> 1. If in our app, there are multiple .htaccess files within the branches of
> a website.
> that have the same AuthType, AuthName, AuthUserFile and AuthGroupFile
> but a different "require" apache directive values for both users and groups
> to restrict which users or groups have access to specific subdirectories in
> our website which is part of Apache Core
> would that retrigger m-a-c  to reauthenticate? Or if a user is authenticated
> when a particular 'require valid-user' , 'require user foo' or 'require
> group foo' be locally checked and the m-a-c module will somehow remember
> who was authenticated and not have to do another round trip to the
> CAS Server.

m-a-c creates a session and sets a cookie that records the current
user name.  The cookie is scoped to the current path (unless
overridden by CASScope).  Browsing to a different path will trigger
m-a-c to reauthenticate.  In other words, you will be required to
authenticate at https://www.server.com/a, and then again at
https://www.server.com/b , but not at https://www.server.com/a/c .  If
you set CASScope to "/", then the cookie path will be set to "/", and
no reauthentication round-trip will be necessary.

>
> 2. Another important question to me is, if currently our existing web app is
> using .htaccess files to control access to certain subdirectories by using
> .htaccess files and the Require user xxx and Require group xxx xxx Apache
> Core directives
> from the README file
> https://www.ja-sig.org/svn/cas-clients/mod_auth_cas/trunk/README
> It suggests that the Apache directives
> Will those existing directives (AuthName, AuthUserFile, AuthGroupFile,
> require) still be recognized and enforced by Apache either through
> Apache Core directives 'require valid-user', 'require group foo' work, so
> I'm assuming require user peter would be enforced.
> However, would the directives AuthName, AuthUserFile, AuthGroupFile have any
> meaning with the m-a-c where 'AuthType CAS' is set?
>

Haven't used AuthGroupFile, but AuthName and AuthUserFile are
meaningless in terms of m-a-c.  The "require valid-user" or "require
xxx" will perform authorization based upon the user name provided by
m-a-c.

> For example, if I had a require valid-user, in some .htaccess file that was
> protected by m-a-c, would the m-a-c module first lookup to see if that user
> is in the file referenced by AuthUserFile and if in there then make a call
> to the CAS Server to verify that that user is valid?

Nope -- no need for AuthUserFile.  Any CAS authenticated user is a
valid-user.  For finer granularity, use "require xxx yyy zzz".

> How are groups handled though?  With AuthType basic, from my understanding,
> users are checked to see if they are in the correct group which is looked up
> at the location of AuthGroupFile XXX.  Since I don't believe CAS has the
> concept of groups, I am thinking that the m-a-c module would rely on the
> group file referenced by AuthGroupFile to see if that user was in the
> particular group referenced by the 'require group foo' for example and then
> possibly do a CAS server check to log him in if not already authenticated.
> Please confirm.

Not sure - give it a shot and let us know.

>
> Is the AuthName also still compatible or enforced with the m-a-c?

Nope - AuthName is a BasicAuth construct.

>
> 3.  If we are a Windows 2003 Server box running Apache, can this module work
> with it?  Are there any recipes to help me compile this module for that
> platform using free software?  Maybe Cygwin?

Take a look at README.win32 in the source tree.

HTH,
-Matt

-- 
m...@forsetti.com
Key ID:D6EEC5B5
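
The cookie scoping described in the reply to question 1, as an added example that is not part of the original message and is not mod_auth_cas code. It models standard RFC 6265 cookie path-matching, assumes a session cookie with the given Path was already set by an earlier login, and uses hypothetical function names; the /ab URL is constructed to show the path-boundary case.

```python
# Added example: models RFC 6265 cookie path-matching to show when the browser
# returns the m-a-c session cookie. Host and paths /a, /b, /a/c come from the
# reply above; the function names are hypothetical.
from urllib.parse import urlsplit


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if not request_path.startswith("/"):
        request_path = "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only counts on a "/" boundary, so "/a" does not cover "/ab".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def needs_cas_round_trip(cookie_path: str, url: str) -> bool:
    """True when the browser would not send the session cookie for this URL,
    so the module sees no session and has to go back to the CAS server."""
    return not path_matches(cookie_path, urlsplit(url).path or "/")


def report(cookie_path, urls):
    """Map each URL to whether it costs a CAS round trip under this cookie Path."""
    return {u: needs_cas_round_trip(cookie_path, u) for u in urls}


URLS = [
    "https://www.server.com/a",
    "https://www.server.com/a/c",
    "https://www.server.com/b",
    "https://www.server.com/ab",  # constructed: shares a prefix but is not under /a
]

if __name__ == "__main__":
    for scope in ("/a", "/"):  # default per-path scope vs. CASScope "/"
        print("cookie Path=%s" % scope)
        for url, redirect in report(scope, URLS).items():
            print("  %-30s %s" % (url, "CAS round trip" if redirect else "session reused"))
```

With Path=/ the browser sends the session cookie on every request to the host, including paths that are not protected by m-a-c.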
