rubycas-client 0.10.1 → 0.11.0

data/CHANGES

@@ -0,0 +1,46 @@
+= RubyCAS-Client Changelog
+
+== Version 0.11.0
+
+* Added this changelog to advise users of major changes to the library.
+
+* Large chunks of the library have been re-written. Beware of the possibility
+  of new bugs (although the re-write was meant to fix a whole slew of existing
+  bugs, so you're almost certainly better off upgrading).
+
+* service and targetService parameters in requests are now properly URI-encoded,
+  so the filter should behave properly when your service has query parameters.
+  Thanks sakazuki for pointing out the problem.
+
+* You can now force the CAS client to re-authenticate itself with the CAS server
+  (i.e. override the authentication stored in the session) by providing a new
+  service ticket in the URI. In other words, the client will authenticate with
+  CAS if: a) you have a 'ticket' parameter in the URI, and there is currently no
+  authentication info in the session, or b) you have a 'ticket' parameter in the
+  URI and this ticket is different than the ticket that was used to authenticat
+  the existing session. This is especially useful when you are using CAS proxying,
+  since it allows you to force re-authentication in proxied applications (for
+  example, when the user has logged out and a new user has logged in in the parent
+  proxy-granting application).
+
+* If your service URI has a 'ticket' parameter, it will now be automatically
+  removed when passing the service as a parameter in any CAS request. This is
+  done because at least some CAS servers will happily accept a service URI with
+  a 'ticket' parameter, which will result in a URI with  multiple 'ticket' 
+  parameters once you are redirected back to CAS (and that in turn can result 
+  in an endless redirection loop).
+
+* Logging has been greatly improved, which should make debugging your CAS
+  installation much easier. Look for the logs under log/cas_client_RAILS_ENV.log
+
+* When you install RubyCAS-Client as a Rails plugin, it will now by default
+  use a custom logger. You can change this by explicitly setting your own
+  logger in your environment.rb, or by modifying the plugin's init.rb.
+
+* CasProxyCallbackController no longer checks to make sure that the incoming
+  request is secure. The check is impossible since the secure header is not 
+  passed on by at least some reverse proxies (like Pound), and if you are using
+  the callback controller then you are almost certainly also using a reverse
+  proxy.
+
+* Cleaned up and updated documentation, fixed some example code.

data/README

@@ -1,6 +1,6 @@
 = RubyCAS-Client
 
-Author::    Ola Bini <ola.bini AT ki DOT se>, Matt Zukowski <matt AT roughest DOT net>, Matt Walker <mwalker AT tamu DOT edu>
+Author::    Matt Zukowski <matt AT roughest DOT net>, Ola Bini <ola.bini AT ki DOT se>, Matt Walker <mwalker AT tamu DOT edu>
 Copyright:: (c) 2006 Karolinska Institutet, portions (c) 2006 Urbacon Ltd.
 License::   GNU Lesser General Public License v2.1 (LGPL 2.1)
 Website::   http://rubyforge.org/projects/rubycas-client and http://code.google.com/p/rubycas-client
@@ -22,15 +22,16 @@ This CAS client library is designed to work easily with Rails, but can of course
 == Installing
 
 You can always download the latest version of RubyCAS-Client from the project's rubyforge page at http://rubyforge.org/projects/rubycas-client.
-However probably the easiest way to install CAS support into your Rails app is via the plugins facility:
+However, probably the easiest way to install CAS support into your Rails app is via the plugins facility:
 
-  ./script/plugin install http://rubycas-client.rubyforge.org/plugin/rubycas-client
+  ./script/plugin install http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
 
 Alternatively, the library is also available as a gem, which can be installed by:
 
   gem install rubycas-client
   
-The latest development version is availabe via subversion:
+If your Rails application is under subversion control, you can also install the plugin as an external, which will ensure that
+you are always up to date:
 
   ./script/plugin install -x http://rubycas-client.googlecode.com/svn/trunk/rubycas-client
   
@@ -45,6 +46,12 @@ Somewhere in your <tt>config/environment.rb</tt> file add this (assuming that yo
 you'll need to <tt>require 'cas_auth'</tt> and <tt>require 'cas_proxy_callback_controller'</tt>):
 
   CAS::Filter.cas_base_url = "https://login.example.com/cas"
+  
+You will also probably (but not necessarily) need to specify the server name where your CAS-protected app is running:
+
+  CAS::Filter.server_name = "yourapplication.example.com:3000"
+
+The above setting might not be necessary if your application is running on the standard port 80.
 
