echocas-client 2.1.1

data/CHANGELOG.txt ADDED
@@ -0,0 +1 @@
1
+ See History.txt
data/History.txt ADDED
@@ -0,0 +1,162 @@
1
+ = RubyCAS-Client Changelog
2
+
3
+ == Version 2.1.0 :: 2009-08-18
4
+
5
+ * New functionality:
6
+ * Added an adapter for the Merb framework. Thanks to Andrew O'Brien and
7
+ Antono Vasiljev.
8
+ * Implemented single-sign-out functionality. The client will now intercept
9
+ single-sign-out requests and deal with them appropriately if the
10
+ :enable_single_sign_out config option is set to true. This is currently
11
+ disabled by default. (Currently this is only implemented for the Rails
12
+ adapter)
13
+ * Added logout method to Rails adapter to simplify the logout process. The
14
+ logout method resets the local Rails session and redirects to the CAS
15
+ logout page.
16
+ * Added login_url method to the Rails filter. This will return the login
17
+ URL for the current controller; useful when you want to show a "Login"
18
+ link in a gatewayed page for an unauthenticated user.
19
+ * Added cas_server_is_up? method to the client, as requested in issue #5.
20
+ * Extra user attributes are now automatically unserialized if the incoming data
21
+ is in YAML format.
22
+
23
+ * Changes to existing functionality:
24
+ * The 'service' parameter in the logout method has been renamed to
25
+ 'destination' to better match the behaviour of other CAS clients. So for
26
+ example, when you call logout_url("http://foo.example"), the method will
27
+ now return "https://cas.example?destination=https%3A%2F%2Ffoo.example"
28
+ instead of the old "https://cas.example?service=https%3A%2F%2Ffoo.example".
29
+ RubyCAS-Server has been modified to deal with this as of version 0.6.0.
30
+ * We now accept HTTP responses from the CAS server with status code 422 since
31
+ RubyCAS-Server 0.7.0+ generates these in response to requests that are
32
+ processable but contain invalid CAS data (for example an invalid service
33
+ ticket).
34
+ * Some behind-the-scenes changes to the way previous authentication info is
35
+ reused by the Rails filter in subsequent requests (see the note below
36
+ in the 2.0.1 release). From the user's and integrator's point of view
37
+ there shouldn't be any obvious difference from 2.0.1.
38
+ * Redirection loop interception: The client now logs a warning message when it
39
+ believes that it is stuck in a redirection loop with the CAS server. If more
40
+ than three of these redirects occur within one second, the client will
41
+ redirect back to the login page with renew=1, forcing the user to try
42
+ authenticating again.
43
+ * Somewhat better handling and logging of errors resulting from CAS server
44
+ connection/response problems.
45
+
46
+ * Bug Fixes:
47
+ * Fixed bug where the the service/destination parameter in the logout url
48
+ would sometimes retain the 'ticket' value. The ticket is now automatically
49
+ stripped from the logout url.
50
+ * The client will no longer attempt to retrieve a PGT for an IOU that had
51
+ already been previously retrieved. [yipdw1]
52
+
53
+ * Misc:
54
+ * Added complete CAS client integration examples for Rails and Merb
55
+ applications under /examples.
56
+
57
+ == Version 2.0.1 :: 2008-02-27
58
+
59
+ * The Rails filter no longer by default redirects to the CAS server on
60
+ every request. This restores the behaviour of RubyCAS-Client 1.x.
61
+ In other words, if a session[:cas_user] value exists, the filter
62
+ will assume that the user is authenticated without going through the
63
+ CAS server. This behaviour can be disabled (so that a CAS re-check is
64
+ done on every request) by setting the 'authenticate_on_every_request'
65
+ option to true. See the "Re-authenticating on every request" section
66
+ in the README.txt for details.
67
+
68
+ == Version 2.0.0 :: 2008-02-14
69
+
70
+ * COMPLETE RE-WRITE OF THE ENTIRE CLIENT FROM THE GROUND UP. Oh yes.
71
+ * Core client has been abstracted out of the Rails adapter. It should now
72
+ be possible to use the client in other frameworks (e.g. Camping).
73
+ * Configuration syntax has completely changed. In other words, your old
74
+ rubycas-client-1.x configuration will no longer work. See the README
75
+ for details.
76
+ * Added support for reading extra attributes from the CAS response (i.e. in
77
+ addition to just the username). However currently this is somewhat useless
78
+ since RubyCAS-Server does not yet provide a method for adding extra
79
+ attributes to the responses it generates.
80
+
81
+ ------------------------------------------------------------------------------
82
+
83
+ == Version 1.1.0 :: 2007-12-21
84
+
85
+ * Fixed serious bug having to do with logouts. You can now end the
86
+ CAS session on the client-side (i.e. force the client to re-authenticate)
87
+ by setting session[:casfilteruser] = nil.
88
+ * Added new GatewayFilter. This is identical to the normal Filter but
89
+ has the gateway option set to true by default. This should make
90
+ using the gateway option easier.
91
+ * The CAS::Filter methods are now properly documented.
92
+ * Simplified guess_service produces better URLs when redirecting to the CAS
93
+ server for authentication and the service URL is not explicitly specified.
94
+ [delagoya]
95
+ * The correct method for overriding the service URL for the client is now
96
+ properly documented. You should use service_url=, as server_name= no longer
97
+ works and instead generates a warning message.
98
+ * logout_url() now takes an additional 'service' parameter. If specified, this
99
+ URL will be passed on to the CAS server as part of the logout URL.
100
+
101
+ == Version 1.0.0 :: 2007-07-26
102
+
103
+ * RubyCAS-Client has matured to the point where it is probably safe to
104
+ take it out of beta and release version 1.0.
105
+ * Non-SSL CAS URLs will now work. This may be useful for demo purposes,
106
+ but certainly shouldn't be used in production. The client automatically
107
+ disables SSL if the CAS URL starts with http (rather than https). [rubywmq]
108
+
109
+ == Version 0.12.0
110
+
111
+ * Prior to redirecting to the CAS login page, the client now stores the
112
+ current service URI in a session variable. This value is used to
113
+ validate the service ticket after the user comes back from the CAS
114
+ server's login page. This should address issues where redirection
115
+ from the CAS server resulted in a slightly different URI from the original
116
+ one used prior to login redirection (for example due to variations in the
117
+ way routing rules are applied by the server).
118
+ * The client now handles malformed CAS server responses more gracefully.
119
+ This makes debugging a malfunctioning CAS server somewhat easier.
120
+ * When receiving a proxy-granting ticket, the cas_proxy_callback_controller
121
+ can now take a parameter called 'pgt' (which is what ought to be used
122
+ according to the published CAS spec) or 'pgtId' (which is what the JA-SIG
123
+ CAS server uses).
124
+ * Logging has been somewhat quieted down. Many messages that were previously
125
+ logged as INFO are now logged as DEBUG.
126
+
127
+ == Version 0.11.0
128
+
129
+ * Added this changelog to advise users of major changes to the library.
130
+ * Large chunks of the library have been re-written. Beware of the possibility
131
+ of new bugs (although the re-write was meant to fix a whole slew of existing
132
+ bugs, so you're almost certainly better off upgrading).
133
+ * service and targetService parameters in requests are now properly URI-encoded,
134
+ so the filter should behave properly when your service has query parameters.
135
+ Thanks sakazuki for pointing out the problem.
136
+ * You can now force the CAS client to re-authenticate itself with the CAS server
137
+ (i.e. override the authentication stored in the session) by providing a new
138
+ service ticket in the URI. In other words, the client will authenticate with
139
+ CAS if: a) you have a 'ticket' parameter in the URI, and there is currently no
140
+ authentication info in the session, or b) you have a 'ticket' parameter in the
141
+ URI and this ticket is different than the ticket that was used to authenticat
142
+ the existing session. This is especially useful when you are using CAS proxying,
143
+ since it allows you to force re-authentication in proxied applications (for
144
+ example, when the user has logged out and a new user has logged in in the parent
145
+ proxy-granting application).
146
+ * If your service URI has a 'ticket' parameter, it will now be automatically
147
+ removed when passing the service as a parameter in any CAS request. This is
148
+ done because at least some CAS servers will happily accept a service URI with
149
+ a 'ticket' parameter, which will result in a URI with multiple 'ticket'
150
+ parameters once you are redirected back to CAS (and that in turn can result
151
+ in an endless redirection loop).
152
+ * Logging has been greatly improved, which should make debugging your CAS
153
+ installation much easier. Look for the logs under log/cas_client_RAILS_ENV.log
154
+ * When you install RubyCAS-Client as a Rails plugin, it will now by default
155
+ use a custom logger. You can change this by explicitly setting your own
156
+ logger in your environment.rb, or by modifying the plugin's init.rb.
157
+ * CasProxyCallbackController no longer checks to make sure that the incoming
158
+ request is secure. The check is impossible since the secure header is not
159
+ passed on by at least some reverse proxies (like Pound), and if you are using
160
+ the callback controller then you are almost certainly also using a reverse
161
+ proxy.
162
+ * Cleaned up and updated documentation, fixed some example code.
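Review bot: History.txt stops at "Version 2.1.0 :: 2009-08-18", but this gem is echocas-client 2.1.1, and the file is titled "RubyCAS-Client Changelog" throughout; add a 2.1.1 entry that states what this package changes relative to rubycas-client 2.1.0 (at minimum the rename), otherwise anyone auditing the gem has no record of what differs from upstream. While here, line 141 reads "used to authenticat the existing session" and should be "authenticate".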
data/LICENSE.txt ADDED
@@ -0,0 +1,26 @@
1
+ Portions of RubyCAS-Client contributed by Matt Zukowski are copyright (c) 2009 Urbacon Ltd.
2
+ Other portions are copyright of their respective authors.
3
+
4
+ The MIT License
5
+
6
+ Permission is hereby granted, free of charge, to any person
7
+ obtaining a copy of this software and associated documentation
8
+ files (the "Software"), to deal in the Software without
9
+ restriction, including without limitation the rights to use,
10
+ copy, modify, merge, publish, distribute, sublicense, and/or sell
11
+ copies of the Software, and to permit persons to whom the
12
+ Software is furnished to do so, subject to the following
13
+ conditions:
14
+
15
+ The above copyright notice and this permission notice shall be
16
+ included in all copies or substantial portions of the Software.
17
+
18
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
19
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
20
+ OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
21
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
22
+ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
23
+ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
24
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
25
+ OTHER DEALINGS IN THE SOFTWARE.
26
+
data/Manifest.txt ADDED
@@ -0,0 +1,23 @@
1
+ CHANGELOG.txt
2
+ History.txt
3
+ LICENSE.txt
4
+ Manifest.txt
5
+ README.rdoc
6
+ Rakefile
7
+ examples/merb/README.textile
8
+ examples/merb/Rakefile
9
+ examples/merb/merb.thor
10
+ examples/merb/merb_auth_cas.rb
11
+ examples/merb/spec/spec_helper.rb
12
+ init.rb
13
+ lib/casclient.rb
14
+ lib/casclient/client.rb
15
+ lib/casclient/frameworks/merb/filter.rb
16
+ lib/casclient/frameworks/merb/strategy.rb
17
+ lib/casclient/frameworks/rails/cas_proxy_callback_controller.rb
18
+ lib/casclient/frameworks/rails/filter.rb
19
+ lib/casclient/responses.rb
20
+ lib/casclient/tickets.rb
21
+ lib/casclient/version.rb
22
+ lib/rubycas-client.rb
23
+ setup.rb
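Review bot: Manifest.txt omits files the Rakefile depends on. The Rakefile's `:install` task runs `gem build rubycas-client.gemspec` (Rakefile line 61) and `p.test_globs = ["test/**/*_test.rb"]` (line 49), yet no gemspec and no test/ directory appear in the manifest, so `rake install` from the packaged gem cannot find its gemspec and the test task has nothing to run. Either add those files to the manifest or drop the references from the Rakefile.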
data/README.rdoc ADDED
@@ -0,0 +1,322 @@
1
+ = RubyCAS-Client
2
+
3
+ Author:: Matt Zukowski <matt AT roughest DOT net>; inspired by code by Ola Bini <ola.bini AT ki DOT se> and Matt Walker <mwalker AT tamu DOT edu>
4
+ Copyright:: Portions contributed by Matt Zukowski are copyright (c) 2009 Urbacon Ltd.
5
+ Other portions are copyright of their respective authors.
6
+ License:: MIT License
7
+ Websites:: http://github.com/gunark/rubycas-client
8
+ http://code.google.com/p/rubycas-client
9
+ http://rubyforge.org/projects/rubycas-client
10
+
11
+
12
+
13
+ === RubyCAS-Client is a Ruby client library for Yale's Central Authentication Service (CAS) protocol.
14
+
15
+ CAS provides a secure single sign on solution for web-based applications. The user logs in to your
16
+ organization's CAS server, and is automatically authenticated for all other CAS-enabled applications.
17
+
18
+ For general information about the open CAS protocol, please have a look at http://www.ja-sig.org/products/cas.
19
+
20
+ If your organization does not already have a CAS server, you may be interested in RubyCAS-Client's sister project,
21
+ RubyCAS-Server[http://code.google.com/p/rubycas-server/].
22
+
23
+ The RubyCAS-Client package includes adapters for Rails and Merb, although the client library itself can be
24
+ adapted for other frameworks (for example an implementation for Camping is available via the Picnic[http://github.com/zuk/picnic/tree/master]
25
+ library).
26
+
27
+
28
+ == Getting help and reporting problems
29
+
30
+ If you need help, try posting to the RubyCAS discussion group at http://groups.google.com/group/rubycas-server.
31
+
32
+ To report problems, please use the Google Code issue tracker at http://code.google.com/p/rubycas-client/issues/list.
33
+
34
+ API documentation (i.e. the RDocs) are available at http://rubycas-client.rubyforge.org
35
+
36
+
37
+ == Installation
38
+
39
+ You can download the latest version of RubyCAS-Client from the project's rubyforge page at
40
+ http://rubyforge.org/projects/rubycas-client.
41
+
42
+ However, if you're using Rails, it's easier to install the CAS client as a plugin:
43
+
44
+ cd <your rails app>
45
+ ./script/plugin install http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
46
+
47
+ Alternatively, the library is also installable as a RubyGem[http://rubygems.org]:
48
+
49
+ gem install rubycas-client
50
+
51
+ If your Rails application is under Subversion control, you can also install the plugin as an svn:external, ensuring that
52
+ you always have the latest bleeding-edge version of RubyCAS-Client:
53
+
54
+ ./script/plugin install -x http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
55
+
56
+ With Rails 2.1 or newer, it is also possible to install the plugin directly from the bleeding-edge git repository:
57
+
58
+ ./script/plugin install git://github.com/gunark/rubycas-client.git
59
+
60
+ == Usage Examples
61
+
62
+ If you'd rather jump right in, have a look at the example Rails and Merb applications pre-configured for CAS
63
+ authentication:
64
+
65
+ http://github.com/gunark/rubycas-client/tree/master/examples
66
+
67
+
68
+ Otherwise, continue reading for a step-by-step guide for integrating RubyCAS-Client with Rails:
69
+
70
+
71
+ ==== Using RubyCAS-Client in Rails controllers
72
+
73
+ <i>Note that from this point on we are assuming that you have a working CAS server up and running!</i>
74
+
75
+ After installing RubyCAS-Client as a plugin (see above), add the following to your app's <tt>config/environment.rb</tt>
76
+ (make sure that you put it at the bottom of the file, *after* the Rails Initializer):
77
+
78
+ CASClient::Frameworks::Rails::Filter.configure(
79
+ :cas_base_url => "https://cas.example.foo/"
80
+ )
81
+
82
+ (Change the <tt>:cas_base_url</tt> value to your CAS server's base URL; also note that many CAS servers are configured
83
+ with a base URL that looks more like "https://cas.example.foo/cas".)
84
+
85
+ Then, in your <tt>app/controllers/application.rb</tt> (or in whichever controller you want to add the CAS filter for):
86
+
87
+ before_filter CASClient::Frameworks::Rails::Filter
88
+
89
+ That's it. You should now find that you are redirected to your CAS login page whenever you try to access any action
90
+ in your protected controller. You can of course qualify the <tt>before_filter</tt> as you would with any other ActionController
91
+ filter. For example:
92
+
93
+ before_filter CASClient::Frameworks::Rails::Filter, :except => [ :unprotected_action, :another_unprotected_action ]
94
+
95
+ <b>Once the user has been authenticated, their authenticated username is available under <tt>session[:cas_user]</tt>,</b>
96
+ If you want to do something with this username (for example load a user record from the database), you can append another
97
+ filter method that checks for this value and does whatever you need it to do.
98
+
99
+ <b>Note:</b> If Rails complains about missing constants, try adding this before the CASClient configuration:
100
+
101
+ require 'casclient'
102
+ require 'casclient/frameworks/rails/filter'
103
+
104
+
105
+ ==== A more complicated example
106
+
107
+ Here is a more complicated configuration showing most of the configuration options along with their default values
108
+ (this does not show proxy options, which are covered in the next section):
109
+
110
+ # enable detailed CAS logging
111
+ cas_logger = CASClient::Logger.new(RAILS_ROOT+'/log/cas.log')
112
+ cas_logger.level = Logger::DEBUG
113
+
114
+ CASClient::Frameworks::Rails::Filter.configure(
115
+ :cas_base_url => "https://cas.example.foo/",
116
+ :login_url => "https://cas.example.foo/login",
117
+ :logout_url => "https://cas.example.foo/logout",
118
+ :validate_url => "https://cas.example.foo/proxyValidate",
119
+ :username_session_key => :cas_user,
120
+ :extra_attributes_session_key => :cas_extra_attributes,
121
+ :logger => cas_logger,
122
+ :enable_single_sign_out => true
123
+ )
124
+
125
+ Note that normally it is not necessary to specify <tt>:login_url</tt>, <tt>:logout_url</tt>, and <tt>:validate_url</tt>.
126
+ These values are automatically set to standard CAS defaults based on the given <tt>:cas_base_url</tt>.
127
+
128
+ The <tt>:username_session_key</tt> value determines the key under which you can find the CAS username in the Rails session hash.
129
+
130
+ Any additional info that the CAS server might have supplied about the user during authentication will be found under the
131
+ <tt>:extra_attributes_session_key</tt> value in the Rails session hash (i.e. given the above configuration, you would find this
132
+ info under <tt>session[:cas_extra_attributes]</tt>).
133
+
134
+ An arbitrary Logger instance can be given as the :logger parameter. In the example above we log all CAS activity to a
135
+ <tt>log/cas.log</tt> file in your Rails app's directory.
136
+
137
+ ==== Re-authenticating on every request (i.e. the "single sign-out problem")
138
+
139
+ By default, the Rails filter will only authenticate with the CAS server when no session[:cas_user] value exists. Once the user
140
+ has been authenticated, no further CAS forwarding is done until the user's session is wiped. This saves you
141
+ the trouble of having to do this check yourself (since in most cases it is not advisable to go through the CAS server
142
+ on every request -- this is slow and would potentially lead to problems, for example for AJAX requests). However,
143
+ the disadvantage is that the filter no longer checks to make sure that the user's CAS session is still actually open.
144
+ In other words it is possible for the user's authentication session to be closed on the CAS server without the
145
+ client application knowing about it.
146
+
147
+ To address this, RubyCAS-Client now supports the new "Single Sign-Out" functionality in CAS 3.1, allowing the server to
148
+ notify the client application that the CAS session is closed. The client will automatically intercept Single Sign-Out
149
+ requsts from the CAS server, but in order for this to work you must configure your Rails application as follows:
150
+
151
+ 1. The Rails session store must be set to ActiveRecord: <tt>config.action_controller.session_store = :active_record_store</tt>
152
+ 2. The server must be able to read and write to RAILS_ROOT/tmp/sessions. If you are in a clustered environment,
153
+ the contents of this directory must be shared between all server instances.
154
+ 3. Cross-site request forgery protection must be disabled. In your <tt>application.rb</tt>: <tt>self.allow_forgery_protection = false</tt>.
155
+ (Or rather you may want to disable forgery protection only for actions that are behind the CAS filter.)
156
+ 4. Finally, you must add <tt>:enable_single_sign_out => true</tt> to your CAS client config (a similar option must be
157
+ enabled on the CAS server, if you're using RubyCAS-Server).
158
+
159
+ The best way to debug single-sign out functionality is to configure your CAS client with logging (see above) and then watch the
160
+ log to ensure that single-sign out requests from the server are being processed correctly.
161
+
162
+
163
+ Alternatively, it is possible to disable authentication persistence in the client by setting the <tt>:authenticate_on_every_request</tt>
164
+ configuration option to true as, in the example in the previous section. However, this is not recommended as it will almost
165
+ certainly have a deleterious impact on performance and can interfere with certain HTTP transactions (AJAX requests, for example).
166
+
167
+
168
+ ==== Defining a 'logout' action
169
+
170
+ Your Rails application's controller(s) will probably have some sort of logout function. Here you can do any necessary local
171
+ cleanup, and then call <tt>CASClient::Frameworks::Rails::Filter.logout(controller)</tt>. For example:
172
+
173
+ class ApplicationController < ActionController::Base
174
+
175
+ # ...
176
+
177
+ def logout
178
+ # optionally do some local cleanup here
179
+ # ...
180
+
181
+ CASClient::Frameworks::Rails::Filter.logout(self)
182
+ end
183
+ end
184
+
185
+ By default, the logout method will clear the local Rails session, do some local CAS cleanup, and redirect to the CAS
186
+ logout page. Additionally, the <tt>request.referer</tt> value from the <tt>controller</tt> instance is passed to the
187
+ CAS server as a 'destination' parameter. This allows RubyCAS server to provide a follow-up login page allowing
188
+ the user to log back in to the service they just logged out from using a different username and password. Other
189
+ CAS server implemenations may use this 'destination' parameter in different ways.
190
+
191
+ ==== Gatewayed (i.e. optional) authentication
192
+
193
+ "Gatewaying" essentially allows for optional CAS authentication. Users who already have a pre-existing CAS SSO session
194
+ will be automatically authenticated for the gatewayed service, while those who do not will be allowed to access the service
195
+ without authentication. This is useful for example when you want to show some additional private content on a homepage to
196
+ authenticated users, but also want anonymous users to be able to access the page without first logging in.
197
+
198
+ To allow users to access a page without authenticatin, simply use <tt>CASClient::Frameworks::Rails::GatewayFilter</tt>
199
+ in place of <tt>CASClient::Frameworks::Rails::Filter</tt> in your controller. For example, you may want to require
200
+ CAS authentication for all actions in a controller except the index action:
201
+
202
+ class ExampleController < ApplicationController
203
+ before_filter CASClient::Frameworks::Rails::GatewayFilter, :only => :index
204
+ before_filter CASClient::Frameworks::Rails::Filter, :except => :index
205
+
206
+ # ...
207
+ end
208
+
209
+ To provide a login URL for unauthenticated users:
210
+
211
+ <%= link_to("Login", CASClient::Frameworks::Rails::Filter.login_url(controller)) %>
212
+
213
+ ==== How to act as a CAS proxy
214
+
215
+ CAS 2.0 has a built-in mechanism that allows a CAS-authenticated application to pass on its authentication to other applications.
216
+ An example where this is useful might be a portal site, where the user logs in to a central website and then gets forwarded to
217
+ various other sites that run independently of the portal system (but are always accessed via the portal). The exact mechanism
218
+ behind this is rather complicated so I won't go over it here. If you wish to learn more about CAS proxying, a great walkthrough
219
+ is available at http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough.
220
+
221
+ RubyCAS-Client fully supports proxying, so a CAS-protected Rails application can act as a CAS proxy.
222
+
223
+ Additionally, RubyCAS-Client comes with a controller that can act as a CAS proxy callback receiver. This is necessary because
224
+ when your application requests to act as a CAS proxy, the CAS server must contact your application to deposit the proxy-granting-ticket
225
+ (PGT). Note that in this case the CAS server CONTACTS YOU, rather than you contacting the CAS server (as in all other CAS operations).
226
+
227
+ Confused? Don't worry, you don't really have to understand this to use it. To enable your Rails app to act as a CAS proxy,
228
+ all you need to do is this:
229
+
230
+ In your <tt>config/environment.rb</tt>:
231
+
232
+ # enable detailed CAS logging for easier troubleshooting
233
+ cas_logger = CASClient::Logger.new(RAILS_ROOT+'/log/cas.log')
234
+ cas_logger.level = Logger::DEBUG
235
+
236
+ CASClient::Frameworks::Rails::Filter.configure(
237
+ :cas_base_url => "https://cas.example.foo/",
238
+ :proxy_retrieval_url => "https://cas-proxy-callback.example.foo/cas_proxy_callback/retrieve_pgt",
239
+ :proxy_callback_url => "https://cas-proxy-callback.example.foo/cas_proxy_callback/receive_pgt",
240
+ :logger => cas_logger
241
+ )
242
+
243
+ In <tt>config/routes.rb</tt> make sure that you have a route that will allow requests to /cas_proxy_callback/:action to be routed to the
244
+ CasProxyCallbackController. This should work as-is with the standard Rails routes setup, but if you have disabled the default
245
+ route, you should add the following:
246
+
247
+ map.cas_proxy_callback 'cas_proxy_callback/:action', :controller => 'cas_proxy_callback'
248
+
249
+ Now here's a big giant caveat: <b>your CAS callback application and your CAS proxy application must run on separate Rails servers</b>.
250
+ In other words, if you want a Rails app to act as a CAS ticket-granting proxy, the cas_proxy_callback controller
251
+ must run on a different server. This is because Rails does not properly support handling of concurrent requests. The CAS proxy mechanism
252
+ acts in such a way that if your proxy application and your callback controller were on the same server
253
+ you would end up with a deadlock (the CAS server would be waiting for its callback to be accepted by your Rails server,
254
+ but your Rails server wouldn't respond to the CAS server's callback until the CAS server responded back first).
255
+
256
+ The simplest workaround is this:
257
+
258
+ 1. Create an empty rails app (i.e. something like <tt>rails cas_proxy_callback</tt>)
259
+ 2. Make sure that you have the CAS plugin installed. If you installed it as a gem, you don't have to do anything since
260
+ it is already installed. If you want to install as a plugin, see the instructions in the "Installing" section above.
261
+ 3. Make sure that the server is up and running, and configure your proxy_callback_url and proxy_retrieval_url to point
262
+ to the new server as described above (or rather, make Pound point to the new server, if that's how you're handling https).
263
+
264
+ That's it. The proxy_callback_controller doesn't require any additional configuration. It doesn't access the database
265
+ or anything of that sort.
266
+
267
+ Once your user logs in to CAS via your application, you can do the following to obtain a service ticket that can then be used
268
+ to authenticate another application:
269
+
270
+ service_uri = "http://some-other-application.example.foo"
271
+ proxy_granting_ticket = session[:cas_pgt]
272
+ proxy_ticket = CASClient::Frameworks::Rails::Filter.client.request_proxy_ticket(service_uri, proxy_granting_ticket)
273
+
274
+ <tt>proxy_ticket</tt> should now contain a valid proxy ticket. You can use it to authenticate other services by sending it together with
275
+ the service URI as parameters to your target application:
276
+
277
+ http://some-other-application.example.foo?service=#{CGI::escape(proxy_ticket.service)}&ticket=#{proxy_ticket.ticket}
278
+
279
+ This is of course assuming that http://some-other-application.example.foo is also protected by the CAS filter.
280
+ Note that you should always URI-encode your service parameter inside URIs!
281
+
282
+ Note that #request_proxy_ticket returns a CASClient::ProxyTicket object, which is why we need to call #ticket on it
283
+ to retrieve the actual service ticket string.
284
+
285
+ ===== Additional proxying notes and caveats
286
+
287
+ <b>The proxy url must be an https address.</b> Otherwise CAS will refuse to communicate with it. This means that if you are using
288
+ the bundled cas_proxy_callback controller, you will have to host your application on an https-enabled server. This can be a bit
289
+ tricky with Rails. WEBrick's SSL support is difficult to configure, and Mongrel doesn't support SSL at all. One workaround is to
290
+ use a reverse proxy like Pound[http://www.apsis.ch/pound/], which will accept https connections and locally re-route them
291
+ to your Rails application. Also, note that <i>self-signed SSL certificates likely won't work</i>. You will probably need to use
292
+ a real certificate purchased from a trusted CA authority (there are ways around this, but good luck :)
293
+
294
+
295
+ == SSL Support
296
+
297
+ Make sure you have the Ruby OpenSSL library installed. Otherwise you may get errors like:
298
+
299
+ no such file to load -- net/https
300
+
301
+ To install the library on an Debian/Ubuntu system:
302
+
303
+ sudo apt-get install libopenssl-ruby
304
+
305
+ For other platforms you'll have to figure it out yourself.
306
+
307
+ == Testing
308
+
309
+ In some cases, especially those using Cucumber or other tools that simply can't work with
310
+ CAS, it may be necessary to work around CAS instead.
311
+
312
+ In your test or Cucumber step definition, simply fake out CAS.
313
+
314
+ CASClient::Frameworks::Rails::Filter.fake("homer")
315
+
316
+ This functionality was present in the original version of this plugin.
317
+ The value of the username is stored in session[:cas_user] (or the user specified field) and session[:casfilteruser] for backwards-compatibility.
318
+
319
+ == License
320
+
321
+ RubyCAS-Client is licensed for use under the terms of the MIT License.
322
+ See the LICENSE.txt file bundled with the official RubyCAS-Client distribution for details.
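Review bot: the README installs a different package than the one it ships in. Lines 49, 45 and 58 tell the reader to run `gem install rubycas-client` or to pull the plugin from the rubycas-client SVN/git repositories, while this gem is echocas-client 2.1.1; a user following the README ends up with upstream code rather than this gem, so the install section should name echocas-client and its own source location. Two further points: in "Re-authenticating on every request", step 3 puts `self.allow_forgery_protection = false` in application.rb, which disables CSRF protection for every form in the application; the parenthetical on the next line already notes it can be limited to the CAS-filtered actions, and that narrower form should be the primary instruction, with the global switch mentioned only as a fallback. Finally, the workaround step 2 refers to an "Installing" section that is actually titled "Installation", and there are typos in "requsts" (line 149), "authenticatin" (line 198) and "implemenations" (line 189).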
data/Rakefile ADDED
@@ -0,0 +1,63 @@
1
+ require 'rubygems'
2
+ require 'rake'
3
+ require 'rake/clean'
4
+ require 'rake/testtask'
5
+ require 'rake/packagetask'
6
+ require 'rake/gempackagetask'
7
+ require 'rake/rdoctask'
8
+ require 'rake/contrib/rubyforgepublisher'
9
+ require 'fileutils'
10
+ require 'hoe'
11
+ include FileUtils
12
+ require File.join(File.dirname(__FILE__), 'lib', 'casclient', 'version')
13
+
14
+ AUTHOR = ["Matt Zukowski", "Matt Walker"] # can also be an array of Authors
15
+ EMAIL = "matt at roughest dot net"
16
+ DESCRIPTION = "Client library for the Central Authentication Service (CAS) protocol."
17
+ GEM_NAME = "rubycas-client" # what ppl will type to install your gem
18
+ RUBYFORGE_PROJECT = "rubycas-client" # The unix name for your project
19
+ HOMEPATH = "http://#{RUBYFORGE_PROJECT}.rubyforge.org"
20
+
21
+ ENV['NODOT'] = '1'
22
+
23
+ NAME = "rubycas-client"
24
+ REV = nil
25
+ #REV = `svn info`[/Revision: (\d+)/, 1] rescue nil
26
+ VERS = ENV['VERSION'] || (CASClient::VERSION::STRING + (REV ? ".#{REV}" : ""))
27
+ CLEAN.include ['**/.*.sw?', '*.gem', '.config']
28
+ RDOC_OPTS = ['--quiet', '--title', "rubycas-client documentation",
29
+ "--opname", "index.html",
30
+ "--line-numbers",
31
+ "--main", "README",
32
+ "--inline-source"]
33
+
34
+ class Hoe
35
+ def extra_deps
36
+ @extra_deps.reject { |x| Array(x).first == 'hoe' }
37
+ end
38
+ end
39
+
40
+ # Generate all the Rake tasks
41
+ # Run 'rake -T' to see list of generated tasks (from gem root directory)
42
+ hoe = Hoe.new(GEM_NAME, VERS) do |p|
43
+ p.author = AUTHOR
44
+ p.description = DESCRIPTION
45
+ p.email = EMAIL
46
+ p.summary = DESCRIPTION
47
+ p.url = HOMEPATH
48
+ p.rubyforge_name = RUBYFORGE_PROJECT if RUBYFORGE_PROJECT
49
+ p.test_globs = ["test/**/*_test.rb"]
50
+ p.clean_globs = CLEAN #An array of file patterns to delete on clean.
51
+
52
+ # == Optional
53
+ #p.changes - A description of the release's latest changes.
54
+ #p.extra_deps - An array of rubygem dependencies.
55
+ #p.spec_extras - A hash of extra values to set in the gemspec.
56
+ p.extra_deps = ['activesupport']
57
+ end
58
+
59
+ desc 'Build and install rubycas-client'
60
+ task :install do
61
+ system "gem build rubycas-client.gemspec"
62
+ system "sudo gem install rubycas-client-#{VERS}.gem"
63
+ end
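Review bot: the `:install` task (lines 59-63) shells out to `sudo gem install rubycas-client-#{VERS}.gem` with `VERS` taken from `ENV['VERSION']` (line 26), so an untrusted environment variable is interpolated into a command run as root; drop the `sudo` (let the user decide where to install) and build with the Hoe-generated package task rather than a separate `gem build rubycas-client.gemspec`, since no gemspec is in the manifest. Also `GEM_NAME = "rubycas-client"` and `NAME = "rubycas-client"` (lines 17, 23) do not match this gem's name, and `p.extra_deps = ['activesupport']` (line 56) carries no version constraint, so an installer may resolve any ActiveSupport release.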
data/init.rb ADDED
@@ -0,0 +1,6 @@
1
+ # This file makes it possible to install RubyCAS-Client as a Rails plugin.
2
+
3
+ $: << File.expand_path(File.dirname(__FILE__))+'/lib'
4
+
5
+ require 'casclient'
6
+ require 'casclient/frameworks/rails/filter'
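Review bot: line 3 appends the plugin's lib directory to the load path with `$: << ...`, so if a rubycas-client or echocas-client gem is also installed and activated, `require 'casclient'` on line 5 resolves to the gem's copy first and the plugin's own code is silently ignored; use `$:.unshift` so the plugin's lib takes precedence, or document that the plugin and the gem must not both be installed.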