Re: [cas-user] CASifying web applications
I believe you said you're using CAS 4.0.x/4.x. I'll just add that you may need the latest version of mod_auth_cas with that, which I believe isn't yet the official release. If you have any trouble/questions with that, you can ask on this list or on the mod_auth_cas_dev list (or just search those lists). Milt Epstein Programmer in Computational Genomics Institute for Genomic Biology (IGB) University of Illinois at Urbana-Champaign (UIUC) mepst...@illinois.edu On Thu, 23 Apr 2015, Paul B. Henson wrote: On Thu, Apr 23, 2015 at 02:37:47PM -0700, Andrew Morgan wrote: I have several Perl apps that I wanted to CASify. I looked at a few of the Perl modules for CAS and didn't like what I saw, so I used mod_auth_cas instead. I'm very happy with mod_auth_cas. It's very easy to check $ENV{'REMOTE_USER'} in Perl. :) Unfortunately, I've got one mod_perl app that needs to accept proxy auth, and another that needs to initiate it, so mod_auth_cas isn't going to cut it for those :(. But thanks for the opinion of mod_auth_cas, that will handle a lot of our needs. -- Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/ Operating Systems and Network Analyst | hen...@cpp.edu California State Polytechnic University | Pomona CA 91768 -- You are currently subscribed to cas-user@lists.jasig.org as: mepst...@illinois.edu To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] CASifying web applications
From: Milt Epstein Sent: Friday, April 24, 2015 7:38 AM I believe you said you're using CAS 4.0.x/4.x. I'll just add that you may need the latest version of mod_auth_cas with that, which I believe isn't yet the official release. Actually, we're not; I was just using the existence of the newer CAS protocol and the lack of any recent changes in some of the CAS clients as an argument that they might not be maintained. But thanks for the tip, I will keep that in mind. We will probably upgrade by the end of the year. Thanks... -- Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/ Operating Systems and Network Analyst | hen...@cpp.edu California State Polytechnic University | Pomona CA 91768 -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] CASifying web applications
From: Christopher Myers Sent: Thursday, April 23, 2015 6:31 AM For the Java CAS stuff, you may want to check out the sample webapp provided here: https://wiki.jasig.org/display/CASC/JA- SIG+Java+Client+Simple+WebApp+Sample - it gives you a really good, simple overview of how stuff is set up. We don't currently have any java apps in need of CASification, but I'll keep this in mind, thanks. -- Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/ Operating Systems and Network Analyst | hen...@cpp.edu California State Polytechnic University | Pomona CA 91768 -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] CASifying web applications
From: Waldbieser, Carl Sent: Thursday, April 23, 2015 6:20 AM We are using mod_auth_cas in front of a couple web apps, and it works pretty much as you would expect. Since it is a fairly decoupled integration with your web app, the log out links in your web app will tend not to work the way one might expect. Cool, thanks for the feedback. The majority of the applications we would switch to mod_auth_cas already use web server-based authentication, so they don't really have logout buttons, that shouldn't be a problem. I can't speak to the perl modules you mention, but a lack of activity is not necessarily a bad thing. CAS is a relatively simple and straightforward protocol. The code for a CAS client should tend to stabilize pretty quickly. True; although CAS 4 has been out for a while, with a new version of the protocol. Not seeing any changes at all for 3-4 years, whether bug fixes, enhancements, or updated protocol support, makes one concerned they are not really maintained. Thanks... -- Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/ Operating Systems and Network Analyst | hen...@cpp.edu California State Polytechnic University | Pomona CA 91768 -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
RE: [cas-user] CASifying web applications
