Difference between revisions of "CAS"
Revision as of 14:35, 22 August 2007
This page explains how to use a CAS server to authenticate user in eprints.
Install a secure host
The first thing you will have to do is set up a secure (HTTPS) host for your archive; the Apache directives below go into that host's configuration.
Apache2::AuthCAS
This Perl library allows you to communicate easily with a CAS server.
Install the lib
This can be done with the command:
perl -MCPAN -e 'install Apache2::AuthCAS'
More information is available at http://search.cpan.org/~jhitt/Apache2-AuthCAS-0.1/lib/Apache2/AuthCAS.pm
Create the database to store cookies
The module ships this schema, written for PostgreSQL, at http://search.cpan.org/src/JHITT/Apache2-AuthCAS-0.1/schemaPg.sql. The same statements load into MySQL unchanged, since MySQL accepts int8 as a synonym for BIGINT (note the comma after the pgtiou column, which is required):
-- Schema for use with PostgreSQL
CREATE TABLE cas_sessions (
    id varchar(32) not null primary key,
    last_accessed int8 not null,
    user_id varchar(32) not null,
    pgtiou varchar(64),
    pgt varchar(64)
);
CREATE INDEX cas_sessions_id_index ON cas_sessions(id);
CREATE INDEX cas_sessions_pgtiou_index ON cas_sessions(pgtiou);
Configure your secure host
You must provide some information, such as the CAS host. You can set it in your virtual host or in AuthCAS.pm; read the module page on CPAN for the full list of directives.
Edit $EPRINTS_ROOT/archives/$ARCHIVE_ID/var/manual-secure.conf and add the lines:
PerlLoadModule Apache2::AuthCAS::Configuration
PerlLoadModule Apache2::AuthCAS
<Directory "/opt/eprints3/cgi/users">
    AuthType Apache2::AuthCAS
    AuthName "CAS"
    PerlAuthenHandler Apache2::AuthCAS->authenticate
    CASHost "HOST"
    CASPort "443"
    CASErrorURL "https://HOST/cas/error/"
    CASDbDataSource "dbname=DATABASE_NAME"
    CASDbDriver "mysql"
    CASDbUser "DATABASE_USERNAME"
    CASDbPass "DATABASE_PASSWORD"
    CASSessionCookieName "COOKIE_NAME"
    CASSessionTimeout "1800"
    CASLogLevel "0"
    CASRemoveTicket "true"
    CASPretendBasicAuth "true"
    PerlAuthzHandler EPrints::Apache::Auth::authz
    Require valid-user
    SetHandler perl-script
    PerlHandler ModPerl::Registry
    PerlSendHeader Off
    Options ExecCGI FollowSymLinks
</Directory>
Replace HOST, DATABASE_NAME, DATABASE_USERNAME, DATABASE_PASSWORD and COOKIE_NAME with your own values. COOKIE_NAME must be the same name that the Session.pm code reads from the cas_cookie_name configuration value, otherwise the cookie lookup never finds the session.
Eprints::Session edit
Now edit $EPRINTS_PATH/perl_lib/EPrints/Session.pm. First change the line:
use CGI qw(-compile);
to:
use CGI qw(:standard -nph -compile);
This gives you the raw_cookie function, which returns the value stored in an HTTP cookie. Then go to the current_user function, where the username that the AuthCAS module associated with the session has to end up in $username. To do this, look the session up in the cas_sessions table with a query like:
my $sql = "SELECT user_id FROM cas_sessions WHERE id=?";
my $sth = $self->get_database()->prepare( $sql );
$sth->execute( $user_ticket );
Where $user_ticket is the value stored in the AuthCAS HTTP cookie:
my $user_ticket = raw_cookie('APACHECAS');
Note that 'APACHECAS' is the default name for the AuthCAS cookie, but you may have changed it with CASSessionCookieName. Pass the ticket as a bind parameter rather than interpolating it into the SQL string: the cookie is attacker-controlled, and a query of the form WHERE id='$user_ticket' lets anyone who sends a crafted cookie rewrite the WHERE clause.
Here is code that should work if the Apache2::AuthCAS SQL tables are installed in the same database as your EPrints tables:
sub current_user
{
	my( $self ) = @_;

	if( $self->{logged_out} )
	{
		return undef;
	}

	if( !defined $self->{current_user} )
	{
		if( $self->get_archive->get_conf( "cookie_auth" ) )
		{
			if( $self->get_archive->get_conf( 'cas_auth' ) )
			{
				my $username;
				my $cookie_name = $self->get_archive->get_conf( 'cas_cookie_name' );

				# Debug output; remove once CAS login works.
				print STDERR 'CAS In cas_auth', "\n";
				print STDERR 'CAS server name: ', $ENV{SERVER_NAME}, "\n";
				print STDERR 'CAS cookie name: ', $cookie_name, "\n";

				if( defined $ENV{HTTP_CAS_FILTER_USER} )
				{
					# First request after login: AuthCAS has set the CAS-Filter-User
					# request header. HTTP_* variables are request headers, so only
					# trust this value on paths the AuthCAS handler actually protects.
					print STDERR 'CAS first page', "\n";
					$username = $ENV{HTTP_CAS_FILTER_USER};
				}
				else
				{
					# Later requests: map the session cookie back to a user through
					# the cas_sessions table that AuthCAS maintains.
					print STDERR 'CAS other page', "\n";
					my $ticket = raw_cookie( $cookie_name );
					if( defined $ticket && $ticket ne '' )
					{
						# Bind the ticket as a parameter: a quoted placeholder ('?')
						# is a literal string and never matches, and interpolating
						# the cookie into the SQL is an injection hole. The schema
						# above names the column user_id (the earlier listing used
						# uid); use whatever your cas_sessions table calls it.
						my $sql = "SELECT user_id FROM cas_sessions WHERE id=?";
						my $sth = $self->get_database()->prepare( $sql );
						$sth->execute( $ticket );
						my @info = $sth->fetchrow_array();
						$sth->finish;
						if( defined $info[0] )
						{
							my @list = split( ":", $info[0] );
							$username = $list[0];
						}
					}
				}

				if( defined $username )
				{
					print STDERR 'CAS username: ', $username, "\n";
					$self->{current_user} = EPrints::DataObj::User::user_with_username( $self, $username );
				}
			}
			if( !defined $self->{current_user} )
			{
				$self->{current_user} = $self->_current_user_auth_cookie;
			}
		}
		else
		{
			$self->{current_user} = $self->_current_user_auth_basic;
		}
	}

	return $self->{current_user};
}
This code assumes the Apache2::AuthCAS SQL tables are stored in the same database as the rest of the EPrints tables. It will not work if you use a PostgreSQL database, or if you keep the AuthCAS tables in another MySQL database. If you have a good reason to use a separate database, you will have to change the lookup to use a connection to that database.

Two things to check before relying on it. HTTP_CAS_FILTER_USER is the CGI form of a request header (CAS-Filter-User), which this code expects AuthCAS to set on the first request after login. Apache only runs the AuthCAS handler inside the <Directory> block above; on any other path nothing sets or clears that header, so a client could supply it itself. Either make sure every page that calls current_user sits under the AuthCAS handler, or strip the header from incoming requests. And remove the print STDERR lines once login works: they write the session ticket to the error log, and anyone who can read the log can reuse the session.
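An added example, written for this page rather than taken from the wiki, the EPrints patch or Apache2::AuthCAS, that exercises the session lookup in isolation. It assumes DBD::SQLite is installed, builds a cas_sessions table with one constructed row in memory, and uses function names of my own choosing. Run it with perl to see that the interpolated query accepts a forged cookie, the quoted placeholder never matches, and only the bound parameter behaves:

```perl
#!/usr/bin/perl
# Added example (not code from the EPrints wiki, the CAS patch or
# Apache2::AuthCAS): resolving a CAS session cookie to a user through the
# cas_sessions table, in the three query forms a Session.pm patch can end up with.
# Assumption: DBD::SQLite is installed. The table and its single row are
# constructed here so the script runs offline.
use strict;
use warnings;
use DBI;

# cas_sessions as in the AuthCAS schema, loaded into an in-memory SQLite database.
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
	{ RaiseError => 1, PrintError => 0 } );
$dbh->do( "CREATE TABLE cas_sessions (
	id varchar(32) not null primary key,
	last_accessed int8 not null,
	user_id varchar(32) not null,
	pgtiou varchar(64),
	pgt varchar(64) )" );
# Constructed session: ticket "abc123" belongs to user alice.
$dbh->do( "INSERT INTO cas_sessions (id, last_accessed, user_id) VALUES (?, ?, ?)",
	undef, "abc123", time(), "alice" );

# Form 1: cookie value interpolated into the SQL string.
# Anyone who can set the cookie can rewrite the WHERE clause.
sub user_for_ticket_interpolated
{
	my( $dbh, $ticket ) = @_;
	my $row = $dbh->selectrow_arrayref(
		"SELECT user_id FROM cas_sessions WHERE id='$ticket'" );
	return $row ? $row->[0] : undef;
}

# Form 2: placeholder wrapped in quotes. '?' is then a string literal, not a
# bind slot, so execute() fails (or, if the failure is ignored, nothing ever
# matches) and every CAS user silently falls through to the cookie login.
sub user_for_ticket_quoted_placeholder
{
	my( $dbh, $ticket ) = @_;
	my $sth = $dbh->prepare( "SELECT user_id FROM cas_sessions WHERE id='?'" );
	eval { $sth->execute( $ticket ); 1 } or return undef;
	my $row = $sth->fetchrow_arrayref;
	$sth->finish;
	return $row ? $row->[0] : undef;
}

# Form 3: the ticket bound as a parameter. The driver passes the value
# separately from the statement, so quote characters in the cookie are data.
sub user_for_ticket_bound
{
	my( $dbh, $ticket ) = @_;
	my $sth = $dbh->prepare( "SELECT user_id FROM cas_sessions WHERE id=?" );
	$sth->execute( $ticket );
	my $row = $sth->fetchrow_arrayref;
	$sth->finish;
	return $row ? $row->[0] : undef;
}

# A cookie a browser would legitimately send, and a forged one that turns the
# interpolated WHERE clause into  id='' OR '1'='1'  (constructed inputs).
my $genuine = "abc123";
my $forged  = "' OR '1'='1";

for my $case ( [ "interpolated", \&user_for_ticket_interpolated ],
               [ "quoted '?'",   \&user_for_ticket_quoted_placeholder ],
               [ "bound ?",      \&user_for_ticket_bound ] )
{
	my( $name, $lookup ) = @$case;
	for my $ticket ( $genuine, $forged )
	{
		my $user = $lookup->( $dbh, $ticket );
		printf "%-13s cookie=%-12s -> %s\n", $name, $ticket,
			defined $user ? "user $user" : "no session";
	}
}
# Only the bound form gives: genuine cookie -> alice, forged cookie -> no session.
```

The interpolated form returns alice for both cookies, which is the failure that matters: a user who never logged in is treated as whoever happens to have an open CAS session. The quoted-placeholder form returns no user for either, so the bug shows up as "CAS login never sticks" rather than as an error.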
I'm a busy man, give me a patch!
Okay, here is a patch which includes changes to files:
- Config.pm
- configure_archive
- generate_apacheconf
- Session.pm
It was made with EPrints version 2.3.13.
CAS Authentication patch for Gnu eprints
Once your EPrints has been patched, you have to:
- install the Apache2::AuthCAS module and create the associated tables in your EPrints database (see above)
- run configure_archive (answer yes to «configure secure host» and «use CAS authentication»)
- run generate_apacheconf
- restart your webserver
You should now be able to login through your CAS server.
Once CAS is working, you may need to copy the user entry from an LDAP server. This can be done as described in the Integrating_EPrints_with_LDAP article of this wiki, or like this:
Our LDAP configuration
In the file perl_lib/EPrints/User.pm, go to the user_with_username function and replace it with the following function (the listing on this page is cut off after the filter string is started; the end of it is not available here):
use Net::LDAP;

sub user_with_username
{
	my( $session, $username ) = @_;

	my $user_ds = $session->get_archive()->get_dataset( "user" );

	my $searchexp = new EPrints::SearchExpression(
		session => $session,
		dataset => $user_ds );

	$searchexp->add_field( $user_ds->get_field( "username" ), $username, "EX" );

	my $searchid = $searchexp->perform_search;
	# Fetch the matching records; the original listing tested $records[0]
	# without ever filling @records.
	my @records = $searchexp->get_records;
	my $user;

	# If no record was found and an LDAP host is configured, try to add a new record
	if( $records[0] eq "" and $session->{archive}->get_conf( "ldaphost" ) ne "" )
	{
		# Bring back data from the LDAP server
		my $ldap = Net::LDAP->new( $session->{archive}->get_conf( "ldaphost" ) ) or die "$@";
		my $userToAuthenticate = $session->{archive}->get_conf( "ldapuser" );
		my $passwd = $session->{archive}->get_conf( "ldappass" );
		my $base = $session->{archive}->get_conf( "ldapbase" );
		my $additionalCriteria = $session->{archive}->get_conf( "ldapsearchstring" );
		# $username goes straight into an LDAP filter; escape it with
		# Net::LDAP::Util::escape_filter_value if it can contain filter metacharacters.
		my $searchString = "uid=$username";
		if( $additionalCriteria ne "" )
		{
			$searchString = "