On 2/9/10 6:10 PM, Vitty, Paul wrote:
...
> Secondly, has anyone been able to get SAML release and mod_auth_cas
> to work successfully, by that I mean .htaccess files with 'require
> group student' etc, where the group information is provided by SAML
> release to mod_auth_cas?

Attached is a patch against mod_auth_cas trunk that allows you to do
what you describe above.

The directive:

require group student

would check the headers for the 'group' attribute provided by SAML and
give access if it equals 'student'.

Note that with this patch the require directive should use the attribute
name exactly as returned by SAML, without the CASAttributePrefix that may
have been configured.

Also note that CASAuthNHeader must be set so the SAML attributes will be
stored in the headers.

Finally, note that the require directives are effectively OR-ed.  Any
match will give access.

--- mod_auth_cas/src/mod_auth_cas.c     2010-02-10 10:44:09.000000000 -0500
+++ mod_auth_cas-authz/src/mod_auth_cas.c       2010-02-10 10:16:56.000000000 
-0500
@@ -2006,11 +2006,60 @@
        return(ap_pass_brigade(f->next, bb));
 }
 
+static int cas_check_user_access(request_rec *r)
+{
+    const char *attr;
+    int m = r->method_number;
+    const apr_array_header_t *reqs_arr = ap_requires(r);
+    require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
+    register int x;
+    const char *t;
+    char *w;
+    char *tokenizerCtx;
+    char *value;
+    char *values;
+    cas_cfg *c =
+        ap_get_module_config(r->server->module_config, &auth_cas_module);
+
+    for(x=0; x < reqs_arr->nelts; x++) {
+        if(!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
+            continue;
+        }
+        t = reqs[x].requirement;
+        w = ap_getword_white(r->pool, &t);
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "t = %s",t);
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "w = %s",w);
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                      "c->CASAttributePrefix = %s",c->CASAttributePrefix);
+        attr =
+            apr_table_get(r->headers_in,
+                          apr_pstrcat(r->pool, c->CASAttributePrefix, w, 
NULL));
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "%s%s = %s",
+                      c->CASAttributePrefix, w, attr);
+        if(!attr)
+            continue;
+        values = apr_pstrndup(r->pool, attr, strlen(attr));
+        value = apr_strtok(values, c->CASAttributeDelimiter, &tokenizerCtx);
+        while(value) {
+            if(strncasecmp(value, t, strlen(t)) == 0) {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "MATCH!!!", NULL);
+                return OK;
+            }
+            value = apr_strtok(NULL, c->CASAttributeDelimiter, &tokenizerCtx);
+        }
+    }
+
+    return DECLINED;
+}
+
 static void cas_register_hooks(apr_pool_t *p)
 {
+    static const char * const aszPost[]={"mod_authz_user.c", NULL};
        ap_hook_post_config(cas_post_config, NULL, NULL, APR_HOOK_MIDDLE);
        ap_hook_check_user_id(cas_authenticate, NULL, NULL, APR_HOOK_MIDDLE);
        ap_register_input_filter("CAS", cas_in_filter, NULL, 
AP_FTYPE_RESOURCE); 
+    ap_hook_auth_checker(cas_check_user_access, NULL, aszPost, 
APR_HOOK_MIDDLE);
+
 }
 
 static const command_rec cas_cmds [] = {
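Review bot: The comparison at `if(strncasecmp(value, t, strlen(t)) == 0)` is a case-insensitive prefix match, so `require group student` also grants access when the released attribute value is `students` or `student-admin`; compare the whole token instead, `if(strcasecmp(value, t) == 0) {`. The loop header dereferences `reqs_arr->nelts` even though `reqs` was built with a NULL guard one line earlier, so a request with no `require` lines in scope dereferences NULL; add `if(!reqs_arr) return DECLINED;` before the loop, as the stock authz modules do. Because `t` is the remainder of the directive after the first word, a line such as `require group student staff` is compared as the single string "student staff" and never matches; if several values per line are meant to be supported, iterate `t` with ap_getword_conf the way mod_authz_groupfile does. The lookup reads the attribute from r->headers_in, which presumes the module has already replaced any client-supplied header of the same name before the auth_checker hook runs — worth confirming against cas_authenticate, which lies outside this hunk. The DEBUG lines also write every released attribute value to the error log, and `"MATCH!!!", NULL` passes a stray argument to ap_log_rerror; both look like leftovers from development.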
