Github user necouchman commented on a diff in the pull request:
https://github.com/apache/incubator-guacamole-client/pull/121#discussion_r107401901
--- Diff: extensions/guacamole-auth-cas/src/main/resources/casConfig.js ---
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * Config block which registers CAS-specific field types.
+ */
+angular.module('guacCAS').config(['formServiceProvider',
+ function guacCASConfig(formServiceProvider) {
+
+ // Define field for ticket from CAS service
+ formServiceProvider.registerFieldType("GUAC_CAS_TICKET", {
+ templateUrl : '',
+ controller : 'guacCASController',
+ module : 'guacCAS'
+ });
+
+}]);
+
+/**
+ * Config block which augments the existing routing, providing special
handling
+ * for the "ticket=" fragments provided by OpenID Connect.
+ */
+angular.module('index').config(['$routeProvider','$windowProvider',
+ function indexRouteConfig($routeProvider,$windowProvider) {
+
+ var $window = $windowProvider.$get();
+ var curPath = $window.location.href;
+ var ticketPos = curPath.indexOf("?ticket=") + 8;
+ var hashPos = curPath.indexOf("#/");
+ if (ticketPos > 0 && ticketPos < hashPos) {
+ var ticket = curPath.substring(ticketPos, hashPos);
+ var newPath = curPath.substring(0,ticketPos - 8) + '#/?ticket=' +
ticket;
+ $window.location.href = newPath;
--- End diff --
Yeah, I tried to figure that out, but ran into a significant road-block
going that route, and, after hours of searching and trying, resorted to this
admittedly messy way of accomplishing this. Here's the issue...
When CAS redirects back to Guacamole, the URL that comes back is something
like this:
http://guacamole.example.com/guacamole?ticket=<BIG LONG STRING>
What happens is that Angular then appends the trailing slash and the hash
tag onto the end of that:
http://guacamole.example.com/guacamole?ticket=<BIG LONG STRING>/#/
So, if I try to use the Angular built-in routing functions, it's only
looking for the ticket= after the trailing slash. It doesn't process anything
ahead of that slash. I tried several incantations, including putting a
trailing slash in the redirect URI, but just ended up with this:
http://guacamole.example.com/guacamole/?ticket=<BIG LONG STRING>/#/
I also tried putting the #/ in the CAS redirect URI, and that didn't work,
either. I think the core of the issue is that, during authentication, it isn't
just an iFrame or something like that that accomplishes the authentication (as
in the case of Duo) - it actually redirects completely away from the site, then
back, with this ticket= parameter in the URL. Since the ticket= parameter is
placed there before Angular ever initializes, Angular believes that it is part
of the URL it should be using, appends it /#/ to the end, and goes on. So, I
have to manually move the ?ticket= chunk to the end.
I'm definitely open to suggestions and help with this one - I banged my
head on a kitchen table for quite a while trying to figure out where I went
wrong, and came away with the belief that the way CAS interacts with the page
here just doesn't place well with Angular.
I suppose I could try to go the iFrame route, instead of a full redirect,
and see if that changes things? Maybe it would end up looking a lot more like
the Duo module...and it might dovetail nicely with the suggestion below about
having a separate button for the user to click to authenticate with CAS, rather
than just having it redirect to CAS authentication automatically. Based on how
I've explained CAS to you, does that sound more feasible (and desirable) than
redirecting completely away??
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
