Need help with CAS


TF

Aug 16, 2024, 9:08:59 AM
to CAS Community
Hey guys,

I hope I can get help here. I'm going crazy with my problem...

My Setup:

Debian Server
Apache2 with mod_auth_cas and mod_wsgi
Application: Django

Problem:

If you enter the main domain "https://example.com" everything is good, no problems, Auth via CAS (SSO) => Website => OK

But if you enter a sub page of the website for example "https://example.com/site1" there is a problem with the static files (css, js, etc.). Auth via CAS (SSO) => Website => static files are not loading.

If I take a look into the browser dev tools I can see the browser tries to get the static files from the CAS server, not from my server.

for example: main.css => 302 => login?service=example.com/static/css/main.css

But only if you try to enter a sub page directly, if you enter the main domain and then go back to the sub page everything is ok again....

Maybe someone can help me.

Thanks & kind regards,
TF

Carl Waldbieser

Aug 16, 2024, 9:51:25 AM
to cas-...@apereo.org
You probably are going to need to share your mod_auth_cas config (if you need to replace your actual domain with "example.com" that is fine).

Thanks,
Carl Waldbieser 


Carl Waldbieser

Aug 16, 2024, 1:30:17 PM
to TF, CAS Community
TF,

You might want to try setting the "CASScope" setting to a particular path.  For example, to protect just the resource that logs you in and establishes an application session.  You probably don't actually want CAS to be involved when accessing every resource on the site.

Thanks,
Carl Waldbieser
 

On Fri, Aug 16, 2024 at 10:01 AM TF <timm.fl...@ionos.com> wrote:
/etc/apache2/mods-enabled/auth_cas.conf

CASLoginURL https://login.example.org/ims-sso/login
CASCookiePath /var/www/website/production/sessions/
CASValidateURL https://login.example.org/ims-sso/serviceValidate
CASValidateSAML Off
CASVersion 2
CASDebug On
CASTimeout 32400
CASIdleTimeout 7200

/etc/apache2/sites-enabled/001-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName example.com
    DocumentRoot /var/www/example
    LogLevel error
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.org.pem
    SSLCertificateKeyFile /etc/ssl/certs/example.key

    Alias /static/ /var/www/example/production/static/
    <Directory /var/www/example/production/static>
        SSLRequireSSL
        AuthType None
        Require all granted
        Order allow,deny
        Allow from all
    </Directory>

    WSGIDaemonProcess example user=www-data group=www-data processes=4 threads=20 display-name=%{GROUP} python-home=/var/www/example/venv python-path=/var/www/example
    WSGIScriptReloading On
    WSGIScriptAlias / /var/www/example/system/wsgi.py

    <Directory /var/www/example>
        SSLRequireSSL
        WSGIProcessGroup example
        WSGIApplicationGroup %{GLOBAL}

        <If "%{REMOTE_ADDR} == 'x.x.x.x'">
            AuthType None
            Require all granted
        </If>

        # Regular User
        <Else>
            AuthType CAS
            Require valid-user
        </Else>

        WSGIPassAuthorization On
    </Directory>
</VirtualHost>
</IfModule>

TF

Aug 16, 2024, 1:30:22 PM
to CAS Community, Carl Waldbieser

TF

Aug 28, 2024, 5:36:00 AM
to CAS Community, TF, Carl Waldbieser
Hi,

Sorry for my late response.
I tried "CasScope" with no success.
Still the same behavior :(

Kind regards,
Timm

Carl Waldbieser

Aug 28, 2024, 7:31:05 AM
to TF, CAS Community
If you swap out auth type cas for auth type basic, do you get the same issue?

Thanks,
Carl Waldbieser 

TF

Aug 29, 2024, 1:47:57 AM
to CAS Community, Carl Waldbieser, CAS Community, TF
Then I'm getting an Internal Error.

Log:
[Thu Aug 29 05:16:14.581084 2024] [auth_basic:error] [pid 1497476:tid 1497476] [client x.x.x.x:61896] AH01615: need AuthName: /

Carl Waldbieser

Aug 30, 2024, 8:25:36 AM
to TF, CAS Community
I think it is telling you that you forgot the AuthName directive:


To clarify, when I said "swap out", you need to replace your CAS authentication with some other type of dead-simple authentication that you know will work.  That way you can determine if the issue is with some mod_auth_cas setting, or if it is just something related to your apache config or application.  You could use something like mod_auth_form.

All these authentication modules eventually make the user available in the "REMOTE_USER" environment variable, so you should be able to swap one out for another to test.

Thanks,
Carl Waldbieser
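
The swap described in the message above, sketched as an added example (it is not part of any post in this thread): the posted `<Directory /var/www/example>` block with the CAS branch replaced by Basic authentication for a test. The realm name, the test user and the password-file path are assumptions.

```apache
<Directory /var/www/example>
    SSLRequireSSL
    WSGIProcessGroup example
    WSGIApplicationGroup %{GLOBAL}

    <If "%{REMOTE_ADDR} == 'x.x.x.x'">
        AuthType None
        Require all granted
    </If>

    # Regular User
    <Else>
        # Temporary stand-in for "AuthType CAS" while testing.
        AuthType Basic
        # AuthName is mandatory with Basic auth; omitting it produces
        # the "AH01615: need AuthName" error shown in the log above.
        AuthName "CAS isolation test"
        AuthBasicProvider file
        # Assumed path, kept outside the DocumentRoot. Create it with:
        #   htpasswd -c /etc/apache2/cas-test.htpasswd testuser
        AuthUserFile /etc/apache2/cas-test.htpasswd
        Require valid-user
    </Else>

    WSGIPassAuthorization On
</Directory>
```

If a direct request to a sub page still loads without its static files under this configuration, the cause lies in the Apache or application setup rather than in a mod_auth_cas setting. Restore `AuthType CAS` and delete the test password file once the check is done.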