On Thu, 23 Apr 2015, Paul B. Henson wrote: From: Waldbieser, Carl Sent: Thursday, April 23, 2015 6:20 AM We are using mod_auth_cas in front of a couple web apps, and it works pretty much as you would expect. Since it is a fairly decoupled integration with your web app, the log out links in your web app will tend not to work the way one might expect. Cool, thanks for the feedback. The majority of the applications we would switch to mod_auth_cas already use web server-based authentication, so they don't really have logout buttons, that shouldn't be a problem. I can't speak to the perl modules you mention, but a lack of activity is not necessarily a bad thing. CAS is a relatively simple and straightforward protocol. The code for a CAS client should tend to stabilize pretty quickly. True; although CAS 4 has been out for a while, with a new version of the protocol. Not seeing any changes at all for 3-4 years, whether bug fixes, enhancements, or updated protocol support, makes one concerned they are not really maintained. I have several Perl apps that I wanted to CASify. I looked at a few of the Perl modules for CAS and didn't like what I saw, so I used mod_auth_cas instead. I'm very happy with mod_auth_cas. It's very easy to check $ENV{'REMOTE_USER'} in Perl. :) Andy -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] CASifying web applications
For the Java CAS stuff, you may want to check out the sample webapp provided here: https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample - it gives you a really good, simple overview of how stuff is set up. I can't speak to the other CAS clients at the moment however. Chris Waldbieser, Carl waldb...@lafayette.edu 04/23/15 8:20 AM Paul, We are using mod_auth_cas in front of a couple web apps, and it works pretty much as you would expect. Since it is a fairly decoupled integration with your web app, the log out links in your web app will tend not to work the way one might expect. However, once you get mod_auth_cas built, configuring it and deploying it to production is rather straightforward. We have only used it with Apache v2.2. I have integrated some apps with phpCAS, and it is also pretty simple to configure. I find if you crank up debugging in that library you get a good amount of detail that can really help with some of the more subtle problems (like if the CA of the SSL cert is not recognized by the back channel call). We have also integrated some of our Java based apps with the Java client. Like other integrated solutions, the setup is more complex, but the user experience typically feels more smooth and less bolted on, especially if you want your log out controls to log you out of a your SSO session. I can't speak to the perl modules you mention, but a lack of activity is not necessarily a bad thing. CAS is a relatively simple and straightforward protocol. The code for a CAS client should tend to stabilize pretty quickly. Thanks, Carl Waldbieser ITS System Programmer Lafayette College - Original Message - From: Paul B. Henson hen...@cpp.edu To: cas-user@lists.jasig.org Sent: Wednesday, April 22, 2015 10:54:27 PM Subject: [cas-user] CASifying web applications We're at a point in our CAS deployment where we'd like to start converting some of our existing applications to use it, and I'd appreciate some feedback on the best path to do so. It seems there are two types of webapps under consideration, those that do no authentication at all on their own and rely entirely on web service based authentication, and those that have no web server authentication and implement auth entirely on their own. For web server auth, it looks like the only real solution is mod_auth_cas (https://wiki.jasig.org/display/CASC/mod_auth_cas) for Apache? Anyone currently using this that might be able to comment on how well it works, how reliable it is, etc? It looks like it doesn't support proxy authentication, but we only have one app that needs that. Does anyone know if this module works as-is under Apache 2.4? According to the docs, some 2.2 modules work fine under 2.4, while others require updates for certain changed API's. If the app is mod_perl based, or mod_perl can be added just for authentication, it looks like there are two options: http://search.cpan.org/~dcastro/Apache-AuthCAS/lib/Apache/AuthCAS.pm http://search.cpan.org/~jhitt/Apache2-AuthCAS-0.4/lib/Apache2/AuthCAS.pm Any opinion/consensus on which of these is better, and how they compare to mod_auth_cas? It looks like both of these support proxy auth, which makes them presumably beat out mod_auth_cas for that use case. For applications which do their own authentication, it looks like phpCAS (https://wiki.jasig.org/display/CASC/phpCAS) is the officially supported solution for php based apps? For perl based applications, I see there's only an unofficial client available (https://github.com/Unicon/cas-perl-client). The last update is over 3 years ago, and the documentation is a bit lacking. There are no better solutions for CAS via perl? We have one app that will need to do proxy auth, it's part of our idm infrastructure. The client facing front end is on a windows box, currently doing forms based auth and proxying the plaintext credentials