 Then, in your <tt>app/controllers/application.rb</tt> (or in whatever controller you want to add the CAS filter for):
 
@@ -127,14 +134,18 @@ to authenticate another application:
 
   service_uri = "http://some.other.application"
   proxy_granting_ticket = session[:casfilterpgt]
-  ticket = CAS::Filter.request_proxy_ticket(service_uri, proxy_granting_ticket)
+  ticket = CAS::Filter.request_proxy_ticket(service_uri, proxy_granting_ticket).proxy_ticket
 
-<tt>ticket</tt> should now contain a valid service ticket. You can use it to authenticate your other by sending it and the service URI
+<tt>ticket</tt> should now contain a valid service ticket. You can use it to authenticate by sending it and the service URI
 as query parameters to your target application:
 
-  http://some.other.application?service=#{ticket.target_service}&ticket=#{ticket.proxy_ticket}
+  http://some.other.application?service=#{CGI.encode(ticket.target_service)}&ticket=#{ticket.proxy_ticket}
   
-This is of course assuming that some.other.application is also protected by the CAS filter.
+This is of course assuming that some.other.application is also protected by the CAS filter. 
+Note that you should always URI-encode your service parameter inside URIs!
+
+Note that CAS::Filter#request_proxy_ticket actually returns a CAS::ProxyTicketRequest object, which is why we need to call
+#proxy_ticket on it to retrieve the actual service ticket.
 
 For extra security -- and you will likely want to do this on production machines in the wild -- in the proxied app's configuration
 (some.other.appliction in this example) you can specify the list of authorized proxies. For example, on your proxied app the CAS

data/init.rb

@@ -1,12 +1,20 @@
 require 'cas_auth'
+require 'cas_logger'
 require 'cas_proxy_callback_controller'
 
 #CAS::Filter.logger = RAILS_DEFAULT_LOGGER if !RAILS_DEFAULT_LOGGER.nil?
 #CAS::Filter.logger = config.logger if !config.logger.nil?
 
-CAS::Filter.logger = Logger.new "#{RAILS_ROOT}/log/cas_filter.log"
-CAS::Filter.logger.level = Logger::DEBUG
+CAS::Filter.logger = CAS::Logger.new("#{RAILS_ROOT}/log/cas_client_#{RAILS_ENV}.log", 1024000)
+CAS::Filter.logger.formatter = CAS::Logger::Formatter.new
+
+#if RAILS_ENV == "production"
+#  CAS::Filter.logger.level = Logger::WARN
+#else
+  CAS::Filter.logger.level = Logger::DEBUG
+#end
+
 
 #class ActionController::Base
 #  append_before_filter CAS::Filter
-#end
+#end

data/lib/cas.rb

@@ -57,6 +57,7 @@ module CAS
   class AbstractCASResponse
   
     def self.retrieve(uri_str)
+#      puts uri_str
       prs = URI.parse(uri_str)
 #      puts prs.inspect
       https = Net::HTTP.new(prs.host,prs.port)
@@ -105,7 +106,7 @@ module CAS
       raise ValidationException, "must set validation URL and ticket" if validate_url.nil? || service_ticket.nil?
       clear!
       @attempted_authentication = true
-      url_building = "#{validate_url}#{(url_building =~ /\?/)?'&':'?'}service=#{service}&ticket=#{service_ticket}"
+      url_building = "#{validate_url}#{(url_building =~ /\?/)?'&':'?'}service=#{CGI.escape(service)}&ticket=#{service_ticket}"
       url_building += "&pgtUrl=#{proxy_callback_url}" if proxy_callback_url
       url_building += "&renew=true" if renew
       @@entire_response = ServiceTicketValidator.retrieve url_building
@@ -169,7 +170,7 @@ module CAS
     attr_reader :proxy_ticket
   
