Using your own login form


Marlon Moyer

Jan 29, 2013, 10:37:05 AM
to rubycas...@googlegroups.com
Hey all, 

After struggling with it for the better part of two days, I finally got a working version of my own login form authenticating against the RubyCAS server.  It's really simple once you figure it out, but coming up with the correct flow was killing me ;)

Anyway, I did a quick write up describing how I did it if anyone is interested.


If you see something wrong with it, please feel free to tell me too.  

Matt Zukowski

Jan 29, 2013, 12:41:38 PM
to RubyCAS
Thanks for sharing that Marlon. There's also an older writeup about this here --> https://github.com/rubycas/rubycas-server/wiki/Custom-Login-Form-And-Authenticator but I think yours is a bit easier to follow.


--
You received this message because you are subscribed to the Google Groups "RubyCAS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubycas-serve...@googlegroups.com.
To post to this group, send email to rubycas...@googlegroups.com.
Visit this group at http://groups.google.com/group/rubycas-server?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Robert Mitwicki

Jan 30, 2013, 2:59:22 AM
to rubycas...@googlegroups.com
Hi Marlon,

To improve user experience with your app, you can use the API to communicate between the application and RubyCAS. Everything works in the background, so the user does not even realize that CAS is used in your application. You can take a look at my fork https://github.com/mitfik/rubycas-server/tree/my_master or the api branch. It is still in development but it works fine. There are plans to include those changes in the main repo for the new release (v2).

Best regards 
--
Robert Mitwicki
Senior Software Engineer
FXI Technologies

Trương Hoàng Dũng

Feb 12, 2013, 7:19:38 AM
to rubycas...@googlegroups.com
Thank you for the write-up. I don't understand how the CAS server saves the cookie (SSO cookie) for the client, because it seems you wrote the cookie only for your domain. I'm sorry if I missed something.

Robert Mitwicki

Feb 12, 2013, 8:07:53 AM
to rubycas...@googlegroups.com
Hi,

The CAS server saves the cookie for a particular domain, for example .example.com (the dot at the beginning means that anything from any subdomain, like serviceA.example.com, can get access to this cookie). You can NOT get access to any cookies from a different domain.
So when you set up a CAS service you need to make sure that all services use the same second-level and lower-level domain to allow them to share cookies; otherwise it won't work.



Best regards



Matt Zukowski

Feb 12, 2013, 8:22:28 AM
to RubyCAS

Also,  CAS passes the authentication to services by adding a 'ticket=abcd1234' parameter to the service url. It is then up to the service to set its own cookie to signify that it has been authenticated.

--
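
The service side of the ticket hand-off described in the message above, as an added example that is not part of the original thread or of RubyCAS itself: the service validates the ticket over a back channel with the CAS 2.0 `/serviceValidate` call, then issues its own host-only session cookie. The host names, the `app_session` cookie name, the function names and the injected `fetch` callable are assumptions made for illustration.

```ruby
require 'rexml/document'
require 'securerandom'
require 'uri'

CAS_NS   = 'http://www.yale.edu/tp/cas'   # namespace used by CAS 2.0 responses
CAS_BASE = 'https://cas.example.com'      # assumed CAS server address

# Constructed CAS 2.0 /serviceValidate responses (not captured from a real server).
OK_XML = "<cas:serviceResponse xmlns:cas='#{CAS_NS}'><cas:authenticationSuccess>" \
         "<cas:user>alice</cas:user></cas:authenticationSuccess></cas:serviceResponse>"
FAIL_XML = "<cas:serviceResponse xmlns:cas='#{CAS_NS}'><cas:authenticationFailure " \
           "code='INVALID_TICKET'>not recognized</cas:authenticationFailure></cas:serviceResponse>"

# Back-channel URL the service requests to validate the ticket it was handed.
def validation_url(service_url, ticket)
  "#{CAS_BASE}/serviceValidate?" + URI.encode_www_form(service: service_url, ticket: ticket)
end

# Username from a serviceValidate response, or nil on failure or malformed XML.
def authenticated_user(xml)
  doc  = REXML::Document.new(xml.to_s)
  node = REXML::XPath.first(
    doc, '/cas:serviceResponse/cas:authenticationSuccess/cas:user', 'cas' => CAS_NS
  )
  name = node && node.text.to_s.strip
  name unless name.nil? || name.empty?
rescue REXML::ParseException
  nil
end

# Handles the redirect back from CAS. `fetch` does the HTTPS GET; it is injected
# so the example runs offline. Returns [status, Set-Cookie value or nil].
def handle_callback(ticket, service_url, sessions, fetch)
  return [401, nil] if ticket.to_s.empty?
  user = authenticated_user(fetch.call(validation_url(service_url, ticket)))
  return [401, nil] unless user
  sid = SecureRandom.hex(32)          # the service's own session id, not the ticket
  sessions[sid] = user
  # No Domain attribute: the cookie stays host-only for this service.
  [302, "app_session=#{sid}; Path=/; Secure; HttpOnly; SameSite=Lax"]
end

# Stand-in for the CAS server: accepts exactly one constructed ticket.
FAKE_CAS = ->(url) { url.include?('ticket=ST-constructed-1') ? OK_XML : FAIL_XML }

if __FILE__ == $PROGRAM_NAME
  sessions = {}
  p handle_callback('ST-constructed-1', 'https://app.example.com/', sessions, FAKE_CAS)
  p handle_callback('ST-forged', 'https://app.example.com/', sessions, FAKE_CAS)
end
```

The `service` value sent for validation has to be the same URL the ticket was issued for, which is why it is passed through unchanged from the callback.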

Trương Hoàng Dũng

Feb 12, 2013, 8:29:42 AM
to rubycas...@googlegroups.com
Oh, I see. Thank you for the detail. The key to remember here is that inside the validate method of the CAS client, it first reads the cookie for a TGT ticket, then uses it to query the CAS server to validate. Am I right?

Trương Hoàng Dũng

Feb 15, 2013, 9:15:45 PM
to rubycas...@googlegroups.com
Hi, I think you are WRONG about how CAS works. The CAS service doesn't have any requirement on the domain to use. Why do you need to share cookies with CAStified applications?


On Tuesday, February 12, 2013 8:07:53 PM UTC+7, mitfik wrote:

Robert Mitwicki

Feb 18, 2013, 4:25:54 AM
to rubycas...@googlegroups.com
That is true, you do not need to share cookies. But if you plan to have:
- a web browser client application (like Chrome, Firefox, Opera etc.)
- which means that your services will be web-based services
- and you would like to have SSO functionality
then there is no better solution than just sharing cookies.

This scenario is the most common, which is why I explained it based on the assumption that this scenario will be used. If you have a different scenario then the CAS configuration will be a bit different and maybe you do not even need to use cookies. It would be good if you could share with us what scenario you use, and then we could advise you and answer your questions in the context of your case.

Best regards 

Trương Hoàng Dũng

Feb 28, 2013, 10:23:23 PM
to rubycas...@googlegroups.com
Thank you for the explanation.
As you said, if we use shared cookies for subdomains, then in this scenario, what is the benefit of using a CAS server? It's heavyweight to use a CAS server in this case.
In my case, I used a lot of CAStified applications to talk to, so to extend a system, I just need to configure, rather than code, that component.
If you have further use cases, please explain more. I'm just a beginner at deploying CAStified applications.
Thank you very much.

Mani Narayanan

Mar 5, 2013, 12:42:02 AM
to rubycas...@googlegroups.com
Hi Mitwicki,

Your api fork https://github.com/mitfik/rubycas-server/tree/my_master should perfectly solve my requirement and I have tried to run it with my current config.yml file but got the following error.

/home/sysadmin/rails_projects/rubycas-server-api/lib/casserver/base.rb:33:in `initialize_database': undefined method `database' for CASServer::Base:Class (NoMethodError)
    from /sysadmin/mani/rails_projects/rubycas-server-api/lib/casserver/base.rb:60:in `block in <class:Base>'


The config.yml file is working properly with the normal branch code. Do I need to add any extra config to make this fork work?

Thanks,
Mani

Robert Mitwicki

Mar 19, 2013, 9:41:36 AM
to rubycas...@googlegroups.com
Hi,

Could you provide me your config file (remember to replace passwords ;) ?
Because without that I can't help you with it.

Thanks
Best regards

Marlon Moyer

Mar 19, 2013, 9:48:43 AM
to rubycas...@googlegroups.com
I'm curious what your fork does that's different than the main project?  Right now, I'm using the main project with my own login form (the user never leaves my site to authenticate) and I haven't had to change anything.

Robert Mitwicki

Mar 20, 2013, 5:18:02 AM
to rubycas...@googlegroups.com
I improved a bit how settings are read in. So it can be that there are some inconsistencies between my fork and the main line.
Anyway, we are working right now on a new generation of rubycas-server, so all of this will be changed anyway.


Best regards

Marlon Moyer

Mar 20, 2013, 4:17:18 PM
to rubycas...@googlegroups.com
To clear things up on my end, I created an example app and put it on GitHub.  All that's needed is to create a config/application.yml file with your CAS server address and then run it with Webrick.

Robert Mitwicki

Mar 21, 2013, 3:29:26 AM
to rubycas...@googlegroups.com
Hi,
Thanks a lot for this example; for sure it will be helpful for others.
Just one piece of advice for the future: when you create an example, try to have each step in one commit.
This will help a lot to understand what changes you made, and where, to make it work.

Thanks anyway
Best regards

Marlon Moyer

Mar 21, 2013, 3:15:59 PM
to rubycas...@googlegroups.com
You are correct, that was hard to follow.  I destroyed the repo and then recreated it.  This time all the changes needed are in their own commit. Thanks

Matt Zukowski

Mar 22, 2013, 2:05:57 PM
to RubyCAS
Marlon, in the future you can just use rebase to squash multiple commits into one: http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html

Marlon Moyer

Apr 3, 2013, 3:51:27 PM
to rubycas...@googlegroups.com
Is there any way to log out remotely?  Right now, the filter will redirect you back to the CAS server, log you out, and then redirect back to the application.  It usually happens instantaneously, but in my scenario, the authentication server might not be available from the remote computer.

Robert Mitwicki

Apr 4, 2013, 3:56:25 AM
to rubycas...@googlegroups.com
What do you mean by remotely?
Do you just want to log out without redirecting the user to the CAS server?
If so, you can try my branch one more time, where there is an API which does that for you.

https://github.com/mitfik/rubycas-server/tree/my_master

There is also RubyCAS2.0 coming up, which will include that.
Best regards