Hi Maciej. I'm putting up a project today. If there is anyone else that has been following this thread that would like to contribute to a CAS solution for z3 please let me know.

Just a side note that the PHP client for CAS uses sessions. I'm going to contact Martijn on the ldappas work and see if he has any advice to offer on this in the interim. Chris Withers had also put a solution together a few years back for z2 under the MIT license, so I will also likely see if there is some interest in advising or helping, considering his experience.


Maciej Wisniowski wrote:
Hi Maciej. Thank you for your reply and outlining the authentication
process. This does make things clearer. There are a variety of backends,
I read that something as simple as reading from a file is possible.
ldappas and dl.ldapauth provide some good hints for plugins and user
management from infrae's documentlibrary. I became aware of these
packages working on documentlibrary recently.

I don't know documentlibrary, but with CAS you'll get only the user
name, and with this it is necessary to
get user roles/permissions from a specific backend.

I want to be clear that https enters into the picture as soon as
authentication is required or someone were to click on a login link. I
am seeing links such as this in the docs I have been reading:


Reading the Plone code, I noticed a replacement for the login portlet (to
replace it with a link to CAS server) so I am assuming at this point
folks would be coming to portal unauthenticated and no https until you
were to login or attempt to gain access to an area where you need
authorization (then you are redirected - and now https on CAS server)
Have I got this right?

CAS authentication will work with http, but single sign-on will not.
I mean if you have CAS server like:


and applications:

then you'll have to log in while trying to access http://my/url2
even though you are already logged in to http://my/url. With
https you'll be automatically logged into url2 via SSO.

There were discussions about turning off https on CAS users
list but I don't know if it is possible in recent CAS versions.

Also you may send the 'service url' as an https one. This way users
access the http site, but after a successful login at CAS the user is
redirected to the https one.

I thought sessions should be used but maybe there are some other
opinions. I realize there were some issues with sessions some years back
with z2. I have not heard anything negative about sessions in z3.

Hm... I'm not sure about the session implementation in Zope 3, but
I had some issues with sessions with Zope 2 (conflicts).
I think that accessing the session with every request is not too good, as
this causes session buckets to be moved in the OOBTree because of
expiration, starts garbage collections etc. But I'm not sure how
this exactly goes.

I was also thinking to some extent about the url redirection etc for
this CAS activity and it made me wonder whether some of this should not
be occurring as part of a WSGI middleware (but this is just a random
thought at the moment).

I have no experience with that but would like to get to know more :)

I am interested in setting up a project for this shortly. I'll likely
get this going in the next day or so and will be grateful for your help
since you have experience with this. I'll provide details for the
project as soon as I have them but will likely put it in zif collective
on SourceForge in svn.

OK, but possibly I will have no internet access for a few days so I may
answer with delays.

BTW, I recently noticed that the authentication server need not be Java
so long as it complies with the CAS protocol. In fact I was reading code
for rubyCAS server earlier today. It makes me wonder why the
authentication server itself could not be written in Python and served
using Zope or Twisted. Gives me something to think about for later if
things work.

Many thanks,

Would be great to have this server in Python :)

Zope3-users mailing list

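The client side of the flow discussed in this thread, as an added example that is not part of the original messages or of any project they mention: it builds the CAS login redirect with an https service URL, parses a CAS 2.0 `serviceValidate` response, and looks up roles locally because CAS returns only the user name. The server address, the role backend, the role names, the sample responses and the choice to reject non-https service URLs are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses
CAS_BASE = "https://cas.example.org/cas"         # placeholder CAS server (assumption)

# Constructed role backend: CAS supplies only the user name, roles live here.
ROLE_BACKEND = {"alice": ["zope.Manager"], "bob": ["zope.Member"]}


def login_redirect(service_url):
    """Return the CAS /login URL; refuse a service URL that is not https."""
    if urlsplit(service_url).scheme != "https":
        raise ValueError("service URL must be https")
    return f"{CAS_BASE}/login?{urlencode({'service': service_url})}"


def validate_url(service_url, ticket):
    """URL the application fetches server-side to validate a service ticket."""
    query = urlencode({"service": service_url, "ticket": ticket})
    return f"{CAS_BASE}/serviceValidate?{query}"


def principal_from_response(xml_text):
    """Parse a serviceValidate response; return (user, roles) or None on failure."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        return None  # authenticationFailure or malformed response: no principal
    name = user.text.strip()
    return name, ROLE_BACKEND.get(name, [])  # unknown users get no roles


# Constructed sample responses in the CAS 2.0 format.
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_redirect("https://my.example.org/url2"))
    print(principal_from_response(SUCCESS))
    print(principal_from_response(FAILURE))
```

The service URL passed to `validate_url` must be the same one used for the login redirect, since the CAS server issues the ticket for that service.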