I'm concerned about the integration with .NET forms authentication.
It looks like it would buy us a hook into a standardized
authentication and authorization framework at the expense of a good
deal more complication.  Perhaps it's worth the trade-off; what
arguments in favor of integrating with forms can you make?  My real
concern is that reliance on forms authentication would complicate or
preclude some use cases with IIS 7 integration, like protecting static
resources or non-.NET applications like SharePoint.  Can you comment
on that?

Following is a concrete alternative to CasAuthenticationModule that is
semantically much closer to the Java client that hopefully
demonstrates we don't _have_ to integrate with .NET forms.

void OnBeginRequest(object sender, EventArgs args)
{
   HttpApplication app = (HttpApplication)sender;
   HttpRequest request = app.Context.Request;
   HttpResponse response = app.Context.Response;
   HttpCookie cookie = request.Cookies.Get(COOKIE_NAME);
   // A first-time visitor carries no cookie, so guard against null before
   // reading cookie.Value. Note that authenticatedUsers is shared by every
   // request, so the real module must synchronize access to it.
   if (cookie != null && authenticatedUsers.ContainsKey(cookie.Value))
   {
      // User has already authenticated
      // Check whether their CAS client "session" has expired
      DateTime lastSeen = authenticatedUsers[cookie.Value];
      if (DateTime.Now.Subtract(lastSeen) > cookieTTL)
      {
        // Cookie expired: forget the stale entry, then redirect to CAS
        authenticatedUsers.Remove(cookie.Value);
        response.Redirect(casLoginUrl);
      }
      else
      {
        // Update the time authenticated user was last seen
        authenticatedUsers[cookie.Value] = DateTime.Now;
      }
   }
   else if (request.QueryString.Get(ArtifactParameterName) != null)
   {
      // Request contains ticket -- try to validate it
      try
      {
        ICasPrincipal principal = ticketValidator.validate(
           request.QueryString.Get(ArtifactParameterName),
           GetServiceUrl(request));
        cookie = CreateCasClientCookie(principal);
        authenticatedUsers.Add(cookie.Value, DateTime.Now);
        response.Cookies.Add(cookie);
      }
      catch (TicketValidationException e)
      {
        log.Warn("CAS service ticket validation failed.", e);
        // Deny and end the pipeline so no later handler serves the resource
        response.StatusCode = 403;
        app.CompleteRequest();
      }
   }
   else
   {
      // Not authenticated
      response.Redirect(casLoginUrl);
   }
}

The only substantial semantic difference from the Java client is the
explicit management of authenticated state since an HTTP session may
not be available in all cases.

M

-- 
You are currently subscribed to cas-dev@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

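An added example (not code from the CAS .NET client or from the message above) of how the authenticatedUsers map and cookieTTL from the module could be kept: a store with sliding expiration that drops expired entries, locks around the dictionary because IIS handles requests concurrently, and issues unguessable cookie values. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical class (not from the CAS .NET client): the authenticatedUsers
// map from the module above, with the housekeeping a shared store needs.
public sealed class AuthenticatedUserStore
{
    private readonly Dictionary<string, DateTime> lastSeen =
        new Dictionary<string, DateTime>();
    private readonly object sync = new object();   // IIS runs requests concurrently
    private readonly TimeSpan ttl;                  // the module's cookieTTL

    public AuthenticatedUserStore(TimeSpan ttl) { this.ttl = ttl; }

    // Registers a freshly validated user and returns the cookie value to issue.
    // 32 bytes from the OS CSPRNG: the value is a bearer credential, so it must
    // not be guessable or derived from the principal's name.
    public string Add()
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(raw); }
        string value = Convert.ToBase64String(raw);
        lock (sync) { lastSeen[value] = DateTime.UtcNow; }   // UtcNow: no DST jumps
        return value;
    }

    // True when the cookie names a live session; refreshes its timestamp
    // (sliding expiration). An expired entry is removed rather than left in
    // the map, so the store cannot grow without bound.
    public bool Touch(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return false;   // no cookie yet
        lock (sync)
        {
            DateTime seen;
            if (!lastSeen.TryGetValue(cookieValue, out seen)) return false;
            if (DateTime.UtcNow - seen > ttl)
            {
                lastSeen.Remove(cookieValue);
                return false;
            }
            lastSeen[cookieValue] = DateTime.UtcNow;
            return true;
        }
    }

    // Logout or single sign-out: drop the session explicitly.
    public void Remove(string cookieValue) { lock (sync) { lastSeen.Remove(cookieValue); } }
}
```

In the module, `Touch(cookie == null ? null : cookie.Value)` would replace the ContainsKey/TTL branch, and `Add()` would supply the value for CreateCasClientCookie.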