diff --git a/ldap_authentication/LdapAuthenticationConf.class.php b/ldap_authentication/LdapAuthenticationConf.class.php
index 6c12779..0df682d 100644
--- a/ldap_authentication/LdapAuthenticationConf.class.php
+++ b/ldap_authentication/LdapAuthenticationConf.class.php
@@ -30,6 +30,7 @@ class LdapAuthenticationConf {
public $seamlessLogin = FALSE;
public $ldapImplementation = FALSE;
public $cookieExpire = LDAP_AUTHENTICATION_COOKIE_EXPIRE;
+ public $ssoExcludedPaths = NULL;
public $apiPrefs = array();
@@ -63,6 +64,7 @@ class LdapAuthenticationConf {
'seamlessLogin',
'ldapImplementation',
'cookieExpire',
+ 'ssoExcludedPaths',
);
/** are any ldap servers that are enabled associated with ldap authentication **/
diff --git a/ldap_authentication/LdapAuthenticationConfAdmin.class.php b/ldap_authentication/LdapAuthenticationConfAdmin.class.php
index 97072e2..6853fc3 100644
--- a/ldap_authentication/LdapAuthenticationConfAdmin.class.php
+++ b/ldap_authentication/LdapAuthenticationConfAdmin.class.php
@@ -105,6 +105,13 @@ class LdapAuthenticationConfAdmin extends LdapAuthenticationConf {
l(t('README.txt'), drupal_get_path('module', 'ldap_sso') . '/README.txt')))
. '
';
+ $values['ssoExcludedPathsDescription'] = '' .
+ t("Which paths will not check for SSO? cron.php is common example. Specify pages by using their paths. Enter one path per line. The '*' character is a wildcard.
+ Example paths are %blog for the blog page and %blog-wildcard for every personal blog. %front is the front page.",
+ array('%blog' => 'blog', '%blog-wildcard' => 'blog/*', '%front' => ''));
+ '
';
+
+
$values['ssoRemoteUserStripDomainNameDescription'] = t('Useful when the ' .
'WWW server provides authentication in the form of user@realm and you ' .
'want to have both SSO and regular forms based authentication ' .
@@ -166,6 +173,7 @@ class LdapAuthenticationConfAdmin extends LdapAuthenticationConf {
*/
public $ssoEnabledDescription;
+ public $ssoExcludedPaths;
public $ssoRemoteUserStripDomainNameDescription;
public $ldapImplementationOptions;
public $cookieExpirePeriod;
@@ -440,6 +448,14 @@ class LdapAuthenticationConfAdmin extends LdapAuthenticationConf {
'#disabled' => (boolean)(!$this->ssoEnabled),
);
+ $form['sso']['ssoExcludedPaths'] = array(
+ '#type' => 'textarea',
+ '#title' => t('SSO Excluded Paths'),
+ '#description' => t($this->ssoExcludedPathsDescription),
+ '#default_value' => $this->arrayToLines($this->ssoExcludedPaths),
+ '#disabled' => (boolean)(!$this->ssoEnabled),
+ );
+
$form['submit'] = array(
'#type' => 'submit',
'#value' => 'Save',
@@ -492,6 +508,7 @@ class LdapAuthenticationConfAdmin extends LdapAuthenticationConf {
$this->sids = $values['authenticationServers'];
$this->allowOnlyIfTextInDn = $this->linesToArray($values['allowOnlyIfTextInDn']);
$this->excludeIfTextInDn = $this->linesToArray($values['excludeIfTextInDn']);
+ $this->ssoExcludedPaths = $this->linesToArray($values['ssoExcludedPaths']);
$this->allowTestPhp = $values['allowTestPhp'];
$this->loginUIUsernameTxt = ($values['loginUIUsernameTxt']) ? (string)$values['loginUIUsernameTxt'] : NULL;
$this->loginUIPasswordTxt = ($values['loginUIPasswordTxt']) ? (string)$values['loginUIPasswordTxt'] : NULL;
@@ -505,6 +522,7 @@ class LdapAuthenticationConfAdmin extends LdapAuthenticationConf {
$this->seamlessLogin = ($values['seamlessLogin']) ? (int)$values['seamlessLogin'] : NULL;
