rubycas-client 2.2.1 → 2.3.0.rc1

data/examples/rails/script/about

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+$LOAD_PATH.unshift "#{RAILTIES_PATH}/builtin/rails_info"
+require 'commands/about'

data/examples/rails/script/console

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/console'

data/examples/rails/script/server

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/server'

data/lib/casclient/client.rb

@@ -1,8 +1,9 @@
 module CASClient
   # The client brokers all HTTP transactions with the CAS server.
   class Client
-    attr_reader :cas_base_url 
+    attr_reader :cas_base_url, :cas_destination_logout_param_name
     attr_reader :log, :username_session_key, :extra_attributes_session_key
+    attr_reader :ticket_store
     attr_writer :login_url, :validate_url, :proxy_url, :logout_url, :service_url
     attr_accessor :proxy_callback_url, :proxy_retrieval_url
     
@@ -15,7 +16,14 @@ module CASClient
 
       raise ArgumentError, "Missing :cas_base_url parameter!" unless conf[:cas_base_url]
       
+      if conf.has_key?("encode_extra_attributes_as")
+        unless (conf[:encode_extra_attributes_as] == :json || conf[:encode_extra_attributes_as] == :yaml)
+          raise ArgumentError, "Unkown Value for :encode_extra_attributes_as parameter! Allowed options are json or yaml - #{conf[:encode_extra_attributes_as]}"
+        end
+      end
+   
       @cas_base_url      = conf[:cas_base_url].gsub(/\/$/, '')       
+      @cas_destination_logout_param_name = conf[:cas_destination_logout_param_name]
       
       @login_url    = conf[:login_url]
       @logout_url   = conf[:logout_url]
@@ -24,15 +32,23 @@ module CASClient
       @service_url  = conf[:service_url]
       @force_ssl_verification  = conf[:force_ssl_verification]
       @proxy_callback_url  = conf[:proxy_callback_url]
-      @proxy_retrieval_url = conf[:proxy_retrieval_url]
       
       @username_session_key         = conf[:username_session_key] || :cas_user
       @extra_attributes_session_key = conf[:extra_attributes_session_key] || :cas_extra_attributes
+      @ticket_store_class = conf[:ticket_store] || CASClient::Tickets::Storage::LocalDirTicketStore
+      @ticket_store = @ticket_store_class.new conf[:ticket_store_config]
+      raise CASException, "The Ticket Store is not a subclass of AbstractTicketStore, it is a #{@ticket_store_class}" unless @ticket_store.kind_of? CASClient::Tickets::Storage::AbstractTicketStore
       
       @log = CASClient::LoggerWrapper.new
       @log.set_real_logger(conf[:logger]) if conf[:logger]
+      @ticket_store.log = @log
+      @conf_options = conf
     end
     
+    def cas_destination_logout_param_name
+      @cas_destination_logout_param_name || "destination"
+    end
+
     def login_url
       @login_url || (cas_base_url + "/login")
     end
@@ -69,7 +85,7 @@ module CASClient
       if destination_url || follow_url
         uri = URI.parse(url)
         h = uri.query ? query_to_hash(uri.query) : {}
-        h['destination'] = destination_url if destination_url
+        h[cas_destination_logout_param_name] = destination_url if destination_url
         h['url'] = follow_url if follow_url
         uri.query = hash_to_query(h)
         uri.to_s
@@ -87,11 +103,17 @@ module CASClient
       h = uri.query ? query_to_hash(uri.query) : {}
       h['service'] = st.service
       h['ticket'] = st.ticket
-      h['renew'] = 1 if st.renew
+      h['renew'] = "1" if st.renew
       h['pgtUrl'] = proxy_callback_url if proxy_callback_url
       uri.query = hash_to_query(h)
       
-      st.response = request_cas_response(uri, ValidationResponse)
+      response = request_cas_response(uri, ValidationResponse)
+      st.user = response.user
+      st.extra_attributes = response.extra_attributes
+      st.pgt_iou = response.pgt_iou
+      st.success = response.is_success?
+      st.failure_code = response.failure_code
+      st.failure_message = response.failure_message
       
       return st
     end
@@ -133,7 +155,13 @@ module CASClient
       )
       
       res = submit_data_to_cas(login_url, data)
-      CASClient::LoginResponse.new(res)
+      response = CASClient::LoginResponse.new(res)
+
+      if response.is_success?
+        log.info("Login was successful for ticket: #{response.ticket.inspect}.")
+      end
+
+      return response
     end
   
