Hi Dianne, I'm not sure if you left out the configuration/configSections/section, configuration/casClientConfig, and configuration/system.web/authentication/forms blocks in your examples on purpose. If not, see the web.sample file in the ExampleWebApp for configuration details.
You want to set up one web.config at the root of your web application. That web.config should define the CAS client configuration and should add the CasAuthenticationModule to configuration/system.web/httpModules (IIS5/6) and/or configuration/system.webServer/modules (IIS7+). If you decide to add it in both places (because you want it to work on IIS 5/6 and 7+ without editing), you'll need to remove it from configuration/system.webServer/modules and add it back again to get around an integrated pipeline error message when you try to run the code on IIS 7+. That's the only scenario in which you want to remove the CasAuthenticationModule from the pipeline. You don't want to add it for authenticated subdirectories either. In fact, it's generally a good idea to avoid dealing with HttpModules in location blocks altogether. You also don't need to worry about IIS virtual directories. You do need to worry about inheritance, though. For instance, if you add the CasAuthenticationModule in the root application on your web server, it's running in every sub-application (in some cases, you might want to remove it for sub-applications). The trick is getting it to redirect/not redirect when appropriate for your applications.

The general idea is that the CasAuthenticationModule doesn't _cause_ the interactions with the CAS server. It's URL Authorization that ultimately causes the redirections. CasAuthenticationModule deals with setting/verifying the identity of the user making the request, not determining whether that user is allowed to access a specific resource. The UrlAuthorizationModule (or any other HttpModule / global.asax code) handles the AuthorizeRequest event and determines whether to send a 403/Forbidden to the browser. The CasAuthenticationModule intercepts this before it makes it to the browser (for anonymous requests) and redirects to the CAS server instead.
When the request is redirected back from CAS, it is authenticated and authorized again, except this time with credentials (hopefully with authorization to access the resource). CAS authentication behaves identically to Forms Authentication with respect to how it interacts with the authorization subsystem, so any of the general info on ASP.NET authorization (i.e., URL authorization) should apply (more info: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx). You just need to write the authorization rules to match the goals of your application. For varying the authorization by directory, you can either use location tags to overwrite the system.web/authorization rules in the main web.config, or you can create a web.config file in the subdirectories that only contains configuration/system.web/authorization rules.

The skeleton below illustrates how you would:

- allow anonymous access to any file at the root of your web application ~/ (configuration/system.web/authorization/allow[users='*'])
- except ~/SecurePageAtRoot.aspx (configuration/location[path='SecurePageAtRoot.aspx']/system.web/authorization/deny[users='?'])
- deny anonymous access to any files in the ~/secure/ subdirectory (configuration/location[path='secure']/system.web/authorization/deny[users='?'])
- except ~/secure/AllowAnonymous.aspx (configuration/location[path='secure/AllowAnonymous.aspx']/system.web/authorization/allow[users='*'])

<configuration>
  <configSections>
    <section name="casClientConfig" type="DotNetCasClient.Configuration.CasClientConfiguration, DotNetCasClient"/>
    ...
  </configSections>
  ...
  <casClientConfig
    ...
    ...
    ... />
  <system.web>
    <httpModules>
      <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
      ...
    </httpModules>
    <authentication mode="Forms">
      <forms loginUrl="https://fed.princeton.edu/cas/login" timeout="30" defaultUrl="~/Default.aspx" cookieless="UseCookies" slidingExpiration="true" path="/example/" />
    </authentication>
    ...
    <authorization>
      <allow users="*" />
    </authorization>
    ...
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <remove name="DotNetCasClient" />
      <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
    </modules>
  </system.webServer>
  ...
  <location path="SecurePageAtRoot.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="secure/AllowAnonymous.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  ...
</configuration>

Let me know if you have any questions.

-ScottH

-----Original Message-----
From: Dianne Asis [mailto:[email protected]]
Sent: Wednesday, March 17, 2010 6:42 PM
To: [email protected]
Subject: [cas-user] How to exclude pages from cas authentication in DotNetCasClient.dll?

How would one exclude pages from CAS authentication?

Scenario #A

I added the DotNetCasClient httpModule (line #14) in the location tag, but this module doesn't seem to be loading. Using the DotNetCasClient.dll dev version, I have the following httpModule in my web.config file.

 1: <configuration>
 2:   <system.web>
 3:     <httpModules>
 4:       <remove name="FormsAuthentication"/>
 5:       <remove name="WindowsAuthentication"/>
 6:       <remove name="PassportAuthentication"/>
 7:       <!--<add name="DotNetCasClient" type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>-->
 8:       <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
 9:     </httpModules>
10:   </system.web>
11:   <location path="SecureFolder">
12:     <system.web>
13:       <httpModules>
14:         <add name="DotNetCasClient" type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
15:       </httpModules>
16:       <authorization>
17:         <deny users="?" />
18:       </authorization>
19:     </system.web>
20:   </location>
21: </configuration>

What happens?
a) go to http://www.foo.com/blah.aspx, there's no CAS authentication (the expected behavior)
b) go to http://www.foo.com/SecureFolder/blah2.aspx, there's no CAS authentication (expected to have authentication)

Scenario #B

I tried to reverse the logic and set up a "NonSecureFolder" and have the <remove> tag (see line #14).

 1: <configuration>
 2:   <system.web>
 3:     <httpModules>
 4:       <remove name="FormsAuthentication"/>
 5:       <remove name="WindowsAuthentication"/>
 6:       <remove name="PassportAuthentication"/>
 7:       <add name="DotNetCasClient" type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
 8:       <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
 9:     </httpModules>
10:   </system.web>
11:   <location path="NonSecureFolder">
12:     <system.web>
13:       <httpModules>
14:         <remove name="DotNetCasClient"/>
15:       </httpModules>
16:       <authorization>
17:         <allow users="*" />
18:       </authorization>
19:     </system.web>
20:   </location>
21: </configuration>

What happens?
a) go to http://www.foo.com/blah.aspx, there's CAS authentication (the expected behavior)
b) go to http://www.foo.com/NonSecureFolder/blah2.aspx, there's CAS authentication (expected to have no authentication)

Scenario #C

I also tried to set up a virtual directory for a specific folder <root>/Secure and added a second web.config file so I could load the DotNetCasClient, but I was not able to exclude pages from CAS authentication.

Would you happen to have other ideas on how to exclude pages from CAS authentication?

Thank you in advance for your help!
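To check which URL-authorization rule actually wins for a given request under the location-tag layout in Scott's reply, here is an added example (not DotNetCasClient or ExampleWebApp code) that parses a trimmed web.config and applies ASP.NET's merge order: the most specific location's rules first, then the parents', first match wins. The sample config and request paths are constructed for the example.

```python
"""Effective ASP.NET URL-authorization outcome for a request path, computed
from a web.config. Added example, not DotNetCasClient or ExampleWebApp code."""
import xml.etree.ElementTree as ET

# Constructed sample: the authorization parts of the skeleton in the reply.
WEB_CONFIG = """<configuration>
  <system.web><authorization><allow users="*" /></authorization></system.web>
  <location path="SecurePageAtRoot.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="secure">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="secure/AllowAnonymous.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

def _rules(auth):
    return [(r.tag, r.get("users", ""), r.get("roles", "")) for r in auth]

def effective_rules(config_xml, request_path):
    """Rules that apply to request_path, most specific <location> first.
    ASP.NET prepends a child's rules to its parent's and the first match
    wins; paths are matched case-insensitively, as IIS does."""
    root = ET.fromstring(config_xml)
    path = request_path.strip("/").lower()
    matched = []
    for loc in root.findall("location"):
        lp = loc.get("path", "").strip("/").lower()
        auth = loc.find("system.web/authorization")
        if auth is not None and (path == lp or path.startswith(lp + "/")):
            matched.append((len(lp), _rules(auth)))
    matched.sort(key=lambda m: m[0], reverse=True)
    rules = [r for _, rs in matched for r in rs]
    root_auth = root.find("system.web/authorization")
    return rules + (_rules(root_auth) if root_auth is not None else [])

def decide(config_xml, request_path, user=None, roles=()):
    """'allow' or 'deny' for the request; user=None means anonymous. An
    anonymous request that ends in 'deny' is the case CasAuthenticationModule
    intercepts and turns into a redirect to the CAS login page."""
    for verdict, users, role_attr in effective_rules(config_xml, request_path):
        names = {u.strip() for u in users.split(",") if u.strip()}
        wanted = {r.strip() for r in role_attr.split(",") if r.strip()}
        user_hit = ("*" in names or ("?" in names and user is None)
                    or (user is not None and user in names))
        if user_hit or wanted & set(roles):
            return verdict
    return "allow"  # the machine-level default rule is <allow users="*" />
```

Running decide() over the paths you care about, anonymous and authenticated, is a quick way to confirm a location layout does what the bullet list above intends before deploying it.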
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