$this->cookieExpire = ($values['cookieExpire']) ? (int)$values['cookieExpire'] : NULL;
$this->ldapImplementation = ($values['ldapImplementation']) ? (string)$values['ldapImplementation'] : NULL;
+ $this->ssoExcludedPaths = $this->linesToArray(drupal_strtolower($values['ssoExcludedPaths']));
}
public function drupalFormSubmit($values) {
diff --git a/ldap_sso/ldap_sso.module b/ldap_sso/ldap_sso.module
index 887b23e..7d80a41 100644
--- a/ldap_sso/ldap_sso.module
+++ b/ldap_sso/ldap_sso.module
@@ -46,6 +46,9 @@ function ldap_sso_user_logout($account) {
*/
function ldap_sso_boot() {
if (!drupal_is_cli() && $GLOBALS['user']->uid == 0) {
+ if (ldap_sso_path_excluded_from_sso()) {
+ return;
+ }
if (!(isset($_COOKIE['seamless_login'])) || $_COOKIE['seamless_login'] == 'auto login') {
if ((arg(0) == 'user' && !(is_numeric(arg(1)))) || arg(0) == 'logout' ) {
return;
@@ -58,14 +61,17 @@ function ldap_sso_boot() {
}
require_once(DRUPAL_ROOT . '/includes/common.inc');
require_once(DRUPAL_ROOT . '/includes/path.inc');
- $ldap_authentication_conf = variable_get('ldap_authentication_conf', array());
+
if (isset($ldap_authentication_conf['seamlessLogin']) && $ldap_authentication_conf['seamlessLogin'] == 1 && ($login_attempted != 'true')) {
setcookie("seamless_login_attempted", 'true', time() + (int)$ldap_authentication_conf['cookieExpire'], base_path(), "");
$_SESSION['seamless_login_attempted'] = $login_attempted;
// removed with http://drupal.org/node/1485118 patch
//$ldap_sso_q = (!isset($_GET['q']) || $_GET['q'] == '') ? 'user' : $_GET['q'];
//drupal_goto('user/login/sso', array('query' => array('destination' => rawurlencode($ldap_sso_q))));
- drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE);
+ drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE);
+ if (ldap_sso_path_excluded_from_sso()) { // check this again after additional bootstrap
+ return;
+ }
drupal_goto('user/login/sso', array('query' => drupal_get_destination()));
}
else {
@@ -76,6 +82,49 @@ function ldap_sso_boot() {
}
}
+function ldap_sso_path_excluded_from_sso($path = FALSE) {
+
+ $result = FALSE;
+ if ($path) {
+ // don't derive
+ }
+ elseif ($_SERVER['URL'] == '/index.php') {
+ $path = $_GET['q'];
+ }
+ else {
+ $path = ltrim($_SERVER['URL'], '/'); // cron.php, etc.
+ }
+
+ $ldap_authentication_conf = variable_get('ldap_authentication_conf', array());
+ if ($ldap_authentication_conf['ssoExcludedPaths']) {
+ $patterns = join("\r\n", $ldap_authentication_conf['ssoExcludedPaths']);
+ if ($patterns) {
+ if (function_exists('drupal_get_path_alias')) {
+ $path = drupal_get_path_alias($path);
+ }
+ $path = (function_exists('drupal_strtolower')) ? drupal_strtolower($path) : strtolower($path);
+
+ $to_replace = array(
+ '/(\r\n?|\n)/', // newlines
+ '/\\\\\*/', // asterisks
+ '/(^|\|)\\\\($|\|)/' //
+ );
+ $replacements = array(
+ '|',
+ '.*',
+ '\1' . preg_quote(variable_get('site_frontpage', 'node'), '/') . '\2'
+ );
+ $patterns_quoted = preg_quote($patterns, '/');
+ $regex = '/^(' . preg_replace($to_replace, $replacements, $patterns_quoted) . ')$/';
+ $result = (bool)preg_match($regex, $path);
+ // die("match=$result,
patterns=$patterns ,
regex=$regex
q=". $path);
+ }
+ }
+
+ return $result;
+
+}
+
/**
* A proxy function for the actual authentication routine. This is in place
* so various implementations of grabbing NTLM credentials can be used and