wmernagh-rubycas-server 0.6.99.336
- data/CHANGELOG.txt +1 -0
- data/History.txt +245 -0
- data/LICENSE.txt +504 -0
- data/Manifest.txt +74 -0
- data/PostInstall.txt +3 -0
- data/README.txt +25 -0
- data/Rakefile +4 -0
- data/bin/rubycas-server +26 -0
- data/bin/rubycas-server-ctl +22 -0
- data/config/hoe.rb +76 -0
- data/config/requirements.rb +15 -0
- data/config.example.yml +442 -0
- data/custom_views.example.rb +11 -0
- data/lib/casserver/authenticators/active_directory_ldap.rb +11 -0
- data/lib/casserver/authenticators/base.rb +48 -0
- data/lib/casserver/authenticators/client_certificate.rb +46 -0
- data/lib/casserver/authenticators/ldap.rb +138 -0
- data/lib/casserver/authenticators/ntlm.rb +88 -0
- data/lib/casserver/authenticators/open_id.rb +22 -0
- data/lib/casserver/authenticators/sql.rb +102 -0
- data/lib/casserver/authenticators/sql_encrypted.rb +75 -0
- data/lib/casserver/authenticators/sql_md5.rb +19 -0
- data/lib/casserver/authenticators/test.rb +19 -0
- data/lib/casserver/cas.rb +308 -0
- data/lib/casserver/conf.rb +112 -0
- data/lib/casserver/controllers.rb +452 -0
- data/lib/casserver/environment.rb +26 -0
- data/lib/casserver/models.rb +218 -0
- data/lib/casserver/postambles.rb +174 -0
- data/lib/casserver/utils.rb +30 -0
- data/lib/casserver/version.rb +9 -0
- data/lib/casserver/views.rb +243 -0
- data/lib/casserver.rb +111 -0
- data/lib/rubycas-server/version.rb +1 -0
- data/lib/rubycas-server.rb +1 -0
- data/lib/themes/cas.css +121 -0
- data/lib/themes/notice.png +0 -0
- data/lib/themes/ok.png +0 -0
- data/lib/themes/simple/bg.png +0 -0
- data/lib/themes/simple/login_box_bg.png +0 -0
- data/lib/themes/simple/logo.png +0 -0
- data/lib/themes/simple/theme.css +28 -0
- data/lib/themes/urbacon/bg.png +0 -0
- data/lib/themes/urbacon/login_box_bg.png +0 -0
- data/lib/themes/urbacon/logo.png +0 -0
- data/lib/themes/urbacon/theme.css +33 -0
- data/lib/themes/warning.png +0 -0
- data/misc/basic_cas_single_signon_mechanism_diagram.png +0 -0
- data/misc/basic_cas_single_signon_mechanism_diagram.svg +652 -0
- data/resources/init.d.sh +58 -0
- data/script/console +10 -0
- data/script/destroy +14 -0
- data/script/generate +14 -0
- data/script/txt2html +82 -0
- data/setup.rb +1585 -0
- data/tasks/deployment.rake +34 -0
- data/tasks/environment.rake +7 -0
- data/tasks/website.rake +17 -0
- data/vendor/isaac_0.9.1/LICENSE +26 -0
- data/vendor/isaac_0.9.1/README +78 -0
- data/vendor/isaac_0.9.1/TODO +3 -0
- data/vendor/isaac_0.9.1/VERSIONS +3 -0
- data/vendor/isaac_0.9.1/crypt/ISAAC.rb +171 -0
- data/vendor/isaac_0.9.1/isaac.gemspec +39 -0
- data/vendor/isaac_0.9.1/setup.rb +596 -0
- data/vendor/isaac_0.9.1/test/TC_ISAAC.rb +76 -0
- data/website/index.html +40 -0
- data/website/index.txt +3 -0
- data/website/javascripts/rounded_corners_lite.inc.js +285 -0
- data/website/stylesheets/screen.css +138 -0
- data/website/template.html.erb +40 -0
- metadata +146 -0
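--- a/data/config/hoe.rb
+++ b/data/config/hoe.rb
@@ -0,0 +1,76 @@
+require 'rubycas-server/version'
+
+AUTHOR = 'Matt Zukowski' # can also be an array of Authors
+EMAIL = "matt@zukowski.ca"
+DESCRIPTION = "Provides single sign-on authentication for web applications using the CAS protocol."
+GEM_NAME = 'rubycas-server' # what ppl will type to install your gem
+RUBYFORGE_PROJECT = 'rubycas-server' # The unix name for your project
+HOMEPATH = "http://#{RUBYFORGE_PROJECT}.rubyforge.org"
+DOWNLOAD_PATH = "http://rubyforge.org/projects/#{RUBYFORGE_PROJECT}"
+EXTRA_DEPENDENCIES = [
+['activesupport', '>= 2.0.2'],
+['activerecord', '>= 2.0.2'],
+['picnic', '>= 0.6.5']
+] # An array of rubygem dependencies [name, version]
+
+@config_file = "~/.rubyforge/user-config.yml"
+@config = nil
+RUBYFORGE_USERNAME = "unknown"
+def rubyforge_username
+unless @config
+begin
+@config = YAML.load(File.read(File.expand_path(@config_file)))
+rescue
+puts <<-EOS
+ERROR: No rubyforge config file found: #{@config_file}
+Run 'rubyforge setup' to prepare your env for access to Rubyforge
+- See http://newgem.rubyforge.org/rubyforge.html for more details
+EOS
+exit
+end
+end
+RUBYFORGE_USERNAME.replace @config["username"]
+end
+
+ENV['NODOT'] = '1'
+
+#REV = nil
+# UNCOMMENT IF REQUIRED:
+REV = YAML.load(`svn info`)['Revision']
+VERS = CASServer::VERSION::STRING + (REV ? ".#{REV}" : "")
+RDOC_OPTS = ['--quiet', '--title', 'rubycas-server documentation',
+"--opname", "index.html",
+"--line-numbers",
+"--main", "README",
+"--inline-source"]
+
+class Hoe
+def extra_deps
+@extra_deps.reject! { |x| Array(x).first == 'hoe' }
+@extra_deps
+end
+end
+
+# Generate all the Rake tasks
+# Run 'rake -T' to see list of generated tasks (from gem root directory)
+$hoe = Hoe.new(GEM_NAME, VERS) do |p|
+p.developer(AUTHOR, EMAIL)
+p.description = DESCRIPTION
+p.summary = DESCRIPTION
+p.url = HOMEPATH
+p.rubyforge_name = RUBYFORGE_PROJECT if RUBYFORGE_PROJECT
+p.test_globs = ["test/**/test_*.rb"]
+p.clean_globs |= ['**/.*.sw?', '*.gem', '.config', '**/.DS_Store'] #An array of file patterns to delete on clean.
+
+# == Optional
+p.changes = p.paragraphs_of("History.txt", 0..1).join("\n\n")
+#p.extra_deps = EXTRA_DEPENDENCIES
+
+p.spec_extras = {:executables => ['rubycas-server', 'rubycas-server-ctl']} # A hash of extra values to set in the gemspec.
+end
+
+CHANGES = $hoe.paragraphs_of('History.txt', 0..1).join("\\n\\n")
+PATH = (RUBYFORGE_PROJECT == GEM_NAME) ? RUBYFORGE_PROJECT : "#{RUBYFORGE_PROJECT}"
+$hoe.remote_rdoc_dir = File.join(PATH.gsub(/^#{RUBYFORGE_PROJECT}\/?/,''), 'rdoc')
+$hoe.rsync_args = '-av --delete --ignore-errors'
+$hoe.spec.post_install_message = File.open(File.dirname(__FILE__) + "/../PostInstall.txt").read rescue ""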
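Review bot: The `REV` assignment is live even though the comment directly above it says "UNCOMMENT IF REQUIRED", so every Rakefile load shells out to `svn info`, feeds the command's output into the full `YAML.load` object loader, and raises NoMethodError on nil outside an svn checkout (svn missing or printing nothing). Extracting the one field that is needed is both safer and more robust: `REV = (%x(svn info) rescue '')[/^Revision: (\d+)/, 1]`, which leaves REV nil and VERS unsuffixed when there is no checkout. Separately, `#p.extra_deps = EXTRA_DEPENDENCIES` leaves the gemspec with no runtime dependencies, so `gem install rubycas-server` will not pull in activerecord, activesupport or picnic although the code requires them; unless that omission is deliberate, uncomment it. The bare `rescue` followed by `exit` in rubyforge_username also terminates with status 0, so a missing config file is reported as success to whatever invoked rake.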
@@ -0,0 +1,15 @@
|
|
1
|
+
require 'fileutils'
|
2
|
+
include FileUtils
|
3
|
+
|
4
|
+
require 'rubygems'
|
5
|
+
%w[rake hoe newgem rubigen].each do |req_gem|
|
6
|
+
begin
|
7
|
+
require req_gem
|
8
|
+
rescue LoadError
|
9
|
+
puts "This Rakefile requires the '#{req_gem}' RubyGem."
|
10
|
+
puts "Installation: gem install #{req_gem} -y"
|
11
|
+
exit
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
$:.unshift(File.join(File.dirname(__FILE__), %w[.. lib]))
|
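Review bot: The `rescue LoadError` branch ends with a bare `exit`, which is status 0, so a missing rake/hoe/newgem/rubigen gem prints a message but reports success to the shell or CI job that ran rake; use `exit 1` (or `abort "This Rakefile requires the '#{req_gem}' RubyGem."`) so the failure is visible. The printed hint `gem install #{req_gem} -y` also uses a `-y` switch that, as far as I recall, later RubyGems releases no longer accept; verify before leaving it in the instructions.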
data/config.example.yml
ADDED
@@ -0,0 +1,442 @@
|
|
1
|
+
# IMPORTANT NOTE ABOUT YAML CONFIGURATION FILES
|
2
|
+
# ---> Be sure to use spaces instead of tabs for indentation. YAML is
|
3
|
+
# white-space sensitive!
|
4
|
+
|
5
|
+
##### SERVER ###################################################################
|
6
|
+
|
7
|
+
# Under what environment are you running the CAS server? The following methods
|
8
|
+
# are currently supported:
|
9
|
+
#
|
10
|
+
# webrick -- run as a stand-alone webrick server; this is the default method
|
11
|
+
# mongrel -- run as a stand-alone mongrel server; fast, but you'll need to
|
12
|
+
# install mongrel and run it behind an https reverse proxy like Pound
|
13
|
+
# or Apache 2.2's mod_proxy)
|
14
|
+
# cgi -- slow, but simple to set up if you're already familliar with
|
15
|
+
# deploying CGI scripts
|
16
|
+
# fastcgi -- see http://www.fastcgi.com (e.g. under Apache you can use this with
|
17
|
+
# mod_fastcgi)
|
18
|
+
#
|
19
|
+
# The cgi and fastcgi methods have not been thoroughly tested!
|
20
|
+
# Please report any problems to the authors.
|
21
|
+
#
|
22
|
+
# IMPORTANT: If you use mongrel, you will need to run the server behind a
|
23
|
+
# reverse proxy (Pound, Apache 2.2 with mod_proxy, etc.) since
|
24
|
+
# mongrel does not support SSL/HTTPS. See the RubyCAS-Server install
|
25
|
+
# docs for more info.
|
26
|
+
|
27
|
+
### webrick example
|
28
|
+
|
29
|
+
server: webrick
|
30
|
+
port: 443
|
31
|
+
ssl_cert: /path/to/your/ssl.pem
|
32
|
+
|
33
|
+
# If private key is separate from cert
|
34
|
+
#ssl_key: /path/to/your/private_key.pem
|
35
|
+
|
36
|
+
# By default the login page will be available at the root path
|
37
|
+
# (e.g. https://example.foo/). The uri_path option lets you serve it from a
|
38
|
+
# different path (e.g. https://example.foo/cas).
|
39
|
+
#uri_path: /cas
|
40
|
+
|
41
|
+
# Bind the server to a specific address. Use 0.0.0.0 to listen on all
|
42
|
+
# available interfaces.
|
43
|
+
#bind_address: 0.0.0.0
|
44
|
+
|
45
|
+
### mongrel example (since mongrel doesn't support SSL on its own, you will have
|
46
|
+
### to run this behind an https reverse proxy)
|
47
|
+
|
48
|
+
#server: mongrel
|
49
|
+
#port: 110011
|
50
|
+
|
51
|
+
# By default the login page will be available at the root path
|
52
|
+
# (e.g. https://example.foo/). The uri_path option lets you serve it from a
|
53
|
+
# different path (e.g. https://example.foo/cas).
|
54
|
+
#uri_path: /cas
|
55
|
+
|
56
|
+
# Bind the server to a specific address. Use 0.0.0.0 to listen on all
|
57
|
+
# available interfaces.
|
58
|
+
#bind_address: 0.0.0.0
|
59
|
+
|
60
|
+
### cgi example (you'll need to serve this via an SSL-capable server like Apache)
|
61
|
+
|
62
|
+
#server: cgi
|
63
|
+
|
64
|
+
### fastcgi example (you'll need to serve this via an SSL-capable server like Apache)
|
65
|
+
|
66
|
+
#server: fastcgi
|
67
|
+
|
68
|
+
|
69
|
+
##### DATABASE #################################################################
|
70
|
+
|
71
|
+
# Set up the database connection. Make sure that this database is secure!
|
72
|
+
#
|
73
|
+
# By default, we use MySQL, since it is widely used and does not require any
|
74
|
+
# additional
|
75
|
+
# ruby libraries besides ActiveRecord.
|
76
|
+
#
|
77
|
+
# With MySQL, your config would be something like the following:
|
78
|
+
# (be sure to create the casserver database in MySQL beforehand,
|
79
|
+
# i.e. `mysqladmin -u root create casserver`)
|
80
|
+
|
81
|
+
database:
|
82
|
+
adapter: mysql
|
83
|
+
database: casserver
|
84
|
+
username: root
|
85
|
+
password:
|
86
|
+
host: localhost
|
87
|
+
|
88
|
+
#
|
89
|
+
# Instead of MySQL you can use SQLite3, PostgreSQL, MSSQL, or anything else
|
90
|
+
# supported by ActiveRecord.
|
91
|
+
#
|
92
|
+
# With SQLite3 (which does not require a separate database server), your
|
93
|
+
# configuration would look something like the following (don't forget to install
|
94
|
+
# the sqlite3-ruby gem beforehand!):
|
95
|
+
#
|
96
|
+
#database:
|
97
|
+
# adapter: sqlite3
|
98
|
+
# dbfile: /var/lib/casserver.db
|
99
|
+
|
100
|
+
|
101
|
+
##### AUTHENTICATION ###########################################################
|
102
|
+
|
103
|
+
# Configure how username/passwords are validated.
|
104
|
+
#
|
105
|
+
# !!! YOU MUST CONFIGURE ONE OF THESE AUTHENTICATION METHODS !!!
|
106
|
+
#
|
107
|
+
# Currently there are three built-in methods for authentication:
|
108
|
+
# SQL, ActiveDirectory, and LDAP. If none of these work for you, it is
|
109
|
+
# relatively easy to write your own custom Authenticator class.
|
110
|
+
#
|
111
|
+
# === SQL Authentication =======================================================
|
112
|
+
#
|
113
|
+
# The simplest method is to validate against a SQL database. This assumes
|
114
|
+
# that all of your users are stored in a table that has a 'username' column
|
115
|
+
# and a 'password' column. When the user logs in, CAS conects to this database
|
116
|
+
# and looks for a matching username/password in the users table. If a matching
|
117
|
+
# username and password is found, authentication is successful.
|
118
|
+
#
|
119
|
+
# If you prefer to have your passwords stored in an encrypted form, have a
|
120
|
+
# look at the SQLEncrypted authenticator:
|
121
|
+
# http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
|
122
|
+
#
|
123
|
+
# If your users table stores passwords with MD5 hashing (for example as with
|
124
|
+
# Drupal) try using the SQLMd5 version of the SQL authenticator.
|
125
|
+
#
|
126
|
+
# Example:
|
127
|
+
#
|
128
|
+
#authenticator:
|
129
|
+
# class: CASServer::Authenticators::SQL
|
130
|
+
# database:
|
131
|
+
# adapter: mysql
|
132
|
+
# database: some_database_with_users_table
|
133
|
+
# username: root
|
134
|
+
# password:
|
135
|
+
# server: localhost
|
136
|
+
# user_table: users
|
137
|
+
# username_column: username
|
138
|
+
# password_column: password
|
139
|
+
#
|
140
|
+
# When replying to a CAS client's validation request, the server will normally
|
141
|
+
# provide the client with the authenticated user's username. However it is now
|
142
|
+
# possible for the server to provide the client with additional attributes.
|
143
|
+
# You can configure the SQL authenticator to provide data from additional
|
144
|
+
# columns in the users table by listing the names of the columns under the
|
145
|
+
# 'extra_attributes' option. Note though that this functionality is experimental.
|
146
|
+
# It should work with RubyCAS-Client, but may or may not work with other CAS
|
147
|
+
# clients.
|
148
|
+
#
|
149
|
+
# For example, with this configuration, the 'full_name' and 'access_level'
|
150
|
+
# columns will be provided to your CAS clients along with the username:
|
151
|
+
#
|
152
|
+
#authenticator:
|
153
|
+
# class: CASServer::Authenticators::SQL
|
154
|
+
# database:
|
155
|
+
# adapter: mysql
|
156
|
+
# database: some_database_with_users_table
|
157
|
+
# user_table: users
|
158
|
+
# username_column: username
|
159
|
+
# password_column: password
|
160
|
+
# extra_attributes: full_name, access_level
|
161
|
+
#
|
162
|
+
#
|
163
|
+
# === Google Authentication ====================================================
|
164
|
+
#
|
165
|
+
# The Google authenticator allows users to log in to your CAS server using
|
166
|
+
# their Google account credentials (i.e. the same email and password they
|
167
|
+
# would use to log in to Google services like Gmail). This authenticator
|
168
|
+
# requires no special configuration -- just specify its class name:
|
169
|
+
#
|
170
|
+
#authenticator:
|
171
|
+
# class: CASServer::Authenticators::Google
|
172
|
+
#
|
173
|
+
# Note that as with all authenticators, it is possible to use the Google
|
174
|
+
# authenticator alongside other authenticators. For example, CAS can first
|
175
|
+
# attempt to validate the account with Google, and if that fails, fall back
|
176
|
+
# to some other local authentication mechanism.
|
177
|
+
#
|
178
|
+
# For example:
|
179
|
+
#
|
180
|
+
#authenticator:
|
181
|
+
# -
|
182
|
+
# class: CASServer::Authenticators::Google
|
183
|
+
# -
|
184
|
+
# class: CASServer::Authenticators::SQL
|
185
|
+
# database:
|
186
|
+
# adapter: mysql
|
187
|
+
# database: some_database_with_users_table
|
188
|
+
# user: root
|
189
|
+
# password:
|
190
|
+
# server: localhost
|
191
|
+
# user_table: user
|
192
|
+
# username_column: username
|
193
|
+
# password_column: password
|
194
|
+
#
|
195
|
+
#
|
196
|
+
# === ActiveDirectory Authentication ===========================================
|
197
|
+
#
|
198
|
+
# This method authenticates against Microsoft's Active Directory using LDAP.
|
199
|
+
# You must enter your ActiveDirectory server, and base DN. The port number
|
200
|
+
# and LDAP filter are optional. You must also enter a CN and password
|
201
|
+
# for an "authenticator" user. The authenticator users this account to
|
202
|
+
# log in to the ActiveDirectory server and search LDAP. This does not have
|
203
|
+
# to be an administrative account -- it only has to be able to search for other
|
204
|
+
# users.
|
205
|
+
#
|
206
|
+
# Note that the auth_user parameter must be the user's CN (Common Name).
|
207
|
+
# In Active Directory, the CN is genarally the user's full name, which is NOT
|
208
|
+
# generally the same as their username (sAMAccountName).
|
209
|
+
#
|
210
|
+
# For example:
|
211
|
+
#
|
212
|
+
#authenticator:
|
213
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
214
|
+
# ldap:
|
215
|
+
# server: ad.example.net
|
216
|
+
# port: 389
|
217
|
+
# base: dc=example,dc=net
|
218
|
+
# filter: (objectClass=person)
|
219
|
+
# auth_user: authenticator
|
220
|
+
# auth_password: itsasecret
|
221
|
+
#
|
222
|
+
# A more complicated example, where the authenticator will use TLS encryption,
|
223
|
+
# will ignore users with disabled accounts, and will pass on the 'cn' and 'mail'
|
224
|
+
# attributes to CAS clients:
|
225
|
+
#
|
226
|
+
#authenticator:
|
227
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
228
|
+
# ldap:
|
229
|
+
# server: ad.example.net
|
230
|
+
# port: 636
|
231
|
+
# base: dc=example,dc=net
|
232
|
+
# filter: (objectClass=person) & !(msExchHideFromAddressLists=TRUE)
|
233
|
+
# auth_user: authenticator
|
234
|
+
# auth_password: itsasecret
|
235
|
+
# encryption: simple_tls
|
236
|
+
# extra_attributes: cn, mail
|
237
|
+
#
|
238
|
+
# It is possible to authenticate against Active Directory without the
|
239
|
+
# authenticator user, but this requires that users type in their CN as
|
240
|
+
# the username rather than typing in their sAMAccountName. In other words
|
241
|
+
# users will likely have to authenticate by typing their full name,
|
242
|
+
# rather than their username. If you prefer to do this, then just
|
243
|
+
# omit the auth_user and auth_password values in the above example.
|
244
|
+
#
|
245
|
+
#
|
246
|
+
# === LDAP Authentication ======================================================
|
247
|
+
#
|
248
|
+
# This is a more general version of the ActiveDirectory authenticator.
|
249
|
+
# The configuration is similar, except you don't need an authenticator
|
250
|
+
# username or password. Note that this authenticator hasn't been widely
|
251
|
+
# tested, so it is not guaranteed to work.
|
252
|
+
#
|
253
|
+
#authenticator:
|
254
|
+
# class: CASServer::Authenticators::LDAP
|
255
|
+
# ldap:
|
256
|
+
# server: ldap.example.net
|
257
|
+
# port: 389
|
258
|
+
# base: dc=example,dc=net
|
259
|
+
# filter: (objectClass=person)
|
260
|
+
#
|
261
|
+
# If you need more secure connections via TSL, specify the 'encryption'
|
262
|
+
# option and change the port:
|
263
|
+
#
|
264
|
+
#authenticator:
|
265
|
+
# class: CASServer::Authenticators::LDAP
|
266
|
+
# ldap:
|
267
|
+
# server: ldap.example.net
|
268
|
+
# port: 636
|
269
|
+
# base: dc=example,dc=net
|
270
|
+
# filter: (objectClass=person)
|
271
|
+
# encryption: simple_tls
|
272
|
+
#
|
273
|
+
# If you need additional data about the user passed to the client (for example,
|
274
|
+
# their 'cn' and 'mail' attributes, you can specify the list of attributes
|
275
|
+
# under the extra_attributes config option:
|
276
|
+
#
|
277
|
+
#authenticator:
|
278
|
+
# class: CASServer::Authenticators::LDAP
|
279
|
+
# ldap:
|
280
|
+
# server: ldap.example.net
|
281
|
+
# port: 389
|
282
|
+
# base: dc=example,dc=net
|
283
|
+
# filter: (objectClass=person)
|
284
|
+
# extra_attributes: cn, mail
|
285
|
+
#
|
286
|
+
# Note that the above functionality is somewhat limited by client compatibility.
|
287
|
+
# See the SQL authenticator notes above for more info.
|
288
|
+
#
|
289
|
+
#
|
290
|
+
# === Custom Authentication ====================================================
|
291
|
+
#
|
292
|
+
# It should be relatively easy to write your own Authenticator class. Have a look
|
293
|
+
# at the built-in authenticators in the casserver/authenticators directory. Your
|
294
|
+
# authenticator should extend the CASServer::Authenticators::Base class and must
|
295
|
+
# implement a validate() method that takes a single hash argument. When the user
|
296
|
+
# submits the login form, the username and password they entered is passed to
|
297
|
+
# validate() as a hash under :username and :password keys. In the future, this
|
298
|
+
# hash might also contain other data such as the domain that the user is logging
|
299
|
+
# in to.
|
300
|
+
#
|
301
|
+
# To use your custom authenticator, specify it's class name and path to the
|
302
|
+
# source file in the authenticator section of the config. Any other parameters
|
303
|
+
# you specify in the authenticator configuration will be passed on to the
|
304
|
+
# authenticator and made availabe in the validate() method as an @options hash.
|
305
|
+
#
|
306
|
+
# Example:
|
307
|
+
#
|
308
|
+
#authenticator:
|
309
|
+
# class: FooModule::MyCustomAuthenticator
|
310
|
+
# source: /path/to/source.rb
|
311
|
+
# option_a: foo
|
312
|
+
# another_option: yeeha
|
313
|
+
#
|
314
|
+
# === Multiple Authenticators ==================================================
|
315
|
+
#
|
316
|
+
# If you need to have more than one source for authentication, such as an LDAP
|
317
|
+
# directory and a database, you can use multiple authenticators by making
|
318
|
+
# :authenticator an array of authenticators.
|
319
|
+
#
|
320
|
+
#authenticator:
|
321
|
+
# -
|
322
|
+
# class: CASServer::Authenticators::ActiveDirectoryLDAP
|
323
|
+
# ldap:
|
324
|
+
# server: ad.example.net
|
325
|
+
# port: 389
|
326
|
+
# base: dc=example,dc=net
|
327
|
+
# filter: (objectClass=person)
|
328
|
+
# -
|
329
|
+
# class: CASServer::Authenticators::SQL
|
330
|
+
# database:
|
331
|
+
# adapter: mysql
|
332
|
+
# database: some_database_with_users_table
|
333
|
+
# user: root
|
334
|
+
# password:
|
335
|
+
# server: localhost
|
336
|
+
# user_table: user
|
337
|
+
# username_column: username
|
338
|
+
# password_column: password
|
339
|
+
#
|
340
|
+
# During authentication, the user credentials will be checked against the first
|
341
|
+
# authenticator and on failure fall through to the second authenticator.
|
342
|
+
#
|
343
|
+
|
344
|
+
|
345
|
+
##### LOOK & FEEL ##############################################################
|
346
|
+
|
347
|
+
# Set the path to the theme directory that determines how your CAS pages look.
|
348
|
+
#
|
349
|
+
# Custom themes are not well supported yet, but will be in the near future. In
|
350
|
+
# the meantime, if you want to create a custom theme, you can create a
|
351
|
+
# subdirectory under the CASServer's themes dir (for example,
|
352
|
+
# '/usr/lib/ruby/1.8/gems/casserver-xxx/lib/themes', if you installed CASServer
|
353
|
+
# on Linux as a gem). A theme is basically just a theme.css file that overrides
|
354
|
+
# the themes/cas.css styles along with a collection of image files
|
355
|
+
# like logo.png and bg.png.
|
356
|
+
#
|
357
|
+
# By default, we use the 'simple' theme which you can find in themes/simple.
|
358
|
+
theme: simple
|
359
|
+
|
360
|
+
# The name of your company/organization. This will show up on the login page.
|
361
|
+
organization: CAS
|
362
|
+
|
363
|
+
# A short bit of text that shows up on the login page. You can make this blank
|
364
|
+
# if you prefer to have no extra text shown at the bottom of the login box.
|
365
|
+
infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
|
366
|
+
|
367
|
+
# Custom views file. Overrides methodes in lib/casserver/views.rb
|
368
|
+
#custom_views_file: /path/to/custom/views.rb
|
369
|
+
|
370
|
+
|
371
|
+
##### LOGGING ##################################################################
|
372
|
+
|
373
|
+
# Configure general logging. This log is where you'll want to look in case of
|
374
|
+
# problems.
|
375
|
+
#
|
376
|
+
# You may want to change the file to something like /var/log/casserver.log
|
377
|
+
# Set the level to DEBUG if you want more detailed logging.
|
378
|
+
|
379
|
+
log:
|
380
|
+
file: /var/log/casserver.log
|
381
|
+
level: INFO
|
382
|
+
|
383
|
+
|
384
|
+
# If you want full database logging, uncomment this next section.
|
385
|
+
# Every SQL query will be logged here. This is useful for debugging database
|
386
|
+
# problems.
|
387
|
+
#
|
388
|
+
#db_log:
|
389
|
+
# file: /var/log/casserver_db.log
|
390
|
+
|
391
|
+
|
392
|
+
##### SINGLE SIGN-OUT ##########################################################
|
393
|
+
|
394
|
+
# When a user logs in to a CAS-enabled client application, that application
|
395
|
+
# generally opens its own local user session. When the user then logs out
|
396
|
+
# through the CAS server, each of the CAS-enabled client applications need
|
397
|
+
# to be notified so that they can close their own local sessions for that user.
|
398
|
+
#
|
399
|
+
# Up until recently this was not possible within CAS. However, a method for
|
400
|
+
# performing this notification was recently added to the protocol (in CAS 3.1).
|
401
|
+
# This works exactly as described above -- when the user logs out, the CAS
|
402
|
+
# server individually contacts each client service and notifies it of the
|
403
|
+
# logout. Currently not all client applications support this, so this
|
404
|
+
# behaviour is disabled by default. To enable it, uncomment the following
|
405
|
+
# configuration line. Note that currently it is not possible to enable
|
406
|
+
# or disable single-sign-out on a per-service basis, but this functionality
|
407
|
+
# is planned for a future release.
|
408
|
+
|
409
|
+
#enable_single_sign_out: true
|
410
|
+
|
411
|
+
|
412
|
+
##### OTHER ####################################################################
|
413
|
+
|
414
|
+
# You can set various ticket expiry times (specify the value in seconds).
|
415
|
+
|
416
|
+
# Expired login and service tickets are no longer usable this many seconds after
|
417
|
+
# they are created. (Defaults to 5 minutes)
|
418
|
+
|
419
|
+
#login_ticket_expiry: 300
|
420
|
+
#service_ticket_expiry: 300
|
421
|
+
|
422
|
+
# Proxy- and ticket-granting tickets do not expire -- normally they are made
|
423
|
+
# invalid only when the user logs out. But the server must periodically delete
|
424
|
+
# them to prevent buildup of stale data. PGTs and TGTs will be deleted during
|
425
|
+
# server startup if they are this many seconds old. (Defaults to 48 hours)
|
426
|
+
|
427
|
+
#proxy_granting_ticket_expiry: 172800
|
428
|
+
#ticket_granting_ticket_expiry: 172800
|
429
|
+
|
430
|
+
# If you would prefer that ticket-granting ticket expiry be enforced (in effect
|
431
|
+
# limiting the maximum length of a session), you can set expire_sessions to true.
|
432
|
+
|
433
|
+
#expire_sessions: false
|
434
|
+
|
435
|
+
|
436
|
+
# If you want the usernames entered on the login page to be automatically
|
437
|
+
# downcased (converted to lowercase), enable the following option. When this
|
438
|
+
# option is set to true, if the user enters "JSmith" as their username, the
|
439
|
+
# system will automatically
|
440
|
+
# convert this to "jsmith".
|
441
|
+
|
442
|
+
#downcase_username: true
|
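Review bot: The live `database:` block ships with `username: root` and an empty `password:`, and the SQL-authenticator examples repeat that pair; since the ticket store is what the whole SSO deployment rests on (the file itself says "Make sure that this database is secure!"), the example should model a dedicated least-privilege account, e.g. `username: casserver` and `password: <set a strong password>`, with a comment that the database superuser is never appropriate here. The ActiveDirectory and LDAP examples on `port: 389` carry `auth_password` and forward every user's password in a bind with no `encryption:` set, so it is worth stating next to those examples that 389 without TLS sends credentials in cleartext and that `port: 636` with `encryption: simple_tls` is the recommended form. The extended AD example's `filter: (objectClass=person) & !(msExchHideFromAddressLists=TRUE)` is not RFC 4515 syntax, which would be `(&(objectClass=person)(!(msExchHideFromAddressLists=TRUE)))`, unless ldap.rb rewrites it, which this diff does not show. Finally, the Google section references `CASServer::Authenticators::Google`, but the diffstat lists no `authenticators/google.rb`, so that example may point at a class this gem does not ship.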
@@ -0,0 +1,11 @@
|
|
1
|
+
# Custom views file; add methods to the module definition below
|
2
|
+
|
3
|
+
module CASServer::Views
|
4
|
+
|
5
|
+
# Override views here, for example, a custom login form:
|
6
|
+
def login_form
|
7
|
+
# Add your custom login form here, using Markaby
|
8
|
+
# See the original views.rb file at lib/casserver/views.rb for method names and usage
|
9
|
+
end
|
10
|
+
|
11
|
+
end
|
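Review bot: The `login_form` stub has an empty body and no guidance on what a replacement must emit, so anyone following this template as-is will publish a login page that cannot complete the CAS login flow. I would add, inside the method, `# Any replacement must still emit the hidden fields the stock login_form in lib/casserver/views.rb renders (the login ticket and the service parameter); the login controller presumably rejects submissions that lack them.` The exact field names live in views.rb, outside this diff, so the comment should point there rather than restate them.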
@@ -0,0 +1,11 @@
|
|
1
|
+
require 'casserver/authenticators/ldap'
|
2
|
+
|
3
|
+
# Slightly modified version of the LDAP authenticator for Microsoft's ActiveDirectory.
|
4
|
+
# The only difference is that the default_username_attribute for AD is 'sAMAccountName'
|
5
|
+
# rather than 'uid'.
|
6
|
+
class CASServer::Authenticators::ActiveDirectoryLDAP < CASServer::Authenticators::LDAP
|
7
|
+
protected
|
8
|
+
def default_username_attribute
|
9
|
+
"sAMAccountName"
|
10
|
+
end
|
11
|
+
end
|
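Review bot: Switching the username attribute to `sAMAccountName` means the submitted username is looked up by that attribute, and how the parent `CASServer::Authenticators::LDAP` builds that lookup is outside this hunk; if it interpolates the raw username into a search-filter string, a username such as `*)(objectClass=*` is an LDAP filter injection and must be escaped per RFC 4515 before use. I would record that dependency here: `# NOTE: relies on the parent class escaping the username before placing it in the LDAP search filter -- verify in ldap.rb`.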
@@ -0,0 +1,48 @@
|
|
1
|
+
module CASServer
|
2
|
+
module Authenticators
|
3
|
+
class Base
|
4
|
+
attr_accessor :options
|
5
|
+
attr_reader :username # make this accessible so that we can pick up any
|
6
|
+
# transformations done within the authenticator
|
7
|
+
|
8
|
+
def validate(credentials)
|
9
|
+
raise NotImplementedError, "This method must be implemented by a class extending #{self.class}"
|
10
|
+
end
|
11
|
+
|
12
|
+
def configure(options)
|
13
|
+
raise ArgumentError, "options must be a HashWithIndifferentAccess" unless options.kind_of? HashWithIndifferentAccess
|
14
|
+
@options = options.dup
|
15
|
+
@extra_attributes = {}
|
16
|
+
end
|
17
|
+
|
18
|
+
def extra_attributes
|
19
|
+
@extra_attributes
|
20
|
+
end
|
21
|
+
|
22
|
+
protected
|
23
|
+
def read_standard_credentials(credentials)
|
24
|
+
@username = credentials[:username]
|
25
|
+
@password = credentials[:password]
|
26
|
+
@service = credentials[:service]
|
27
|
+
@request = credentials[:request]
|
28
|
+
end
|
29
|
+
|
30
|
+
def extra_attributes_to_extract
|
31
|
+
if @options[:extra_attributes].kind_of? Array
|
32
|
+
attrs = @options[:extra_attributes]
|
33
|
+
elsif @options[:extra_attributes].kind_of? String
|
34
|
+
attrs = @options[:extra_attributes].split(',').collect{|col| col.strip}
|
35
|
+
else
|
36
|
+
$LOG.error("Can't figure out attribute list from #{@options[:extra_attributes].inspect}. This must be an Aarray of column names or a comma-separated list.")
|
37
|
+
attrs = []
|
38
|
+
end
|
39
|
+
|
40
|
+
$LOG.debug("#{self.class.name} will try to extract the following extra_attributes: #{attrs.inspect}")
|
41
|
+
return attrs
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
class AuthenticatorError < Exception
|
47
|
+
end
|
48
|
+
end
|
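Review bot: `class AuthenticatorError < Exception` derives from `Exception` rather than `StandardError`, so a plain `rescue` or `rescue => e` in the login controller will not catch it and it propagates alongside signals and SystemExit; change it to `class AuthenticatorError < StandardError`. In `extra_attributes_to_extract`, an unset `extra_attributes` option (nil, the common case since the option is optional in config.example.yml) is neither Array nor String and so hits the error branch on every call; add `return [] if @options[:extra_attributes].nil?` before the type dispatch, and fix the `Aarray` typo in the log message while there. `read_standard_credentials` also leaves the cleartext `@password` in the authenticator instance after validation; if the instance outlives a single request, consider clearing it once validate() returns.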
@@ -0,0 +1,46 @@
|
|
1
|
+
require 'casserver/authenticators/base'
|
2
|
+
|
3
|
+
# NOT YET IMPLEMENTED
|
4
|
+
#
|
5
|
+
# This authenticator will authenticate the user based on a client SSL certificate.
|
6
|
+
#
|
7
|
+
# You will probably want to use this along with another authenticator, chaining
|
8
|
+
# it so that if the client does not provide a certificate, the server can
|
9
|
+
# fall back to some other authentication mechanism.
|
10
|
+
#
|
11
|
+
# Here's an example of how to use two chained authenticators in the config.yml
|
12
|
+
# file. The server will first use the ClientCertificate authenticator, and
|
13
|
+
# only fall back to the SQL authenticator of the first one fails:
|
14
|
+
#
|
15
|
+
# authenticator:
|
16
|
+
# -
|
17
|
+
# class: CASServer::Authenticators::ClientCertificate
|
18
|
+
# -
|
19
|
+
# class: CASServer::Authenticators::SQL
|
20
|
+
# database:
|
21
|
+
# adapter: mysql
|
22
|
+
# database: some_database_with_users_table
|
23
|
+
# user: root
|
24
|
+
# password:
|
25
|
+
# server: localhost
|
26
|
+
# user_table: user
|
27
|
+
# username_column: username
|
28
|
+
# password_column: password
|
29
|
+
#
|
30
|
+
class CASServer::Authenticators::ClientCertificate < CASServer::Authenticators::Base
|
31
|
+
def validate(credentials)
|
32
|
+
read_standard_credentials(credentials)
|
33
|
+
|
34
|
+
@client_cert = credentials[:request]['SSL_CLIENT_CERT']
|
35
|
+
|
36
|
+
# note that I haven't actually tested to see if SSL_CLIENT_CERT gets
|
37
|
+
# filled with data when a client cert is provided, but this should be
|
38
|
+
# the case at least in theory :)
|
39
|
+
|
40
|
+
return false if @client_cert.blank?
|
41
|
+
|
42
|
+
# IMPLEMENT SSL CERTIFICATE VALIDATION CODE HERE
|
43
|
+
|
44
|
+
return true # if SSL certificate is valid, false otherwise
|
45
|
+
end
|
46
|
+
end
|
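Review bot: `validate` returns `true` for any non-blank `SSL_CLIENT_CERT` value while `@username` is taken from the submitted form via `read_standard_credentials`, so as written a client presenting any certificate the front end passes through (the comment admits this path is untested) is authenticated as whatever username it typed, and the header comment recommends chaining this authenticator first. Until the certificate is actually verified and the username derived from it, the placeholder must fail closed: replace `return true # if SSL certificate is valid, false otherwise` with `raise NotImplementedError, "ClientCertificate authenticator is not implemented"` (or `return false`) and keep the `# NOT YET IMPLEMENTED` banner. When it is implemented, the username must come from the validated certificate's subject, never from the form, and a deployment behind a reverse proxy must ensure `SSL_CLIENT_CERT` cannot be supplied by the client itself.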