     # Requests a login ticket from the CAS server for use in a login request;
@@ -166,37 +194,22 @@ module CASClient
       h['targetService'] = target_service
       uri.query = hash_to_query(h)
       
-      pr = request_cas_response(uri, ProxyResponse)
+      response = request_cas_response(uri, ProxyResponse)
       
-      pt = ProxyTicket.new(pr.proxy_ticket, target_service)
-      pt.response = pr
+      pt = ProxyTicket.new(response.proxy_ticket, target_service)
+      pt.success = response.is_success?
+      pt.failure_code = response.failure_code
+      pt.failure_message = response.failure_message
       
       return pt
     end
     
     def retrieve_proxy_granting_ticket(pgt_iou)
-      uri = URI.parse(proxy_retrieval_url)
-      uri.query = (uri.query ? uri.query + "&" : "") + "pgtIou=#{CGI.escape(pgt_iou)}"
-      retrieve_url = uri.to_s
-      
-      log.debug "Retrieving PGT for PGT IOU #{pgt_iou.inspect} from #{retrieve_url.inspect}"
-      
-#      https = Net::HTTP.new(uri.host, uri.port)
-#      https.use_ssl = (uri.scheme == 'https')
-#      res = https.post(uri.path, ';')
-      uri = URI.parse(uri) unless uri.kind_of? URI
-      https = Net::HTTP.new(uri.host, uri.port)
-      https.use_ssl = (uri.scheme == 'https')
-      https.verify_mode = (@force_ssl_verification ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE)
-      
-      res = https.start do |conn|
-        conn.get("#{uri.path}?#{uri.query}")
-      end
-      
-      
-      raise CASException, res.body unless res.kind_of? Net::HTTPSuccess
-      
-      ProxyGrantingTicket.new(res.body.strip, pgt_iou)
+      pgt = @ticket_store.retrieve_pgt(pgt_iou)
+
+      raise CASException, "Couldn't find pgt for pgt_iou #{pgt_iou}" unless pgt
+
+      ProxyGrantingTicket.new(pgt, pgt_iou)
     end
     
     def add_service_to_login_url(service_url)
@@ -208,7 +221,7 @@ module CASClient
     private
     # Fetches a CAS response of the given type from the given URI.
     # Type should be either ValidationResponse or ProxyResponse.
-    def request_cas_response(uri, type)
+    def request_cas_response(uri, type, options={})
       log.debug "Requesting CAS response for URI #{uri}"
       
       uri = URI.parse(uri) unless uri.kind_of? URI
@@ -234,8 +247,8 @@ module CASClient
         log.error "CAS server responded with an error! (#{raw_res.inspect})"
         raise "The CAS authentication server at #{uri} responded with an error (#{raw_res.inspect})!"
       end
-      
-      type.new(raw_res.body)
+     
+      type.new(raw_res.body, @conf_options)
     end
     
     # Submits some data to the given URI and returns a Net::HTTPResponse.
@@ -257,9 +270,9 @@ module CASClient
       pairs = []
       hash.each do |k, vals|
         vals = [vals] unless vals.kind_of? Array
-        vals.each {|v| pairs << "#{CGI.escape(k)}=#{CGI.escape(v)}"}
+        vals.each {|v| pairs << (v.nil? ? CGI.escape(k) : "#{CGI.escape(k)}=#{CGI.escape(v)}")}
       end
       pairs.join("&")
     end
   end
-end
+end

data/lib/casclient/frameworks/rails/cas_proxy_callback_controller.rb

@@ -1,5 +1,3 @@
-require 'pstore'
-
 # Rails controller that responds to proxy generating ticket callbacks from the CAS server and allows
 # for retrieval of those PGTs.
 class CasProxyCallbackController < ActionController::Base
@@ -24,46 +22,14 @@ class CasProxyCallbackController < ActionController::Base
     render :text => "Okay, the server is up, but please specify a pgtIou and pgtId." and return unless pgtIou and pgtId
     
