There have been a few messages lately about using CAS in non-browser interactions. After fiddling with things just long enough to realize that extending CAS to the non-browser world is not easy (and, in most cases for us, simply not possible), we inverted our thinking. Instead of trying to extend CAS outside of the browser environments, we decided to use a mechanism that works well in the non-browser environment, then use CAS to extend that mechanism into the browser environment.
So, we are using Kerberos for the non-browser environments (including GSSAPI/SPNEGO for some HTTP transactions like SVN), then use CAS to extend our authentication to the browser environment (since SPNEGO is not widespread yet). This works very well, giving us SSO (or more accurately, ISO) across the non-browser environment (via Kerberos) and also across the browser environment (via CAS). Once I get around to configuring SPNEGO auth for our production CAS, we will have unified ISO across the non-browser & browser environments.

Kerberos can also sit "behind" most common LDAP servers, providing credential verification for LDAP "simple binds". While this is normally discouraged from a security perspective, it does allow for those apps that only auth via LDAP.

Soooo, I'd recommend investigating this type of approach for those looking at SSO for browser and non-browser activities. Given that CAS employs mechanisms that are tailored for browsers (such as the 302 redirect), and handles browser environments *extremely* well, and given that there are other technologies (like Kerberos) that handle non-browser environments *extremely* well, I'd recommend deploying both (best tool for the job), and bridging them by having CAS authenticate against Kerberos.

HTH,
-Matt

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Scott Beardsley
Sent: Mon 2006-11-13 19:36
To: [email protected]
Cc:
Subject: CAS and Subversion

So I saw a message about CAS and Subversion (aka SVN) a few days ago... I'd like to get things working without using LDAP. I'm using a *slightly* modified mod_cas from CASE[1] with a standard SVN install. The web server is acting as the SVN server also and the only way users can access our repo is via HTTPS. Previously we were using mod_auth_mysql to authenticate SVN users. I'd like to move away from mysql and start using CAS instead.

I want users (with CAS accounts) to be able to run the following:

    $ svn co https://subversion.example.com/repo/somecoolproject/trunk

I have the following config that works through the web browser but fails with the above command. The svn command doesn't like 302 redirects:

    $ svn co https://subversion.example.com/repo/somecoolproject/trunk
    svn: PROPFIND request failed on '/repo/somecoolproject/trunk'
    svn: PROPFIND of '/repo/somecoolproject/trunk': 302 Found (https://subversion.example.com)

I realize I might need to talk to the SVN folks but I wanted to stop here first. Here's my Apache2 config (that works great with trac BTW):

    # the mod_cas stuff:
    LoadModule cas_module /usr/lib/apache2/modules/mod_cas.so
    <IfModule mod_cas.c>
        CASTrustedCerts /etc/ssl/certs/ca.crt
        CASLoginURL https://cas.example.com:8443/cas/login
        CASHost cas.example.com
        CASPort 8443
        CASMethod GET
        CASValidate /cas/validate
    </IfModule>

    # the SVN stuff:
    <Location /repo/somecoolproject>
        AuthType CAS
        AuthName "Cool Project"
        require valid-user
    </Location>

    # the trac stuff:
    Alias /trac/somecoolproject "/usr/share/trac/cgi-bin/trac.cgi"
    <Location "/trac/somecoolproject">
        SetEnv TRAC_ENV "/trac/somecoolproject"
    </Location>
    <Location "/trac/somecoolproject/login">
        AuthType CAS
        AuthName "TRAC"
        require valid-user
    </Location>

Any ideas or pointers?

Scott
-----
[1] http://wiki.case.edu/Central_Authentication_Service#Using_Apache

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
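The split Matt describes, applied to Scott's vhost, as an added example that is not part of either message: the SVN location is protected with Kerberos (SPNEGO with a password fallback) so a non-browser client never sees mod_cas's 302, while the browser-only trac login keeps CAS. It assumes mod_auth_kerb and its directives, a realm EXAMPLE.COM, a service principal HTTP/subversion.example.com and a keytab path; none of those come from the thread.

```apache
# Added example (not from the thread). Assumes mod_auth_kerb; the realm,
# keytab path and service principal below are placeholders.
LoadModule cas_module       /usr/lib/apache2/modules/mod_cas.so
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so

# mod_cas settings, unchanged from the original post
<IfModule mod_cas.c>
    CASTrustedCerts /etc/ssl/certs/ca.crt
    CASLoginURL     https://cas.example.com:8443/cas/login
    CASHost         cas.example.com
    CASPort         8443
    CASMethod       GET
    CASValidate     /cas/validate
</IfModule>

# Repository: svn cannot follow mod_cas's 302 to the login page, so this
# location answers with a 401 + "WWW-Authenticate: Negotiate" instead.
# Clients with a Kerberos ticket authenticate via SPNEGO; clients without
# one fall back to Basic, which mod_auth_kerb verifies against the KDC.
<Location /repo/somecoolproject>
    # The Basic fallback carries the password; refuse plain HTTP entirely.
    SSLRequireSSL
    AuthType        Kerberos
    AuthName        "Cool Project"
    KrbAuthRealms   EXAMPLE.COM
    KrbServiceName  HTTP
    # Placeholder keytab path holding HTTP/subversion.example.com@EXAMPLE.COM
    Krb5KeyTab      /etc/apache2/http.keytab
    # SPNEGO: reuse the user's existing TGT, no password sent at all
    KrbMethodNegotiate On
    # Password fallback for clients that have no ticket (e.g. plain svn)
    KrbMethodK5Passwd  On
    # Verify the KDC's reply with the service key, so a spoofed KDC
    # cannot "accept" an arbitrary password
    KrbVerifyKDC       On
    Require valid-user
</Location>

# Browser-only application: CAS's redirect flow is the right tool here.
Alias /trac/somecoolproject "/usr/share/trac/cgi-bin/trac.cgi"
<Location "/trac/somecoolproject">
    SetEnv TRAC_ENV "/trac/somecoolproject"
</Location>
<Location "/trac/somecoolproject/login">
    AuthType CAS
    AuthName "TRAC"
    Require valid-user
</Location>
```

With this in place an anonymous request to /repo/somecoolproject/trunk returns 401 with a Negotiate challenge rather than 302, which is what the svn client (and any other non-browser HTTP client) can actually act on.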
