Webauth IIS Known Problems: Difference between revisions

2009-05-13

1) The Ucam WebAuth IIS module does not correctly escape '&'
characters when constructing authentication request messages to send
to Raven. This prevents Raven from correctly decoding the request
message, with unpredictable results.

This is only a problem if authentication is triggered in response to
URLs containing '&' - typically URLs containing query
parameters. Subsequent access to URLs containing '&' are
unaffected. In practice this problem is rarely seen because in most
cases authentication is first triggered by 'plain' URLs that don't
include query parameters.

The only obvious work around is to ensure that authentication is
always established, by access to a 'plain' URL, before URLs containing
queries are accessed.

2) If a user sets their login option (see [1]) to 'Do not login to
Raven', either by default of for a particular session, then the Ucam
WebAuth IIS module will authenticate the user for under a second
before requiring them to log in to Raven again. Typical symptoms of
this is that the page triggering authentication and some of its assets
(images, style sheets, etc.) load OK but that other assets are
missing, and that access to any other protected page requires a
further Raven login.

The only work around for this is to ask the user to set their login
options to some other setting.

[1]https://help.uis.cam.ac.uk/service/accounts-passwords/it-staff/raven/raven-faqs/n7