Le mardi 12 août 2008 à 13:10 +0200, Olivier Berger a écrit :
> Hi.
>
> Sorry again if this a FAQ.
>
> I am trying to CAS-ify a TWiki installation behind mod-auth-cas.
>
> After authentication by the CAS server, the URL displayed in TWiki looks
> like :
> http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas
>
> I would have expected the removal of the
> "&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas" part by mod_auth_cas (looking
> at the code : removeCASParams() which seems to do that)
>
> Unfortunately, it won't please TWiki to have this trailing "ticket"
> param when saving page contents later on :(
>
> Maybe removeCASParams() ain't called when it should be, or it fails
> parsing the params ?
>
> Any hints ?
>
I've looked at the code and I think I identified what happens. It's a
problem with the Web browser not knowing the "ticket" parameter was
removed when the page contains POST forms.
A URL like
http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas
is invoked.
But the perl script is actually called as
http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240
once authentified by mod-auth-cas (which removes the "ticket" param before
invoking it) directly, without a redirection (HTTP 200/ OK success code).
So the web browser still thinks it's displaying
http://localhost/cgi-bin/twiki/viewauth/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas
So when trying to edit a wiki page, a POST is issued to
"edit/TWiki/TWikiAccessControl?t=1218539240&ticket=ST-15-4pkBwI2qhZc0NHmaKVyi-cas"
(which fails).
I think that an additional redirect is needed in
cas_authenticate() whenever the params are changed by removeCASParams(),
for consistency.
In the code, in the "if(ticket != NULL)" block, if "isValidCASTicket()"
succeeds, it should not return OK directly but instead return a redirect
to the same script without the ticket= parameter.
Here's a proposed patch, that I think will solve this issue.
Comments welcome.
Best regards,
--
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
diff -irubw libapache2-mod-auth-cas-1.0.7/src/mod_auth_cas.c mod_auth_cas-1.0.7.new/src/mod_auth_cas.c
--- libapache2-mod-auth-cas-1.0.7/src/mod_auth_cas.c 2008-03-10 22:18:17.000000000 +0100
+++ mod_auth_cas-1.0.7.new/src/mod_auth_cas.c 2008-08-12 14:16:25.000000000 +0200
@@ -507,15 +507,16 @@
}
-static void removeCASParams(request_rec *r)
+static apr_byte_t removeCASParams(request_rec *r)
{
+
char *newArgs, *oldArgs, *p;
apr_byte_t copy = TRUE;
apr_byte_t changed = FALSE;
cas_cfg *c = ap_get_module_config(r->server->module_config, &auth_cas_module);
if(r->args == NULL)
- return;
+ return changed;
oldArgs = r->args;
p = newArgs = apr_pcalloc(r->pool, strlen(oldArgs) + 1); /* add 1 for terminating NULL */
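Review bot: removeCASParams() now returns a value, but nothing at the definition says what it means, so a caller has to read the body to learn that the result is the `changed` flag. A one-line comment above the function would do, e.g. `/* Strips CAS parameters from r->args; returns TRUE if r->args was modified, FALSE otherwise (including when r->args is NULL). */`. The code that sets `changed` lies outside the hunk, so confirm the wording against it. The blank line added after the opening brace can be dropped.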
@@ -555,7 +556,7 @@
else if(strlen(newArgs) == 0)
r->args = NULL;
- return;
+ return changed;
}
static char *getCASTicket(request_rec *r)
@@ -1491,6 +1492,8 @@
cas_cfg *c;
cas_dir_cfg *d;
apr_byte_t ssl;
+ apr_byte_t parametersRemoved = FALSE;
+ char *newLocation = NULL;
/* Do nothing if we are not the authenticator */
if(apr_strnatcasecmp((const char *) ap_auth_type(r), "cas"))
@@ -1509,7 +1512,7 @@
ticket = getCASTicket(r);
cookieString = getCASCookie(r, (ssl ? d->CASSecureCookie : d->CASCookie));
- removeCASParams(r);
+ parametersRemoved = removeCASParams(r);
/* first, handle the gateway case */
if(d->CASGateway != NULL && strncmp(d->CASGateway, r->parsed_uri.path, strlen(d->CASGateway)) == 0 && ticket == NULL && cookieString == NULL) {
@@ -1537,7 +1540,14 @@
r->user = remoteUser;
if(d->CASAuthNHeader != NULL)
apr_table_set(r->headers_in, d->CASAuthNHeader, remoteUser);
+ if (parametersRemoved) {
+ newLocation = apr_psprintf(r->pool, "%s%s%s", r->uri, (r->args != NULL) ? "?" : "", (r->args != NULL) ? r->args : "");
+ apr_table_add(r->headers_out, "Location", newLocation);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
return OK;
+ }
} else {
/* sometimes, pages that automatically refresh will re-send the ticket parameter, so let's check any cookies presented or return an error if none */
if(cookieString == NULL)
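Review bot: The `Location` value in the `if (parametersRemoved)` branch is built from `r->uri`, the decoded request path, and is sent as a relative reference, so a path that starts with `//` or contains decoded control characters lands verbatim in a redirect header right after a successful login. Escape the path and let the server build the absolute URL for its own host, e.g. `newLocation = ap_construct_url(r->pool, apr_psprintf(r->pool, "%s%s%s", ap_escape_uri(r->pool, r->uri), (r->args != NULL) ? "?" : "", (r->args != NULL) ? r->args : ""), r);`, and use `apr_table_set` instead of `apr_table_add` so only one `Location` header can exist. Separately, if the session cookie is written to `r->headers_out` earlier in this block (not visible in the hunk), it would probably be dropped on a non-2xx response and the browser would return with neither ticket nor cookie; `r->err_headers_out` is the table that survives a redirect. cas_authenticate() starts and ends outside the hunk.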
diff -irubw libapache2-mod-auth-cas-1.0.7/src/mod_auth_cas.h mod_auth_cas-1.0.7.new/src/mod_auth_cas.h
--- libapache2-mod-auth-cas-1.0.7/src/mod_auth_cas.h 2008-03-10 22:18:17.000000000 +0100
+++ mod_auth_cas-1.0.7.new/src/mod_auth_cas.h 2008-08-12 13:39:24.000000000 +0200
@@ -163,7 +163,7 @@
static char *getCASService(request_rec *r, cas_cfg *c);
static void redirectRequest(request_rec *r, cas_cfg *c);
static char *getCASTicket(request_rec *r);
-static void removeCASParams(request_rec *r);
+static apr_byte_t removeCASParams(request_rec *r);
static int cas_authenticate(request_rec *r);
static int cas_post_config(apr_pool_t *pool, apr_pool_t *p1, apr_pool_t *p2, server_rec *s);
static void cas_register_hooks(apr_pool_t *p);