We use this approach on a number of sites.  In one of the Java clients, there 
was a CasValidateFilter that does this.  (I'm not sure if it still exists in 
the latest Java client.)

The biggest problem is that it won't automatically recognize a logged-in user 
unless they take some sort of action.  This approach acts similarly to Facebook 
Connect and OpenID.  I've heard that Facebook can do OpenID in an invisible 
IFRAME, effectively doing a "gateway" but without issuing a redirect on the 
outer page (the redirect is happening within the IFRAME).  This approach might 
work for enabling gateway-style single sign-on while using a validation-only 
(passthru mode) CAS client.

-Nathan


-----Original Message-----
From: Matthew J. Smith [mailto:matt.sm...@uconn.edu] 
Sent: Tuesday, July 13, 2010 4:48 PM
To: cas-dev@lists.jasig.org
Subject: RE: [cas-dev] Prevent CAS Redirect for Bots

I've tossed around (only in discussions with myself) the idea of
prototyping a CAS "Passthru" mode to mod_auth_cas.  This is similar to
Gateway mode, but without the redirect to determine if a user is already
authenticated.  The flow would be something like this:

1) User accesses resource protected by mod_auth_cas.

2) m-a-c, configured in "Passthru" mode checks for a "ticket=" parameter
or a session cookie.  Finding none, the user is allowed through
anonymously.

3) Internal to the application a "Login" link is available, bringing the
user to https://login.example.com/cas/login

4) Upon successful authentication (or acceptance of previously issued
TGC), user is directed back to application with "ticket=" parameter
(normal CAS flow),

5) m-a-c, configured in Passthru mode, finds a "ticket=" parameter,
performs "serviceValidate", sets REMOTE_USER for authenticated access,
and sets a session cookie.

6) Subsequent access(es), m-a-c configured in Passthru mode finds the
cookie and sets REMOTE_USER for authenticated access.

In this mode, anonymous access is allowed without redirects, and
authenticated access with one extra action from the user.

Anyone else think this would be useful?  Is there a big security hole I
haven't yet identified?

-Matt

On Tue, 2010-07-13 at 16:30 -0400, Nathan Kopp wrote:
> I think the use case is that bots should always look like guests.
> Recall that gateway mode is being used.
> 
> We actually will have this same requirement.  Consider a public
> website that uses gateway mode to provide customized content for users
> who are logged in, but will show generic content for all guest users.
> You want Google to spider the site and see the public (generic)
> content.  But it stops the instant it sees the gateway redirect.
> 
> -Nathan
> 
> From: J. David Beutel [mailto:jbeu...@hawaii.edu] 
> Sent: Tuesday, July 13, 2010 4:00 PM
> To: cas-dev@lists.jasig.org
> Subject: Re: [cas-dev] Prevent CAS Redirect for Bots
> 
> It sounds like you want to allow access for bots without
> authentication, while still requiring humans to authenticate for the
> same URL.  That can't be secure.  A human could impersonate a bot.
> 
> On the other hand, if you want to authenticate just the 20% of the
> site that you don't need the bots to access, you could use the
> url-pattern on the CAS filter in web.xml (with the Java client, at
> least).
> 
> On 2010-07-13 05:44, prasanna h wrote:
> 
> Hi Joachim,
> 
> I can use a robots.txt to allow or deny bots accessing portions of the
> site. But about 80% of the site has data that needs to be accessed by
> bots so as to not affect the search rank. Since I have enabled a CAS
> gateway, every request is intercepted and redirected to cas. I need to
> modify this so that requests from bots are not redirected to CAS.
> 
> Not sure if robots.txt is the way to go for what I'm trying to
> accomplish.
> 
> Prasanna.
> 
> On Tue, Jul 13, 2010 at 9:01 PM, Joachim Fritschi
> <frits...@hrz.tu-darmstadt.de> wrote:
> 
> Hi,
> 
> I guess a classic robots.txt should solve the issue for search
> engines.
> 
> Cheers,
> 
> Joachim
> 
> On 13.07.2010 11:18, prasanna h wrote:
> 
> Hi All,
> 
> We use CAS as a gateway where each request is intercepted and
> redirected to CAS to check for a ticket. I noticed that the redirect to
> CAS happens for users as well as bots. Has anyone using CAS encountered
> this and if yes, can you let me know the solution?
> 
> Right now, I'm planning to check the user-agent against a list of
> common bots to determine whether to redirect to CAS.
> 
> Looking forward to your thoughts as well.
> 
> Prasanna
> 
> 
> --
> You are currently subscribed to cas-...@lists.jasig.org as: frits...@hrz.tu-darmstadt.de
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
> 
> -- 
> Joachim Fritschi
> Hochschulrechenzentrum (HRZ)
> L1|01 Raum 248
> Petersenstr. 30
> 64287 Darmstadt
> 
> Tel. +49 6151 16-5638
> Fax. +49 6151 16-3050
> E-Mail: frits...@hrz.tu-darmstadt.de

-- 
Matthew J. Smith <matt.sm...@uconn.edu>
University Information Technology Services
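The six-step Passthru flow Matt sketches above, as an added example that is not code from this thread or from mod_auth_cas: a Python decision function that, per request, validates a "ticket=" parameter, issues an HMAC-signed session cookie, or lets the request through anonymously. It also shows the check his "security hole" question turns on: the session cookie must be unforgeable and expire, and the service passed to serviceValidate must be the request URL with the ticket stripped. The CAS validation call is replaced by a constructed offline stand-in, and the key, cookie name, ticket value and user are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed key for this example; a deployment loads it from config.
COOKIE_SECRET = b"example-only-passthru-key"
COOKIE_NAME = "MOD_AUTH_CAS_PT"  # hypothetical cookie name
SESSION_TTL = 3600  # seconds a passthru session cookie stays valid

def fake_service_validate(ticket, service):
    """Stand-in for the CAS /serviceValidate call in step 5. Real code makes
    an HTTPS request to the CAS server; this constructed table runs offline."""
    known = {("ST-1-constructed", "https://app.example.com/page?x=1"): "alice"}
    return known.get((ticket, service))

def make_session_cookie(user, now):
    """Cookie value user:expires:tag; the HMAC tag makes it unforgeable."""
    body = f"{user}:{int(now) + SESSION_TTL}"
    tag = hmac.new(COOKIE_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"

def user_from_cookie(value, now):
    """Return the user named by a valid, unexpired cookie, else None."""
    try:
        user, expires, tag = value.split(":")
    except ValueError:
        return None
    body = f"{user}:{expires}"
    expected = hmac.new(COOKIE_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # forged or tampered cookie: fall back to anonymous
    return user if int(expires) > now else None

def passthru(request_url, cookies, now, validate=fake_service_validate):
    """Decide REMOTE_USER for one request; returns (user, cookie_to_set).
    user None means the request passes through anonymously (step 2).
    now is the current time (time.time()), passed in for testability."""
    parts = urlsplit(request_url)
    params = parse_qsl(parts.query)
    ticket = dict(params).get("ticket")
    if ticket:  # step 5: validate, then issue the session cookie
        # The service sent to serviceValidate is the URL minus the ticket,
        # as the browser was sent to /login with it; a mismatch must fail.
        rest = urlencode([kv for kv in params if kv[0] != "ticket"])
        service = urlunsplit((parts.scheme, parts.netloc, parts.path, rest, ""))
        user = validate(ticket, service)
        return (user, make_session_cookie(user, now)) if user else (None, None)
    if COOKIE_NAME in cookies:  # step 6: returning user presents the cookie
        return user_from_cookie(cookies[COOKIE_NAME], now), None
    return None, None
```

A failed validation or a bad cookie yields anonymous access rather than an error, matching the "allowed through anonymously" behaviour of step 2; a deployment would also mark the cookie Secure and HttpOnly.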