Hi,

The information that mod_auth_cas has at its disposal is what can be accessed via Apache's request_rec structure:

http://www.temme.net/sander/api/httpd/structrequest__rec.html

Within this structure, there is an apr_uri_t member, 'parsed_uri'.

http://apr.apache.org/docs/apr-util/0.9/structapr__uri__t.html

However, the parsed_uri that is in the request_rec does not contain fields such as 'hostname', 'scheme', or 'port', so mod_auth_cas takes a stab at determining that information, using the members request_rec->server->server_hostname, the use of ap_http_method() or ap_http_scheme() to determine HTTP/HTTPS, and the request_rec->connection->local_addr->port field. If a non-standard combination of scheme and port is detected (HTTP && not port 80 or HTTPS && not port 443) the port field is added to the service URL that mod_auth_cas constructs. Otherwise, it is left off.

This most likely works well for everyone using mod_auth_cas to interface with browsers, as mod_auth_cas constructs the service URL using the logic above to both generate the initial redirect as well as perform the ticket validation. Unfortunately, since you are using a RESTful interface, the two may not match.

I do not believe there is a way within Apache to determine the exact URL the user initially specified, as Apache only will know the local port the user connected to. If the 'Host' header sent by the client contains the port number, you may be able to use that value instead, however I believe that opens a security risk by trusting the value sent by the client (see http://www.ja-sig.org/wiki/display/CASC/CASFilter).

With small modifications you could force mod_auth_cas to include the port number with all service requests by tweaking the getCASService function (set the 'printPort' boolean value to TRUE always), but this may not be sufficient for your needs.

Hope this helps,
-Phil

On Wed, Mar 11, 2009 at 6:57 PM, <[email protected]> wrote:
> I'm using mod_auth_cas along with CAS RESTful interface to provide
> authentication for my application. We noticed that when generating the
> "service" parameter for both forwarding to CAS as well as ticket
> validation, mod_auth_cas doesn't use the URL that is given (suitably
> escaped), but rather reconstructs the URI based on various parameters
> that it gets from Apache.
>
> For example, suppose I reference the following URI:
>
> http://www.example.com:80/foo?ticket=ST-footicket
>
> When mod_auth_cas goes to validate the ticket, it is going to use this
> in the ticket parameter:
>
> http:/www.example.com/foo
>
> The ticket validation will fail because the ":80" is missing.
>
> This probably doesn't cause a problem for browser clients because the
> initial forwarding to the CAS login page will already have a rewritten
> URI, so that the ticket is issued against the rewritten URI, and the
> forwarding back to mod_auth_cas will happen with the rewritten URI and
> everything will work. However, since we are using the CAS restful API
> to prefetch a ticket, the URI rewriting does cause a problem.
>
> Is there a reason for this rewriting behavior? Is there a way to
> disable it?
>
> Thanks,
>
> David Ohsie
> EMC Corporation
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
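The service-URL construction described in the reply above, as an added example that is not mod_auth_cas source code. `struct req_info`, `build_service` and `service_matches` are hypothetical names, and the CAS server's service check is modelled as an exact string comparison, which is an assumption drawn from the failure reported in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the values the reply names; not Apache's request_rec. */
struct req_info {
    const char *server_hostname; /* request_rec->server->server_hostname */
    int is_https;                /* outcome of ap_http_scheme()/ap_http_method() */
    unsigned local_port;         /* request_rec->connection->local_addr->port */
    const char *path;            /* request path with the ticket parameter removed */
};

/* Build the service URL from server-side values only; the client-supplied
 * Host header is never consulted. always_port models the "set printPort to
 * TRUE always" tweak. Returns 0 on success, -1 if out is too small. */
int build_service(const struct req_info *r, int always_port, char *out, size_t len)
{
    const char *scheme = r->is_https ? "https" : "http";
    unsigned default_port = r->is_https ? 443 : 80;
    int print_port = always_port || r->local_port != default_port;
    int n;

    if (print_port)
        n = snprintf(out, len, "%s://%s:%u%s", scheme,
                     r->server_hostname, r->local_port, r->path);
    else
        n = snprintf(out, len, "%s://%s%s", scheme, r->server_hostname, r->path);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Assumption: validation succeeds only when the rebuilt service is
 * byte-for-byte the service the ticket was issued for. */
int service_matches(const char *issued_for, const struct req_info *r, int always_port)
{
    char built[512];
    if (build_service(r, always_port, built, sizeof built) != 0)
        return 0;
    return strcmp(issued_for, built) == 0;
}

int main(void)
{
    struct req_info r = { "www.example.com", 0, 80, "/foo" };
    const char *with_port = "http://www.example.com:80/foo"; /* REST prefetch from the thread */
    const char *no_port = "http://www.example.com/foo";      /* what a browser flow ends up with */

    printf("default,    ticket for :80 form : %d\n", service_matches(with_port, &r, 0));
    printf("always_port, ticket for :80 form: %d\n", service_matches(with_port, &r, 1));
    printf("always_port, ticket for bare form: %d\n", service_matches(no_port, &r, 1));
    return 0;
}
```

Either setting accepts only one spelling of the same URL, so a REST client has to request its ticket for the exact string the module will rebuild.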