     def request
-      url_building = "#{proxy_url}#{(url_building =~ /\?/)?'&':'?'}targetService=#{target_service}&pgt=#{pgt}"
+      url_building = "#{proxy_url}#{(url_building =~ /\?/)?'&':'?'}pgt=#{pgt}&targetService=#{CGI.escape(target_service)}"
 #      puts "REQUESTING:"+url_building
       @@entire_response = ServiceTicketValidator.retrieve url_building
 #      puts @@entire_response.to_s

data/lib/cas_auth.rb

@@ -1,6 +1,11 @@
-require 'uri'
+require 'cgi'
 require 'logger'
 
+# these requires are needed when outside of a Rails app context (e.g. in unit tests)
+require 'rubygems'
+require 'active_support'
+require 'action_controller'
+
 require File.dirname(File.expand_path(__FILE__))+'/cas'
 
 module CAS
@@ -85,6 +90,7 @@ module CAS
 
 
     class << self
+    
       # Retrieves the current Logger instance
       def logger
         CAS::LOGGER
@@ -92,32 +98,34 @@ module CAS
       def logger=(val)
         CAS::LOGGER.set_logger(val)
       end
-
+  
       alias :log :logger
       alias :log= :logger=
-
+  
       def create_logout_url
         if !@@logout_url && @@login_url =~ %r{^(.+?)/[^/]*$}
           @@logout_url = "#{$1}/logout"
         end
-        logger.info "Created logout-url: #{@@logout_url}"
+        logger.info "Created logout url: #{@@logout_url}"
       end
       
       def logout_url(controller)
         create_logout_url unless @@logout_url
         url = redirect_url(controller,@@logout_url)
-        logger.info "Using logout-url #{url}"
+        logger.info "Logout url is: #{url}"
         url
       end
       
-      def logout_url=(val)
-        @@logout_url = val
+      def logout_url=(url)
+        @@logout_url = url
+        logger.info "Set logout url to: #{url}"
       end
       
       def cas_base_url=(url)
         CAS::Filter.login_url = "#{url}/login"
         CAS::Filter.validate_url = "#{url}/proxyValidate"
         CAS::Filter.proxy_url = "#{url}/proxy"
+        logger.info "Set CAS base url to: #{url}"
       end
         
       def fake
@@ -127,14 +135,17 @@ module CAS
       def fake=(val)
         if val.nil?
           alias :filter :filter_r
+          logger.info "Will use real filter"
         else
           alias :filter :filter_f
+          logger.warn "Will use fake filter"
+          end
+          @@fake = val
         end
-        @@fake = val
-      end
-
+  
       def filter_f(controller)
-        logger.debug("entering fake cas filter")
+          logger.break
+          logger.warn("Using fake CAS filter")
         username = @@fake
         if :failure == @@fake
           return false
@@ -143,147 +154,244 @@ module CAS
         elsif Proc === @@fake
           username = @@fake.call(controller)
         end
-        logger.debug("our username is: #{username}")
+        logger.info("The username set by the fake filter is: #{username}")
         controller.session[@@session_username] = username
         return true
       end
       
       def filter_r(controller)
-        logger.debug("filter of controller: #{controller}")
-        receipt = controller.session[:casfilterreceipt]
-        logger.info("receipt: #{receipt}")
-        valid = false
-        if receipt
-          valid = validate_receipt(receipt)
-          logger.info("valid receipt?: #{valid}")
-        else
-          reqticket = controller.params["ticket"]
-          logger.info("ticket: #{reqticket}")
-          if reqticket
-            # We temporarily allow ActionController requests to be handled concurrently.
-            # Otherwise proxy granting ticket callbacks from CAS wouldn't work, since
-            # the Rails server would be deadlocked while it waits for the CAS server to validate
-            # the ticket, and the CAS server waits for the Rails server to receive the PGT callback.
-            # Note that since the allow_concurrency option is undocumented and considered
-            # experimental, what we're doing here may cause unforseen problems. Beware!
-            ActionController::Base.allow_concurrency = true
-            receipt = authenticated_user(reqticket,controller)
-            ActionController::Base.allow_concurrency = false
+        logger.break
+        logger.info("Using real CAS filter in controller: #{controller}")
+          session_receipt = controller.session[:casfilterreceipt]
+          session_ticket = controller.session[:caslastticket]
+          ticket = controller.params[:ticket]
+  
+          is_valid = false
+          
+          if ticket and (!session_ticket or session_ticket != ticket)
+            log.info "A ticket parameter was given in the URI: #{ticket} and "+
+              (!session_ticket ? "there is no previous ticket for this session" : 
+                  "the ticket is different than the previous ticket, which was #{session_ticket}")
+          
+          receipt = get_receipt_for_ticket(ticket, controller)
+          
+          if receipt && validate_receipt(receipt)
+            logger.info("Receipt for ticket request #{ticket} is valid, belongs to user #{receipt.user_name}, and will be stored in the session.")
+            controller.session[:casfilterreceipt] = receipt
+            controller.session[:caslastticket] = ticket
+            controller.session[@@session_username] = receipt.user_name
             
-            logger.info("new receipt: #{receipt}")
-            logger.info("validate_receipt: " + validate_receipt(receipt).to_s)
-            if receipt && validate_receipt(receipt)
-              controller.session[:casfilterreceipt] = receipt
-              controller.session[@@session_username] = receipt.user_name
-              
-              if receipt.pgt_iou
-                ActionController::Base.allow_concurrency = true
-                retrieve_url = "#{@@proxy_retrieval_url}?pgtIou=#{receipt.pgt_iou}"
-                logger.info("retrieving pgt from: #{retrieve_url}")
-                controller.session[:casfilterpgt] = CAS::ServiceTicketValidator.retrieve(retrieve_url)
-                ActionController::Base.allow_concurrency = false
+            if receipt.pgt_iou
+              logger.info("Receipt has a proxy-granting ticket IOU. Attempting to retrieve the proxy-granting ticket...")
+              pgt = retrieve_pgt(receipt)
+              if pgt
+                log.debug("Got PGT #{pgt} for PGT IOU #{receipt.pgt_iou}. This will be stored in the session.")
+                controller.session[:casfilterpgt] = pgt
+              else
+                log.warning("Failed to retrieve a PGT for PGT IOU #{receipt.pgt_iou}!")
               end
-              
-              valid = true
             end
+            
+            is_valid = true
           else
-            did_gateway = controller.session[:casfiltergateway]
-            raise CASException, "Can't redirect without login url" if !@@login_url
-            if did_gateway
-              if controller.session[@@session_username]
-                valid = true
-              else
-                controller.session[:casfiltergateway] = true
-              end
+            if receipt
+              log.warn "get_receipt_for_ticket() for ticket #{ticket} did not return a receipt!"
             else
+              log.warn "Receipt was invalid for ticket #{ticket}!"
+            end
+          end
+          
+        elsif session_receipt
+        
+          log.info "Validating receipt from the session because " + 
+            (ticket ? "the given ticket #{ticket} is the same as the old ticket" : "there was no ticket given in the URI") + "."
+          log.debug "The session receipt is: #{session_receipt}"
+          
+          is_valid = validate_receipt(session_receipt)
+          
+          if is_valid
+            log.info "The session receipt is VALID"
+          else 
+            log.warn "The session receipt is NOT VALID!"
+          end
+          
+        else
+          
+          log.info "No ticket was given and we do not have a receipt in the session."
+        
+          did_gateway = controller.session[:casfiltergateway]
+          raise CASException, "Can't redirect without login url" unless @@login_url
+          
+          if did_gateway
+            if controller.session[@@session_username]
+              log.info "We gatewayed and have a username stored in the session. The gateway was therefore successful."
+              is_valid = true
+            else
+              log.debug "We gatewayed but do not have a username stored in the session, so we will keep session[:casfiltergateway] true"
               controller.session[:casfiltergateway] = true
             end
+          else
+            log.info "We did not gateway, so we will notify the filter that the next request is being gatewayed by setting sesson[:casfiltergateway} to true"
+            controller.session[:casfiltergateway] = true
           end
+          
+        end
+        
+        if is_valid
+          logger.info "This request is successfully CAS authenticated for user #{controller.session[@@session_username]}!"
+          return true
+        else
+          logger.info "This request is NOT CAS authenticated, so we will redirect to the login page at: #{redirect_url(controller)}"
+            controller.send :redirect_to, redirect_url(controller) and return false
         end
-        logger.info("will send redirect #{redirect_url(controller)}") if !valid
-        controller.send :redirect_to,redirect_url(controller) if !valid
-        return valid
       end
       alias :filter :filter_r
-      
-      
+        
+        
       def request_proxy_ticket(target_service, pgt)
         r = ProxyTicketRequest.new
         r.proxy_url = @@proxy_url
-        r.target_service = escape_service_uri(target_service)
+        r.target_service = target_service
         r.pgt = pgt
-
-        raise "Cannot request a proxy ticket for service #{r.target_service} because no proxy granting ticket (PGT) has been set." unless r.pgt
+  
+        raise CAS::ProxyGrantingNotAvailable, "Cannot request a proxy ticket for service #{r.target_service} because no proxy granting ticket (PGT) has been set." unless r.pgt
         
