[
https://issues.apache.org/jira/browse/VCL-1087?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16850972#comment-16850972
]
Josh Thompson commented on VCL-1087:
------------------------------------
Hi Junaid,
I've partly implemented VCL-1086 (improve modularization of authentication).
I've updated things for local, ldap, and Shibboleth authentication. At this
point, each authentication method needs to add an entry in a global array named
$authFuncs. Can you have a look to update CAS? I've merged the develop branch
in to VCL-1087_VCL_CAS_SSO. shibauth.php would probably be the best file to
use as an example. The entry in $authFuncs looks something like this:

    $authFuncs['shibboleth'] = array(
        'test' => 'testShibAuth',
        'auth' => 'processShibAuth',
        'unauth' => 'unauthShib'
    );

'test' and 'auth' are called from initGlobals in utils.php after determining
that the current user is not authenticated. One thing to note is that if the
VCLAUTH cookie exists and is valid, these functions are not used as the user is
already considered to be authenticated.
'test' references a function that checks to see if information exists to
validate a user with this authentication method. For Shibboleth, it checks for
the existence of $_SERVER['SHIB_EPPN'] - a global variable provided by the web
server if the user has been authenticated by Shibboleth. The function should
return 1 if required information is available or 0 if not.
'auth' references a function that handles authenticating the user. It should
return the authenticated user in 'userid@affiliation' form or NULL if
authentication failed. If authentication is successful, it should include a
call to addLoginLog. It should probably set the VCLAUTH cookie to handle
authentication in further interactions with the VCL site (Shibboleth does
this). If it does not set VCLAUTH, the function referenced by 'auth' will be
called for each page load by the user, which can be okay, but it should be
written to be pretty quick and not do things like calling addLoginLog every
time.
'unauth' references a function that handles destroying the user's
authentication. It takes one argument because unauthenticating the user needs
to happen in two parts. The value of the argument is either 'headers' or
'content'. If called with 'headers', it should set any headers that need to be
sent to the user before page content (most methods simply return and do nothing
in this case). If called with 'content', any page content that should be
displayed to the user should be printed out. This function is called from
sendHeaders in utils.php when $mode is logout. After the function unauth
references has been called, the user should have to log in again.
The idea of all of this is that creating new authentication methods should
only require creating a new file under authmethods and including the file from
conf.php without requiring any other files to be modified.
Josh
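
The $authFuncs contract described in the comment above, as an added example that is not part of Josh's comment or the VCL code base: a hypothetical 'exampleauth' method plus a sketch of a caller. The names EXAMPLE_USER, EXAMPLE_AFFIL, exampleAuthenticate and the three callbacks are assumptions; the addLoginLog and VCLAUTH steps appear only as comments because their arguments are not given here.

```php
<?php
// Added example: hypothetical 'exampleauth' method following the contract above.
// EXAMPLE_USER / EXAMPLE_AFFIL are assumed server-provided variables, not VCL names.
$authFuncs = array();   // in VCL this global already exists
$authFuncs['exampleauth'] = array(
    'test'   => 'testExampleAuth',
    'auth'   => 'processExampleAuth',
    'unauth' => 'unauthExample'
);

// 'test': return 1 if the data needed to validate a user is present, else 0
function testExampleAuth() {
    return (isset($_SERVER['EXAMPLE_USER']) && $_SERVER['EXAMPLE_USER'] !== '') ? 1 : 0;
}

// 'auth': return 'userid@affiliation' on success or NULL on failure
function processExampleAuth() {
    $user  = $_SERVER['EXAMPLE_USER'];
    $affil = isset($_SERVER['EXAMPLE_AFFIL']) ? $_SERVER['EXAMPLE_AFFIL'] : '';
    // Reject values that would make 'userid@affiliation' ambiguous (e.g. an extra '@')
    if(! preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user) ||
       ! preg_match('/^[A-Za-z0-9._-]{1,64}$/', $affil))
        return NULL;
    // A real method would call addLoginLog and set the VCLAUTH cookie here, once
    // per login; their arguments are not shown in the comment, so they are omitted.
    return "$user@$affil";
}

// 'unauth': called with 'headers' and with 'content' when the user logs out
function unauthExample($mode) {
    if($mode == 'headers')
        return;                       // nothing to send before page content
    print "You have been logged out.";
}

// Sketch of the caller's side (not VCL's initGlobals): use the first registered
// method whose 'test' passes and whose 'auth' returns an authenticated user.
function exampleAuthenticate($authFuncs) {
    foreach($authFuncs as $funcs) {
        if(call_user_func($funcs['test']) &&
           ($id = call_user_func($funcs['auth'])) !== NULL)
            return $id;
    }
    return NULL;
}

$_SERVER['EXAMPLE_USER']  = 'jdoe';      // constructed sample input
$_SERVER['EXAMPLE_AFFIL'] = 'Local';     // constructed sample input
var_dump(exampleAuthenticate($authFuncs));
```
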
> VCL CAS SSO
> -----------
>
> Key: VCL-1087
> URL: https://issues.apache.org/jira/browse/VCL-1087
> Project: VCL
> Issue Type: New Feature
> Components: web gui (frontend)
> Affects Versions: 2.5
> Reporter: Junaid Ali
> Priority: Major
> Attachments: 0001-CAS-Authentication-Module.patch, Design document
> for adding CAS support to VCL.pdf
>
>
> This new feature will add [CAS|https://www.apereo.org/projects/cas] single
> sign on support to the VCL Website.