Class: CAS::Filter
- Inherits:
-
Object
- Object
- CAS::Filter
- Defined in:
- lib/cas_auth.rb
Overview
Allows authentication through a CAS server. The precondition for this filter to work is that you have an authentication infrastructure. As such, this is for the enterprise rather than small shops.
To use CAS::Filter for authentication, add something like this to your environment:
CAS::Filter.server_name = "yourapplication.server.name"
CAS::Filter.cas_base_url = "https://cas.company.com
The filter will try to use the standard CAS page locations based on this URL. Or you can explicitly specify the individual URLs:
CAS::Filter.server_name = "yourapplication.server.name"
CAS::Filter.login_url = "https://cas.company.com/login"
CAS::Filter.validate_url = "https://cas.company.com/proxyValidate"
It is of course possible to use different configurations in development, test and production by placing the configuration in the appropriate environments file.
To add CAS protection to a controller:
before_filter CAS::Filter
All of the standard Rails filter qualifiers can also be used. For example:
before_filter CAS::Filter, :only => [:admin, :private]
By default CAS::Filter saves the logged in user in session but that name can be changed by setting CAS::Filter.session_username The username is also available from the request by
request.username
This wrapping of the request can be disabled by
CAS::Filter.wrap_request = false
Proxying is also possible. Please see the README for examples.
Constant Summary collapse
- @@login_url =
"https://localhost/login"
- @@logout_url =
nil
- @@validate_url =
"https://localhost/proxyValidate"
- @@server_name =
"localhost"
- @@renew =
false
- @@session_username =
:casfilteruser
- @@query_string =
{}
- @@fake =
nil
- @@pgt =
nil
[]
Class Method Summary collapse
- .cas_base_url=(url) ⇒ Object
- .create_logout_url ⇒ Object
- .fake ⇒ Object
- .fake=(val) ⇒ Object
- .filter_f(controller) ⇒ Object
- .filter_r(controller) ⇒ Object (also: filter)
-
.logger ⇒ Object
(also: log)
Retrieves the current Logger instance.
- .logger=(val) ⇒ Object (also: log=)
- .logout_url(controller) ⇒ Object
- .logout_url=(url) ⇒ Object
- .request_proxy_ticket(target_service, pgt) ⇒ Object
Class Method Details
.cas_base_url=(url) ⇒ Object
124 125 126 127 128 129 130 |
# File 'lib/cas_auth.rb', line 124 def cas_base_url=(url) url.gsub!(/\/$/, '') CAS::Filter.login_url = "#{url}/login" CAS::Filter.validate_url = "#{url}/proxyValidate" CAS::Filter.proxy_url = "#{url}/proxy" logger.debug "Initialized CAS base url to: #{url}" end |
.create_logout_url ⇒ Object
105 106 107 108 109 110 |
# File 'lib/cas_auth.rb', line 105 def create_logout_url if !@@logout_url && @@login_url =~ %r{^(.+?)/[^/]*$} @@logout_url = "#{$1}/logout" end logger.debug "Created logout url: #{@@logout_url}" end |
.fake ⇒ Object
132 133 134 |
# File 'lib/cas_auth.rb', line 132 def fake @@fake end |
.fake=(val) ⇒ Object
136 137 138 139 140 141 142 143 144 145 |
# File 'lib/cas_auth.rb', line 136 def fake=(val) if val.nil? alias :filter :filter_r logger.info "Will use real filter" else alias :filter :filter_f logger.warn "Will use fake filter" end @@fake = val end |
.filter_f(controller) ⇒ Object
147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 |
# File 'lib/cas_auth.rb', line 147 def filter_f(controller) logger.break logger.warn("Using fake CAS filter") username = @@fake if :failure == @@fake return false elsif :param == @@fake username = controller.params['username'] elsif Proc === @@fake username = @@fake.call(controller) end logger.info("The username set by the fake filter is: #{username}") controller.session[@@session_username] = username return true end |
.filter_r(controller) ⇒ Object Also known as: filter
163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 |