-        logger.info("requesting proxy ticket for service #{r.target_service} with pgt #{pgt}")
+        logger.info("Requesting proxy ticket for service: #{r.target_service} with PGT #{pgt}")
         r.request
         
         if r.proxy_ticket
-          logger.info("got proxy ticket #{r.proxy_ticket} for service #{r.target_service}")
+          logger.info("Got proxy ticket #{r.proxy_ticket} for service #{r.target_service}")
         else
-          logger.warn("did not receive a proxy ticket for service #{r.target_service}!")
+          logger.warn("Did not receive a proxy ticket for service #{r.target_service}!")
         end
         
         return r
       end
     end
     
+    
+    
     private
-    def self.validate_receipt(receipt)       
-        if receipt
-          logger.debug "authorized proxies: #{@@authorized_proxies.inspect}"
-          logger.debug "proxying service: #{receipt.proxying_service.inspect}"
+    
+      def self.retrieve_pgt(receipt)
+        retrieve_url = "#{@@proxy_retrieval_url}?pgtIou=#{receipt.pgt_iou}"
+                
+        logger.debug("Will attempt to retrieve the PGT from: #{retrieve_url}")
+        
+        pgt = CAS::ServiceTicketValidator.retrieve(retrieve_url)
+        
+        logger.info("Retrieved the PGT: #{pgt}")
+        
+        return pgt
+      end
+    
+      def self.validate_receipt(receipt)
+        logger.info "Checking that the receipt is valid and coherent..."
+        
+        if not receipt
+          logger.info "No receipt given, so the receipt is invalid"
+          return false
+        elsif @@renew && !receipt.primary_authentication?
+          logger.info "The filter is configured to force primary authentication (i.e. the renew options is set to true), but the receipt was not generated by primary authentication so we consider it invalid"
+          return false
         end
         
-        valid = receipt && !(@@renew && !receipt.primary_authentication?)
+        if receipt.proxied?    
+          logger.info "The receipt is proxied by proxying service: #{receipt.proxying_service}"
+          
+          if @@authorized_proxies and !@@authorized_proxies.empty?
+            logger.debug "Authorized proxies are: #{@@authorized_proxies.inspect}"
+            
+            if !@@authorized_proxies.include? receipt.proxying_service
+              logger.warn "Receipt was proxied by #{receipt_proxying_service} but this proxying service is not in the list of authorized proxies. The receipt is therefore invalid."
+              return false
+            else
+              logger.info "Receipt is proxied by a valid proxying service."
+            end
+          else
+            logger.info "No authorized proxies set, so any proxy will be considered valid"
+          end
+        else
+          logger.info "Receipt is not proxied"
+        end
         
