CAS SSO authentication widget

Fred

Nov 18, 2012, 12:22:08 PM11/18/12
to webl...@googlegroups.com
According to this old post (2009),
http://www.digitalkingdom.org/rlp/tiki-index.php?page=Learning+About+Weblocks#What_About_with-flow_and_yield_

and after some reading of this forum, I wrote a CAS SSO login widget.

My widget acts as a really simple CAS client (it only supports the v1 protocol: http://www.jasig.org/cas/protocol).

The CAS widget stores the user uid received from the CAS server,
and the "protected" widgets tree.

The main point is the render-widget-body method:
if the user is authenticated then the private widgets tree is rendered.
If not, the login action is used.

Is this always the right way to protect private content?

The code :

(defparameter *cas-server* "localhost")
(defparameter *cas-server-port*  "9443")
(defparameter *cas-server-login-uri* "/cas/login?service=")
(defparameter *cas-server-validate-uri* "/cas/validate?service=")
(defparameter *cas-service* "http://localhost:8080")


(defwidget cas-client-widget ()
  ((user-uid :accessor cas-user-uid
             :initarg :user-uid
             :initform nil)
   (child-widget :accessor cas-child-widget
                 :initarg :child-widget )))

(defmethod render-widget-body ((obj cas-client-widget) &rest args)
  (declare (ignore args))
  ;; Use the uid cached in the widget (one widget instance per session),
  ;; otherwise try to validate a "ticket" parameter from the current request.
  (let ((uid (or (cas-user-uid obj)
                 (validate-cas-ticket-service (get-cas-ticket-service)))))
    (if uid
        (progn
          (setf (cas-user-uid obj) uid)
          (render-widget (cas-child-widget obj)))
        ;; Not authenticated: send the browser to the CAS login page.
        (do-cas-login))))

(defun do-cas-login ()
  ;; The service URL is a query parameter, so it must be URL-encoded.
  (redirect (concatenate 'string
                         "https://"
                         *cas-server*
                         ":"
                         *cas-server-port*
                         *cas-server-login-uri*
                         (drakma:url-encode *cas-service* :utf-8))))

(defun get-cas-ticket-service ()
  (request-parameter "ticket"))

(defun validate-cas-ticket-service (ticket-service)
  "Validate TICKET-SERVICE against the CAS server (v1 protocol).
Returns the user id on a \"yes\" answer, NIL otherwise."
  (when ticket-service
    (multiple-value-bind (body status)
        (drakma:http-request
         (concatenate 'string
                      "https://"
                      *cas-server*
                      ":"
                      *cas-server-port*
                      *cas-server-validate-uri*
                      (drakma:url-encode *cas-service* :utf-8)
                      "&ticket="
                      (drakma:url-encode ticket-service :utf-8)))
      ;; drakma returns a string for text/* content types and octets
      ;; otherwise, so only decode when we actually got octets.
      (when (= status 200)
        (with-input-from-string
            (str (if (stringp body) body (babel:octets-to-string body)))
          ;; A v1 answer is "yes\n<uid>\n" on success and "no\n\n" otherwise.
          (if (string= (read-line str nil "") "yes")
              (read-line str nil)
              nil))))))

Best regards.

Fred.
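The CAS v1 exchange the widget above performs, written out as an added Python example (not Fred's code and not part of Weblocks) so the client-side checks can be exercised offline: the service URL is URL-encoded in both the /login redirect and the /validate call, the "ticket" parameter is stripped from the request URL before it is reused as the service (CAS compares the service at validation with the one given at login), and the "yes\n<user>\n" / "no\n\n" answer is parsed strictly so a truncated or negative body never yields a user. The function names, the fake transport and the server responses are constructed for this illustration.

```python
# Added example of a minimal CAS v1 client; not code from the original post.
# Names, the fake transport and the responses below are assumptions.
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Mirrors the post's defparameters (constructed values).
CAS_BASE = "https://localhost:9443/cas"
SERVICE = "http://localhost:8080"


def login_url(service=SERVICE, cas_base=CAS_BASE):
    """Redirect target for an unauthenticated user; service is URL-encoded."""
    return f"{cas_base}/login?{urlencode({'service': service})}"


def validate_url(ticket, service=SERVICE, cas_base=CAS_BASE):
    """Back-channel validation URL for a service ticket."""
    return f"{cas_base}/validate?{urlencode({'service': service, 'ticket': ticket})}"


def service_url_from_request(request_url):
    """Drop the 'ticket' parameter so the service sent to /validate is the
    same one the ticket was issued for at /login."""
    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def parse_v1_validate(body):
    """CAS v1 /validate answers 'yes\\n<username>\\n' or 'no\\n\\n'.
    Return the username, or None for anything that is not a complete 'yes'."""
    if not isinstance(body, str):
        body = body.decode("utf-8")          # server may hand back raw octets
    lines = body.split("\n")
    if len(lines) < 2 or lines[0] != "yes":  # 'no', empty, or truncated body
        return None
    user = lines[1].strip()
    return user or None


def validate_ticket(ticket, fetch, service=SERVICE, cas_base=CAS_BASE):
    """fetch(url) -> (status, body). Only an HTTP 200 with a well-formed
    'yes' body authenticates; the spec requires service tickets to start 'ST-'."""
    if not ticket or not ticket.startswith("ST-"):
        return None
    status, body = fetch(validate_url(ticket, service, cas_base))
    if status != 200:
        return None
    return parse_v1_validate(body)


# Constructed fake CAS server: keyed by the exact validate URL, so a ticket
# presented with a different service (a mismatch) is simply not found.
FAKE_RESPONSES = {
    validate_url("ST-1-good", SERVICE): (200, "yes\nfred\n"),
    validate_url("ST-2-bad", SERVICE): (200, "no\n\n"),
    validate_url("ST-3-octets", SERVICE): (200, b"yes\nalice\n"),
    validate_url("ST-4-truncated", SERVICE): (200, "yes"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    print(login_url())
    print(validate_ticket("ST-1-good", fake_fetch))        # fred
    print(validate_ticket("ST-4-truncated", fake_fetch))   # None
```

The same structure maps onto the Lisp widget: `login_url` is `do-cas-login`, `validate_ticket` is `validate-cas-ticket-service`, and `service_url_from_request` is the piece the widget leaves implicit because its service is a fixed constant.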