     # TODO: pstore contents should probably be encrypted...
-    pstore = open_pstore
-    
-    pstore.transaction do
-      pstore[pgtIou] = pgtId
-    end
     
+    casclient = CASClient::Frameworks::Rails::Filter.client
+
+    casclient.ticket_store.save_pgt_iou(pgtIou, pgtId)
+
     render :text => "PGT received. Thank you!" and return
   end
   
-  # Retreives a proxy granting ticket, sends it to output, and deletes the pgt from session storage.
-  # Note that this action should ALWAYS be called via https, otherwise you have a gaping security hole --
-  # in fact, the action will not work if the request is not made via SSL or is not local (we allow for local
-  # non-SSL requests since this allows for the use of reverse HTTPS proxies like Pound).
-  def retrieve_pgt
-    #render_error "You can only retrieve PGTs via HTTPS or local connections." and return unless
-    #  request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
-    
-    pgtIou = params['pgtIou']
-    
-    render_error "No pgtIou specified. Cannot retreive the pgtId." and return unless pgtIou
-  
-    pstore = open_pstore
-  
-    pgt = nil
-    pstore.transaction do
-      pgt = pstore[pgtIou]
-    end
-    
-    if not pgt
-      render_error "Invalid pgtIou specified. Perhaps this pgt has already been retrieved?" and return
-    end
-    
-    render :text => pgt
-    
-    # TODO: need to periodically clean the storage, otherwise it will just keep growing
-    pstore.transaction do
-      pstore.delete pgtIou
-    end
-  end
-  
   private
     def render_error(msg)
       # Note that the error messages are mostly just for debugging, since the CAS server never reads them.
@@ -71,6 +37,6 @@ class CasProxyCallbackController < ActionController::Base
     end
     
     def open_pstore
-      PStore.new("#{RAILS_ROOT}/tmp/cas_pgt.pstore")
+      PStore.new("#{::Rails.root}/tmp/cas_pgt.pstore")
     end
 end

data/lib/casclient/frameworks/rails/filter.rb

@@ -2,14 +2,14 @@ module CASClient
   module Frameworks
     module Rails
       class Filter
-        cattr_reader :config, :log, :client
+        cattr_reader :config, :log, :client, :fake_user, :fake_extra_attribues
         
         # These are initialized when you call configure.
         @@config = nil
         @@client = nil
         @@log = nil
         @@fake_user = nil
-        
+        @@fake_extra_attributes = nil
         
         class << self
           def filter(controller)
@@ -18,11 +18,12 @@ module CASClient
             if @@fake_user
               controller.session[client.username_session_key] = @@fake_user
               controller.session[:casfilteruser] = @@fake_user
+              controller.session[client.extra_attributes_session_key] = @@fake_extra_attributes if @@fake_extra_attributes
               return true
             end
             
-            
             last_st = controller.session[:cas_last_valid_ticket]
+            last_st_service = controller.session[:cas_last_valid_ticket_service]
             
             if single_sign_out(controller)
               controller.send(:render, :text => "CAS Single-Sign-Out request intercepted.")
@@ -31,17 +32,14 @@ module CASClient
 
             st = read_ticket(controller)
             
-            is_new_session = true
-            
             if st && last_st && 
-                last_st.ticket == st.ticket && 
-                last_st.service == st.service
+                last_st == st.ticket && 
+                last_st_service == st.service
               # warn() rather than info() because we really shouldn't be re-validating the same ticket. 
               # The only situation where this is acceptable is if the user manually does a refresh and 
               # the same ticket happens to be in the URL.
               log.warn("Re-using previously validated ticket since the ticket id and service are the same.")
-              st = last_st
-              is_new_session = false
+              return true
             elsif last_st &&
                 !config[:authenticate_on_every_request] && 
                 controller.session[client.username_session_key]
@@ -53,44 +51,42 @@ module CASClient
               # the :authenticate_on_every_request config option to true. However, this is not desirable since
               # it will almost certainly break POST request, AJAX calls, etc.
               log.debug "Existing local CAS session detected for #{controller.session[client.username_session_key].inspect}. "+
-                "Previous ticket #{last_st.ticket.inspect} will be re-used."
-              st = last_st
-              is_new_session = false
+                "Previous ticket #{last_st.inspect} will be re-used."
+              return true
             end
             
