Posted by rwohleb on August 26, 2011 at 8:57am
| Project: | CAS |
| Version: | 7.x-1.x-dev |
| Component: | CAS Server |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
Issue Summary
I'm opening this ticket to track service whitelisting as discussed in #1181310: Let cas_server module send attributes:
Another approach would be to implement the functionality that limits ticket validation requests to a list of URLs. This is the way that the CAS server typically handles it. The username itself is considered an attribute. So if you allowed the user to whitelist the URLS that it can accept service requests to, you could control whether the attributes got sent outside that way.
Comments
#1
Here is an initial patch along these lines.
#2
For clarity, I'd suggest to make the following changes:
(1): No radio button, but instead just check the value of the textfield to see if it is enabled.
(2): Use asterisks to indicate wildcards, i.e.
- https://*
- http://example.com/*
- http://example.com/cas
.. etc.
The actual matching could be done with a function similar to drupal_match_path().
How do other popular CAS servers store this whitelist information?
Also, let's use drupal_parse_url (instead of parse_url). This will save us some difficulty of working with the scheme, etc, and instead we can just check the 'path' attribute.
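The matching approach sketched in this comment (a newline-separated list of patterns, `*` as the wildcard, a matcher modelled on `drupal_match_path()`), written out as an added example that is not code from the cas_server module or from this patch. The function names, the behaviour that an empty whitelist disables the check, and the sample URLs are assumptions made here for illustration. Unlike the suggestion to compare only the `path` component, this example compares the whole normalized service URL (scheme, host, port and path), because a path-only match would accept `http://attacker.example.net/cas` against the pattern `http://example.com/cas`.

```php
<?php
// Added example (not part of the CAS module): service whitelist matching in
// the style of drupal_match_path(). Names prefixed "example_" are assumptions.

/**
 * Build one anchored, case-insensitive regex from a newline-separated list
 * of patterns. '*' matches any run of characters, including '/', exactly as
 * drupal_match_path() treats it; every other character is literal.
 * Returns FALSE when the list is empty.
 */
function example_cas_service_whitelist_regex($patterns) {
  $parts = array();
  foreach (preg_split('/\r?\n/', trim($patterns), -1, PREG_SPLIT_NO_EMPTY) as $line) {
    $line = trim($line);
    if ($line === '') {
      continue;
    }
    // preg_quote() also escapes '*', so restore the wildcard afterwards.
    $parts[] = str_replace('\*', '.*', preg_quote($line, '/'));
  }
  if (empty($parts)) {
    return FALSE;
  }
  // Anchor both ends so a pattern must cover the whole URL, not a prefix.
  return '/^(' . implode('|', $parts) . ')$/i';
}

/**
 * Normalize a service URL to scheme://host[:port]/path. Query string and
 * fragment are dropped (the CAS client adds ticket= to the query), default
 * ports are removed, scheme and host are lower-cased.
 * Returns FALSE when scheme or host is missing.
 */
function example_cas_normalize_service($service) {
  $p = parse_url($service);
  if ($p === FALSE || empty($p['scheme']) || empty($p['host'])) {
    return FALSE;
  }
  $scheme = strtolower($p['scheme']);
  $host = strtolower($p['host']);
  $port = isset($p['port']) ? (int) $p['port'] : NULL;
  if (($scheme === 'http' && $port === 80) || ($scheme === 'https' && $port === 443)) {
    $port = NULL;
  }
  $path = (isset($p['path']) && $p['path'] !== '') ? $p['path'] : '/';
  return $scheme . '://' . $host . ($port ? ':' . $port : '') . $path;
}

/**
 * TRUE when $service may receive tickets. An empty whitelist disables the
 * feature (comment #2: no radio button, just check the textfield).
 */
function example_cas_service_whitelisted($service, $patterns) {
  $regex = example_cas_service_whitelist_regex($patterns);
  if ($regex === FALSE) {
    return TRUE;
  }
  $normalized = example_cas_normalize_service($service);
  if ($normalized === FALSE) {
    return FALSE;
  }
  return (bool) preg_match($regex, $normalized);
}

// Constructed sample whitelist (the three patterns from comment #2) and URLs.
$whitelist = "https://*\nhttp://example.com/*\nhttp://example.com/cas";
$cases = array(
  'https://app.example.org/login?ticket=ST-1' => TRUE,
  'http://example.com/cas'                    => TRUE,
  'http://example.com/cas/validate'           => TRUE,
  'http://attacker.example.net/cas'           => FALSE, // path alone would match
  'http://example.com.attacker.net/cas'       => FALSE,
  'ftp://example.com/cas'                     => FALSE,
  'not a url'                                 => FALSE,
);
foreach ($cases as $url => $expected) {
  $got = example_cas_service_whitelisted($url, $whitelist);
  printf("%-45s %s\n", $url, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Two things worth keeping in mind with this syntax: because `*` also matches `/`, a pattern such as `https://*` trusts every HTTPS host on the internet, which is usually not what an administrator means; and the same check has to run on the ticket validation endpoints (`/validate`, `/serviceValidate`) as well as on login, since that is where the attributes discussed in #1181310 are actually released.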
#3
+ if (!_cas_server_check_service_whitelist($_GET['service'])) {+ $output=t('You do not have permission to log into CAS from this service.');
+ }
+ else {
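Review bot: `$_GET['service']` is read unguarded in the `if` condition, so a request without a `service` parameter raises a PHP undefined-index notice before `_cas_server_check_service_whitelist()` ever sees the value; read it once into a local (`$service = isset($_GET['service']) ? $_GET['service'] : '';`) and have the whitelist function treat an empty value as not whitelisted. The denial branch only sets `$output`; consider also recording the rejected service with `watchdog()` so that login attempts from non-whitelisted services are visible in the logs.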
This code block appears twice (once if the user is logged in, once if not). Let's move this up in the function so we only have to include it once.
#4
I concur.... In the cas.module we already have a wildcard syntax that was adopted from what's in drupal_match_path several drupal versions ago. This is also consistent with how the JASig cas server behaves. It supports a different wildcard syntax, but I'd rather use the syntax that people are used to in drupal for consistency's sake.
#5
Agreed with all of the above. I blame a lack of sleep on my part ;)
I'll try and get a new patch rolled soon.