Index: openacs-4/packages/auth-cas/auth-cas.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/auth-cas/auth-cas.info,v
diff -u -N
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ openacs-4/packages/auth-cas/auth-cas.info 11 Sep 2007 17:30:40 -0000 1.1
@@ -0,0 +1,38 @@
+
+
+
+
+ CAS Authentication Driver
+ CAS Authentication Drivers
+ f
+ t
+ cas
+
+
+ Nima Mazloumi
+ CAS authentication drivers for acs-authentication.
+ 2007-07-02
+ Mazloumi
+ Implements the CAS authentication, password management, and other drivers for use with the acs-authentication service contracts.
+ GPL
+ 3
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Index: openacs-4/packages/auth-cas/lib/login.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/auth-cas/lib/login.tcl,v
diff -u -N
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ openacs-4/packages/auth-cas/lib/login.tcl 11 Sep 2007 17:30:40 -0000 1.1
@@ -0,0 +1,14 @@
+#this is an include and requires a return_url parameter
+
+set authenticated_p [ad_get_client_property auth-cas authenticated_p]
+
+#if user was not authenticated redirect to cas-web module as defined in the parameters
+if {[empty_string_p $authenticated_p] || $authenticated_p != 1} {
+ #lets load the required parameters
+ auth::cas::authentication::GetParameters
+ ns_log Debug "auth-cas: Redirecting to $cas(server)login?service=[ns_conn location]$cas(handler)"
+ ad_returnredirect "$cas(server)login?service=[ns_conn location]$cas(handler)"
+ }
+} else {
+ ad_returnredirect $return_url
+}
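Review bot: The brace on the line ` }` directly before `} else {` closes the `if` body early, so the following `} else {` has no matching opener and the include fails to parse; drop that stray ` }` line so the structure is `if {...} { ... } else { ... }`. Also, the first comment states that the include "requires a return_url parameter", but nothing checks it before `ad_returnredirect $return_url`; an `if {![info exists return_url]}` guard with a sensible default would make that contract explicit. The `$cas(server)login?...` interpolation also silently assumes the CasServer parameter ends with a slash, which is worth stating in the comment above it.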
Index: openacs-4/packages/auth-cas/tcl/auth-cas-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/auth-cas/tcl/auth-cas-procs.tcl,v
diff -u -N
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ openacs-4/packages/auth-cas/tcl/auth-cas-procs.tcl 11 Sep 2007 17:30:40 -0000 1.1
@@ -0,0 +1,197 @@
+ad_library {
+ Procs for cas authentication
+
+ @author Nima Mazloumi nima.mazloumi@gmx.de)
+ @creation-date 2007-06-29
+}
+
+namespace eval auth {}
+namespace eval auth::cas {}
+namespace eval auth::cas::authentication {}
+
+ad_proc -private auth::cas::after_install {} {} {
+ set spec {
+ contract_name "auth_authentication"
+ owner "auth-cas"
+ name "CAS"
+ pretty_name "CAS"
+ aliases {
+ Authenticate auth::cas::authentication::Authenticate
+ GetParameters auth::cas::authentication::GetParameters
+ MergeUser auth::cas::authentication::MergeUser
+ }
+ }
+
+ set auth_impl_id [acs_sc::impl::new_from_spec -spec $spec]
+}
+
+ad_proc -private auth::cas::before_uninstall {} {} {
+ acs_sc::impl::delete -contract_name "auth_authentication" -impl_name "CAS"
+}
+
+#####
+#
+# CAS Authentication Driver
+#
+#####
+
+ad_proc -private auth::cas::authentication::Authenticate {
+ username
+ password
+ {parameters {}}
+ {authority_id {}}
+} {
+ Implements the Authenticate operation of the auth_authentication service contract for CAS.
+ This proc is only called if the oacs login page was used.
+ We simply redirect to CAS here
+} {
+ ad_returnredirect "[lindex $parameters 0]/login?service=[ns_conn location][lindex $parameters 5]"
+}
+
+ad_proc -private auth::cas::authentication::GetParameters {} {
+ Implements the GetParameters operation of the auth_authentication
+ service contract for CAS. Returns a list as well as upvars an array called cas
+} {
+ # we upvar the parameters as well for named access to the parameters
+ upvar cas _cas
+
+ set server [parameter::get_from_package_key -parameter CasServer -package_key "auth-cas"]
+ regexp -nocase {^(http.?://)?([^:/]+)(:([0-9]+))?(/.*)} $server tX_x tX_protocol tX_server tX_y tX_port tX_path
+
+ set _cas(host) $tX_server
+ set _cas(path) $tX_path
+ set _cas(port) $tX_port
+ set _cas(protocol) $tX_protocol
+ set _cas(handler) [parameter::get_from_package_key -parameter LocalSsoHandler -package_key "auth-cas"]
+
+ #in some cases not this OpenACS instance but a third service shall be used for ticket validation use that if provided or default to the oacs instance
+ set _cas(type) [parameter::get_from_package_key -parameter ValidationType -package_key "auth-cas"]
+ set _cas(server) $server
+
+ #proc must return a list as well in for the service contract auth::cas::authentication::Authenticate to work correctly
+ return [list $_cas(server) $_cas(host) $_cas(path) $_cas(port) $_cas(protocol) $_cas(handler) $_cas(type)]
+}
+
+ad_proc -private auth::cas::authentication::MergeUser {
+ from_user_id
+ to_user_id
+ {authority_id ""}
+} {
+ Required but not used MergeUser operation for auth_authentication service contract
+} {
+ #do nothing
+}
+
+ad_proc -private auth::cas::authentication::validate {
+ -ticket
+ {-service ""}
+ {-return_url ""}
+} {
+ Validates a ticket or tries to get a new ticket from CAS server. Supported are http/https as well as CAS 1.0 and 2.0 validation.
+} {
+ auth::cas::authentication::GetParameters
+
+ if {[empty_string_p $return_url]} {
+ set return_url [parameter::get_from_package_key -package_key acs-kernel -parameter IndexRedirectUrl]
+ }
+
+ #if no external service is given we use the default
+ if {[empty_string_p $service]} {
+ set service "[ns_conn location]$cas(handler)"
+ }
+
+ #if no ticket passed get a ticket
+ if {[empty_string_p $ticket]} {
+
+ ns_log Debug "auth-cas: No ticket, redirecting to $cas(server)login?service=$service"
+ ad_returnredirect "$cas(server)login?service=$service"
+
+ } else {
+
+ #CAS validation version
+ switch $cas(type) {
+ 1.0 {
+ set validatePath validate
+ }
+ 2.0 {
+ set validatePath serviceValidate
+ }
+ }
+
+ set url "$cas(server)$validatePath?ticket=$ticket&service=$service"
+
+ #get cas response for the given ticket
+ switch $cas(protocol) {
+ http:// {
+ set response [ns_httpget $url]
+ }
+ https:// {
+ #alternatively we can use nsopenssl module if available
+ #set response [ns_httpsget $url]
+ package require http
+ package require tls
+ http::register https 443 [list ::tls::socket]
+ set handle [http::geturl $url]
+ set response [::http::data $handle]
+ }
+ }
+
+ ns_log Debug "auth-cas: $url\n$response"
+
+ set message ""
+ set validation_failed_p 1
+
+ #parse response depending on the cas validation version
+ switch $cas(type) {
+ 1.0 {
+ #validation failed
+ if {[lindex $response 0] == "no"} {
+ set validation_failed_p 1
+ set message "Validation failed for ticket $ticket"
+ }
+
+ #validation succeeded, check if user exists and create cookie
+ if {[lindex $response 0] == "yes"} {
+ set username [lindex $response 1]
+ set validation_failed_p 0
+ }
+ }
+ 2.0 {
+ set query "//cas:serviceResponse/cas:authenticationSuccess/cas:user/text()"
+ dom parse $response document
+ $document documentElement root
+ set textNode [$root selectNodes $query]
+ if {![empty_string_p $textNode]} {
+ #validation succeeded, check if user exists and create cookie
+ set username [$textNode nodeValue]
+ set validation_failed_p 0
+ } else {
+ #validation failed, return error message
+ set validation_failed_p 1
+ set query "//cas:serviceResponse/cas:authenticationFailure"
+ dom parse $response document
+ $document documentElement root
+ set failureNode [$root selectNodes $query]
+ set errorCode [$failureNode getAttribute code]
+ set textNode [$failureNode selectNodes text()]
+ set reason [$textNode nodeValue]
+ set message "$reason ($errorCode)"
+ }
+ }
+ }
+
+ if {$validation_failed_p} {
+ ad_set_client_property auth-cas authenticated_p 0
+ util_user_message -html -message $message
+ } else {
+ set authority_id [db_string select_first_authority {select authority_id from auth_authorities order by sort_order limit 1} -default [auth::authority::local]]
+ set user_id [acs_user::get_by_username -authority_id $authority_id -username $username]
+
+ # Issue login cookie if login was successful
+ auth::issue_login -user_id $user_id -account_status "ok"
+ ad_set_client_property auth-cas authenticated_p 1
+ }
+
+ ad_returnredirect $return_url
+ }
+}
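Review bot: The success branch at the end of validate issues a login without confirming that the username from the CAS response maps to a local account — the result of `acs_user::get_by_username` is never checked before `auth::issue_login`, so a valid ticket for a user unknown to OpenACS reaches `issue_login` with whatever that lookup returns for a miss (presumably an empty user_id; what issue_login does with it is not visible here). The authority used for that lookup is also whichever authority sorts first rather than the CAS authority, so the meaning of the lookup changes whenever an admin reorders authorities; the accompanying docs ask the admin to move 'CAS' to the top, which hides this rather than fixing it. In the same proc, the `switch $cas(type)` and `switch $cas(protocol)` blocks have no default arm, so an unexpected ValidationType or a CasServer without a scheme leaves `validatePath`/`response` unset and the proc errors instead of failing the validation cleanly, and the https branch registers `::tls::socket` with its defaults — which, as far as I know, does not verify the server certificate — and never calls `http::cleanup $handle`, so the validation answer should be treated as only as trustworthy as the network path until a `-require 1 -cafile ...` style socket command is registered. I would guard the success branch as below.

```tcl
    } else {
        set authority_id [db_string select_first_authority {select authority_id from auth_authorities order by sort_order limit 1} -default [auth::authority::local]]
        set user_id [acs_user::get_by_username -authority_id $authority_id -username $username]

        if {[empty_string_p $user_id]} {
            # valid ticket, but no matching local account: do not issue a login
            ad_set_client_property auth-cas authenticated_p 0
            util_user_message -html -message "No local account found for CAS user $username"
        } else {
            # Issue login cookie only for a known local user
            auth::issue_login -user_id $user_id -account_status "ok"
            ad_set_client_property auth-cas authenticated_p 1
        }
    }
    # … unchanged: ad_returnredirect $return_url …
```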
Index: openacs-4/packages/auth-cas/www/index.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/auth-cas/www/index.tcl,v
diff -u -N
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ openacs-4/packages/auth-cas/www/index.tcl 11 Sep 2007 17:30:40 -0000 1.1
@@ -0,0 +1,24 @@
+# Service Page for CAS
+
+ad_page_contract {
+
+ @author Nima Mazloumi (nima.mazloumi@gmx.de)
+ @creation-date 2007-07-03
+} {
+ {ticket ""}
+} -properties {
+} -validate {
+} -errors {
+}
+
+set authenticated_p [ad_get_client_property auth-cas authenticated_p]
+set return_url [parameter::get_from_package_key -package_key acs-kernel -parameter IndexRedirectUrl]
+
+#if invalid session
+if {[empty_string_p $authenticated_p] || $authenticated_p != 1} {
+ ns_log Debug "auth-cas: authenticated_p '$authenticated_p' validating ticket"
+ auth::cas::authentication::validate -ticket $ticket -return_url $return_url
+} else {
+ ns_log Debug "auth-cas: authenticated_p '$authenticated_p' redirecting to $return_url"
+ ad_returnredirect $return_url
+}
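Review bot: The `ticket` taken from the request here is accepted with no filter in `ad_page_contract` and then handed to validate, which interpolates it into the validation URL (`$cas(server)$validatePath?ticket=$ticket&service=$service`) without encoding, so any reserved characters in the query value alter the request sent to the CAS server; encode it with `ns_urlencode $ticket` (and `$service`) when that URL is built, or constrain the value at this entry point. The empty `-properties {}`, `-validate {}` and `-errors {}` blocks add nothing and can be dropped so the contract reads as just the `ticket` parameter. The `ad_page_contract` header would also benefit from a one-line purpose, e.g. `CAS service callback: validates the ticket CAS appended to the service URL and redirects to IndexRedirectUrl.`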
Index: openacs-4/packages/auth-cas/www/doc/index.html
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/auth-cas/www/doc/index.html,v
diff -u -N
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ openacs-4/packages/auth-cas/www/doc/index.html 11 Sep 2007 17:30:40 -0000 1.1
@@ -0,0 +1,77 @@
+
+
+
+ Auth-CAS
+
+
+Auth-CAS
+Nima Mazloumi (nima.mazloumi@gmx.de)
+Introduction
+The Central Authentication Service [1] is a mechanism that allows Single-Sign-On
+ (SSO) for web-based applications. When activated authentication takes
+ place on a central authentication service and integrated applications
+ provide a CAS client that forwards login and logout requests to a central
+ service and receive a ticket instead. This ticket is used against the
+ central service to validate an active session. If the validation succeeds
+ that user is logged-in automatically. If not the user has to provide a
+ username and a password.
+
+ While the clear benefit is a SSO a SSOut is not supported for CAS releases
+ prio to 3.1. The current package only supports SSO. SSOut is left for
+ future releases. Therefore a logout in OpenACS is not reflected in
+ other integrated systems since the CAS cookie is valid for the whole
+ browser session. To logout safely the user MUST close the browser!
+
Dependencies
+To support https validation this package requires TLS 1.5 or up. If you use OpenSSL/nsopenssl uncomment the ns_httpsget
statement in auth-cas-procs.tcl
and comment out the tls part.
+Installation
+
+- Install tls 1.5
+
+# Install TLS for https assuming you have installed AOLServer under /usr/local/aolserver45
+wget http://dfn.dl.sourceforge.net/sourceforge/tls/tls1.5.0-src.tar.gz
+tar xzpf tls1.5.0-src.tar.gz
+cd tls1.5
+./configure --with-ssl-dir=/usr --with-tcl=/usr/local/aolserver45/lib --enable-threads --enable-shared --prefix=/usr/local/aolserver45 --exec-prefix=/usr/local/aolserver45
+make install
+
+or install nsopenssl module. Make sure you change auth-cas-procs.tcl
to use ns_httpsget
.
+
+# Install OpenSSL module for https
+# Assuming that OpenSSL is installed an available under /usr/local/ssl and AOLServer under /usr/local/aolserver45
+cd /usr/local/src/aolserver45
+cvs -z3 -d:pserver:anonymous@aolserver.cvs.sourceforge.net:/cvsroot/aolserver co nsopenssl
+cd nsopenssl
+make install OPENSSL=/usr/local/ssl AOLSERVER=/usr/local/aolserver45
+
+ - Install this package. An instance of it will be mounted under
/cas/
. Important is the CasServer
parameter. You don't need to change the other parameters. If you don't want to use the standard auth-cas instance change the LocalSsoHandler
(defaults to /cas/
). Also you can choose between CAS 1.0 and 2.0 validation (parameter ValidationType
).
+ - Open Authorities Administration and create a new authority 'CAS'. Set the authentication parameter to "CAS". Password Management and Account Registration can be set to 'local'.
+
- Create a new user that exists on your CAS Server, grant the user site-wide admin rights and change the users authority from 'local' to 'CAS'. Write down the
user_id
of that user. You will need it in case something goes wrong.
+ - Change the main site subsite parameter
LoginTemplate
to /packages/auth-cas/lib/login
+ - Go to the authorities. Move the 'CAS' authority up, enable it and disable the 'local' authority.
+
- Logout. The system should redirect to the CAS server and request account information. Once you have passed in the correct data you should be forwarded to your OpenACS installation.
+
- In case something goes wrong create a file called:
youropenacsroot/www/autologin.tcl
and change the user_id
accordingly:
+
+set user_id foo
+auth::issue_login -user_id $user_id -account_status "ok"
+parameter::set_value -package_id [subsite::main_site_id] -parameter LoginTemplate -value /packages/acs-subsite/lib/login
+ad_set_client_property auth-cas authenticated_p 1
+ad_returnredirect [parameter::get_from_package_key -package_key acs-kernel -parameter IndexRedirectUrl]
+
+This code will grant you access to the OpenACS installation and reset the subsite parameter.
+
+Features
+
+- CAS 1.0 and 2.0 validation
+
- HTTP and HTTPS validation if TLS or NSOpenSSL is installed
+
- SSO
+
+Restrictions
+
+- No SSOut
+
- CAS client instances must be top level site nodes
+
- acs-subsite 5.4.0 or up required for
LoginTemplate
parameter
+
+References
+[1] http://www.ja-sig.org/products/cas/
+
+
Index: openacs-4/packages/auth-cas/www/doc/ws-support.html
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/auth-cas/www/doc/ws-support.html,v
diff -u -N
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ openacs-4/packages/auth-cas/www/doc/ws-support.html 11 Sep 2007 17:30:40 -0000 1.1
@@ -0,0 +1,14 @@
+
+
+
+ Web Service Support
+
+
+Web Service Support
+Nima Mazloumi (nima.mazloumi@gmx.de)
+See under cas-auth/lib/login.tcl
for a web service based support. In order
+to get it working you need tsoap. Comment out in tsoap/tcl/SOAP-procs.tcl
the lines
+
package require SOAP::Utils;
+package require rpcvar;
+Rename rpcvar-procs.tcl
to 00-rpcvar-procs.tcl
Otherwise SOAP-procs.tcl
won't load correctly.
+
You also need to install tls
to get tsoap
load correctly.