# File 'lib/cas_auth.rb', line 163 def filter_r(controller) logger.break logger.info("Using real CAS filter in controller: #{controller}") session_receipt = controller.session[:casfilterreceipt] session_ticket = controller.session[:caslastticket] ticket = controller.params[:ticket] is_valid = false if ticket and (!session_ticket or session_ticket != ticket) log.info "A ticket parameter was given in the URI: #{ticket} and "+ (!session_ticket ? "there is no previous ticket for this session" : "the ticket is different than the previous ticket, which was #{session_ticket}") receipt = get_receipt_for_ticket(ticket, controller) if receipt && validate_receipt(receipt) logger.info("Receipt for ticket request #{ticket} is valid, belongs to user #{receipt.user_name}, and will be stored in the session.") controller.session[:casfilterreceipt] = receipt controller.session[:caslastticket] = ticket controller.session[@@session_username] = receipt.user_name if receipt.pgt_iou logger.info("Receipt has a proxy-granting ticket IOU. Attempting to retrieve the proxy-granting ticket...") pgt = retrieve_pgt(receipt) if pgt log.debug("Got PGT #{pgt} for PGT IOU #{receipt.pgt_iou}. This will be stored in the session.") controller.session[:casfilterpgt] = pgt else log.error("Failed to retrieve a PGT for PGT IOU #{receipt.pgt_iou}!") end end is_valid = true else if receipt log.warn "Receipt was invalid for ticket #{ticket}!" else log.warn "get_receipt_for_ticket() for ticket #{ticket} did not return a receipt!" end end elsif session_receipt log.info "Validating receipt from the session because " + (ticket ? "the given ticket #{ticket} is the same as the old ticket" : "there was no ticket given in the URI") + "." log.debug "The session receipt is: #{session_receipt}" is_valid = validate_receipt(session_receipt) if is_valid log.info "The session receipt is VALID" else log.warn "The session receipt is NOT VALID!" end else log.info "No ticket was given and we do not have a receipt in the session." did_gateway = controller.session[:casfiltergateway] raise CASException, "Can't redirect without login url" unless @@login_url if did_gateway if controller.session[@@session_username] log.info "We gatewayed and have a username stored in the session. The gateway was therefore successful." is_valid = true else log.debug "We gatewayed but do not have a username stored in the session, so we will keep session[:casfiltergateway] true" controller.session[:casfiltergateway] = true end else log.info "We did not gateway, so we will notify the filter that the next request is being gatewayed by setting sesson[:casfiltergateway} to true" controller.session[:casfiltergateway] = true end end if is_valid logger.info "This request is successfully CAS authenticated for user #{controller.session[@@session_username]}!" return true else controller.session[:service] = service_url(controller) logger.info "This request is NOT CAS authenticated, so we will redirect to the login page at: #{redirect_url(controller)}" controller.send :redirect_to, redirect_url(controller) and return false end end |
.logger ⇒ Object Also known as: log
Retrieves the current Logger instance
95 96 97 |
# File 'lib/cas_auth.rb', line 95 def logger CAS::LOGGER end |
.logger=(val) ⇒ Object Also known as: log=
98 99 100 |
# File 'lib/cas_auth.rb', line 98 def logger=(val) CAS::LOGGER.set_logger(val) end |
.logout_url(controller) ⇒ Object
112 113 114 115 116 117 |
# File 'lib/cas_auth.rb', line 112 def logout_url(controller) create_logout_url unless @@logout_url url = redirect_url(controller,@@logout_url) logger.debug "Logout url is: #{url}" url end |
.logout_url=(url) ⇒ Object
119 120 121 122 |
# File 'lib/cas_auth.rb', line 119 def logout_url=(url) @@logout_url = url logger.debug "Initialized logout url to: #{url}" end |
.request_proxy_ticket(target_service, pgt) ⇒ Object
254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 |
# File 'lib/cas_auth.rb', line 254 def request_proxy_ticket(target_service, pgt) r = ProxyTicketRequest.new r.proxy_url = @@proxy_url r.target_service = target_service r.pgt = pgt raise CAS::ProxyGrantingNotAvailable, "Cannot request a proxy ticket for service #{r.target_service} because no proxy granting ticket (PGT) has been set." unless r.pgt logger.info("Requesting proxy ticket for service: #{r.target_service} with PGT #{pgt}") r.request if r.proxy_ticket logger.info("Got proxy ticket #{r.proxy_ticket} for service #{r.target_service}") else logger.warn("Did not receive a proxy ticket for service #{r.target_service}! Reason: #{r.error_code}: #{r.}") end return r end |