             if st
               client.validate_service_ticket(st) unless st.has_been_validated?
-              vr = st.response
               
               if st.is_valid?
-                if is_new_session
-                  log.info("Ticket #{st.ticket.inspect} for service #{st.service.inspect} belonging to user #{vr.user.inspect} is VALID.")
-                  controller.session[client.username_session_key] = vr.user.dup
-                  controller.session[client.extra_attributes_session_key] = HashWithIndifferentAccess.new(vr.extra_attributes)
+                #if is_new_session
+                  log.info("Ticket #{st.ticket.inspect} for service #{st.service.inspect} belonging to user #{st.user.inspect} is VALID.")
+                  controller.session[client.username_session_key] = st.user.dup
+                  controller.session[client.extra_attributes_session_key] = HashWithIndifferentAccess.new(st.extra_attributes) if st.extra_attributes
                   
-                  if vr.extra_attributes
-                    log.debug("Extra user attributes provided along with ticket #{st.ticket.inspect}: #{vr.extra_attributes.inspect}.")
+                  if st.extra_attributes
+                    log.debug("Extra user attributes provided along with ticket #{st.ticket.inspect}: #{st.extra_attributes.inspect}.")
                   end
                   
                   # RubyCAS-Client 1.x used :casfilteruser as it's username session key,
                   # so we need to set this here to ensure compatibility with configurations
                   # built around the old client.
-                  controller.session[:casfilteruser] = vr.user
+                  controller.session[:casfilteruser] = st.user
                   
                   if config[:enable_single_sign_out]
-                    f = store_service_session_lookup(st, controller.request.session_options[:id] || controller.session.session_id)
-                    log.debug("Wrote service session lookup file to #{f.inspect} with session id #{controller.request.session_options[:id] || controller.session.session_id.inspect}.")
+                    client.ticket_store.store_service_session_lookup(st, controller)
                   end
-                end
+                #end
               
                 # Store the ticket in the session to avoid re-validating the same service
                 # ticket with the CAS server.
-                controller.session[:cas_last_valid_ticket] = st
+                controller.session[:cas_last_valid_ticket] = st.ticket
+                controller.session[:cas_last_valid_ticket_service] = st.service
                 
-                if vr.pgt_iou
-                  unless controller.session[:cas_pgt] && controller.session[:cas_pgt].ticket && controller.session[:cas_pgt].iou == vr.pgt_iou
+                if st.pgt_iou
+                  unless controller.session[:cas_pgt] && controller.session[:cas_pgt].ticket && controller.session[:cas_pgt].iou == st.pgt_iou
                     log.info("Receipt has a proxy-granting ticket IOU. Attempting to retrieve the proxy-granting ticket...")
-                    pgt = client.retrieve_proxy_granting_ticket(vr.pgt_iou)
+                    pgt = client.retrieve_proxy_granting_ticket(st.pgt_iou)
 
                     if pgt
                       log.debug("Got PGT #{pgt.ticket.inspect} for PGT IOU #{pgt.iou.inspect}. This will be stored in the session.")
@@ -98,18 +94,16 @@ module CASClient
                       # For backwards compatibility with RubyCAS-Client 1.x configurations...
                       controller.session[:casfilterpgt] = pgt
                     else
-                      log.error("Failed to retrieve a PGT for PGT IOU #{vr.pgt_iou}!")
+                      log.error("Failed to retrieve a PGT for PGT IOU #{st.pgt_iou}!")
                     end
                   else
-                    log.info("PGT is present in session and PGT IOU #{vr.pgt_iou} matches the saved PGT IOU.  Not retrieving new PGT.")
+                    log.info("PGT is present in session and PGT IOU #{st.pgt_iou} matches the saved PGT IOU.  Not retrieving new PGT.")
                   end
-
                 end
-                
                 return true
               else
-                log.warn("Ticket #{st.ticket.inspect} failed validation -- #{vr.failure_code}: #{vr.failure_message}")
-                unauthorized!(controller, vr)
+                log.warn("Ticket #{st.ticket.inspect} failed validation -- #{st.failure_code}: #{st.failure_message}")
+                unauthorized!(controller, st)
                 return false
               end
             else # no service ticket was present in the request
@@ -121,6 +115,7 @@ module CASClient
 
