
</Location>
````
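Review bot: the Apache example under "Option 2" will not load as written: the LDAP directives after `</If>` (`AuthType Basic`, `AuthName "MISP"`, `AuthBasicProvider ldap`, ...) are closed by `</Else>` but there is no opening `<Else>` tag, and `AuthName "MISP" # Must be same as in LDAP block` places a comment on the same line as a directive, which httpd does not permit (comments must start a line), so `AuthName` is rejected for receiving extra arguments. Suggest inserting `<Else>` directly after `</If>` and moving the "Must be same as in LDAP block" note onto its own line above `AuthName`. Wording fixes for the same file: `you webserver` -> `your webserver`, `ingonito` and `ingognito` -> `incognito`, `authentification` -> `authentication`, `loggged` -> `logged`, `browsers cached` -> `browser's cached`, `Options 2` -> `Option 2`, `used buy` -> `used by`, `failed logins a "logout" user` -> `failed logins for a "logout" user`, and `i.e.` is used where `e.g.` is meant (Apache and Firefox are given as examples). Finally, `### Webserver configuration` is still `TODO` even though Option 2 depends on that configuration; at minimum point it at the Option 2 example.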