to a mod_perl based web service via apache ldap authentication. To CASify this, our webapps group will presumably use the .net CAS client to authenticate the browser and then use CAS proxy auth to authenticate the end user to the web service. We are flexible on this as to whether the auth is done by the web server or integrated into the app itself. As mod_auth_cas doesn't do proxy auth, that is ruled out. Any thoughts on whether it would be cleaner to use one of the mod_perl based solutions to do the proxy auth at the web server level vs a perl CAS client in the application? Thanks much... -- Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/ Operating Systems and Network Analyst | hen...@cpp.edu California State Polytechnic University | Pomona CA 91768 -- You are currently subscribed to cas-user@lists.jasig.org as: waldb...@lafayette.edu To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: cmy...@mail.millikin.edu
Re: [cas-user] CASifying web applications
On Thu, Apr 23, 2015 at 02:37:47PM -0700, Andrew Morgan wrote: I have several Perl apps that I wanted to CASify. I looked at a few of the Perl modules for CAS and didn't like what I saw, so I used mod_auth_cas instead. I'm very happy with mod_auth_cas. It's very easy to check $ENV{'REMOTE_USER'} in Perl. :) Unfortunately, I've got one mod_perl app that needs to accept proxy auth, and another that needs to initiate it, so mod_auth_cas isn't going to cut it for those :(. But thanks for the opinion of mod_auth_cas, that will handle a lot of our needs. -- Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/ Operating Systems and Network Analyst | hen...@cpp.edu California State Polytechnic University | Pomona CA 91768 -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
[cas-user] CASifying web applications
We're at a point in our CAS deployment where we'd like to start converting some of our existing applications to use it, and I'd appreciate some feedback on the best path to do so. It seems there are two types of webapps under consideration, those that do no authentication at all on their own and rely entirely on web service based authentication, and those that have no web server authentication and implement auth entirely on their own. For web server auth, it looks like the only real solution is mod_auth_cas (https://wiki.jasig.org/display/CASC/mod_auth_cas) for Apache? Anyone currently using this that might be able to comment on how well it works, how reliable it is, etc? It looks like it doesn't support proxy authentication, but we only have one app that needs that. Does anyone know if this module works as-is under Apache 2.4? According to the docs, some 2.2 modules work fine under 2.4, while others require updates for certain changed API's. If the app is mod_perl based, or mod_perl can be added just for authentication, it looks like there are two options: http://search.cpan.org/~dcastro/Apache-AuthCAS/lib/Apache/AuthCAS.pm http://search.cpan.org/~jhitt/Apache2-AuthCAS-0.4/lib/Apache2/AuthCAS.pm Any opinion/consensus on which of these is better, and how they compare to mod_auth_cas? It looks like both of these support proxy auth, which makes them presumably beat out mod_auth_cas for that use case. For applications which do their own authentication, it looks like phpCAS (https://wiki.jasig.org/display/CASC/phpCAS) is the officially supported solution for php based apps? For perl based applications, I see there's only an unofficial client available (https://github.com/Unicon/cas-perl-client). The last update is over 3 years ago, and the documentation is a bit lacking. There are no better solutions for CAS via perl? We have one app that will need to do proxy auth, it's part of our idm infrastructure. The client facing front end is on a windows box, currently doing forms based auth and proxying the plaintext credentials to a mod_perl based web service via apache ldap authentication. To CASify this, our webapps group will presumably use the .net CAS client to authenticate the browser and then use CAS proxy auth to authenticate the end user to the web service. We are flexible on this as to whether the auth is done by the web server or integrated into the app itself. As mod_auth_cas doesn't do proxy auth, that is ruled out. Any thoughts on whether it would be cleaner to use one of the mod_perl based solutions to do the proxy auth at the web server level vs a perl CAS client in the application? Thanks much... -- Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/ Operating Systems and Network Analyst | hen...@cpp.edu California State Polytechnic University | Pomona CA 91768 -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user