Start the server in a separate shell session.
$ FLASK_APP=session_app.py FLASK_DEBUG=1 flask run --host 0.0.0.0
Reset any cookies and Kerberos tickets.
$ kdestroy -A
$ rm ~/cookiejar.txt
Try visiting the protected page without authorization.
$ curl -L http://d2-03a.ipa.example.com:5000/protected -b ~/cookiejar.txt -c ~/cookiejar.txt
requires session
Get a Kerberos ticket and then visit the Kerberos login URL.
$ kinit ${USER}
$ klist
Ticket cache: FILE:/tmp/krb5cc_960600001_Hjgmv7lby2
Default principal: bgstack15@IPA.EXAMPLE.COM
Valid starting     Expires            Service principal
06/20/21 16:04:10  06/21/21 16:04:07  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
06/20/21 16:04:15  06/21/21 16:04:07  HTTP/d2-03a.ipa.example.com@IPA.EXAMPLE.COM
$ curl -L http://d2-03a.ipa.example.com:5000/login/kerberos --negotiate -u ':' -b ~/cookiejar.txt -c ~/cookiejar.txt
<meta http-equiv="Refresh" content="1; url=/protected/">success with kerberos
Visit the protected page now that we have a session.
$ cat ~/cookiejar.txt
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
d2-03a.ipa.example.com FALSE / FALSE 0 user "bgstack15@IPA.EXAMPLE.COM"
d2-03a.ipa.example.com FALSE / FALSE 0 type kerberos
d2-03a.ipa.example.com FALSE / FALSE 0 timestamp 2021-06-20T20:06:15Z
#HttpOnly_d2-03a.ipa.example.com FALSE / FALSE 1624219691 session eyJfcGVybWFuZW50Ijp0cnVlLCJlbmRfdGltZSI6IjIwMjEtMDYtMjBUMjA6MDY6MTVaIiwidXNlciI6ImJnaXJ0b25ASVBBLlNNSVRIMTIyLkNPTSJ9.YM-fsw.ZeI4ec-d7D64IEJ9Ab4RfpXfLt4
$ curl -L http://d2-03a.ipa.example.com:5000/protected -b ~/cookiejar.txt -c ~/cookiejar.txt
<html>
<title>View Session Cookie</title>
Username: bgstack15@IPA.EXAMPLE.COM<br/>
Session expires: 2021-06-20T20:06:15Z<br/>
Logged in through: kerberos
</html>
For submitting to the form, pass in form data using fields `username`, `password`, and optionally `logintype` which can be defined within the application. An included option is `ldap`. Kerberos auth through the form is not supported.
$ curl -L -X POST http://d2-03a:5000/login/ --data 'username=bgstack15&password=qwerty' -b ~/cookiejar.txt -c ~/cookiejar.txt
Basic auth can be provided as a POST to /login/basic/.
$ curl -X POST -L http://d2-03a:5000/login/basic/ -b ~/cookiejar.txt -c ~/cookiejar.txt --user 'bgstack15'
Enter host password for user 'bgstack15':
<meta http-equiv="Refresh" content="1; url=/protected/">success with ldap
$ curl -X POST -L http://d2-03a:5000/login/basic/ -b ~/cookiejar.txt -c ~/cookiejar.txt --header "Authorization: Basic $( printf '%s' "${username}:${pw}" | base64 )"
<meta http-equiv="Refresh" content="1; url=/protected/">success with ldap
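
An added example, not part of the original walkthrough or the project's code: a Python check over a curl cookie jar like the one shown after the Kerberos login, reporting which cookies lack the HttpOnly or Secure flag and reading the session payload, which Flask's default cookie session signs but does not encrypt. The jar contents, the user `alice` and the function names are constructed for illustration, and the decoder assumes the app uses Flask's default client-side session.

```python
import base64
import json
import zlib

# Constructed sample in curl's Netscape cookie-jar format (tab-separated).
# Cookie names mirror the jar on this page; all values are made up.
_PAYLOAD = base64.urlsafe_b64encode(json.dumps(
    {"_permanent": True, "end_time": "2021-06-20T20:06:15Z",
     "user": "alice@IPA.EXAMPLE.COM"}).encode()).rstrip(b"=").decode()
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    "d2-03a.ipa.example.com\tFALSE\t/\tFALSE\t0\tuser\t\"alice@IPA.EXAMPLE.COM\"",
    "d2-03a.ipa.example.com\tFALSE\t/\tFALSE\t0\ttype\tkerberos",
    "#HttpOnly_d2-03a.ipa.example.com\tFALSE\t/\tFALSE\t1624219691\tsession\t"
    + _PAYLOAD + ".YM-fsw.constructed-signature",
])


def parse_jar(text):
    """Return one dict per cookie; a '#HttpOnly_' prefix marks HttpOnly."""
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or ordinary comment
        domain, _sub, path, secure, expires, name, value = line.split("\t", 6)
        cookies.append({"domain": domain, "path": path, "name": name,
                        "value": value.strip('"'), "http_only": http_only,
                        "secure": secure == "TRUE", "expires": int(expires)})
    return cookies


def decode_flask_session(value):
    """Read the payload of a signed Flask session cookie; no key is needed."""
    compressed = value.startswith(".")  # leading '.' means zlib-compressed
    payload = value.lstrip(".").split(".")[0]
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    return json.loads(zlib.decompress(raw) if compressed else raw)


def audit(text):
    """List cookies that scripts can read or that travel over plain HTTP."""
    checks = (("http_only", "not HttpOnly"), ("secure", "no Secure flag"))
    return [(c["name"], msg) for c in parse_jar(text)
            for flag, msg in checks if not c[flag]]
```

Run against a real jar with `audit(open(path).read())`; anything stored in the session payload should be treated as visible to the client, since the signature only prevents tampering.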