Hi,
I've been having some problems with the Gateway mode in mod_auth_cas.
It worked fine the first time, but not if you connected a second
time after your first CAS session had expired.
After a few tries :-), I've come up with a patch for mod_auth_cas
1.0.7.
This patch does several things:
- It does not send the user on a Gateway trip if the request has POST
content (because the POST content would get lost in the redirect).
- It creates a CASGatewayCookieTimeout parameter which sets the maximum
time a CASGatewayCookie is valid. Default is 60 seconds.
- It creates a CASGatewayNecessaryCookie parameter. If your CAS server
sets a domain cookie when people login, then the user only needs to make a
Gateway trip when this cookie is present. The value of this parameter is
the name of the cookie to check.
I should explain this last parameter a bit more. We've set up a trust
relationship between a JA-SIG CAS server and a Luminis CAS server. To do
this, we use mod_auth_cas to protect the login page of the JA-SIG CAS
server with a gateway request to the Luminis CAS server. Our Luminis
server sets a domain cookie when users connect. By checking this cookie
in mod_auth_cas, we can bypass unnecessary gateway trips to the Luminis
CAS server, which speeds things up for the user. It also eliminates a
dependency on Luminis. That is, people can still access JA-SIG CAS when
Luminis is down.
I've attached the patch to the MAS-12 JIRA issue:
http://www.ja-sig.org/issues/browse/MAS-12
(Matt and Phil, please note that there are two copies of
mod_auth_cas.c.diffs attached to MAS-12. I tried to remove
the earlier version, but didn't have permission to do so).
Earl Fogel
Information Technology Services phone: (306) 966-4861
University of Saskatchewan email: earl.fogel@...
_______________________________________________
cas-dev mailing list
cas-dev@...
http://tp.its.yale.edu/mailman/listinfo/cas-dev
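
The three checks described in the message above, modelled as one decision function. This is an added example, not part of the original message and not code from the patch or from mod_auth_cas. Assumptions: should_gateway(), has_cookie(), the gw_issued timestamp argument and the cookie name LUMSESS are hypothetical, the request method stands in for "has POST content", and a gateway cookie that is still valid is taken to mean a trip was already made.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a cookie named `name` appears in a Cookie request header. */
static int has_cookie(const char *header, const char *name)
{
    size_t n = strlen(name);
    const char *p = header;

    while (p && *p) {
        while (*p == ' ' || *p == ';')
            p++;                          /* skip separators */
        if (strncmp(p, name, n) == 0 && p[n] == '=')
            return 1;                     /* whole-name match, not a prefix */
        p = strchr(p, ';');               /* advance to the next pair */
    }
    return 0;
}

/* Hypothetical model of the decision, not mod_auth_cas code.
 * gw_issued: when the gateway cookie was set, -1 if none (assumed form).
 * necessary: CASGatewayNecessaryCookie value, NULL if unset. */
static int should_gateway(const char *method, const char *cookies,
                          const char *necessary, long gw_issued,
                          long now, long timeout)
{
    if (strcmp(method, "POST") == 0)
        return 0;   /* the POST content would be lost in the redirect */
    if (necessary && !has_cookie(cookies, necessary))
        return 0;   /* no login cookie, so the trip would find no session */
    /* The cookie is client-supplied: it only decides whether to try the
     * trip; identity still comes from the CAS server's answer. */
    if (gw_issued >= 0 && now - gw_issued <= timeout)
        return 0;   /* assumed: a still-valid gateway cookie means "tried" */
    return 1;
}

int main(void)
{
    const char *c = "lang=en; LUMSESS=abc123";   /* constructed sample */

    printf("%d\n", should_gateway("GET", c, "LUMSESS", -1, 1000, 60));   /* plain GET */
    printf("%d\n", should_gateway("POST", c, "LUMSESS", -1, 1000, 60));  /* POST */
    printf("%d\n", should_gateway("GET", "lang=en", "LUMSESS", -1, 1000, 60)); /* no login cookie */
    printf("%d\n", should_gateway("GET", c, "LUMSESS", 970, 1000, 60));  /* cookie 30 s old */
    printf("%d\n", should_gateway("GET", c, "LUMSESS", 900, 1000, 60));  /* cookie 100 s old */
    return 0;
}
```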