On Thu, 25 Jun 2009 10:22:19 -0230, Robert King robk@mun.ca wrote:
Folks,
I'm experiencing a very odd issue with a custom plug-in using the authenticate hook. Here at our university we use a Web-based single sign-on authentication called CAS (http://www.jasig.org/cas). I am trying to write a plug-in to allow CAS to work with Roundcube proxying a connection through imapproxy (http://www.imapproxy.org/).
The normal operation for authentication for IMAP by CAS service is to get a one-time-use CAS ticket for every authentication. Since RC stores and reuses the initial password, CAS cannot work in direct connection to the IMAP server. This is not an issue because when we proxy through imapproxy, it holds open the IMAP connection by password/username combination.
So everything should be working great and superficially it seems okay, that is until you try and delete an e-mail. It seems that a delete will call the authenticate hook again and grab a new CAS ticket. The new CAS ticket breaks the imapproxy connection identifier because the password is now different. In turn this causes RC to have a "lost imap connection" error.
The way I look at it I have 2 possibilities:
- Figure a way out to only request the CAS ticket once in the plugin. I'm guessing do a check for existing ticket before requesting. This is the quick fix, but feels like a "duct tape" solution for what might be a larger issue in extending RC for alternative authentication mechanisms.
- Extend RC so that instead of caching a password, it uses a password recall function that can have an exec handler for custom plug-ins. $rcmail->auth->getpass() returns a clear text password and has an exec handler for password return. By default it would be an abstraction of the decrypt session password to keep current functionality.
The value with option two is it would allow plug-in authors to authenticate to peripheral services like managesieve without limiting alternative authentication methods.
I've included the current sort-of-working plugin for anyone's interest.
--
Robert King
System Administrator
Computing & Communications
Memorial University
As an update, it seems the issue is different from my original suspicions. The issue only pops up when deleting/moving a file when the preview pane is enabled. The plug-in is still trying to use the same CAS ticket and it is not requesting a new one (as I had thought).
Any ideas from the core developers as to why the preview pane/delete combo would cause a sometimes IMAP server disconnect?
I've included a Wink screen cast of the bug in action for clarity.
Okay I've managed to use the debug_logger plugin to get some more insight. For some reason the $_SESSION['password'] seems to disappear after the move/delete action.
See the attached log+notes for details.
Attachment: http://detached.gigo.com/rc/Qy/grsGhNKv/casauth_error_log.txt