perfSONAR User Q&A and Other Discussion

[Mark Foster <>]

I created a hacky sort of way of dealing this a while back; basically, I 
stuff the verbiage in the template(s) that are used to build the page.
Some recent changes (on the GUI) side had me rework the script.  When I 
shared my approach with him, George augmented it by putting in a (script) 
popup.

It's probably pretty NASA specific, but if others on the list are interested, 
I'd be happy to share the approach.

If you want to see an example of what it looks like, check
ps-arc-meter.nren.nasa.gov

-- Mark

On 3/4/2016 2:04 PM, Aaron Brown wrote:
> You could probably hack something similar using redirect rules. If the 
> request isn't authenticated and isn't coming from a page listing the notice 
> and consent banner, it redirects to that page, and that page just has the 
> warning and a redirect link back to the original authentication requiring 
> page which would now pop up the basicauth stuff.
>
> Cheers,
> Aaron
>
> On Mar 4, 2016, at 3:23 PM, Mark Feit 
> <
>  
> <mailto:>>
>  wrote:
>
> >  
> > <mailto:>
> >  on behalf of Daniel Doyle writes:
> >
> >
> >     It sounds like what you’re describing is maybe a “message of the day” 
> > type thing, which could be a feature request for the UI in the future. Is 
> > that accurate?
> >
> >
> > It’s more like a pre-login message, the equivalent of /etc/issue on Unix 
> > systems.  A number of government agencies require that before a user attempts 
> > to log into any system, they see a notice and consent banner that says they 
> > understand the system is owned by the government and consent to a whole raft 
> > of things by using it.  This must happen before /any/ attempt to log in, not 
> > just those that come through the front door.
> >
> > DoD’s standard message is two fairly long paragraphs and is over 1KB in 
> > length; I don’t imagine NASA’s is much shorter.  Since perfSONAR uses  HTTP 
> > Basic Authentication, the only way to get the message shown is to stuff it 
> > into the realm, which is what George tried.  None of the major browsers 
> > render a message that long in their login dialogs, so the message gets 
> > partially delivered, which doesn’t meet the rule.  (I’ve bumped into this 
> > myself in the past, and it’s a thorn in a lot of sides.)
> >
> > To make perfSONAR able to do this sort of thing correctly, we’d have to bring 
> > authentication into the toolkit instead of delegating it to Apache.  That 
> > woulds give us the control over the login page that we’d need to display a 
> > message of arbitrary length.
> >
> > —Mark