Incorporate optional Single-Sign-On functionality
|Reported by:||Steffen Hoffmann||Owned by:||Steffen Hoffmann|
|Cc:||boftx@…, macjoost@…, Michael Renzmann, Ryan J Ollos, Erik M. Bray||Trac Release:||0.11|
A configurable authentication cookie path has been the prerequisite for sharing authentication cookies between several Trac environments on a single host. I call it "cheap" Single-Sign-On, because IMHO it's not as mature as true SSO solutions based on a dedicated authentication backend like Kerberos.
[trac]
auth_cookie_path = /var/www/trac
Until now SharedCookieAuthPlugin has been the only Trac plugin to provide some "magic glue" for utilizing this option. I tested it and had the same issue as some other users. According to my half-educated code studies, this is bound to fail at least in any recent Trac due to the way Trac core is handling authentication cookies internally (see my comment to #5566 for details).
Sadly the author has been unable to reproduce the issue and later explicitly dropped maintenance for all his plugins. 2 1/2 years have gone by so far without a bug-fix, not to mention an improved plugin version for Trac >= 0.12 without the monkey-patching of auth.LoginModule done in that plugin. Btw, AcctMgr monkey-patches auth.LoginModule too, and this may even contribute to the failure, at least in my case, but I've not done any closer investigation into this.
Nevertheless I'm eager to get a working solution, and after some work to resolve cookie-related AcctMgr issues I dropped SharedCookieAuthPlugin and made an attempt inside this plugin. I figure that by the time we get this into a decently mature state, a decision could still be made on how to proceed with SharedCookieAuthPlugin.
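
How a browser scopes a cookie by path, as an added example that is not part of the original ticket or of either plugin's code: it implements RFC 6265 path-matching to show which applications on a host receive a cookie issued with a given cookie path, which is what makes sharing between environments possible and also what widens the cookie's exposure. All URL paths and the helper names are constructed for illustration.

```python
# Added example: RFC 6265 (section 5.1.4) path-matching for a path-scoped cookie.
# Every URL path below is a constructed sample value.

def path_matches(request_path, cookie_path):
    """True if a browser sends a cookie scoped to cookie_path with this request."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts when it ends on a path-segment boundary.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def recipients(cookie_path, request_paths):
    """Request paths that would carry the cookie."""
    return [p for p in request_paths if path_matches(p, cookie_path)]


def unintended(cookie_path, intended_prefixes, request_paths):
    """Recipients that lie outside the environments meant to share the login."""
    return [p for p in recipients(cookie_path, request_paths)
            if not any(path_matches(p, pre) for pre in intended_prefixes)]


SAMPLE_REQUESTS = [
    "/trac/project-a/login",
    "/trac/project-b/wiki",
    "/trac/uploads/index.html",   # hypothetical non-Trac app under the same prefix
    "/tracker/report",            # shares a string prefix, not a path segment
    "/webmail/",
]
SHARED_ENVS = ["/trac/project-a", "/trac/project-b"]

if __name__ == "__main__":
    for scope in ("/trac/project-a", "/trac", "/"):
        print(scope, "->", recipients(scope, SAMPLE_REQUESTS))
        print("   outside the shared environments:",
              unintended(scope, SHARED_ENVS, SAMPLE_REQUESTS))
```

The narrowest cookie path that still covers every environment meant to share the login keeps the session cookie away from unrelated applications on the same host.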