Hi Scott,
Oh my! My mistake on the copy and paste! Actually, I did load the
CasAlternateAuthModule. I assumed that the Saml was only available on the
CasAlternateAuthModule based on the ExampleWebApp/Web.config.sample.config
file. I'll follow your recommendation and use the CasAuthenticationModule. I
may have questions if I run into an issue. :o) Thank you again!
<configuration>
<configSections>
<section name="casClientConfig"
type="DotNetCasClient.Configuration.CasClientConfiguration,
DotNetCasClient"/>
...
</configSections>
...
<casClientConfig
casServerLoginUrl="https://cas.pepperdine.edu:1234/cas/login"
serverName="https://test1.pepperdine.edu"
secureUriRegex="(?i)/SecureTestFolder/.*"
secureUriExceptionRegex="(?i)/.*\.axd"
casServerUrlPrefix="https://cas.pepperdine.edu:1234/cas"
redirectAfterValidation="true"
useSession="true"
gateway="false"
renew="false"
ticketValidatorName="Saml11"
ticketTimeTolerance="5000"
singleSignOut="true"
/>
<system.web>
<authorization>
<allow users="*" />
</authorization>
<httpModules>
<add name="DotNetCasClient"
type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
<!--<add name="DotNetCasClient"
type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>-->
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31BF3856AD364E35"/>
</httpModules>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules>
<remove name="ScriptModule"/>
<add name="ScriptModule" preCondition="managedHandler"
type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0,
Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<remove name="DotNetCasClient"/>
<add name="DotNetCasClient"
type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
<!--<add name="DotNetCasClient"
type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>-->
</modules>
</system.webServer>
...
</configuration>
Thank you!
-Dianne
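Added example (not part of this thread and not DotNetCasClient code): a small Python model of the two authorization styles discussed in the quoted messages below. The regexes are the ones from Dianne's casClientConfig, the rule table is Scott's web.config skeleton; the ASP.NET rule ordering (most specific location first, first match wins) is modelled from the framework's documented behaviour, not taken from the module source.

```python
import re

# Added example (not DotNetCasClient code): a small model of the two
# authorization styles described in this thread, with constructed rules
# copied from the web.config skeletons quoted in the messages.

# CasAlternateAuthModule style: protection decided by casClientConfig regexes.
SECURE_URI_REGEX = re.compile(r"(?i)/SecureTestFolder/.*")
SECURE_URI_EXCEPTION_REGEX = re.compile(r"(?i)/.*\.axd")

def is_cas_protected(raw_url: str) -> bool:
    """Same decision as the IsCasProtected() excerpt: match the secure regex,
    then carve out anything matching the exception regex (e.g. *.axd)."""
    protected = SECURE_URI_REGEX.search(raw_url) is not None
    if protected:
        protected = SECURE_URI_EXCEPTION_REGEX.search(raw_url) is None
    return protected

# CasAuthenticationModule style: standard ASP.NET URL authorization rules.
# (location path, action, users); "" is the root system.web/authorization.
AUTH_RULES = [
    ("", "allow", "*"),
    ("SecurePageAtRoot.aspx", "deny", "?"),
    ("secure", "deny", "?"),
    ("secure/AllowAnonymous.aspx", "allow", "*"),
]

def _applies(location: str, path: str) -> bool:
    path, loc = path.lstrip("/").lower(), location.lower()
    return loc == "" or path == loc or path.startswith(loc + "/")

def url_authorization(path: str, authenticated: bool) -> bool:
    """UrlAuthorizationModule: the most specific location is consulted first
    and the first rule whose 'users' matches decides ('*' = everyone,
    '?' = anonymous)."""
    rules = sorted((r for r in AUTH_RULES if _applies(r[0], path)),
                   key=lambda r: len(r[0]), reverse=True)
    for _, action, users in rules:
        if users == "*" or (users == "?" and not authenticated):
            return action == "allow"
    return True  # machine-level default rule is allow users="*"

def pipeline_outcome(path: str, authenticated: bool) -> str:
    """What the browser sees: the CAS module only turns an anonymous 403 into
    a redirect to the CAS login; it never decides protection itself."""
    if url_authorization(path, authenticated):
        return "200"
    return "redirect-to-cas" if not authenticated else "403"
```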
-----Original Message-----
From: Scott M. Holodak [mailto:[email protected]]
Sent: Friday, March 19, 2010 6:49 AM
To: [email protected]
Subject: RE: [cas-user] How to exclude pages from cas authentication in
DotNetCasClient.dll?
Hi Dianne,
It looks like you've installed the CasAuthenticationModule but are using
configuration for CasAlternateAuthModule.
The current milestone build contains 2 HTTP Modules. Only the
'CasAuthenticationModule' supports the ASP.NET Authorization / URL
authorization. The configuration for the two modules is slightly
different.
SampleWebApp's web.sample details which configuration items are required &
optional for which module.
- CasAuthenticationModule
. Requires configuration/system.web/authentication/forms configuration
AND configuration/casClientConfig
. Authorization controlled by standard ASP.NET
configuration/system.web/authorization,
configuration/location/authorization, and/or folder-level web.config
files containing configuration/system.web/authorization elements.
- CasAlternateAuthModule
. Requires only configuration/casClientConfig
. Authorization controlled by URL regular expressions in
casClientConfig
I would recommend you stick with the CasAuthenticationModule. It provides
more fine-grained control over which pages require CAS authentication.
-ScottH
> -----Original Message-----
> From: Asis, Dianne [mailto:[email protected]]
> Sent: Friday, March 19, 2010 2:25 AM
> To: [email protected]
> Subject: RE: [cas-user] How to exclude pages from cas authentication in
> DotNetCasClient.dll?
>
> Hi Scott,
>
> Thank you, thank you for the excellent information that you've sent me.
> I tried your recommendation, but it doesn't seem like it's using the
> authorization tag. (Note: I could be wrong about this assumption.) I
> tried to create a new website from scratch, tried different versions of
> authorization tags from the root and location tag, and I couldn't get
> it working based on the location tag. From my observation and further
> debugging, it seems like it's checking the authorization based on the
> casClientConfig.
>
> Inside the CasAlternateAuthModule, the Init() fires off an event
> handler:
> public override void Init(HttpApplication application) {
> ...
> application.AcquireRequestState += (new
> EventHandler(this.Application_AcquireRequestState));
> ...
> }
>
> This Application_AcquireRequestState calls this method
> IsCasProtected(), and it seems like it's checking based on the
> "secureUriRegex" and "secureUriExceptionRegex" config.
>
> protected bool IsCasProtected(HttpApplication application)
> {
> bool isProtected =
> this.SecureUriRegex.IsMatch(application.Request.RawUrl);
> if (isProtected) {
> isProtected =
> !this.SecureUriExceptionRegex.IsMatch(application.Request.RawUrl);
> }
> ...
>
> }
>
> Also found this other reference that was helpful:
> http://www.middleware.vt.edu/doku.php?do=export_pdf&id=middleware:cas:client:dotnet
>
> So I was able to get it working with the following configurations.
> The skeleton below illustrates how I set up my web.config:
> - Allowed anonymous access to any file at the root of a web application
> (configuration/system.web/authorization/allow[users='*'])
> - Redirected a specific folder (e.g. "SecureTestFolder") to CAS
> (casClientConfig/secureUriRegex="(?i)/SecureTestFolder/.*")
>
>
> <configuration>
> <configSections>
> <section name="casClientConfig"
> type="DotNetCasClient.Configuration.CasClientConfiguration,
> DotNetCasClient"/>
> ...
> </configSections>
> ...
> <casClientConfig
> casServerLoginUrl="https://cas.pepperdine.edu:1234/cas/login"
> serverName="https://test1.pepperdine.edu"
> secureUriRegex="(?i)/SecureTestFolder/.*"
> secureUriExceptionRegex="(?i)/.*\.axd"
> casServerUrlPrefix="https://cas.pepperdine.edu:1234/cas"
> redirectAfterValidation="true"
> useSession="true"
> gateway="false"
> renew="false"
> ticketValidatorName="Saml11"
> ticketTimeTolerance="5000"
> singleSignOut="true"
> />
> <system.web>
> <httpModules>
> <add name="DotNetCasClient"
> type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
> ...
> </httpModules>
> ...
> <authorization>
> <allow users="*" />
> </authorization>
> ...
> </system.web>
> <system.webServer>
> <validation validateIntegratedModeConfiguration="false"/>
> <modules>
> <remove name="DotNetCasClient" />
> <add name="DotNetCasClient"
> type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
> </modules>
> </system.webServer>
> ...
> </configuration>
>
>
> Is this the proper way? Is there a way to get the location tag to
> work?
> Many thanks again for your help, time, and patience.
> -Dianne
>
>
> -----Original Message-----
> From: Scott M. Holodak [mailto:[email protected]]
> Sent: Wednesday, March 17, 2010 8:54 PM
> To: [email protected]
> Subject: RE: [cas-user] How to exclude pages from cas authentication in
> DotNetCasClient.dll?
>
> Hi Dianne,
>
> I'm not sure if you left out the configuration/configSections/section,
> configuration/casClientConfig, and
> configuration/system.web/authentication/forms blocks in your examples
> on purpose. If not, see the web.sample file in the ExampleWebApp for
> configuration details.
>
> You want to setup 1 web.config at the root of your web application.
> That web.config should define the CAS client configuration and should
> add the CasAuthenticationModule to configuration/system.web/httpModules
> (IIS5/6) and/or configuration/system.webserver/modules (IIS7+). If you
> decide to add it in both places (because you want it to work on IIS 5/6
> and 7+ without editing) you'll need to remove it from
> configuration/system.webserver/modules and add it back again to get
> around an integrated pipeline error message when you try to run the
> code on IIS 7+. That's the only scenario in which you want to remove
> the CasAuthenticationModule from the pipeline. You don't want to add
> it for authenticated subdirectories either. In fact, it's generally a
> good idea to avoid dealing with Http Modules in location blocks
> altogether. You also don't need to worry about IIS virtual
> directories. You do need to worry about inheritance though. For
> instance, if you add the CasAuthenticationModule in the root application on
> your web server, it's running in every sub-application (in some cases,
> you might want to remove it for sub-applications). The trick is
> getting it to redirect/not redirect when appropriate for your
> applications.
>
> The general idea is that the CasAuthenticationModule doesn’t _cause_
> the interactions with the CAS server. It's URL Authorization that
> ultimately causes the redirections. CasAuthenticationModule deals with
> setting/verifying the identity of the user making the request, not
> determining whether that user is allowed to access a specific resource.
> The UrlAuthorizationModule (or any other HttpModule / global.asax code)
> handles the AuthorizeRequest event and determines whether to send a
> 403/Forbidden to the browser. The CasAuthenticationModule intercepts
> this before it makes it to the browser (for anonymous requests) and
> redirects to the CAS server instead. When the request is redirected
> back from CAS, it is authenticated and authorized again, except this
> time with credentials (hopefully with authorization to access the
> resource).
>
> CAS authentication behaves identically to Forms Authentication with
> respect to how it interacts with the authorization subsystem, so any of
> the general info on ASP.NET authorization (i.e., URL authorization)
> should apply (more info: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx).
> You just need to write the authorization rules to match the goals of your
> application. For varying the
> authorization by directory, you can either use location tags to
> overwrite the system.web/authorization rules in the main web.config, or
> you can create a web.config file in the subdirectories that only
> contains configuration/system.web/authorization rules.
>
> The skeleton below illustrates how you would:
> - allow anonymous access to any file at the root of your web
> application ~/
> (configuration/system.web/authorization/allow[users='*'])
> - except ~/SecurePageAtRoot.aspx
> (configuration/location[path='SecurePageAtRoot.aspx']/system.web/authorization/deny[users='?'])
> - deny anonymous access to any files in the ~/secure/ subdirectory.
> (configuration/location[path='secure']/system.web/authorization/deny[users='?'])
> - except ~/secure/AllowAnonymous.aspx
> (configuration/location[path='secure/AllowAnonymous.aspx']/system.web/authorization/allow[users='*'])
>
> <configuration>
> <configSections>
> <section name="casClientConfig"
> type="DotNetCasClient.Configuration.CasClientConfiguration,
> DotNetCasClient"/>
> ...
> </configSections>
> ...
> <casClientConfig ... ... ... />
> <system.web>
> <httpModules>
> <add name="DotNetCasClient"
> type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
> ...
> </httpModules>
> <authentication mode="Forms">
> <forms loginUrl="https://fed.princeton.edu/cas/login"
> timeout="30" defaultUrl="~/Default.aspx"
> cookieless="UseCookies" slidingExpiration="true"
> path="/example/" />
> </authentication>
> ...
> <authorization>
> <allow users="*" />
> </authorization>
> ...
> </system.web>
> <system.webServer>
> <validation validateIntegratedModeConfiguration="false"/>
> <modules>
> <remove name="DotNetCasClient" />
> <add name="DotNetCasClient"
> type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
> </modules>
> </system.webServer>
> ...
> <location path="SecurePageAtRoot.aspx">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
> </location>
> <location path="secure">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
> </location>
> <location path="secure/AllowAnonymous.aspx">
> <system.web>
> <authorization>
> <allow users="*" />
> </authorization>
> </system.web>
> </location>
> ...
> </configuration>
>
> Let me know if you have any questions.
>
> -ScottH
>
> -----Original Message-----
> From: Dianne Asis [mailto:[email protected]]
> Sent: Wednesday, March 17, 2010 6:42 PM
> To: [email protected]
> Subject: [cas-user] How to exclude pages from cas authentication in
> DotNetCasClient.dll?
>
> How would one exclude pages from cas authentication?
>
> Scenario #A
> I added the DotNetCasClient httpModule (line #14) in the location tag,
> but this module doesn't seem to be loading.
> Using the DotNetCasClient.dll dev version, I have the following
> httpModule in my web.config file.
> 1: <configuration>
> 2: <system.web>
> 3: <httpModules>
> 4: <remove name="FormsAuthentication"/>
> 5: <remove name="WindowsAuthentication"/>
> 6: <remove name="PassportAuthentication"/>
> 7: <!--<add name="DotNetCasClient"
> type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>-->
> 8: <add name="ScriptModule"
> type="System.Web.Handlers.ScriptModule, System.Web.Extensions,
> Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
> 9: </httpModules>
> 10: </system.web>
> 11: <location path="SecureFolder">
> 12: <system.web>
> 13: <httpModules>
> 14: <add name="DotNetCasClient"
> type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
> 15: </httpModules>
> 16: <authorization>
> 17: <deny users="?" />
> 18: </authorization>
> 19: </system.web>
> 20: </location>
> 21:</configuration>
>
> What happens?
> a) go to http://www.foo.com/blah.aspx, there's no CAS authentication
> (the expected behavior)
> b) go to http://www.foo.com/SecureFolder/blah2.aspx, there's no CAS
> authentication (expected to have authentication)
>
>
> Scenario #B
> I tried to reverse the logic and set up a "NonSecureFolder" and have
> the <remove> tag (see line #14).
> 1: <configuration>
> 2: <system.web>
> 3: <httpModules>
> 4: <remove name="FormsAuthentication"/>
> 5: <remove name="WindowsAuthentication"/>
> 6: <remove name="PassportAuthentication"/>
> 7: <add name="DotNetCasClient"
> type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
> 8: <add name="ScriptModule"
> type="System.Web.Handlers.ScriptModule, System.Web.Extensions,
> Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
> 9: </httpModules>
> 10: </system.web>
> 11: <location path="NonSecureFolder">
> 12: <system.web>
> 13: <httpModules>
> 14: <remove name="DotNetCasClient"/>
> 15: </httpModules>
> 16: <authorization>
> 17: <allow users="*" />
> 18: </authorization>
> 19: </system.web>
> 20: </location>
> 21:</configuration>
>
> What happens?
> a) go to http://www.foo.com/blah.aspx, there's CAS authentication (the
> expected behavior)
> b) go to http://www.foo.com/NonSecureFolder/blah2.aspx, there's CAS
> authentication (expected to have no authentication)
>
>
> Scenario #C
> I also tried to set up a virtual directory for a specific folder
> <root>/Secure and added a second web.config file so I could load the
> DotNetCasClient, but I was not able to exclude pages from cas
> authentication.
>
>
> Would you happen to have other ideas on how to exclude pages from cas
> authentication?
> Thank you in advance for your help!
> --
> You are currently subscribed to [email protected] as:
> [email protected] To unsubscribe, change settings or access
> archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>