Re: How to silently use Proxy authentication credentials from Keychain, like Safari, Mail, etc.
- Subject: Re: How to silently use Proxy authentication credentials from Keychain, like Safari, Mail, etc.
- From: Jens Alfke <email@hidden>
- Date: Mon, 05 Sep 2016 12:10:26 -0700
> On Sep 5, 2016, at 6:51 AM, Motti Shneor <email@hidden> wrote:
>
> 1. Why don’t Safari, Mail, Photos, and other standard apps trigger such a dialog when they clearly use proxy settings (including credentials) to go to the internet? Is this behavior acceptable, and how is it done?
Those apps are signed by Apple, so they’re automatically trusted.
Note that the Keychain permission alert only appears _once_ for any app. You may be seeing it every time you run your code, but that’s because every time you change the code, it makes the app look different to the system. (You can get around this by signing the app; then the signature remains the same between launches.)
> 2. All proxy settings seem to be system-wide. Why do the credentials reside in the active user’s Login keychain, instead of the “System” keychain? Is there at all a way (except for manually editing the keychains) to set up proxies for ALL users, including credentials?
Have you verified that different users inherit the same proxy settings? If so, I agree that it’s odd that the credentials would be in the Login keychain.
> 3. Could I, at the time of installation of my product, ask once for this access, and have this “trust” saved for my installed daemon? That will be acceptable, as IT install our tool, and have rights for this. If this is possible - where and how could I do it?
I don’t know. It may be related to the way that app helper processes are authenticated, i.e. being signed with related certs. But this isn’t something I’ve ever done.
One other possibility is:
* Installer gets the proxy settings, including getting user permission to access credentials
* Installer saves the settings & credentials into a file only accessible to root
* Daemon reads the settings from that file
> 4. Could I avoid the whole proxy-authentication protocol, and use some OS X API that would do it for me (in the likes of NSURLSession)? Is there some official lower-level API to do this? Otherwise I need to implement all kinds of authentication schemes (Kerberos, NTLM, digest etc.), which seems silly on an OS that already knows how to do it. Clearly OS implementation will be superior to mine...
I think NSURLSession is the only API that includes proxy support. For some reason CFStream doesn’t, even though it can do HTTP requests.
—Jens
_______________________________________________
Cocoa-dev mailing list (email@hidden)
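The root-only file hand-off listed in the reply above, as an added example in C (not code from this thread): the installer side creates the file with mode 0600, and the daemon side verifies owner and mode on the open descriptor before reading. The function names, the path and the sample settings are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Installer side: create the file privately; fails if the path exists. */
int write_secret_file(const char *path, const void *buf, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* fchmod pins the mode explicitly before any secret is written. */
    if (fchmod(fd, 0600) != 0 || write(fd, buf, len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

/* Daemon side: returns bytes read, or -1 on any failure.
 * owner is the uid expected to own the file (0 for a root daemon). */
ssize_t read_secret_file(const char *path, uid_t owner, void *buf, size_t cap) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* refuse a symlinked path */
    if (fd < 0) return -1;
    /* fstat the descriptor, not the path: no swap between check and read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}

int main(void) {
    const char *path = "/tmp/proxy-settings.example";    /* constructed path */
    const char cfg[] = "host=proxy.example.invalid\nuser=svc\npass=constructed\n";
    char buf[256];
    unlink(path);
    if (write_secret_file(path, cfg, sizeof cfg - 1) != 0) return 1;
    ssize_t n = read_secret_file(path, geteuid(), buf, sizeof buf);  /* 0 in a root daemon */
    printf("read %zd of %zu bytes\n", n, sizeof cfg - 1);
    unlink(path);
    return n == (ssize_t)(sizeof cfg - 1) ? 0 : 1;
}
```

The daemon rejects the file if it is a symlink, is not a regular file, has any group or other permission bits, or is owned by a different uid than expected.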