Re: fixing Gateway mode in mod_auth_cas

by Matt Smith-21

Thanks for the patch Earl, and sorry for the delayed response - we've
both been tied up of late.  We'll take a look at your patch as soon as
we can.

Real quick -- could you confirm that the "mod_auth_cas.c.diffs" listed
as the #2 attachment to MAS-12, dated 3/10/08, is the one to be
deleted.  I'm assuming so ... but just want to check first before I
delete it.

I'm intrigued by the GatewayNecessary domain cookie -- it does seem to
offer an optimization, but we'll have to think through it to make sure
there are no security implications.  First glance, though, it appears
safe.  I'm curious -- what domain does your Luminis server set for
this cookie? "usask.ca" ?  Or does it set the domain to the location
of your gateway'd CAS server (hmm - is that possible?) ?

Thanks again Earl,
-Matt

On Wed, Apr 30, 2008 at 5:06 PM, Earl Fogel <earl.fogel@...> wrote:

> Hi,
>
> I've been having some problems with the Gateway mode in mod_auth_cas.
> It worked fine the first time, but not if you connected a second
> time after your first CAS session had expired.
>
> After a few tries :-), I've come up with a patch for mod_auth_cas
> 1.0.7.
>
> This patch does several things:
>
> - It does not send the user on a Gateway trip if the request has POST
> content (because the POST content would get lost in the redirect).
>
> - It creates a CASGatewayCookieTimeout parameter which sets the maximum
> time a CASGatewayCookie is valid.  Default is 60 seconds.
>
> - It creates a CASGatewayNecessaryCookie parameter. If your CAS server
> sets a domain cookie when people log in, then the user only needs to make a
> Gateway trip when this cookie is present.  The value of this parameter is
> the name of the cookie to check.
>
> I should explain this last parameter a bit more.  We've set up a trust
> relationship between a JA-SIG CAS server and a Luminis CAS server.  To do
> this, we use mod_auth_cas to protect the login page of the JA-SIG CAS
> server with a gateway request to the Luminis CAS server.  Our Luminis
> server sets a domain cookie when users connect.  By checking this cookie
> in mod_auth_cas, we can bypass unnecessary gateway trips to the Luminis
> CAS server, which speeds things up for the user.  It also eliminates a
> dependency on Luminis.  That is, people can still access JA-SIG CAS when
> Luminis is down.
>
> I've attached the patch to the MAS-12 JIRA issue:
>
>   http://www.ja-sig.org/issues/browse/MAS-12
>
> (Matt and Phil, please note that there are two copies of
> mod_auth_cas.c.diffs attached to MAS-12.  I tried to remove
> the earlier version, but didn't have permission to do so).
>
> Earl Fogel
> Information Technology Services  phone: (306) 966-4861
> University of Saskatchewan       email: earl.fogel@...
> _______________________________________________
> cas-dev mailing list
> cas-dev@...
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>



--
matt@...
Key ID:D6EEC5B5
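
The three gateway checks listed in the quoted message, sketched as an added example that is not part of the thread or of the MAS-12 patch. The struct and function names, the test for POST by method, and the idea of tracking the gateway cookie's issue time are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical types for illustration; these are not mod_auth_cas structures. */
struct gw_config {
    const char *necessary_cookie; /* CASGatewayNecessaryCookie value, NULL if unset */
    time_t cookie_timeout;        /* CASGatewayCookieTimeout in seconds (default 60) */
};
struct gw_request {
    const char *method;        /* HTTP method */
    const char *cookie_header; /* raw Cookie header, NULL if none */
    time_t gateway_cookie_at;  /* assumed: issue time of CASGatewayCookie, 0 if absent */
};

/* Exact-name match, so "X_SESSION" does not satisfy a check for "SESSION". */
static bool cookie_present(const char *hdr, const char *name) {
    size_t n = strlen(name);
    while (hdr != NULL && *hdr != '\0') {
        while (*hdr == ' ' || *hdr == ';') hdr++;
        if (n > 0 && strncmp(hdr, name, n) == 0 && hdr[n] == '=') return true;
        hdr = strchr(hdr, ';');
    }
    return false;
}

/* Returns true when the request should be redirected on a gateway trip. */
bool should_gateway(const struct gw_request *r, const struct gw_config *c, time_t now) {
    if (strcmp(r->method, "POST") == 0)
        return false; /* the POST body would be lost in the redirect */
    time_t age = now - r->gateway_cookie_at;
    if (r->gateway_cookie_at != 0 && age >= 0 && age < c->cookie_timeout)
        return false; /* a gateway trip was made recently; do not loop */
    if (c->necessary_cookie != NULL && !cookie_present(r->cookie_header, c->necessary_cookie))
        return false; /* no upstream login cookie: skip the trip */
    /* The cookie is client-supplied: here it only triggers the trip, nothing more. */
    return true;
}

int main(void) {
    struct gw_config cfg = { "UPSTREAM_LOGIN", 60 };               /* constructed name */
    struct gw_request req = { "GET", "a=1; UPSTREAM_LOGIN=x", 0 }; /* constructed input */
    printf("gateway trip: %s\n", should_gateway(&req, &cfg, time(NULL)) ? "yes" : "no");
    return 0;
}
```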