-        if @@authorized_proxies and !@@authorized_proxies.empty?
-          valid = valid && !(receipt.proxied? && !@@authorized_proxies.include?(receipt.proxying_service)) 
+        return true
+      end
+  
+      def self.get_receipt_for_ticket(ticket, controller)
+        logger.info "Getting receipt for ticket '#{ticket}'"
+        pv = ProxyTicketValidator.new
+        pv.validate_url = @@validate_url
+        pv.service_ticket = ticket
+        pv.service = service_url(controller)
+        pv.renew = @@renew
+        pv.proxy_callback_url = @@proxy_callback_url
+        receipt = nil
+        logger.debug "ProxyTicketValidator is: #{pv.inspect}"
+        begin
+          receipt = Receipt.new(pv)
+        rescue AuthenticationException => e
+          logger.warn("Getting a receipt for the ProxyTicketValidator threw an exception: #{e}")
         end
+        logger.debug "Receipt is: #{receipt.inspect}"
+        receipt
+      end
+      
+      def self.service_url(controller)
+        unclean = @@service_url || guess_service(controller)
+        clean = remove_ticket_from_service_uri(unclean)
+        logger.debug("Service URI with ticket removed is: #{clean}")
+        clean
+      end
+      
+      # FIXME: this method is really poorly named :(
+      def self.redirect_url(controller,url=@@login_url)
+        "#{url}?service=#{CGI.escape(service_url(controller))}" + ((@@renew)? "&renew=true":"") + ((@@gateway)? "&gateway=true":"") + ((@@query_string.blank?)? "" : "&"+(@@query_string.collect { |k,v| "#{k}=#{v}"}.join("&")))
+      end
+      
+      def self.guess_service(controller)
+        logger.info "Guessing service based on params: #{controller.params.inspect}"
         
-        return valid
-    end
-
-    def self.authenticated_user(tick, controller)
-      pv = ProxyTicketValidator.new
-      pv.validate_url = @@validate_url
-      pv.service_ticket = tick
-      pv.service = service_url(controller)
-      pv.renew = @@renew
-      pv.proxy_callback_url = @@proxy_callback_url
-      receipt = nil
-      logger.debug("pv: #{pv.inspect}")
-      begin
-        receipt = Receipt.new(pv)
-      rescue AuthenticationException=>auth
-        logger.warn("filter: had an authentication-exception #{auth}")
+        # we're assuming that controller.params[:service] is url-encoded!
+        if controller.params and controller.params.include? :service
+          service = controller.params[:service]
+          logger.info "We have a :service param, so we will URI-decode it and use this as the service: #{controller.params[:service]}"
+          return service
+        end
+        
+        req = controller.request
+        
+        if controller.params
+          parms = controller.params.dup
+        else
+          parms = {}
+        end
+        
+        parms.delete("ticket")
+        
+        query = (parms.collect {|key, val| "#{key}=#{val}"}).join("&")
+        query = "?" + query unless query.empty?
+        
+        service = "#{req.protocol}#{@@server_name}#{req.request_uri.split(/\?/)[0]}#{query}"
+        
+        logger.info "Guessed service is: #{service}"
+        
+        return service
       end
-      receipt
-    end
-    def self.service_url(controller)
-      before = @@service_url || guess_service(controller)
-      logger.debug("before: #{before}")
-      after = escape_service_uri(before)
-      logger.debug("after: #{after}")
-      after
-    end
-    def self.redirect_url(controller,url=@@login_url)
-      "#{url}?service=#{service_url(controller)}" + ((@@renew)? "&renew=true":"") + ((@@gateway)? "&gateway=true":"") + ((@@query_string.nil?)? "" : "&"+(@@query_string.collect { |k,v| "#{k}=#{v}"}.join("&")))
-    end
-    def self.guess_service(controller)
-      # we're assuming that controller.params[:service] is url-encoded!
-      return controller.params[:service] if controller.params.include? :service
       