                 if use_gatewaying?
                   log.info "This CAS client is configured to use gatewaying, so we will permit the user to continue without authentication."
+                  controller.session[client.username_session_key] = nil
                   return true
                 else
                   log.warn "The CAS client is NOT configured to allow gatewaying, yet this request was gatewayed. Something is not right!"
@@ -138,7 +133,7 @@ module CASClient
           
           def configure(config)
             @@config = config
-            @@config[:logger] = RAILS_DEFAULT_LOGGER unless @@config[:logger]
+            @@config[:logger] = ::Rails.logger unless @@config[:logger]
             @@client = CASClient::Client.new(config)
             @@log = client.log
           end
@@ -147,8 +142,11 @@ module CASClient
           # with cucumber and other tools.
           # use like 
           #  CASClient::Frameworks::Rails::Filter.fake("homer")
-          def fake(username)
+          # you can also fake extra attributes by including a second parameter
+          #  CASClient::Frameworks::Rails::Filter.fake("homer", {:roles => ['dad', 'husband']})
+          def fake(username, extra_attributes = nil)
             @@fake_user = username
+            @@fake_extra_attributes = extra_attributes
           end
           
           def use_gatewaying?
@@ -164,6 +162,41 @@ module CASClient
             log.debug("Generated login url: #{url}")
             return url
           end
+
+          # allow controllers to reuse the existing config to auto-login to
+          # the service
+          # 
+          # Use this from within a controller. Pass the controller, the
+          # login-credentials and the path that you want the user
+          # resdirected to on success.
+          #
+          # When writing a login-action you must check the return-value of
+          # the response to see if it failed!
+          #
+          # If it worked - you need to redirect the user to the service -
+          # path, because that has the ticket that will *actually* log them
+          # into your system
+          #
+          # example:
+          # def autologin
+          #   resp = CASClient::Frameworks::Rails::Filter.login_to_service(self, credentials, dashboard_url)
+          #   if resp.is_faiulure?
+          #     flash[:error] = 'Login failed'
+          #     render :action => 'login'
+          #   else
+          #     return redirect_to(@resp.service_redirect_url)
+          #   end
+          # end
+          def login_to_service(controller, credentials, return_path)
+            resp = @@client.login_to_service(credentials, return_path)
+            if resp.is_failure?
+              log.info("Validation failed for service #{return_path.inspect} reason: '#{resp.failure_message}'")
+            else
+              log.info("Ticket #{resp.ticket.inspect} for service #{return_path.inspect} is VALID.")
+            end
+            
+            resp
+          end
           
           # Clears the given controller's local Rails session, does some local 
           # CAS cleanup, and redirects to the CAS logout page. Additionally, the
@@ -179,17 +212,25 @@ module CASClient
           def logout(controller, service = nil)
             referer = service || controller.request.referer
             st = controller.session[:cas_last_valid_ticket]
-            delete_service_session_lookup(st) if st
+            @@client.ticket_store.cleanup_service_session_lookup(st) if st
             controller.send(:reset_session)
             controller.send(:redirect_to, client.logout_url(referer))
           end
           
           def unauthorized!(controller, vr = nil)
-            if controller.params[:format] == "xml"
+            format = controller.request.format.to_sym
+            format = (format == :js ? :json : format)
+            case format
+            when :xml, :json
               if vr
-                controller.send(:render, :xml => "<errors><error>#{vr.failure_message}</error></errors>", :status => 401)
+                case format
+                when :xml
+                  controller.send(:render, :xml => { :error => vr.failure_message }.to_xml(:root => 'errors'), :status => :unauthorized)
+                when :json
+                  controller.send(:render, :json => { :errors => { :error => vr.failure_message }}, :status => :unauthorized)
+                end
               else
-                controller.send(:head, 401)
+                controller.send(:head, :unauthorized)
               end
             else
               redirect_to_cas_for_authentication(controller)
@@ -238,8 +279,10 @@ module CASClient
             
