For the Java CAS stuff, you may want to check out the "sample" webapp provided here: https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample - it gives you a really good, simple overview of how stuff is set up.
I can't speak to the other CAS clients at the moment however.

Chris

>>> "Waldbieser, Carl" <[email protected]> 04/23/15 8:20 AM >>>

Paul,

We are using mod_auth_cas in front of a couple web apps, and it works pretty much as you would expect. Since it is a fairly decoupled integration with your web app, the "log out" links in your web app will tend not to work the way one might expect. However, once you get mod_auth_cas built, configuring it and deploying it to production is rather straightforward. We have only used it with Apache v2.2.

I have integrated some apps with phpCAS, and it is also pretty simple to configure. I find if you crank up debugging in that library you get a good amount of detail that can really help with some of the more subtle problems (like if the CA of the SSL cert is not recognized by the back channel call).

We have also integrated some of our Java based apps with the Java client. Like other integrated solutions, the setup is more complex, but the user experience typically feels more smooth and less "bolted on", especially if you want your log out controls to log you out of your SSO session.

I can't speak to the perl modules you mention, but a lack of activity is not necessarily a bad thing. CAS is a relatively simple and straightforward protocol. The code for a CAS client should tend to stabilize pretty quickly.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Paul B. Henson" <[email protected]>
To: [email protected]
Sent: Wednesday, April 22, 2015 10:54:27 PM
Subject: [cas-user] CASifying web applications

We're at a point in our CAS deployment where we'd like to start converting some of our existing applications to use it, and I'd appreciate some feedback on the best path to do so.
It seems there are two types of webapps under consideration, those that do no authentication at all on their own and rely entirely on web service based authentication, and those that have no web server authentication and implement auth entirely on their own.

For web server auth, it looks like the only real solution is mod_auth_cas (https://wiki.jasig.org/display/CASC/mod_auth_cas) for Apache? Anyone currently using this that might be able to comment on how well it works, how reliable it is, etc? It looks like it doesn't support proxy authentication, but we only have one app that needs that. Does anyone know if this module works as-is under Apache 2.4? According to the docs, some 2.2 modules work fine under 2.4, while others require updates for certain changed APIs.

If the app is mod_perl based, or mod_perl can be added just for authentication, it looks like there are two options:

http://search.cpan.org/~dcastro/Apache-AuthCAS/lib/Apache/AuthCAS.pm
http://search.cpan.org/~jhitt/Apache2-AuthCAS-0.4/lib/Apache2/AuthCAS.pm

Any opinion/consensus on which of these is better, and how they compare to mod_auth_cas? It looks like both of these support proxy auth, which makes them presumably beat out mod_auth_cas for that use case.

For applications which do their own authentication, it looks like phpCAS (https://wiki.jasig.org/display/CASC/phpCAS) is the officially supported solution for php based apps? For perl based applications, I see there's only an unofficial client available (https://github.com/Unicon/cas-perl-client). The last update is over 3 years ago, and the documentation is a bit lacking. There are no better solutions for CAS via perl?

We have one app that will need to do proxy auth, it's part of our idm infrastructure. The client facing front end is on a windows box, currently doing forms based auth and proxying the plaintext credentials to a mod_perl based web service via apache ldap authentication.
To CASify this, our webapps group will presumably use the .net CAS client to authenticate the browser and then use CAS proxy auth to authenticate the end user to the web service. We are flexible on this as to whether the auth is done by the web server or integrated into the app itself. As mod_auth_cas doesn't do proxy auth, that is ruled out. Any thoughts on whether it would be cleaner to use one of the mod_perl based solutions to do the proxy auth at the web server level vs a perl CAS client in the application?

Thanks much...

--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | [email protected]
California State Polytechnic University | Pomona CA 91768

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
