Webauth IIS Known Problems: Difference between revisions

From RavenWiki
(Copy content of WebAuth IIS known problems page)
 
(Remove UCS FAQ that no longer exists)

Revision as of 14:45, 20 September 2019

2009-05-13

1) The Ucam WebAuth IIS module does not correctly escape '&'
characters when constructing authentication request messages to send
to Raven. This prevents Raven from correctly decoding the request
message, with unpredictable results.

This is only a problem if authentication is triggered in response to
URLs containing '&' - typically URLs containing query
parameters. Subsequent accesses to URLs containing '&' are
unaffected. In practice this problem is rarely seen because in most
cases authentication is first triggered by 'plain' URLs that don't
include query parameters.

The only obvious workaround is to ensure that authentication is
always established, by access to a 'plain' URL, before URLs containing
queries are accessed.
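
The failure described in item 1, as an added example (not code from the Ucam WebAuth IIS module). It assumes the request message is carried as a URL query string; the endpoint, the `ver` and `url` parameter names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder endpoint (assumption), not Raven's real address.
WLS = "https://wls.example/authenticate"

# Constructed sample return URLs: one 'plain', one with query parameters.
PLAIN = "https://app.example/report.asp"
QUERY = "https://app.example/report.asp?year=2009&ver=2"


def build_unescaped(return_url):
    """Faulty form: the return URL is pasted into the request as-is."""
    return f"{WLS}?ver=1&url={return_url}"


def build_escaped(return_url):
    """Corrected form: every parameter value is percent-encoded."""
    return f"{WLS}?{urlencode({'ver': '1', 'url': return_url})}"


def decode(request):
    """Fields the receiving side recovers from the request's query string."""
    return parse_qs(urlsplit(request).query, keep_blank_values=True)


def round_trips(builder, return_url):
    """True if the receiver sees exactly one ver and the original URL."""
    fields = decode(builder(return_url))
    return fields.get("ver") == ["1"] and fields.get("url") == [return_url]


if __name__ == "__main__":
    for name, builder in (("unescaped", build_unescaped),
                          ("escaped", build_escaped)):
        for url in (PLAIN, QUERY):
            print(f"{name:9} {url}")
            print(f"          decoded: {decode(builder(url))}")
            print(f"          intact:  {round_trips(builder, url)}")
```

With the unescaped builder the '&' inside the return URL ends the `url` field early and the remainder is read as further request parameters, which is why only URLs with query parameters trigger the problem.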

2) If a user sets their login option to 'Do not login to
Raven', either by default or for a particular session, then the Ucam
WebAuth IIS module will authenticate the user for under a second
before requiring them to log in to Raven again. Typical symptoms are
that the page triggering authentication and some of its assets
(images, style sheets, etc.) load OK but that other assets are
missing, and that access to any other protected page requires a
further Raven login.

The only workaround for this is to ask the user to set their login
options to some other setting.