Hi Scott,

I was able to get it working with the CasAuthenticationModule.

Thank you!
Dianne


-----Original Message-----
From: Asis, Dianne 
Sent: Friday, March 19, 2010 8:45 AM
To: [email protected]
Subject: RE: [cas-user] How to exclude pages from cas authentication in 
DotNetCasClient.dll?

Hi Scott,

Oh my!  My mistake on the copy and paste!  Actually, I did load the 
CasAlternateAuthModule.  I assumed that the Saml was only available on the 
CasAlternateAuthModule based on the ExampleWebApp/Web.config.sample.config 
file.  I'll follow your recommendation and use the CasAuthenticationModule.  I 
may have questions if I run into an issue.  :o)  Thank you again!

<configuration>
   <configSections>
     <section name="casClientConfig"
 type="DotNetCasClient.Configuration.CasClientConfiguration,
 DotNetCasClient"/>
      ...
   </configSections>
    ...
    <casClientConfig
       casServerLoginUrl="https://cas.pepperdine.edu:1234/cas/login"
       serverName="https://test1.pepperdine.edu"
       secureUriRegex="(?i)/SecureTestFolder/.*"
       secureUriExceptionRegex="(?i)/.*\.axd"
       casServerUrlPrefix="https://cas.pepperdine.edu:1234/cas"
       redirectAfterValidation="true"
       useSession="true"
       gateway="false"
       renew="false"
       ticketValidatorName="Saml11"
       ticketTimeTolerance="5000"
       singleSignOut="true"
    />
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
    <httpModules>
      <add name="DotNetCasClient" 
type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
      <!--<add name="DotNetCasClient" 
type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>-->
      <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, 
System.Web.Extensions, Version=3.5.0.0, Culture=neutral, 
PublicKeyToken=31BF3856AD364E35"/>
    </httpModules>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <remove name="ScriptModule"/>
      <add name="ScriptModule" preCondition="managedHandler" 
type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, 
Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      <remove name="DotNetCasClient"/>
      <add name="DotNetCasClient" 
type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
      <!--<add name="DotNetCasClient" 
type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>-->
    </modules>
  </system.webServer>
   ...
 </configuration>

Thank you!
-Dianne


-----Original Message-----
From: Scott M. Holodak [mailto:[email protected]] 
Sent: Friday, March 19, 2010 6:49 AM
To: [email protected]
Subject: RE: [cas-user] How to exclude pages from cas authentication in 
DotNetCasClient.dll?

Hi Dianne,

It looks like you've installed the CasAuthenticationModule but are using 
configuration for CasAlternateAuthModule.  

The current milestone build contains 2 HTTP Modules.  Only the 
'CasAuthenticationModule' supports the ASP.NET Authorization / URL 
authorization.  The configuration for the two modules is slightly 
different. 

SampleWebApp's web.sample details which configuration items are required & 
optional for which module.  

- CasAuthenticationModule
   . Requires configuration/system.web/authentication/forms configuration 
     AND configuration/casClientConfig
   . Authorization controlled by standard ASP.NET
     configuration/system.web/authorization,
     configuration/location/authorization, and/or folder-level web.config
     files containing configuration/system.web/authorization elements.

- CasAlternateAuthModule
   . Requires only configuration/casClientConfig
   . Authorization controlled by URL regular expressions in 
     casClientConfig

I would recommend you stick with the CasAuthenticationModule.  It provides
more fine-grained control over which pages require CAS authentication.

-ScottH

> -----Original Message-----
> From: Asis, Dianne [mailto:[email protected]]
> Sent: Friday, March 19, 2010 2:25 AM
> To: [email protected]
> Subject: RE: [cas-user] How to exclude pages from cas authentication in
> DotNetCasClient.dll?
> 
> Hi Scott,
> 
> Thank you, thank you for the excellent information that you've sent me.
> I tried your recommendation, but it doesn't seem like it's using the
> authorization tag.  (Note: I could be wrong at this assumption.)  I
> tried to create a new website from scratch, tried different versions of
> authorization tags from the root and location tag, and I couldn't get
> it working based on location tag.  From my observation and further
> debugging, it seems like it's checking the authorization based on the
> casClientConfig.
> 
> Inside the CasAlternateAuthModule, the Init() fires off an event
> handler:
>     public override void Init(HttpApplication application)    {
>       ...
>       application.AcquireRequestState += (new
> EventHandler(this.Application_AcquireRequestState));
>       ...
>     }
> 
>     This Application_AcquireRequestState calls this method
> IsCasProtected(), and it seems like it's checking based on the
> "secureUriRegex" and "secureUriExceptionRegex" config.
> 
>     protected bool IsCasProtected(HttpApplication application)
>     {
>       bool isProtected =
> this.SecureUriRegex.IsMatch(application.Request.RawUrl);
>       if (isProtected) {
>         isProtected =
> !this.SecureUriExceptionRegex.IsMatch(application.Request.RawUrl);
>       }
>       ...
> 
>     }
> 
> Also found this other reference that was helpful:
> http://www.middleware.vt.edu/doku.php?do=export_pdf&id=middleware:cas:client:dotnet
> 
> So I was able to get it working with the following configurations.
> The skeleton below illustrated how I set up my web.config:
> - Allowed anonymous access to any file at the root of a web application
> (configuration/system.web/authorization/allow[users='*'])
> - Redirected a specific folder (e.g. "SecureTestFolder") to CAS
> (casClientConfig/secureUriRegex="(?i)/SecureTestFolder/.*")
> 
> 
> <configuration>
>   <configSections>
>     <section name="casClientConfig"
> type="DotNetCasClient.Configuration.CasClientConfiguration,
> DotNetCasClient"/>
>      ...
>   </configSections>
>    ...
>    <casClientConfig
>       casServerLoginUrl="https://cas.pepperdine.edu:1234/cas/login"
>       serverName="https://test1.pepperdine.edu"
>       secureUriRegex="(?i)/SecureTestFolder/.*"
>       secureUriExceptionRegex="(?i)/.*\.axd"
>       casServerUrlPrefix="https://cas.pepperdine.edu:1234/cas"
>       redirectAfterValidation="true"
>       useSession="true"
>       gateway="false"
>       renew="false"
>       ticketValidatorName="Saml11"
>       ticketTimeTolerance="5000"
>       singleSignOut="true"
>    />
>    <system.web>
>     <httpModules>
>       <add name="DotNetCasClient"
> type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
>       ...
>     </httpModules>
>     ...
>     <authorization>
>       <allow users="*" />
>     </authorization>
>     ...
>   </system.web>
>   <system.webServer>
>     <validation validateIntegratedModeConfiguration="false"/>
>     <modules>
>       <remove name="DotNetCasClient" />
>       <add name="DotNetCasClient"
> type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
>     </modules>
>   </system.webServer>
>   ...
> </configuration>
> 
> 
> Is this the proper way?  Is there a way to get the location tag to
> work?
> Many thanks again for your help, time, and patience.
> -Dianne
> 
> 
> -----Original Message-----
> From: Scott M. Holodak [mailto:[email protected]]
> Sent: Wednesday, March 17, 2010 8:54 PM
> To: [email protected]
> Subject: RE: [cas-user] How to exclude pages from cas authentication in
> DotNetCasClient.dll?
> 
> Hi Dianne,
> 
> I'm not sure if you left out the configuration/configSections/section,
> configuration/casClientConfig, and
> configuration/system.web/authentication/forms blocks in your examples
> on purpose.  If not, see the web.sample file in the ExampleWebApp for
> configuration details.
> 
> You want to set up 1 web.config at the root of your web application.
> That web.config should define the CAS client configuration and should
> add the CasAuthenticationModule to configuration/system.web/httpModules
> (IIS5/6) and/or configuration/system.webserver/modules (IIS7+).  If you
> decide to add it in both places (because you want it to work on IIS 5/6
> and 7+ without editing) you'll need to remove it from
> configuration/system.webserver/modules and add it back again to get
> around an integrated pipeline error message when you try to run the
> code on IIS 7+.   That's the only scenario in which you want to remove
> the CasAuthenticationModule from the pipeline.  You don't want to add
> it for authenticated subdirectories either.  In fact, it's generally a
> good idea to avoid dealing with Http Modules in location blocks
> altogether.  You also don't need to worry about IIS virtual
> directories.  You do need to worry about inheritance though.  For
> instance, if you have the CasAuthenticationModule in the root application on
> your web server, it's running in every sub-application (in some cases,
> you might want to remove it for sub-applications).  The trick is
> getting it to redirect/not redirect when appropriate for your
> applications.
> 
> The general idea is that the CasAuthenticationModule doesn’t _cause_
> the interactions with the CAS server.  It's URL Authorization that
> ultimately causes the redirections.  CasAuthenticationModule deals with
> setting/verifying the identity of the user making the request, not
> determining whether that user is allowed to access a specific resource.
> The UrlAuthorizationModule (or any other HttpModule / global.asax code)
> handles the AuthorizeRequest event and determines whether to send a
> 403/Forbidden to the browser.  The CasAuthenticationModule intercepts
> this before it makes it to the browser (for anonymous requests) and
> redirects to the CAS server instead.  When the request is redirected
> back from CAS, it is authenticated and authorized again, except this
> time with credentials (hopefully with authorization to access the
> resource).
> 
> CAS authentication behaves identically to Forms Authentication with
> respect to how it interacts with the authorization subsystem, so any of
> the general info on ASP.NET authorization (i.e., URL authorization)
> should apply (More info:
> http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx).  You just need
> to write the authorization
> rules to match the goals of your application.  For varying the
> authorization by directory, you can either use location tags to
> overwrite the system.web/authorization rules in the main web.config, or
> you can create a web.config file in the subdirectories that only
> contains configuration/system.web/authorization rules.
> 
> The skeleton below illustrates how you would:
> - allow anonymous access to any file at the root of your web
>   application ~/
>   (configuration/system.web/authorization/allow[users='*'])
>   - except ~/SecurePageAtRoot.aspx
>     (configuration/location[path='SecurePageAtRoot.aspx']/system.web/authorization/deny[users='?'])
> - deny anonymous access to any files in the ~/secure/ subdirectory
>   (configuration/location[path='secure']/system.web/authorization/deny[users='?'])
>   - except ~/secure/AllowAnonymous.aspx
>     (configuration/location[path='secure/AllowAnonymous.aspx']/system.web/authorization/allow[users='*'])
> 
> <configuration>
>   <configSections>
>     <section name="casClientConfig"
> type="DotNetCasClient.Configuration.CasClientConfiguration,
> DotNetCasClient"/>
>      ...
>   </configSections>
>    ...
>    <casClientConfig ... ... ... />
>    <system.web>
>     <httpModules>
>       <add name="DotNetCasClient"
> type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
>       ...
>     </httpModules>
>     <authentication mode="Forms">
>       <forms loginUrl="https://fed.princeton.edu/cas/login"
> timeout="30" defaultUrl="~/Default.aspx"
>              cookieless="UseCookies" slidingExpiration="true"
> path="/example/" />
>     </authentication>
>     ...
>     <authorization>
>       <allow users="*" />
>     </authorization>
>     ...
>   </system.web>
>   <system.webServer>
>     <validation validateIntegratedModeConfiguration="false"/>
>     <modules>
>       <remove name="DotNetCasClient" />
>       <add name="DotNetCasClient"
> type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
>     </modules>
>   </system.webServer>
>   ...
>   <location path="SecurePageAtRoot.aspx">
>     <system.web>
>       <authorization>
>         <deny users="?" />
>       </authorization>
>     </system.web>
>   </location>
>   <location path="secure">
>     <system.web>
>       <authorization>
>         <deny users="?" />
>       </authorization>
>     </system.web>
>   </location>
>   <location path="secure/AllowAnonymous.aspx">
>     <system.web>
>       <authorization>
>         <allow users="*" />
>       </authorization>
>     </system.web>
>   </location>
>   ...
> </configuration>
> 
> Let me know if you have any questions.
> 
> -ScottH
> 
> -----Original Message-----
> From: Dianne Asis [mailto:[email protected]]
> Sent: Wednesday, March 17, 2010 6:42 PM
> To: [email protected]
> Subject: [cas-user] How to exclude pages from cas authentication in
> DotNetCasClient.dll?
> 
> How would one exclude pages from cas authentication?
> 
> Scenario #A
> I added the DotNetCasClient httpModule (line #14) in the location tag,
> but this module doesn't seem to be loading.
> Using the DotNetCasClient.dll dev version, I have the following
> httpModule in my web.config file.
>  1: <configuration>
>  2:  <system.web>
>  3:     <httpModules>
>  4:          <remove name="FormsAuthentication"/>
>  5:          <remove name="WindowsAuthentication"/>
>  6:          <remove name="PassportAuthentication"/>
>  7:          <!--<add name="DotNetCasClient"
> type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>-->
>  8:          <add name="ScriptModule"
> type="System.Web.Handlers.ScriptModule, System.Web.Extensions,
> Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
>  9:     </httpModules>
> 10 :  </system.web>
> 11:  <location path="SecureFolder">
> 12:     <system.web>
> 13:          <httpModules>
> 14:               <add name="DotNetCasClient"
> type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
> 15:          </httpModules>
> 16:          <authorization>
> 17:               <deny users="?" />
> 18:          </authorization>
> 19:     </system.web>
> 20:  </location>
> 21:</configuration>
> 
> What happens?
> a) go to http://www.foo.com/blah.aspx, there's no CAS authentication
> (the expected behavior)
> b) go to http://www.foo.com/SecureFolder/blah2.aspx, there's no CAS
> authentication (expected to have authentication)
> 
> 
> Scenario #B
> I tried to reverse the logic and set up a "NonSecureFolder" and have
> the <remove> tag (see line #14).
>  1: <configuration>
>  2:  <system.web>
>  3:     <httpModules>
>  4:          <remove name="FormsAuthentication"/>
>  5:          <remove name="WindowsAuthentication"/>
>  6:          <remove name="PassportAuthentication"/>
>  7:          <add name="DotNetCasClient"
> type="DotNetCasClient.CasAlternateAuthModule,DotNetCasClient"/>
>  8:          <add name="ScriptModule"
> type="System.Web.Handlers.ScriptModule, System.Web.Extensions,
> Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
>  9:     </httpModules>
> 10 :  </system.web>
> 11:  <location path="NonSecureFolder">
> 12:     <system.web>
> 13:          <httpModules>
> 14:               <remove name="DotNetCasClient"/>
> 15:          </httpModules>
> 16:          <authorization>
> 17:               <allow users="*" />
> 18:          </authorization>
> 19:     </system.web>
> 20:  </location>
> 21:</configuration>
> 
> What happens?
> a) go to http://www.foo.com/blah.aspx, there's CAS authentication (the
> expected behavior)
> b) go to http://www.foo.com/NonSecureFolder/blah2.aspx, there's CAS
> authentication (expected to have no authentication)
> 
> 
> Scenario #C
> I also tried to set up a virtual directory for a specific folder
> <root>/Secure and added a second web.config file so I could load the
> DotNetCasClient, but I was not able to exclude pages from cas
> authentication.
> 
> 
> Would you happen to have other ideas on how to exclude pages from cas
> authentication?
> Thank you in advance for your help!
> --
> You are currently subscribed to [email protected] as:
> [email protected] To unsubscribe, change settings or access
> archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
> 

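Added example (not part of the original thread, and not DotNetCasClient or ASP.NET code): a simplified Python model of the URL authorization behaviour described in the thread, evaluated over the authorization rules of the skeleton, with each rule placed at the configuration path the thread lists for it. It assumes only the `*` and `?` user specifiers and case-insensitive prefix matching for `location` paths; `load_rules` and `decide` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the authorization parts of the skeleton from the
# thread, with every rule nested under system.web/authorization.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="SecurePageAtRoot.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="secure">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="secure/AllowAnonymous.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>
"""

def load_rules(xml_text):
    """Return {location path: [(action, users), ...]}; '' is the application root."""
    root = ET.fromstring(xml_text)
    scopes = {"": root.find("system.web/authorization")}
    for loc in root.findall("location"):
        scopes[loc.get("path").strip("/").lower()] = loc.find("system.web/authorization")
    return {path: [(rule.tag, rule.get("users")) for rule in auth]
            for path, auth in scopes.items() if auth is not None}

def decide(rules, url_path, user=None):
    """Most specific matching scope first, then its parents; first matching rule wins."""
    path = url_path.strip("/").lower()
    scopes = [p for p in rules if p == "" or path == p or path.startswith(p + "/")]
    for scope in sorted(scopes, key=len, reverse=True):
        for action, users in rules[scope]:
            # Assumption: only "*" (everyone) and "?" (anonymous) are modelled.
            if users == "*" or (users == "?" and user is None):
                if action == "allow":
                    return "allow"
                # A denied anonymous request is the one that gets sent to CAS.
                return "redirect-to-cas" if user is None else "deny"
    return "allow"  # machine-level default in ASP.NET is <allow users="*" />

if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    for url in ("/Default.aspx", "/SecurePageAtRoot.aspx",
                "/secure/Report.aspx", "/secure/AllowAnonymous.aspx"):
        print(url, "anonymous ->", decide(rules, url))
```

With only the root `<allow users="*" />` rule and no `deny` entries, the same model returns `allow` for every path, so no request is ever sent to CAS.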