Article delegate-en/2727 of [1-5169] on the server localhost:119
[Reference:<_A2722@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How force hosts to authenticate
11 Aug 2004 16:24:44 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


On 08/09/04(17:33) you "Salvatore Tarallo \(starallo\)" <starallo@cisco..> wrote
in <_A2722@delegate-en.ML_>
 |07/08 17:05:55.96 [5244] 0+0: ext[11]
 |AUTHORIZER=-list{guest:guest}:http,https:!*.microsoft.com,!*.cisco.com,!
 |*.windowsupdate.com:*
 |07/08 17:05:55.96 [5244] 0+0: ext[12]
 |AUTHORIZER=-list{guest:guest}:http,https:!*.repubblica.it:*
 |
 |I'd assume that the first line would prevent an authorization for all
 |cisco domain but that doesn't seem to be the case.
 |
 |07/08 17:06:04.18 [2600] 1+1: REQUEST = GET
 |http://www.cisco.com/swa/i/logo.gif HTTP/1.1^M
 |07/08 17:06:04.25 [2600] 1+1/1: HCKA:[1] closed -- a:proxy
 |authentication required
 |
 |Are you saying that the delegate doesn't stop the parsing at the first
 |match ?

No, but DeleGate continues searching until it finds the first match.
In your case, your destination host "cisco.com" does NOT match the first
AUTHORIZER, so DeleGate tried the next one, then it matched.

 |Does this also imply that any AUTHORIZER line with a
 |connection map by default applies to all sites for the protocols specified except
 |for the excluded ones ?
 |For example, what would be the expected behaviour of delegate with the
 |two AUTHORIZER parameters specified above ?

Any destination host except those negated in the list of the first AUTHORIZER uses
it.  Hosts negated in the first try the second one.

What is special in your example is that those AUTHORIZERs have only
negation lists, with the same AuthServer and protList.  Imagine a more
general situation where you have multiple AUTHORIZER (or PERMIT, CMAP,
and so on) including non-negation and/or with different AuthServer
and protList like this:

  AUTHORIZER=auth1:prot1:dst1:src1
  AUTHORIZER=auth2:prot2:dst2:src2

When a destination host is not applied in the first one, is there any
reason to ignore the matching with the next one?


So my question is why you need to split a list of hosts into multiple
AUTHORIZER.  If those are in a single list, you will not see such a problem.
If the list is too long to edit or maintain, then it can be split
into multiple lines using HOSTLIST like this.

  AUTHORIZER=-list{guest:guest}:http,https:!noauthHosts
  HOSTLIST=noauthHosts:!*.microsoft.com,!*.cisco.com,!*.windowsupdate.com
  HOSTLIST=noauthHosts:+,!*.repubblica.it:*

Also there is a pseudo authorizer "-any" which accepts any
authentication information.  It can be used as follows:

  AUTHORIZER=-any:*.microsoft.com,*.cisco.com,*.windowsupdate.com
  AUTHORIZER=-any:*.repubblica.it
  AUTHORIZER=-list{guest:guest}

But maybe what you need is to pass through to specified hosts without
asking any Authentication.  It can be realized by changing the code
of DeleGate as enclosed.

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

*** dist/delegate8.9.6-pre13/src/http.c	Sat Aug  7 03:27:49 2004
--- src/http.c	Thu Aug 12 01:14:27 2004
***************
*** 6529,6535 ****
  		else	set_realsite(Conn,"tcprelay",host,port);
  	}
  
! 	if( CTX_auth(Conn,NULL,NULL) ) /* with AUTHORIZER */
  	if( ClientAuthUser[0] == 0 )
  	{
  		if( doauth(Conn,tc) < 0 )
--- 6529,6535 ----
  		else	set_realsite(Conn,"tcprelay",host,port);
  	}
  
! 	if( CTX_auth(Conn,NULL,NULL) <= 0 ) /* with AUTHORIZER not -any */
  	if( ClientAuthUser[0] == 0 )
  	{
  		if( doauth(Conn,tc) < 0 )
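Review bot: the new test `if( CTX_auth(Conn,NULL,NULL) <= 0 )` also fires when CTX_auth() returns 0, which under the old `if( CTX_auth(Conn,NULL,NULL) )` was the "no AUTHORIZER at all" case that skipped doauth(); unless CTX_auth()'s return values changed in the same patch (not shown in this hunk), every connection without any AUTHORIZER and without ClientAuthUser would now be sent to doauth(). The comment "with AUTHORIZER not -any" implies a three-way result (none / ordinary / -any); include the CTX_auth() change or document the return convention next to this test so that the `<= 0` reads as intended.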

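A small model of the first-match walk the reply describes, added here as an example (not DeleGate's own code). It assumes the four-field authServ:protList:dstHostList:srcHostList form from the reply's auth1:prot1:dst1:src1 example and that a negation-only list matches every host not negated; it shows why www.cisco.com is caught by the second AUTHORIZER when the exclusions are split over two lines, and passes without authentication when they are merged into one list.

```python
# Model of how DeleGate walks a sequence of AUTHORIZER parameters (an added
# model, not DeleGate's source).  Assumed syntax, from the reply's
# auth1:prot1:dst1:src1 example: "authServ:protList:dstHostList:srcHostList",
# lists are comma-separated wildcard patterns, "!" negates a pattern, and a
# list made only of negated patterns matches every host that is not negated.
import fnmatch

def split_fields(value):
    """Split on ':' except inside {...}, so -list{guest:guest} stays whole."""
    fields, cur, depth = [], "", 0
    for ch in value:
        depth += (ch == "{") - (ch == "}")
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + [cur]

def host_matches(host, hostlist):
    """Negated pattern hit -> reject; else need a positive hit (or no positives)."""
    pats = [p for p in hostlist.split(",") if p]
    neg = [p[1:] for p in pats if p.startswith("!")]
    pos = [p for p in pats if not p.startswith("!")]
    if any(fnmatch.fnmatch(host, n) for n in neg):
        return False
    return not pos or any(fnmatch.fnmatch(host, p) for p in pos)

def select_authorizer(authorizers, proto, dst_host, src_host="client"):
    """First AUTHORIZER whose protList, dstHostList and srcHostList all match.
    Returns its authServ, or None when no AUTHORIZER applies (no auth asked)."""
    for param in authorizers:
        auth, prots, dsts, srcs = (split_fields(param) + ["*"] * 3)[:4]
        if prots != "*" and proto not in prots.split(","):
            continue
        if host_matches(dst_host, dsts) and host_matches(src_host, srcs):
            return auth
    return None

# The two AUTHORIZER lines from the question (constructed sample config).
SPLIT = [
    "-list{guest:guest}:http,https:!*.microsoft.com,!*.cisco.com,!*.windowsupdate.com:*",
    "-list{guest:guest}:http,https:!*.repubblica.it:*",
]
# The same exclusions merged into one list, as the reply recommends.
MERGED = ["-list{guest:guest}:http,https:!*.microsoft.com,!*.cisco.com,"
          "!*.windowsupdate.com,!*.repubblica.it:*"]
if __name__ == "__main__":
    for host in ("www.cisco.com", "www.repubblica.it", "www.example.org"):
        print(host, "split:", select_authorizer(SPLIT, "http", host),
              "merged:", select_authorizer(MERGED, "http", host))
```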