             if controller.request.post? &&
                 controller.params['logoutRequest'] &&
-                controller.params['logoutRequest'] =~
-                  %r{^<samlp:LogoutRequest.*?<samlp:SessionIndex>(.*)</samlp:SessionIndex>}m
+                #This next line checks the logoutRequest value for both its regular and URI.escape'd form. I couldn't get
+                #it to work without URI.escaping it from rubycas server's side, this way it will work either way.
+                [controller.params['logoutRequest'],URI.unescape(controller.params['logoutRequest'])].find{|xml| xml =~
+                    %r{^<samlp:LogoutRequest.*?<samlp:SessionIndex>(.*)</samlp:SessionIndex>}m}
               # TODO: Maybe check that the request came from the registered CAS server? Although this might be
               #       pointless since it's easily spoofable...
               si = $~[1]
@@ -250,38 +293,8 @@ module CASClient
               end
               
               log.debug "Intercepted single-sign-out request for CAS session #{si.inspect}."
-              
-              begin
-                required_sess_store = ActiveRecord::SessionStore
-                current_sess_store  = ActionController::Base.session_store
-              rescue NameError
-                # for older versions of Rails (prior to 2.3)
-                required_sess_store = CGI::Session::ActiveRecordStore
-                current_sess_store  = ActionController::Base.session_options[:database_manager]
-              end
 
-
-              if current_sess_store == required_sess_store
-                session_id = read_service_session_lookup(si)
-
-                if session_id
-                  session = current_sess_store::Session.find_by_session_id(session_id)
-                  if session
-                    session.destroy
-                    log.debug("Destroyed #{session.inspect} for session #{session_id.inspect} corresponding to service ticket #{si.inspect}.")
-                  else
-                    log.debug("Data for session #{session_id.inspect} was not found. It may have already been cleared by a local CAS logout request.")
-                  end
-                  
-                  log.info("Single-sign-out for session #{session_id.inspect} completed successfuly.")
-                else
-                  log.warn("Couldn't destroy session with SessionIndex #{si} because no corresponding session id could be looked up.")
-                end
-              else
-                log.error "Cannot process logout request because this Rails application's session store is "+
-                  " #{current_sess_store.name.inspect}. Single Sign-Out only works with the "+
-                  " #{required_sess_store.name.inspect} session store."
-              end
+              @@client.ticket_store.process_single_sign_out(si)             
               
               # Return true to indicate that a single-sign-out request was detected
               # and that further processing of the request is unnecessary.
@@ -322,49 +335,9 @@ module CASClient
             log.debug("Guessed service url: #{service_url.inspect}")
             return service_url
           end
-          
-          # Creates a file in tmp/sessions linking a SessionTicket
-          # with the local Rails session id. The file is named
-          # cas_sess.<session ticket> and its text contents is the corresponding 
-          # Rails session id.
-          # Returns the filename of the lookup file created.
-          def store_service_session_lookup(st, sid)
-            st = st.ticket if st.kind_of? ServiceTicket
-            f = File.new(filename_of_service_session_lookup(st), 'w')
-            f.write(sid)
-            f.close
-            return f.path
-          end
-          
-          # Returns the local Rails session ID corresponding to the given
-          # ServiceTicket. This is done by reading the contents of the
-          # cas_sess.<session ticket> file created in a prior call to 
-          # #store_service_session_lookup.
-          def read_service_session_lookup(st)
-            st = st.ticket if st.kind_of? ServiceTicket
-            ssl_filename = filename_of_service_session_lookup(st)
-            return File.exists?(ssl_filename) && IO.read(ssl_filename)
-          end
-          
-          # Removes a stored relationship between a ServiceTicket and a local
-          # Rails session id. This should be called when the session is being
-          # closed.
-          #
-          # See #store_service_session_lookup.
-          def delete_service_session_lookup(st)
-            st = st.ticket if st.kind_of? ServiceTicket
-            ssl_filename = filename_of_service_session_lookup(st)
-            File.delete(ssl_filename) if File.exists?(ssl_filename)
-          end
-          
-          # Returns the path and filename of the service session lookup file.
-          def filename_of_service_session_lookup(st)
-            st = st.ticket if st.kind_of? ServiceTicket
-            return "#{RAILS_ROOT}/tmp/sessions/cas_sess.#{st}"
-          end
         end
       end
-    
+
       class GatewayFilter < Filter
         def self.use_gatewaying?
           return true unless @@config[:use_gatewaying] == false