Hello,
may anybody explain why mod_auth_cas always removes the ticket
parameter (even if there is a valid mod_auth_cas session/cookie)? Due
to the actual implementation (see removeCASParams in function
cas_authenticate) you cannot build a chain of multiple cas clients in
reverse proxy scenarios. For example:
apache (internet reverse proxy with mod_auth_cas) -> internal web- or
application server (running any other cas client)
For such implementations the inner cas client (behind mod_auth_cas from
the browser's view) can never establish any cas session because it will never
get the ticket parameter (as a result there will be an endless loop of
redirects). To solve this issue I have written a patch (see below). May
anybody have a look at it (for me this patch is working)? Please also
take care that other people are asking for such a fix/feature on the cas newslist.
Finally, I would like to say thanks to all the people who contribute anything
to cas.
cu martin
--- mod_auth_cas.c (revision 25681)
+++ mod_auth_cas.c (working copy)
@@ -1759,10 +1759,21 @@
ticket = getCASTicket(r);
cookieString = getCASCookie(r, (ssl ? d->CASSecureCookie
:d->CASCookie));
- // only remove parameters if a ticket was found (makes no sense
to do this otherwise)
- if(ticket != NULL)
- parametersRemoved = removeCASParams(r);
+ // only remove parameters if no valid session/cookie was found
(makes no sense to do this otherwise)
+ if(ticket != NULL){
+ if(cookieString!=NULL){
+ if(isValidCASCookie(r, c, cookieString,
&remoteUser, &attrs)){
+ r->user = remoteUser;
+ if(d->CASAuthNHeader != NULL)
+ apr_table_set(r->headers_in,
d->CASAuthNHeader, remoteUser);
+ // TODO do we need futher cookie
updates e.g. lifetime
+ return OK;
+ }
+ }
+ parametersRemoved = removeCASParams(r);
+ }
+
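Review bot: the early `return OK` in the new `isValidCASCookie` branch leaves cas_authenticate before whatever follows this hunk on the normal path, and the `// TODO do we need futher cookie updates e.g. lifetime` comment shows this is known: any cookie refresh or timeout handling done later in the function is skipped for exactly the requests that now carry a ticket through to the backend, so those sessions would age differently from sessions on the normal path. Rather than duplicating the `r->user = remoteUser;` and `apr_table_set(r->headers_in, d->CASAuthNHeader, remoteUser);` assignments here and returning, consider only deciding whether to call `removeCASParams(r)` in this block (for example via a flag set when the cookie validates) and letting the existing code further down perform the user/header assignment and any cookie maintenance, so the two paths cannot drift. Two smaller points: the validated cookie is checked here with `isValidCASCookie` but the result is not recorded, so a second validation of the same cookie later in the function is likely, which is the kind of duplicate work the flag would also avoid; and the final `+` line adds a blank trailing line that the surrounding code does not have.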
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev