ad_sign (public)

 ad_sign [ -secret secret ] [ -token_id token_id ] [ -max_age max_age ] \
    [ -binding binding ] value

Defined in packages/acs-tcl/tcl/security-procs.tcl

Returns a digital signature of the value. Negative token_ids are reserved for secrets external to the ACS digital signature mechanism. If a token_id is specified, a secret must also be specified.

Switches:
-secret
(optional)
allows the caller to specify a known secret external to the random secret management mechanism.
-token_id
(optional)
allows the caller to specify a token_id which is then ignored so don't use it.
-max_age
(optional)
specifies the length of time the signature is valid in seconds. The default is forever.
-binding
(defaults to "0") (optional)
allows the caller to bind a signature to a user/session. A value of 0 (default) means no additional binding. When the value is "-1" only the user who created the signature can obtain the value again. When the value is "-2" only the user with the same csrf token can obtain the value again. The permissible values might be extended in the future.
Parameters:
value - the value to be signed.

Partial Call Graph (max 5 caller/called nodes):
%3 test_auth_password_recover auth_password_recover (test acs-authentication) ad_sign ad_sign test_auth_password_recover->ad_sign test_sync_http_get_document sync_http_get_document (test acs-authentication) test_sync_http_get_document->ad_sign ad_conn ad_conn (public) ad_sign->ad_conn sec_get_random_cached_token_id sec_get_random_cached_token_id (public) ad_sign->sec_get_random_cached_token_id sec_get_token sec_get_token (public) ad_sign->sec_get_token security::csrf::new security::csrf::new (public) ad_sign->security::csrf::new acs_mail_lite::unique_id_create acs_mail_lite::unique_id_create (private) acs_mail_lite::unique_id_create->ad_sign ad_form ad_form (public) ad_form->ad_sign ad_set_signed_cookie ad_set_signed_cookie (public) ad_set_signed_cookie->ad_sign export_vars_sign export_vars_sign (private) export_vars_sign->ad_sign security::parameter::signed security::parameter::signed (public) security::parameter::signed->ad_sign

Testcases:
auth_password_recover, sync_http_get_document
Source code:
    if {$token_id eq ""} {
        # pick a random token_id
        set token_id [sec_get_random_cached_token_id]
    }

    if { $secret eq "" } {
        set secret_token [sec_get_token $token_id]
    } else {
        set secret_token $secret
    }


    ns_log Debug "Security: Getting token_id $token_id, value $secret_token"

    if { $max_age eq "" } {
        set expire_time 0
    } else {
        set expire_time [expr {$max_age + [ns_time]}]
    }

    switch $binding {
        -1 {
            set binding_value [ad_conn user_id]
            append token_id :$binding
        }
        -2 {
            set binding_value [::security::csrf::new]
            append token_id :$binding
        }
        0 {
            set binding_value ""
        }
        default {error "invalid binding"}
    }

    set hash [ns_sha1 "$value$token_id$expire_time$secret_token$binding_value"]
    set signature [list $token_id $expire_time $hash]

    return $signature
Generic XQL file:
packages/acs-tcl/tcl/security-procs.xql

PostgreSQL XQL file:
packages/acs-tcl/tcl/security-procs-postgresql.xql

Oracle XQL file:
packages/acs-tcl/tcl/security-procs-oracle.xql

[ hide source ] | [ make this the default ]
Show another procedure: