Apache Perl CGI脚本sso故障和环境变量

时间:2018-11-13 11:13:01

标签: apache perl environment-variables cgi

我迷失了方向,花费了数小时和数天的研究之后,我不知道还能问些什么。

我正在尝试将与Apache一起运行的Perl(OTRS)编写的应用程序集成到我的所有代理中。在客户机和OTRS服务器之间,有一个Tivoli Access Manager,并且在上面配置了一个结点。当客户端打开启用OTRS WAM的资源时,TAM服务器通过从Kerberos票证中获取用户ID来执行已经执行的SSO,并检查给定用户是否可以访问联结(如果他/她是TAM)设置一个名为iv-user的变量。在请求的HTTP标头中,并将其传递到应用程序OTRS。

当我打开网址http://myserver/otrs/index.pl时,我可以看到Apache在HTTP标头中收到了iv-user变量(我已经在Apache中配置了mod_log_forensic):

iv-user variable in the HTTP request

当我现在使用我的用户名和密码登录并访问系统的信息部分时,我可以看到该变量基本上是“重写?”到HTTP_IV_USER

iv_user to HTTP_IV_USER

最后,当我调用URL CGI脚本时,根据我的理解,“重写”是CGI的常见现象  https://tools.ietf.org/html/rfc3875

“The server SHOULD set meta-variables specific to the protocol and
   scheme for the request.  Interpretation of protocol-specific
   variables depends on the protocol version in SERVER_PROTOCOL.  The
   server MAY set a meta-variable with the name of the scheme to a
   non-NULL value if the scheme is not the same as the protocol.  The
   presence of such a variable indicates to a script which scheme is
   used by the request.

   Meta-variables with names beginning with "HTTP_" contain values read
   from the client request header fields, if the protocol used is HTTP.
   The HTTP header field name is converted to upper case, has all
   occurrences of "-" replaced with "_" and has "HTTP_" prepended to
   give the meta-variable name.  The header data can be presented as
   sent by the client, or can be rewritten in ways which do not change
   its semantics.  If multiple header fields with the same field-name
   are received then the server MUST rewrite them as a single value
   having the same semantics.  Similarly, a header field that spans
   multiple lines MUST be merged onto a single line.  The server MUST,
   if necessary, change the representation of the data (for example, the
   character set) to be appropriate for a CGI meta-variable.”

现在,我在OTRS(基本上是一行)中启用SSO,因为OTRS依赖于用户已经进行了预身份验证,并且正在寻找REMOTE_USER变量以将SSO转换为OTRS:

 HTTPBasicAuth for Agents
If you want to implement a "single sign on" solution for all your agents, you can use HTTP basic authentication (for all your systems) and the HTTPBasicAuth module for OTRS (see Example below). 
Example 4.14. Authenticate Agents using HTTPBasic
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
$Self->{LoginURL} = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->{LogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';

因为我不想弄乱生产环境,所以我已经配置了自己的测试环境并模拟了我使用Modify Headers for Google Chrome设置标题的TAM服务器。
当我将标头中Modify Headers中的变量直接设置为HTTP_IV_USER而不是iv_user并从HTTP_IV_USER中获取值并将其设置为Apache {{ 1}}我可以成功进行SSO。

但是问题是Apache接收到的变量为iv_user。如果在“ Chrome浏览器SSO的修改标题”中以这种方式进行设置,则会失败,并显示错误消息REMOTE_USER。所以看起来我的SetEnvIf没有被触发。

我可以按照以下步骤直接在OTRS代码中添加SetEnvIf HTTP_IV_USER "(.*)$" REMOTE_USER=$1变量,但不要认为这是处理它的一种优雅方法:

change in HTTPBasicAuth.pm

长话短说,这是我的问题:

  1. Apache是​​否从HTTP标头(ser: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: x.x.x.x))中找到的变量中创建变量HTTP_IV_USER
  2. 如果是,是否可以使用HTTP_IV_USER指令执行此操作?
  3. 如果是,这是我唯一的猜测,由于iv_user,我的SetEnvIf指令不起作用。 http://httpd.apache.org/docs/2.4/env.html#using

我希望我的问题很清楚并且可以理解,并且我知道有热情的人愿意分享他们的知识和专业知识:)

在此先感谢您,并致以最诚挚的问候!

0 个答案:

没有答案