echocas-client 2.1.1
- data/CHANGELOG.txt +1 -0
- data/History.txt +162 -0
- data/LICENSE.txt +26 -0
- data/Manifest.txt +23 -0
- data/README.rdoc +322 -0
- data/Rakefile +63 -0
- data/init.rb +6 -0
- data/lib/casclient/client.rb +259 -0
- data/lib/casclient/frameworks/merb/strategy.rb +110 -0
- data/lib/casclient/frameworks/rails/cas_proxy_callback_controller.rb +76 -0
- data/lib/casclient/frameworks/rails/filter.rb +372 -0
- data/lib/casclient/responses.rb +191 -0
- data/lib/casclient/tickets.rb +38 -0
- data/lib/casclient/version.rb +9 -0
- data/lib/casclient.rb +89 -0
- data/lib/rubycas-client.rb +5 -0
- data/setup.rb +1585 -0
- metadata +119 -0
data/CHANGELOG.txt
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
See History.txt
|
data/History.txt
ADDED
@@ -0,0 +1,162 @@
|
|
1
|
+
= RubyCAS-Client Changelog
|
2
|
+
|
3
|
+
== Version 2.1.0 :: 2009-08-18
|
4
|
+
|
5
|
+
* New functionality:
|
6
|
+
* Added an adapter for the Merb framework. Thanks to Andrew O'Brien and
|
7
|
+
Antono Vasiljev.
|
8
|
+
* Implemented single-sign-out functionality. The client will now intercept
|
9
|
+
single-sign-out requests and deal with them appropriately if the
|
10
|
+
:enable_single_sign_out config option is set to true. This is currently
|
11
|
+
disabled by default. (Currently this is only implemented for the Rails
|
12
|
+
adapter)
|
13
|
+
* Added logout method to Rails adapter to simplify the logout process. The
|
14
|
+
logout method resets the local Rails session and redirects to the CAS
|
15
|
+
logout page.
|
16
|
+
* Added login_url method to the Rails filter. This will return the login
|
17
|
+
URL for the current controller; useful when you want to show a "Login"
|
18
|
+
link in a gatewayed page for an unauthenticated user.
|
19
|
+
* Added cas_server_is_up? method to the client, as requested in issue #5.
|
20
|
+
* Extra user attributes are now automatically unserialized if the incoming data
|
21
|
+
is in YAML format.
|
22
|
+
|
23
|
+
* Changes to existing functionality:
|
24
|
+
* The 'service' parameter in the logout method has been renamed to
|
25
|
+
'destination' to better match the behaviour of other CAS clients. So for
|
26
|
+
example, when you call logout_url("http://foo.example"), the method will
|
27
|
+
now return "https://cas.example?destination=https%3A%2F%2Ffoo.example"
|
28
|
+
instead of the old "https://cas.example?service=https%3A%2F%2Ffoo.example".
|
29
|
+
RubyCAS-Server has been modified to deal with this as of version 0.6.0.
|
30
|
+
* We now accept HTTP responses from the CAS server with status code 422 since
|
31
|
+
RubyCAS-Server 0.7.0+ generates these in response to requests that are
|
32
|
+
processable but contain invalid CAS data (for example an invalid service
|
33
|
+
ticket).
|
34
|
+
* Some behind-the-scenes changes to the way previous authentication info is
|
35
|
+
reused by the Rails filter in subsequent requests (see the note below
|
36
|
+
in the 2.0.1 release). From the user's and integrator's point of view
|
37
|
+
there shouldn't be any obvious difference from 2.0.1.
|
38
|
+
* Redirection loop interception: The client now logs a warning message when it
|
39
|
+
believes that it is stuck in a redirection loop with the CAS server. If more
|
40
|
+
than three of these redirects occur within one second, the client will
|
41
|
+
redirect back to the login page with renew=1, forcing the user to try
|
42
|
+
authenticating again.
|
43
|
+
* Somewhat better handling and logging of errors resulting from CAS server
|
44
|
+
connection/response problems.
|
45
|
+
|
46
|
+
* Bug Fixes:
|
47
|
+
* Fixed bug where the the service/destination parameter in the logout url
|
48
|
+
would sometimes retain the 'ticket' value. The ticket is now automatically
|
49
|
+
stripped from the logout url.
|
50
|
+
* The client will no longer attempt to retrieve a PGT for an IOU that had
|
51
|
+
already been previously retrieved. [yipdw1]
|
52
|
+
|
53
|
+
* Misc:
|
54
|
+
* Added complete CAS client integration examples for Rails and Merb
|
55
|
+
applications under /examples.
|
56
|
+
|
57
|
+
== Version 2.0.1 :: 2008-02-27
|
58
|
+
|
59
|
+
* The Rails filter no longer by default redirects to the CAS server on
|
60
|
+
every request. This restores the behaviour of RubyCAS-Client 1.x.
|
61
|
+
In other words, if a session[:cas_user] value exists, the filter
|
62
|
+
will assume that the user is authenticated without going through the
|
63
|
+
CAS server. This behaviour can be disabled (so that a CAS re-check is
|
64
|
+
done on every request) by setting the 'authenticate_on_every_request'
|
65
|
+
option to true. See the "Re-authenticating on every request" section
|
66
|
+
in the README.txt for details.
|
67
|
+
|
68
|
+
== Version 2.0.0 :: 2008-02-14
|
69
|
+
|
70
|
+
* COMPLETE RE-WRITE OF THE ENTIRE CLIENT FROM THE GROUND UP. Oh yes.
|
71
|
+
* Core client has been abstracted out of the Rails adapter. It should now
|
72
|
+
be possible to use the client in other frameworks (e.g. Camping).
|
73
|
+
* Configuration syntax has completely changed. In other words, your old
|
74
|
+
rubycas-client-1.x configuration will no longer work. See the README
|
75
|
+
for details.
|
76
|
+
* Added support for reading extra attributes from the CAS response (i.e. in
|
77
|
+
addition to just the username). However currently this is somewhat useless
|
78
|
+
since RubyCAS-Server does not yet provide a method for adding extra
|
79
|
+
attributes to the responses it generates.
|
80
|
+
|
81
|
+
------------------------------------------------------------------------------
|
82
|
+
|
83
|
+
== Version 1.1.0 :: 2007-12-21
|
84
|
+
|
85
|
+
* Fixed serious bug having to do with logouts. You can now end the
|
86
|
+
CAS session on the client-side (i.e. force the client to re-authenticate)
|
87
|
+
by setting session[:casfilteruser] = nil.
|
88
|
+
* Added new GatewayFilter. This is identical to the normal Filter but
|
89
|
+
has the gateway option set to true by default. This should make
|
90
|
+
using the gateway option easier.
|
91
|
+
* The CAS::Filter methods are now properly documented.
|
92
|
+
* Simplified guess_service produces better URLs when redirecting to the CAS
|
93
|
+
server for authentication and the service URL is not explicitly specified.
|
94
|
+
[delagoya]
|
95
|
+
* The correct method for overriding the service URL for the client is now
|
96
|
+
properly documented. You should use service_url=, as server_name= no longer
|
97
|
+
works and instead generates a warning message.
|
98
|
+
* logout_url() now takes an additional 'service' parameter. If specified, this
|
99
|
+
URL will be passed on to the CAS server as part of the logout URL.
|
100
|
+
|
101
|
+
== Version 1.0.0 :: 2007-07-26
|
102
|
+
|
103
|
+
* RubyCAS-Client has matured to the point where it is probably safe to
|
104
|
+
take it out of beta and release version 1.0.
|
105
|
+
* Non-SSL CAS URLs will now work. This may be useful for demo purposes,
|
106
|
+
but certainly shouldn't be used in production. The client automatically
|
107
|
+
disables SSL if the CAS URL starts with http (rather than https). [rubywmq]
|
108
|
+
|
109
|
+
== Version 0.12.0
|
110
|
+
|
111
|
+
* Prior to redirecting to the CAS login page, the client now stores the
|
112
|
+
current service URI in a session variable. This value is used to
|
113
|
+
validate the service ticket after the user comes back from the CAS
|
114
|
+
server's login page. This should address issues where redirection
|
115
|
+
from the CAS server resulted in a slightly different URI from the original
|
116
|
+
one used prior to login redirection (for example due to variations in the
|
117
|
+
way routing rules are applied by the server).
|
118
|
+
* The client now handles malformed CAS server responses more gracefully.
|
119
|
+
This makes debugging a malfunctioning CAS server somewhat easier.
|
120
|
+
* When receiving a proxy-granting ticket, the cas_proxy_callback_controller
|
121
|
+
can now take a parameter called 'pgt' (which is what ought to be used
|
122
|
+
according to the published CAS spec) or 'pgtId' (which is what the JA-SIG
|
123
|
+
CAS server uses).
|
124
|
+
* Logging has been somewhat quieted down. Many messages that were previously
|
125
|
+
logged as INFO are now logged as DEBUG.
|
126
|
+
|
127
|
+
== Version 0.11.0
|
128
|
+
|
129
|
+
* Added this changelog to advise users of major changes to the library.
|
130
|
+
* Large chunks of the library have been re-written. Beware of the possibility
|
131
|
+
of new bugs (although the re-write was meant to fix a whole slew of existing
|
132
|
+
bugs, so you're almost certainly better off upgrading).
|
133
|
+
* service and targetService parameters in requests are now properly URI-encoded,
|
134
|
+
so the filter should behave properly when your service has query parameters.
|
135
|
+
Thanks sakazuki for pointing out the problem.
|
136
|
+
* You can now force the CAS client to re-authenticate itself with the CAS server
|
137
|
+
(i.e. override the authentication stored in the session) by providing a new
|
138
|
+
service ticket in the URI. In other words, the client will authenticate with
|
139
|
+
CAS if: a) you have a 'ticket' parameter in the URI, and there is currently no
|
140
|
+
authentication info in the session, or b) you have a 'ticket' parameter in the
|
141
|
+
URI and this ticket is different than the ticket that was used to authenticat
|
142
|
+
the existing session. This is especially useful when you are using CAS proxying,
|
143
|
+
since it allows you to force re-authentication in proxied applications (for
|
144
|
+
example, when the user has logged out and a new user has logged in in the parent
|
145
|
+
proxy-granting application).
|
146
|
+
* If your service URI has a 'ticket' parameter, it will now be automatically
|
147
|
+
removed when passing the service as a parameter in any CAS request. This is
|
148
|
+
done because at least some CAS servers will happily accept a service URI with
|
149
|
+
a 'ticket' parameter, which will result in a URI with multiple 'ticket'
|
150
|
+
parameters once you are redirected back to CAS (and that in turn can result
|
151
|
+
in an endless redirection loop).
|
152
|
+
* Logging has been greatly improved, which should make debugging your CAS
|
153
|
+
installation much easier. Look for the logs under log/cas_client_RAILS_ENV.log
|
154
|
+
* When you install RubyCAS-Client as a Rails plugin, it will now by default
|
155
|
+
use a custom logger. You can change this by explicitly setting your own
|
156
|
+
logger in your environment.rb, or by modifying the plugin's init.rb.
|
157
|
+
* CasProxyCallbackController no longer checks to make sure that the incoming
|
158
|
+
request is secure. The check is impossible since the secure header is not
|
159
|
+
passed on by at least some reverse proxies (like Pound), and if you are using
|
160
|
+
the callback controller then you are almost certainly also using a reverse
|
161
|
+
proxy.
|
162
|
+
* Cleaned up and updated documentation, fixed some example code.
|
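Review bot: two entries in this changelog describe the client dropping transport-security checks without any compensating safeguard, and the README should say so explicitly. The 1.0.0 entry states that SSL is disabled automatically whenever the CAS URL starts with http, and the 0.11.0 entry states that CasProxyCallbackController no longer verifies that the incoming callback request is secure; together they mean nothing in the client refuses a plaintext deployment, so the documentation should state that an http CAS URL is for demos only and recommend that the client log a warning when it downgrades, and that the callback controller must only be reachable through the TLS-terminating reverse proxy (Pound in the text). Minor: the 2.0.1 entry refers readers to README.txt, but the file shipped in this gem is README.rdoc.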
data/LICENSE.txt
ADDED
@@ -0,0 +1,26 @@
|
|
1
|
+
Portions of RubyCAS-Client contributed by Matt Zukowski are copyright (c) 2009 Urbacon Ltd.
|
2
|
+
Other portions are copyright of their respective authors.
|
3
|
+
|
4
|
+
The MIT License
|
5
|
+
|
6
|
+
Permission is hereby granted, free of charge, to any person
|
7
|
+
obtaining a copy of this software and associated documentation
|
8
|
+
files (the "Software"), to deal in the Software without
|
9
|
+
restriction, including without limitation the rights to use,
|
10
|
+
copy, modify, merge, publish, distribute, sublicense, and/or sell
|
11
|
+
copies of the Software, and to permit persons to whom the
|
12
|
+
Software is furnished to do so, subject to the following
|
13
|
+
conditions:
|
14
|
+
|
15
|
+
The above copyright notice and this permission notice shall be
|
16
|
+
included in all copies or substantial portions of the Software.
|
17
|
+
|
18
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
19
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
|
20
|
+
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
21
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
22
|
+
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
23
|
+
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
24
|
+
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
25
|
+
OTHER DEALINGS IN THE SOFTWARE.
|
26
|
+
|
data/Manifest.txt
ADDED
@@ -0,0 +1,23 @@
|
|
1
|
+
CHANGELOG.txt
|
2
|
+
History.txt
|
3
|
+
LICENSE.txt
|
4
|
+
Manifest.txt
|
5
|
+
README.rdoc
|
6
|
+
Rakefile
|
7
|
+
examples/merb/README.textile
|
8
|
+
examples/merb/Rakefile
|
9
|
+
examples/merb/merb.thor
|
10
|
+
examples/merb/merb_auth_cas.rb
|
11
|
+
examples/merb/spec/spec_helper.rb
|
12
|
+
init.rb
|
13
|
+
lib/casclient.rb
|
14
|
+
lib/casclient/client.rb
|
15
|
+
lib/casclient/frameworks/merb/filter.rb
|
16
|
+
lib/casclient/frameworks/merb/strategy.rb
|
17
|
+
lib/casclient/frameworks/rails/cas_proxy_callback_controller.rb
|
18
|
+
lib/casclient/frameworks/rails/filter.rb
|
19
|
+
lib/casclient/responses.rb
|
20
|
+
lib/casclient/tickets.rb
|
21
|
+
lib/casclient/version.rb
|
22
|
+
lib/rubycas-client.rb
|
23
|
+
setup.rb
|
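Review bot: Manifest.txt declares files that are not in this gem. It lists examples/merb/README.textile, examples/merb/Rakefile, examples/merb/merb.thor, examples/merb/merb_auth_cas.rb, examples/merb/spec/spec_helper.rb and lib/casclient/frameworks/merb/filter.rb, none of which appear in the file summary at the top of this diff, while the History entry advertises "complete CAS client integration examples for Rails and Merb under /examples". Either the manifest is stale or the package was built from an incomplete tree; regenerate the manifest from the actual file list before release so that what the gem declares matches what it ships.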
data/README.rdoc
ADDED
@@ -0,0 +1,322 @@
|
|
1
|
+
= RubyCAS-Client
|
2
|
+
|
3
|
+
Author:: Matt Zukowski <matt AT roughest DOT net>; inspired by code by Ola Bini <ola.bini AT ki DOT se> and Matt Walker <mwalker AT tamu DOT edu>
|
4
|
+
Copyright:: Portions contributed by Matt Zukowski are copyright (c) 2009 Urbacon Ltd.
|
5
|
+
Other portions are copyright of their respective authors.
|
6
|
+
License:: MIT License
|
7
|
+
Websites:: http://github.com/gunark/rubycas-client
|
8
|
+
http://code.google.com/p/rubycas-client
|
9
|
+
http://rubyforge.org/projects/rubycas-client
|
10
|
+
|
11
|
+
|
12
|
+
|
13
|
+
=== RubyCAS-Client is a Ruby client library for Yale's Central Authentication Service (CAS) protocol.
|
14
|
+
|
15
|
+
CAS provides a secure single sign on solution for web-based applications. The user logs in to your
|
16
|
+
organization's CAS server, and is automatically authenticated for all other CAS-enabled applications.
|
17
|
+
|
18
|
+
For general information about the open CAS protocol, please have a look at http://www.ja-sig.org/products/cas.
|
19
|
+
|
20
|
+
If your organization does not already have a CAS server, you may be interested in RubyCAS-Client's sister project,
|
21
|
+
RubyCAS-Server[http://code.google.com/p/rubycas-server/].
|
22
|
+
|
23
|
+
The RubyCAS-Client package includes adapters for Rails and Merb, although the client library itself can be
|
24
|
+
adapted for other frameworks (for example an implementation for Camping is available via the Picnic[http://github.com/zuk/picnic/tree/master]
|
25
|
+
library).
|
26
|
+
|
27
|
+
|
28
|
+
== Getting help and reporting problems
|
29
|
+
|
30
|
+
If you need help, try posting to the RubyCAS discussion group at http://groups.google.com/group/rubycas-server.
|
31
|
+
|
32
|
+
To report problems, please use the Google Code issue tracker at http://code.google.com/p/rubycas-client/issues/list.
|
33
|
+
|
34
|
+
API documentation (i.e. the RDocs) are available at http://rubycas-client.rubyforge.org
|
35
|
+
|
36
|
+
|
37
|
+
== Installation
|
38
|
+
|
39
|
+
You can download the latest version of RubyCAS-Client from the project's rubyforge page at
|
40
|
+
http://rubyforge.org/projects/rubycas-client.
|
41
|
+
|
42
|
+
However, if you're using Rails, it's easier to install the CAS client as a plugin:
|
43
|
+
|
44
|
+
cd <your rails app>
|
45
|
+
./script/plugin install http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
|
46
|
+
|
47
|
+
Alternatively, the library is also installable as a RubyGem[http://rubygems.org]:
|
48
|
+
|
49
|
+
gem install rubycas-client
|
50
|
+
|
51
|
+
If your Rails application is under Subversion control, you can also install the plugin as an svn:external, ensuring that
|
52
|
+
you always have the latest bleeding-edge version of RubyCAS-Client:
|
53
|
+
|
54
|
+
./script/plugin install -x http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
|
55
|
+
|
56
|
+
With Rails 2.1 or newer, it is also possible to install the plugin directly from the bleeding-edge git repository:
|
57
|
+
|
58
|
+
./script/plugin install git://github.com/gunark/rubycas-client.git
|
59
|
+
|
60
|
+
== Usage Examples
|
61
|
+
|
62
|
+
If you'd rather jump right in, have a look at the example Rails and Merb applications pre-configured for CAS
|
63
|
+
authentication:
|
64
|
+
|
65
|
+
http://github.com/gunark/rubycas-client/tree/master/examples
|
66
|
+
|
67
|
+
|
68
|
+
Otherwise, continue reading for a step-by-step guide for integrating RubyCAS-Client with Rails:
|
69
|
+
|
70
|
+
|
71
|
+
==== Using RubyCAS-Client in Rails controllers
|
72
|
+
|
73
|
+
<i>Note that from this point on we are assuming that you have a working CAS server up and running!</i>
|
74
|
+
|
75
|
+
After installing RubyCAS-Client as a plugin (see above), add the following to your app's <tt>config/environment.rb</tt>
|
76
|
+
(make sure that you put it at the bottom of the file, *after* the Rails Initializer):
|
77
|
+
|
78
|
+
CASClient::Frameworks::Rails::Filter.configure(
|
79
|
+
:cas_base_url => "https://cas.example.foo/"
|
80
|
+
)
|
81
|
+
|
82
|
+
(Change the <tt>:cas_base_url</tt> value to your CAS server's base URL; also note that many CAS servers are configured
|
83
|
+
with a base URL that looks more like "https://cas.example.foo/cas".)
|
84
|
+
|
85
|
+
Then, in your <tt>app/controllers/application.rb</tt> (or in whichever controller you want to add the CAS filter for):
|
86
|
+
|
87
|
+
before_filter CASClient::Frameworks::Rails::Filter
|
88
|
+
|
89
|
+
That's it. You should now find that you are redirected to your CAS login page whenever you try to access any action
|
90
|
+
in your protected controller. You can of course qualify the <tt>before_filter</tt> as you would with any other ActionController
|
91
|
+
filter. For example:
|
92
|
+
|
93
|
+
before_filter CASClient::Frameworks::Rails::Filter, :except => [ :unprotected_action, :another_unprotected_action ]
|
94
|
+
|
95
|
+
<b>Once the user has been authenticated, their authenticated username is available under <tt>session[:cas_user]</tt>,</b>
|
96
|
+
If you want to do something with this username (for example load a user record from the database), you can append another
|
97
|
+
filter method that checks for this value and does whatever you need it to do.
|
98
|
+
|
99
|
+
<b>Note:</b> If Rails complains about missing constants, try adding this before the CASClient configuration:
|
100
|
+
|
101
|
+
require 'casclient'
|
102
|
+
require 'casclient/frameworks/rails/filter'
|
103
|
+
|
104
|
+
|
105
|
+
==== A more complicated example
|
106
|
+
|
107
|
+
Here is a more complicated configuration showing most of the configuration options along with their default values
|
108
|
+
(this does not show proxy options, which are covered in the next section):
|
109
|
+
|
110
|
+
# enable detailed CAS logging
|
111
|
+
cas_logger = CASClient::Logger.new(RAILS_ROOT+'/log/cas.log')
|
112
|
+
cas_logger.level = Logger::DEBUG
|
113
|
+
|
114
|
+
CASClient::Frameworks::Rails::Filter.configure(
|
115
|
+
:cas_base_url => "https://cas.example.foo/",
|
116
|
+
:login_url => "https://cas.example.foo/login",
|
117
|
+
:logout_url => "https://cas.example.foo/logout",
|
118
|
+
:validate_url => "https://cas.example.foo/proxyValidate",
|
119
|
+
:username_session_key => :cas_user,
|
120
|
+
:extra_attributes_session_key => :cas_extra_attributes,
|
121
|
+
:logger => cas_logger,
|
122
|
+
:enable_single_sign_out => true
|
123
|
+
)
|
124
|
+
|
125
|
+
Note that normally it is not necessary to specify <tt>:login_url</tt>, <tt>:logout_url</tt>, and <tt>:validate_url</tt>.
|
126
|
+
These values are automatically set to standard CAS defaults based on the given <tt>:cas_base_url</tt>.
|
127
|
+
|
128
|
+
The <tt>:username_session_key</tt> value determines the key under which you can find the CAS username in the Rails session hash.
|
129
|
+
|
130
|
+
Any additional info that the CAS server might have supplied about the user during authentication will be found under the
|
131
|
+
<tt>:extra_attributes_session_key</tt> value in the Rails session hash (i.e. given the above configuration, you would find this
|
132
|
+
info under <tt>session[:cas_extra_attributes]</tt>).
|
133
|
+
|
134
|
+
An arbitrary Logger instance can be given as the :logger parameter. In the example above we log all CAS activity to a
|
135
|
+
<tt>log/cas.log</tt> file in your Rails app's directory.
|
136
|
+
|
137
|
+
==== Re-authenticating on every request (i.e. the "single sign-out problem")
|
138
|
+
|
139
|
+
By default, the Rails filter will only authenticate with the CAS server when no session[:cas_user] value exists. Once the user
|
140
|
+
has been authenticated, no further CAS forwarding is done until the user's session is wiped. This saves you
|
141
|
+
the trouble of having to do this check yourself (since in most cases it is not advisable to go through the CAS server
|
142
|
+
on every request -- this is slow and would potentially lead to problems, for example for AJAX requests). However,
|
143
|
+
the disadvantage is that the filter no longer checks to make sure that the user's CAS session is still actually open.
|
144
|
+
In other words it is possible for the user's authentication session to be closed on the CAS server without the
|
145
|
+
client application knowing about it.
|
146
|
+
|
147
|
+
To address this, RubyCAS-Client now supports the new "Single Sign-Out" functionality in CAS 3.1, allowing the server to
|
148
|
+
notify the client application that the CAS session is closed. The client will automatically intercept Single Sign-Out
|
149
|
+
requsts from the CAS server, but in order for this to work you must configure your Rails application as follows:
|
150
|
+
|
151
|
+
1. The Rails session store must be set to ActiveRecord: <tt>config.action_controller.session_store = :active_record_store</tt>
|
152
|
+
2. The server must be able to read and write to RAILS_ROOT/tmp/sessions. If you are in a clustered environment,
|
153
|
+
the contents of this directory must be shared between all server instances.
|
154
|
+
3. Cross-site request forgery protection must be disabled. In your <tt>application.rb</tt>: <tt>self.allow_forgery_protection = false</tt>.
|
155
|
+
(Or rather you may want to disable forgery protection only for actions that are behind the CAS filter.)
|
156
|
+
4. Finally, you must add <tt>:enable_single_sign_out => true</tt> to your CAS client config (a similar option must be
|
157
|
+
enabled on the CAS server, if you're using RubyCAS-Server).
|
158
|
+
|
159
|
+
The best way to debug single-sign out functionality is to configure your CAS client with logging (see above) and then watch the
|
160
|
+
log to ensure that single-sign out requests from the server are being processed correctly.
|
161
|
+
|
162
|
+
|
163
|
+
Alternatively, it is possible to disable authentication persistence in the client by setting the <tt>:authenticate_on_every_request</tt>
|
164
|
+
configuration option to true as, in the example in the previous section. However, this is not recommended as it will almost
|
165
|
+
certainly have a deleterious impact on performance and can interfere with certain HTTP transactions (AJAX requests, for example).
|
166
|
+
|
167
|
+
|
168
|
+
==== Defining a 'logout' action
|
169
|
+
|
170
|
+
Your Rails application's controller(s) will probably have some sort of logout function. Here you can do any necessary local
|
171
|
+
cleanup, and then call <tt>CASClient::Frameworks::Rails::Filter.logout(controller)</tt>. For example:
|
172
|
+
|
173
|
+
class ApplicationController < ActionController::Base
|
174
|
+
|
175
|
+
# ...
|
176
|
+
|
177
|
+
def logout
|
178
|
+
# optionally do some local cleanup here
|
179
|
+
# ...
|
180
|
+
|
181
|
+
CASClient::Frameworks::Rails::Filter.logout(self)
|
182
|
+
end
|
183
|
+
end
|
184
|
+
|
185
|
+
By default, the logout method will clear the local Rails session, do some local CAS cleanup, and redirect to the CAS
|
186
|
+
logout page. Additionally, the <tt>request.referer</tt> value from the <tt>controller</tt> instance is passed to the
|
187
|
+
CAS server as a 'destination' parameter. This allows RubyCAS server to provide a follow-up login page allowing
|
188
|
+
the user to log back in to the service they just logged out from using a different username and password. Other
|
189
|
+
CAS server implemenations may use this 'destination' parameter in different ways.
|
190
|
+
|
191
|
+
==== Gatewayed (i.e. optional) authentication
|
192
|
+
|
193
|
+
"Gatewaying" essentially allows for optional CAS authentication. Users who already have a pre-existing CAS SSO session
|
194
|
+
will be automatically authenticated for the gatewayed service, while those who do not will be allowed to access the service
|
195
|
+
without authentication. This is useful for example when you want to show some additional private content on a homepage to
|
196
|
+
authenticated users, but also want anonymous users to be able to access the page without first logging in.
|
197
|
+
|
198
|
+
To allow users to access a page without authenticatin, simply use <tt>CASClient::Frameworks::Rails::GatewayFilter</tt>
|
199
|
+
in place of <tt>CASClient::Frameworks::Rails::Filter</tt> in your controller. For example, you may want to require
|
200
|
+
CAS authentication for all actions in a controller except the index action:
|
201
|
+
|
202
|
+
class ExampleController < ApplicationController
|
203
|
+
before_filter CASClient::Frameworks::Rails::GatewayFilter, :only => :index
|
204
|
+
before_filter CASClient::Frameworks::Rails::Filter, :except => :index
|
205
|
+
|
206
|
+
# ...
|
207
|
+
end
|
208
|
+
|
209
|
+
To provide a login URL for unauthenticated users:
|
210
|
+
|
211
|
+
<%= link_to("Login", CASClient::Frameworks::Rails::Filter.login_url(controller)) %>
|
212
|
+
|
213
|
+
==== How to act as a CAS proxy
|
214
|
+
|
215
|
+
CAS 2.0 has a built-in mechanism that allows a CAS-authenticated application to pass on its authentication to other applications.
|
216
|
+
An example where this is useful might be a portal site, where the user logs in to a central website and then gets forwarded to
|
217
|
+
various other sites that run independently of the portal system (but are always accessed via the portal). The exact mechanism
|
218
|
+
behind this is rather complicated so I won't go over it here. If you wish to learn more about CAS proxying, a great walkthrough
|
219
|
+
is available at http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough.
|
220
|
+
|
221
|
+
RubyCAS-Client fully supports proxying, so a CAS-protected Rails application can act as a CAS proxy.
|
222
|
+
|
223
|
+
Additionally, RubyCAS-Client comes with a controller that can act as a CAS proxy callback receiver. This is necessary because
|
224
|
+
when your application requests to act as a CAS proxy, the CAS server must contact your application to deposit the proxy-granting-ticket
|
225
|
+
(PGT). Note that in this case the CAS server CONTACTS YOU, rather than you contacting the CAS server (as in all other CAS operations).
|
226
|
+
|
227
|
+
Confused? Don't worry, you don't really have to understand this to use it. To enable your Rails app to act as a CAS proxy,
|
228
|
+
all you need to do is this:
|
229
|
+
|
230
|
+
In your <tt>config/environment.rb</tt>:
|
231
|
+
|
232
|
+
# enable detailed CAS logging for easier troubleshooting
|
233
|
+
cas_logger = CASClient::Logger.new(RAILS_ROOT+'/log/cas.log')
|
234
|
+
cas_logger.level = Logger::DEBUG
|
235
|
+
|
236
|
+
CASClient::Frameworks::Rails::Filter.configure(
|
237
|
+
:cas_base_url => "https://cas.example.foo/",
|
238
|
+
:proxy_retrieval_url => "https://cas-proxy-callback.example.foo/cas_proxy_callback/retrieve_pgt",
|
239
|
+
:proxy_callback_url => "https://cas-proxy-callback.example.foo/cas_proxy_callback/receive_pgt",
|
240
|
+
:logger => cas_logger
|
241
|
+
)
|
242
|
+
|
243
|
+
In <tt>config/routes.rb</tt> make sure that you have a route that will allow requests to /cas_proxy_callback/:action to be routed to the
|
244
|
+
CasProxyCallbackController. This should work as-is with the standard Rails routes setup, but if you have disabled the default
|
245
|
+
route, you should add the following:
|
246
|
+
|
247
|
+
map.cas_proxy_callback 'cas_proxy_callback/:action', :controller => 'cas_proxy_callback'
|
248
|
+
|
249
|
+
Now here's a big giant caveat: <b>your CAS callback application and your CAS proxy application must run on separate Rails servers</b>.
|
250
|
+
In other words, if you want a Rails app to act as a CAS ticket-granting proxy, the cas_proxy_callback controller
|
251
|
+
must run on a different server. This is because Rails does not properly support handling of concurrent requests. The CAS proxy mechanism
|
252
|
+
acts in such a way that if your proxy application and your callback controller were on the same server
|
253
|
+
you would end up with a deadlock (the CAS server would be waiting for its callback to be accepted by your Rails server,
|
254
|
+
but your Rails server wouldn't respond to the CAS server's callback until the CAS server responded back first).
|
255
|
+
|
256
|
+
The simplest workaround is this:
|
257
|
+
|
258
|
+
1. Create an empty rails app (i.e. something like <tt>rails cas_proxy_callback</tt>)
|
259
|
+
2. Make sure that you have the CAS plugin installed. If you installed it as a gem, you don't have to do anything since
|
260
|
+
it is already installed. If you want to install as a plugin, see the instructions in the "Installing" section above.
|
261
|
+
3. Make sure that the server is up and running, and configure your proxy_callback_url and proxy_retrieval_url to point
|
262
|
+
to the new server as described above (or rather, make Pound point to the new server, if that's how you're handling https).
|
263
|
+
|
264
|
+
That's it. The proxy_callback_controller doesn't require any additional configuration. It doesn't access the database
|
265
|
+
or anything of that sort.
|
266
|
+
|
267
|
+
Once your user logs in to CAS via your application, you can do the following to obtain a service ticket that can then be used
|
268
|
+
to authenticate another application:
|
269
|
+
|
270
|
+
service_uri = "http://some-other-application.example.foo"
|
271
|
+
proxy_granting_ticket = session[:cas_pgt]
|
272
|
+
proxy_ticket = CASClient::Frameworks::Rails::Filter.client.request_proxy_ticket(service_uri, proxy_granting_ticket)
|
273
|
+
|
274
|
+
<tt>proxy_ticket</tt> should now contain a valid proxy ticket. You can use it to authenticate other services by sending it together with
|
275
|
+
the service URI as parameters to your target application:
|
276
|
+
|
277
|
+
http://some-other-application.example.foo?service=#{CGI::escape(proxy_ticket.service)}&ticket=#{proxy_ticket.ticket}
|
278
|
+
|
279
|
+
This is of course assuming that http://some-other-application.example.foo is also protected by the CAS filter.
|
280
|
+
Note that you should always URI-encode your service parameter inside URIs!
|
281
|
+
|
282
|
+
Note that #request_proxy_ticket returns a CASClient::ProxyTicket object, which is why we need to call #ticket on it
|
283
|
+
to retrieve the actual service ticket string.
|
284
|
+
|
285
|
+
===== Additional proxying notes and caveats
|
286
|
+
|
287
|
+
<b>The proxy url must be an https address.</b> Otherwise CAS will refuse to communicate with it. This means that if you are using
|
288
|
+
the bundled cas_proxy_callback controller, you will have to host your application on an https-enabled server. This can be a bit
|
289
|
+
tricky with Rails. WEBrick's SSL support is difficult to configure, and Mongrel doesn't support SSL at all. One workaround is to
|
290
|
+
use a reverse proxy like Pound[http://www.apsis.ch/pound/], which will accept https connections and locally re-route them
|
291
|
+
to your Rails application. Also, note that <i>self-signed SSL certificates likely won't work</i>. You will probably need to use
|
292
|
+
a real certificate purchased from a trusted CA authority (there are ways around this, but good luck :)
|
293
|
+
|
294
|
+
|
295
|
+
== SSL Support
|
296
|
+
|
297
|
+
Make sure you have the Ruby OpenSSL library installed. Otherwise you may get errors like:
|
298
|
+
|
299
|
+
no such file to load -- net/https
|
300
|
+
|
301
|
+
To install the library on an Debian/Ubuntu system:
|
302
|
+
|
303
|
+
sudo apt-get install libopenssl-ruby
|
304
|
+
|
305
|
+
For other platforms you'll have to figure it out yourself.
|
306
|
+
|
307
|
+
== Testing
|
308
|
+
|
309
|
+
In some cases, especially those using Cucumber or other tools that simply can't work with
|
310
|
+
CAS, it may be necessary to work around CAS instead.
|
311
|
+
|
312
|
+
In your test or Cucumber step definition, simply fake out CAS.
|
313
|
+
|
314
|
+
CASClient::Frameworks::Rails::Filter.fake("homer")
|
315
|
+
|
316
|
+
This functionality was present in the original version of this plugin.
|
317
|
+
The value of the username is stored in session[:cas_user] (or the user specified field) and session[:casfilteruser] for backwards-compatibility.
|
318
|
+
|
319
|
+
== License
|
320
|
+
|
321
|
+
RubyCAS-Client is licensed for use under the terms of the MIT License.
|
322
|
+
See the LICENSE.txt file bundled with the official RubyCAS-Client distribution for details.
|
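Review bot: the Testing section (the `CASClient::Frameworks::Rails::Filter.fake("homer")` line) documents an authentication bypass without saying where it may be called from; the README should state plainly that `fake` is for the test environment only and must not be reachable from application code, e.g. "Call this only from test code; never wire it into a controller or an environment-conditional in production", since anything that can call it logs in as an arbitrary username without ever contacting CAS. Two smaller documentation points in the same hunk: the proxying example reads the proxy-granting ticket from `session[:cas_pgt]`, and a PGT is a bearer credential that can mint proxy tickets for any service, so the text should warn readers to keep the session server-side rather than in a client-visible cookie store; and the caveat "self-signed SSL certificates likely won't work ... there are ways around this, but good luck :)" should instead say what the supported route is (have the CAS server trust the proxy callback's certificate) and that disabling certificate verification is not an acceptable workaround, otherwise readers will reach for exactly that.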
data/Rakefile
ADDED
@@ -0,0 +1,63 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
require 'rake'
|
3
|
+
require 'rake/clean'
|
4
|
+
require 'rake/testtask'
|
5
|
+
require 'rake/packagetask'
|
6
|
+
require 'rake/gempackagetask'
|
7
|
+
require 'rake/rdoctask'
|
8
|
+
require 'rake/contrib/rubyforgepublisher'
|
9
|
+
require 'fileutils'
|
10
|
+
require 'hoe'
|
11
|
+
include FileUtils
|
12
|
+
require File.join(File.dirname(__FILE__), 'lib', 'casclient', 'version')
|
13
|
+
|
14
|
+
AUTHOR = ["Matt Zukowski", "Matt Walker"] # can also be an array of Authors
|
15
|
+
EMAIL = "matt at roughest dot net"
|
16
|
+
DESCRIPTION = "Client library for the Central Authentication Service (CAS) protocol."
|
17
|
+
GEM_NAME = "rubycas-client" # what ppl will type to install your gem
|
18
|
+
RUBYFORGE_PROJECT = "rubycas-client" # The unix name for your project
|
19
|
+
HOMEPATH = "http://#{RUBYFORGE_PROJECT}.rubyforge.org"
|
20
|
+
|
21
|
+
ENV['NODOT'] = '1'
|
22
|
+
|
23
|
+
NAME = "rubycas-client"
|
24
|
+
REV = nil
|
25
|
+
#REV = `svn info`[/Revision: (\d+)/, 1] rescue nil
|
26
|
+
VERS = ENV['VERSION'] || (CASClient::VERSION::STRING + (REV ? ".#{REV}" : ""))
|
27
|
+
CLEAN.include ['**/.*.sw?', '*.gem', '.config']
|
28
|
+
RDOC_OPTS = ['--quiet', '--title', "rubycas-client documentation",
|
29
|
+
"--opname", "index.html",
|
30
|
+
"--line-numbers",
|
31
|
+
"--main", "README",
|
32
|
+
"--inline-source"]
|
33
|
+
|
34
|
+
class Hoe
|
35
|
+
def extra_deps
|
36
|
+
@extra_deps.reject { |x| Array(x).first == 'hoe' }
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
# Generate all the Rake tasks
|
41
|
+
# Run 'rake -T' to see list of generated tasks (from gem root directory)
|
42
|
+
hoe = Hoe.new(GEM_NAME, VERS) do |p|
|
43
|
+
p.author = AUTHOR
|
44
|
+
p.description = DESCRIPTION
|
45
|
+
p.email = EMAIL
|
46
|
+
p.summary = DESCRIPTION
|
47
|
+
p.url = HOMEPATH
|
48
|
+
p.rubyforge_name = RUBYFORGE_PROJECT if RUBYFORGE_PROJECT
|
49
|
+
p.test_globs = ["test/**/*_test.rb"]
|
50
|
+
p.clean_globs = CLEAN #An array of file patterns to delete on clean.
|
51
|
+
|
52
|
+
# == Optional
|
53
|
+
#p.changes - A description of the release's latest changes.
|
54
|
+
#p.extra_deps - An array of rubygem dependencies.
|
55
|
+
#p.spec_extras - A hash of extra values to set in the gemspec.
|
56
|
+
p.extra_deps = ['activesupport']
|
57
|
+
end
|
58
|
+
|
59
|
+
desc 'Build and install rubycas-client'
|
60
|
+
task :install do
|
61
|
+
system "gem build rubycas-client.gemspec"
|
62
|
+
system "sudo gem install rubycas-client-#{VERS}.gem"
|
63
|
+
end
|
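Review bot: the `:install` task builds shell command strings by interpolation (`system "sudo gem install rubycas-client-#{VERS}.gem"`) where `VERS` comes from `ENV['VERSION']` a few lines earlier, so an unquoted environment value is handed to a root shell; pass arguments as a list instead, e.g. `sh "gem", "install", "rubycas-client-#{VERS}.gem"`, which also uses Rake's `sh` so a failing `gem build` aborts the task instead of `system` silently returning false and the install step running anyway. Dropping `sudo` from the task and leaving privilege escalation to the person running it would be better still. Separately, `p.extra_deps = ['activesupport']` declares the dependency with no version constraint, so installs will pull whatever ActiveSupport is current; add the version range the client is actually tested against.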