Protect Single Page application using mod_auth_cas

Shankaranand Bahushrutham

Nov 30, 2018, 7:46:17 PM
to CAS Community

I have 2 single page applications developed in Angular 6. I want to protect one of them with CAS and the other one should not be protected. In the Apache web server, I have them under the htdocs folder with the names 'unsecured' and 'secured'. Below is my mod_auth_cas configuration and it isn't working. It protects fine if I give <Location ~ "index.html"> but the problem is that it protects the unsecured app as well.

    <Location /secured>
      Authtype CAS
      require valid-user
      CASAuthNHeader sm_user
      CASScope /secured
    </Location>

I have a rewrite rule to rewrite /* to /secured and another rule /unsecured to /unsecured (this is placed above the /* so that the unsecured rule executes first).

Please advise the right configuration.

David Hawes

Dec 3, 2018, 6:53:28 PM
to cas-...@apereo.org
The order of these directives matters. You may want to review:

http://httpd.apache.org/docs/current/sections.html#merging

We'd need more config to tell what's going on in your case.

Shankaranand Bahushrutham

Dec 4, 2018, 10:44:05 AM
to CAS Community
Thanks. This is very informative. I was under the assumption that mod_auth_cas will understand only Location. Does this mean mod_auth_cas can act on Directory as well?

David Curry

Dec 4, 2018, 11:03:25 AM
to cas-...@apereo.org
Directory works fine with mod_auth_cas. For example, I usually use some variation on this for /etc/httpd/conf.d/cas.conf:

LoadModule auth_cas_module modules/mod_auth_cas.so

<Directory "/var/www/html/secured-by-cas">
    <IfModule mod_auth_cas.c>
        AuthType        CAS
        CASAuthNHeader  On
    </IfModule>

    Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
    CASLoginUrl           https://casdev.newschool.edu/cas/login
    CASValidateUrl        https://casdev.newschool.edu/cas/samlValidate
    CASCookiePath         /var/cache/httpd/mod_auth_cas/
    CASValidateSAML       On
    CASSSOEnabled         On
    CASDebug              Off
</IfModule>

And there's no need to limit yourself to one Directory section... I actually have three of them on this server (the different directory names produce different URLs for different service registry entries with different settings).

Note: if you don't need attribute values returned from the CAS server, you can use "serviceValidate" instead of "samlValidate" on the CASValidateUrl, and get rid of the CASAuthNHeader setting.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu
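
The layout the replies point to, written out as an added example (not part of any post in this thread, and not the posters' own configuration): the CAS requirement is attached to the protected app's filesystem directory, so it follows the files rather than the URL pattern, and the open app gets its own section. The DocumentRoot `/var/www/html`, the host `cas.example.org` and the use of `FallbackResource` for client-side routes are assumptions.

```apache
# Added example. Assumed: DocumentRoot /var/www/html, with the two apps in
# /var/www/html/secured and /var/www/html/unsecured; cas.example.org is a
# placeholder for the real CAS server.
LoadModule auth_cas_module modules/mod_auth_cas.so

# Server-wide mod_auth_cas settings. serviceValidate is used because this
# example does not request attributes from the CAS server.
<IfModule mod_auth_cas.c>
    CASLoginUrl     https://cas.example.org/cas/login
    CASValidateUrl  https://cas.example.org/cas/serviceValidate
    # Must exist and be writable by the Apache user.
    CASCookiePath   /var/cache/httpd/mod_auth_cas/
    CASDebug        Off
</IfModule>

# Protected SPA. A <Directory> section applies to the files themselves, so
# the requirement holds for any URL that ends up served from this path.
<Directory "/var/www/html/secured">
    AuthType CAS
    Require valid-user
    # Angular routes that do not exist on disk are answered with the SPA
    # entry point, which lives inside this same protected directory.
    FallbackResource /secured/index.html
</Directory>

# Open SPA. No AuthType is set here, and access is granted explicitly so
# the intent is visible when the two sections are read side by side.
<Directory "/var/www/html/unsecured">
    Require all granted
    FallbackResource /unsecured/index.html
</Directory>
```

After reloading Apache, an unauthenticated request to a path under /secured should be redirected to the CAS login URL, while a path under /unsecured should return the page directly; checking both confirms the sections merge as intended.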


