Hi Scott,

Thank you, thank you for the excellent information that you've sent me.  I 
tried your recommendation, but it doesn't seem like it's using the 
authorization tag.  (Note: I could be wrong about this assumption.)  I tried to 
create a new website from scratch, tried different versions of authorization 
tags from the root and location tag, and I couldn't get it working based on 
the location tag.  From my observation and further debugging, it seems like it's 
checking the authorization based on the casClientConfig.

Inside the CasAlternateAuthModule, the Init() fires off an event handler:

    public override void Init(HttpApplication application)
    {
        ...
        application.AcquireRequestState += new EventHandler(this.Application_AcquireRequestState);
        ...
    }

This Application_AcquireRequestState calls this method IsCasProtected(), 
and it seems like it's checking based on the "secureUriRegex" and 
"secureUriExceptionRegex" config:

    protected bool IsCasProtected(HttpApplication application)
    {
        bool isProtected = this.SecureUriRegex.IsMatch(application.Request.RawUrl);
        if (isProtected) {
            isProtected = !this.SecureUriExceptionRegex.IsMatch(application.Request.RawUrl);
        }
        ...
    }

Also found this other reference that was helpful:
http://www.middleware.vt.edu/doku.php?do=export_pdf&id=middleware:cas:client:dotnet

So I was able to get it working with the following configuration.
The skeleton below illustrates how I set up my web.config:
- Allowed anonymous access to any file at the root of the web application
  (configuration/system.web/authorization/allow[users='*'])
- Redirected a specific folder (e.g. "SecureTestFolder") to CAS
  (casClientConfig/secureUriRegex="(?i)/SecureTestFolder/.*")


<configuration>
  <configSections>
    <section name="casClientConfig" 
type="DotNetCasClient.Configuration.CasClientConfiguration, DotNetCasClient"/>
     ...
  </configSections>
   ...
   <casClientConfig
      casServerLoginUrl="https://cas.pepperdine.edu:1234/cas/login"
      serverName="https://test1.pepperdine.edu"
      secureUriRegex="(?i)/SecureTestFolder/.*"
      secureUriExceptionRegex="(?i)/.*\.axd"
      casServerUrlPrefix="https://cas.pepperdine.edu:1234/cas"
      redirectAfterValidation="true"
      useSession="true"
      gateway="false"
      renew="false"
      ticketValidatorName="Saml11"
      ticketTimeTolerance="5000"
      singleSignOut="true"
   />  
   <system.web>
    <httpModules>
      <add name="DotNetCasClient" 
type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
      ...
    </httpModules>
    ...
    <authorization>
      <allow users="*" />
    </authorization>
    ...
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <remove name="DotNetCasClient" />
      <add name="DotNetCasClient" 
type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
    </modules>
  </system.webServer>
  ...
</configuration>


Is this the proper way?  Is there a way to get the location tag to work?
Many thanks again for your help, time, and patience.
-Dianne
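To see concretely what the IsCasProtected() logic quoted above does with the two regex settings from this web.config, here is an added Python mirror of that decision (my own example, not code from the thread or from the DotNetCasClient project). It assumes that Python's re.search and .NET's Regex.IsMatch behave the same for these patterns (both are unanchored searches, both honour the inline (?i) flag) and that RawUrl carries the path plus the query string. The sample requests are constructed. It also tries a tighter, hypothetical exception pattern anchored to the path, because the unanchored "/.*\.axd" exception also fires when ".axd" only appears in the query string.

```python
import re

# Values taken from the casClientConfig quoted above.
SECURE_URI_REGEX = r"(?i)/SecureTestFolder/.*"
SECURE_URI_EXCEPTION_REGEX = r"(?i)/.*\.axd"

# Hypothetical tighter exception pattern (my suggestion, not from the thread):
# it only excludes requests whose *path* ends in .axd, ignoring the query string.
ANCHORED_EXCEPTION_REGEX = r"(?i)^[^?]*\.axd(\?.*)?$"


def is_cas_protected(raw_url, secure_regex=SECURE_URI_REGEX,
                     exception_regex=SECURE_URI_EXCEPTION_REGEX):
    """Python mirror of the IsCasProtected() logic quoted above.

    raw_url plays the role of Request.RawUrl, i.e. the path *and* query string.
    Like .NET's Regex.IsMatch, re.search succeeds on a match anywhere in the
    string, so neither pattern is anchored unless it says so itself.
    """
    if not re.search(secure_regex, raw_url):
        return False
    return not re.search(exception_regex, raw_url)


def classify(urls, exception_regex=SECURE_URI_EXCEPTION_REGEX):
    """Map each RawUrl to True (redirect to CAS) or False (left alone)."""
    return {u: is_cas_protected(u, exception_regex=exception_regex) for u in urls}


# Constructed sample requests (not from the thread).
SAMPLE_URLS = [
    "/Default.aspx",
    "/SecureTestFolder/Report.aspx",
    "/securetestfolder/report.aspx",
    "/SecureTestFolder/WebResource.axd?d=abc",
    "/SecureTestFolder/Report.aspx?download=file.axd",
]

if __name__ == "__main__":
    for url, protected in classify(SAMPLE_URLS).items():
        print(f"{'CAS' if protected else '---':4} {url}")
    print("with anchored exception:")
    for url, protected in classify(SAMPLE_URLS, ANCHORED_EXCEPTION_REGEX).items():
        print(f"{'CAS' if protected else '---':4} {url}")
```

The first four results match what the configuration intends: the folder is protected regardless of case, the root is not, and WebResource.axd inside the folder is left alone. The last URL shows the difference between the two exception patterns: with the unanchored one a page request in the protected folder is left alone because ".axd" occurs in its query string, while the anchored pattern still sends it to CAS.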


-----Original Message-----
From: Scott M. Holodak [mailto:[email protected]] 
Sent: Wednesday, March 17, 2010 8:54 PM
To: [email protected]
Subject: RE: [cas-user] How to exclude pages from cas authentication in 
DotNetCasClient.dll?

Hi Dianne,

I'm not sure if you left out the configuration/configSections/section, 
configuration/casClientConfig, and 
configuration/system.web/authentication/forms blocks in your examples on 
purpose.  If not, see the web.sample file in the ExampleWebApp for 
configuration details. 

You want to set up one web.config at the root of your web application.  That 
web.config should define the CAS client configuration and should add the 
CasAuthenticationModule to configuration/system.web/httpModules (IIS5/6) and/or 
configuration/system.webserver/modules (IIS7+).  If you decide to add it in 
both places (because you want it to work on IIS 5/6 and 7+ without editing) 
you'll need to remove it from configuration/system.webserver/modules and add it 
back again to get around an integrated pipeline error message when you try to 
run the code on IIS 7+.   That's the only scenario in which you want to remove 
the CasAuthenticationModule from the pipeline.  You don't want to add it for 
authenticated subdirectories either.  In fact, it's generally a good idea to 
avoid dealing with Http Modules in location blocks altogether.  You also don't 
need to worry about IIS virtual directories.  You do need to worry about 
inheritance though.  For instance, if you have the CasAuthenticationModule in the 
root application on your web server, it's running in every sub-application (in 
some cases, you might want to remove it for sub-applications).  The trick is 
getting it to redirect/not redirect when appropriate for your applications.

The general idea is that the CasAuthenticationModule doesn’t _cause_ the 
interactions with the CAS server.  It's URL Authorization that ultimately 
causes the redirections.  CasAuthenticationModule deals with setting/verifying 
the identity of the user making the request, not determining whether that user 
is allowed to access a specific resource.  The UrlAuthorizationModule (or any 
other HttpModule / global.asax code) handles the AuthorizeRequest event and 
determines whether to send a 403/Forbidden to the browser.  The 
CasAuthenticationModule intercepts this before it makes it to the browser (for 
anonymous requests) and redirects to the CAS server instead.  When the request 
is redirected back from CAS, it is authenticated and authorized again, except 
this time with credentials (hopefully with authorization to access the 
resource).  

CAS authentication behaves identically to Forms Authentication with respect to 
how it interacts with the authorization subsystem, so any of the general info 
on ASP.NET authorization (i.e., URL authorization) should apply (More info: 
http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx)  You just need to write 
the authorization rules to match the goals of your application.  For varying 
the authorization by directory, you can either use location tags to overwrite 
the system.web/authorization rules in the main web.config, or you can create a 
web.config file in the subdirectories that only contains 
configuration/system.web/authorization rules.  

The skeleton below illustrates how you would:
- allow anonymous access to any file at the root of your web application ~/
  (configuration/system.web/authorization/allow[users='*'])
  - except ~/SecurePageAtRoot.aspx
    (configuration/location[path='SecurePageAtRoot.aspx']/system.web/authorization/deny[users='?'])
- deny anonymous access to any files in the ~/secure/ subdirectory
  (configuration/location[path='secure']/system.web/authorization/deny[users='?'])
  - except ~/secure/AllowAnonymous.aspx
    (configuration/location[path='secure/AllowAnonymous.aspx']/system.web/authorization/allow[users='*'])

<configuration>
  <configSections>
    <section name="casClientConfig" 
type="DotNetCasClient.Configuration.CasClientConfiguration, DotNetCasClient"/>
     ...
  </configSections>
   ...
   <casClientConfig ... ... ... />  
   <system.web>
    <httpModules>
      <add name="DotNetCasClient" 
type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
      ...
    </httpModules>
    <authentication mode="Forms">
      <forms loginUrl="https://fed.princeton.edu/cas/login" timeout="30"
             defaultUrl="~/Default.aspx" cookieless="UseCookies"
             slidingExpiration="true" path="/example/" />
    </authentication>
    ...
    <authorization>
      <allow users="*" />
    </authorization>
    ...
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <remove name="DotNetCasClient" />
      <add name="DotNetCasClient" 
type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
    </modules>
  </system.webServer>
  ...
  <location path="SecurePageAtRoot.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="secure/AllowAnonymous.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  ...
</configuration>

Let me know if you have any questions.

-ScottH
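The point Scott makes is that the redirect is driven by URL authorization, not by the module, so the useful check is "what does URL authorization decide for this path?". Here is an added Python model of that decision over the location blocks of the skeleton above (my own example, not code from the thread or from the DotNetCasClient project; the web.config string is constructed and keeps only the authorization parts). It assumes the ASP.NET rules the linked MSDN page documents: rules from the most specific location are evaluated before the parent's, the first rule matching the caller wins, and with no matching rule access is allowed. Only the "*" and "?" user tokens are modelled; named users, roles and web.config files in subdirectories are left out.

```python
import xml.etree.ElementTree as ET

# Constructed web.config with only the authorization parts of the skeleton above
# (casClientConfig, httpModules and forms authentication omitted for brevity).
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="SecurePageAtRoot.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="secure">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="secure/AllowAnonymous.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>
"""


def _child(elem, tag):
    """First direct child with the given tag (tags such as system.web contain a
    dot, so plain iteration is simpler than an ElementPath expression)."""
    for c in elem:
        if c.tag == tag:
            return c
    return None


def _rules(elem):
    """(action, users) pairs from elem/system.web/authorization, in file order."""
    sw = _child(elem, "system.web")
    auth = _child(sw, "authorization") if sw is not None else None
    return [] if auth is None else [(r.tag, r.get("users", "")) for r in auth]


def load_rules(config_xml):
    """Return (root rules, [(location path, its rules), ...])."""
    root = ET.fromstring(config_xml)
    locations = [(loc.get("path"), _rules(loc)) for loc in root if loc.tag == "location"]
    return _rules(root), locations


def location_applies(loc_path, request_path):
    """ASP.NET location matching: a path with an extension is a single file,
    anything else is a directory covering itself and everything beneath it.
    Paths are app-relative ('secure/Report.aspx') and case-insensitive."""
    lp, rp = loc_path.lower().strip("/"), request_path.lower().strip("/")
    if "." in lp.rsplit("/", 1)[-1]:
        return rp == lp
    return rp == lp or rp.startswith(lp + "/")


def rule_matches(users, is_anonymous):
    """Only the '*' (everyone) and '?' (anonymous) tokens are modelled here;
    named users and roles are out of scope for this demo."""
    return any(u.strip() == "*" or (u.strip() == "?" and is_anonymous)
               for u in users.split(","))


def is_authorized(config_xml, request_path, is_anonymous):
    """URL authorization: rules of the most specific location are checked
    first, then the parent ones; the first rule matching the caller wins,
    and with no matching rule access is allowed."""
    root_rules, locations = load_rules(config_xml)
    applicable = [(p, r) for p, r in locations if location_applies(p, request_path)]
    applicable.sort(key=lambda pr: len(pr[0]), reverse=True)
    ordered = [rule for _, rules in applicable for rule in rules] + root_rules
    for action, users in ordered:
        if rule_matches(users, is_anonymous):
            return action == "allow"
    return True


def cas_outcome(config_xml, request_path):
    """What the browser sees, following the description above: an anonymous
    403 is intercepted by CasAuthenticationModule and turned into a CAS redirect."""
    if is_authorized(config_xml, request_path, is_anonymous=True):
        return "served anonymously"
    if is_authorized(config_xml, request_path, is_anonymous=False):
        return "redirected to CAS, then served"
    return "403 even after CAS login"


if __name__ == "__main__":
    for path in ["Default.aspx", "SecurePageAtRoot.aspx", "secure/Report.aspx",
                 "secure/AllowAnonymous.aspx", "secure/deeper/Page.aspx"]:
        print(f"{path:30} -> {cas_outcome(WEB_CONFIG, path)}")
```

Running it shows the inheritance Scott describes: everything under secure/ (including deeper subfolders) bounces anonymous users to CAS, secure/AllowAnonymous.aspx is served anonymously because its own location rule is evaluated before the folder's, and the root and SecurePageAtRoot.aspx behave as the list above states. When reviewing a real deployment, the same evaluation should be repeated for any subdirectory web.config, since its rules are merged in exactly like a location block.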

-----Original Message-----
From: Dianne Asis [mailto:[email protected]] 
Sent: Wednesday, March 17, 2010 6:42 PM
To: [email protected]
Subject: [cas-user] How to exclude pages from cas authentication in 
DotNetCasClient.dll?

How would one exclude pages from cas authentication?

Scenario #A
I added the DotNetCasClient httpModule (line #14) in the location tag, but this 
module doesn't seem to be loading.
Using the DotNetCasClient.dll dev version, I have the following httpModule in 
my web.config file.
 1: <configuration>
 2:   <system.web>
 3:     <httpModules>
 4:       <remove name="FormsAuthentication"/>
 5:       <remove name="WindowsAuthentication"/>
 6:       <remove name="PassportAuthentication"/>
 7:       <!--<add name="DotNetCasClient" type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>-->
 8:       <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
 9:     </httpModules>
10:   </system.web>
11:   <location path="SecureFolder">
12:     <system.web>
13:       <httpModules>
14:         <add name="DotNetCasClient" type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
15:       </httpModules>
16:       <authorization>
17:         <deny users="?" />
18:       </authorization>
19:     </system.web>
20:   </location>
21: </configuration>

What happens?
a) go to http://www.foo.com/blah.aspx, there's no CAS authentication (the 
expected behavior)
b) go to http://www.foo.com/SecureFolder/blah2.aspx, there's no CAS 
authentication (expected to have authentication)


Scenario #B
I tried to reverse the logic and set up a "NonSecureFolder" and have the 
<remove> tag (see line #14).
 1: <configuration>
 2:   <system.web>
 3:     <httpModules>
 4:       <remove name="FormsAuthentication"/>
 5:       <remove name="WindowsAuthentication"/>
 6:       <remove name="PassportAuthentication"/>
 7:       <add name="DotNetCasClient" type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
 8:       <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
 9:     </httpModules>
10:   </system.web>
11:   <location path="NonSecureFolder">
12:     <system.web>
13:       <httpModules>
14:         <remove name="DotNetCasClient"/>
15:       </httpModules>
16:       <authorization>
17:         <allow users="*" />
18:       </authorization>
19:     </system.web>
20:   </location>
21: </configuration>

What happens?
a) go to http://www.foo.com/blah.aspx, there's CAS authentication (the expected 
behavior)
b) go to http://www.foo.com/NonSecureFolder/blah2.aspx, there's CAS 
authentication (expected to have no authentication)


Scenario #C
I also tried to set up a virtual directory for a specific folder <root>/Secure 
and added a second web.config file so I could load the DotNetCasClient, but I 
was not able to exclude pages from cas authentication.


Would you happen to have other ideas on how to exclude pages from cas 
authentication?
Thank you in advance for your help!
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