-      req = controller.request
-      parms = controller.params.dup
-      parms.delete("ticket")
-      query = (parms.collect {|key, val| "#{key}=#{val}"}).join("&")
-      query = "?" + query unless query.empty?
-      "#{req.protocol}#{@@server_name}#{req.request_uri.split(/\?/)[0]}#{query}"
-    end
-    def self.escape_service_uri(uri)
-      URI.encode(uri, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]", false, 'U').freeze)
-    end
+      def self.escape_service_uri(uri)
+        URI.encode(uri, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]", false, 'U').freeze)
+      end
+      
+      # The service URI should never have a ticket parameter, but we use this to remove
+      # any parameters named "ticket" just in case, as having a "ticket" parameter in the
+      # service URI will generally cause an infinite redirection loop.
+      def self.remove_ticket_from_service_uri(uri)
+        uri.gsub(/ticket=[^&$]*&?/, '')
+      end
+  end
+  
+  class ProxyGrantingNotAvailable < Exception
   end
 end
 

data/lib/cas_logger.rb

@@ -0,0 +1,27 @@
+require 'logger'
+
+# this overrides clean_logger.rb in Rails that pretty much completely breaks logging #!@%*(#@*$&%!!...
+module CAS
+  class Logger < ::Logger
+    def initialize(logdev, shift_age = 0, shift_size = 1048576)
+      @default_formatter = CAS::Logger::Formatter.new
+      super
+    end
+  
+    def format_message(severity, datetime, progrname, msg)
+      (@formatter || @default_formatter).call(severity, datetime, progname, msg)
+    end
+    
+    def break
+      self << "\n"
+    end
+    
+    class Formatter < ::Logger::Formatter
+      Format = "[%s#%d] %5s -- %s: %s\n"
+      
+      def call(severity, time, progname, msg)
+        Format % [format_datetime(time), $$, severity, progname, msg2str(msg)]
+      end
+    end
+  end
+end

data/lib/cas_proxy_callback_controller.rb

@@ -8,8 +8,10 @@ class CasProxyCallbackController < ActionController::Base
   # Note that this action should ALWAYS be called via https, otherwise you have a gaping security hole.
   # In fact, the JA-SIG implementation of the CAS server will refuse to send PGTs to non-https URLs.
   def receive_pgt
-    render_error "PGTs can be received only via HTTPS or local connections." and return unless
-      request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
+	#FIXME: these checks don't work because REMOTE_HOST doesn't work consistently under all web servers (for example it doesn't work at all under mongrel)
+	#				... need to find a reliable way to check if the request came through from a reverse HTTPS proxy -- until then I'm disabling this check
+    #render_error "PGTs can be received only via HTTPS or local connections." and return unless
+    #  request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
 
     pgtIou = params['pgtIou']
     pgtId = params['pgtId']
@@ -34,8 +36,8 @@ class CasProxyCallbackController < ActionController::Base
   # in fact, the action will not work if the request is not made via SSL or is not local (we allow for local
   # non-SSL requests since this allows for the use of reverse HTTPS proxies like Pound).
   def retrieve_pgt
-    render_error "You can only retrieve PGTs via HTTPS or local connections." and return unless
-      request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
+    #render_error "You can only retrieve PGTs via HTTPS or local connections." and return unless
+    #  request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
     
     pgtIou = params['pgtIou']
     

metadata

@@ -1,10 +1,10 @@
 --- !ruby/object:Gem::Specification 
-rubygems_version: 0.8.11
+rubygems_version: 0.9.0
 specification_version: 1
 name: rubycas-client
 version: !ruby/object:Gem::Version 
-  version: 0.10.1
-date: 2006-10-11 00:00:00 -04:00
+  version: 0.11.0
+date: 2007-01-18 00:00:00 -05:00
 summary: Client library for the CAS single-sign-on protocol.
 require_paths: 
 - lib
@@ -25,6 +25,7 @@ required_ruby_version: !ruby/object:Gem::Version::Requirement
 platform: ruby
 signing_key: 
 cert_chain: 
+post_install_message: 
 authors: 
 - Matt Zukowski
 - Ola Bini
@@ -32,12 +33,14 @@ authors:
 files: 
 - install.rb
 - init.rb
-- lib/cas_proxy_callback_controller.rb
 - lib/cas.rb
+- lib/cas_proxy_callback_controller.rb
 - lib/cas_auth.rb
-- LICENSE
+- lib/cas_logger.rb
+- CHANGES
 - Rakefile
 - README
+- LICENSE
 test_files: []
 
 rdoc_options: