Closed (outdated)
Project:
CAS
Version:
master
Component:
CAS
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
16 Sep 2008 at 19:44 UTC
Updated:
23 Mar 2019 at 02:06 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
metzlerd commentedIt is not something that is supported in the current version of the cas module. Patches are welcome here.
Dave
Comment #2
ronpeterson commentedTo address the problem I added a new checkbox in the CAS settings:
$form['server']['cas_renew'] = array (
'#type' => 'checkbox',
'#title' => t('Force renew'),
'#default_value' => variable_get('cas_renew', 0),
'#description' => t('Check this box if you require users to renew their credentials when they login to Drupal using CAS. Or if your CAS server is configured to require the renew=true parameter.'),
);
And then if the checkbox is checked I add the renew parameter to the URL and use phpCAS::setServerLoginUrl() to update the URL used by phpCAS::forceAuthentication()
if (is_callable(array(phpCAS,'authenticateIfNeeded')))
{
phpCAS::authenticateIfNeeded();
}
else
{
// If Force Renew is checked, add renew parameter to Server Login URL
if ($cas_renew != 0) {
$ServerLoginUrl = phpCAS::getServerLoginUrl()."&renew=true";
phpCAS::setServerLoginUrl($ServerLoginUrl);
}
phpCAS::forceAuthentication();
}
I didn't use phpCAS::renewAuthentication() because it only includes the renew parameter if the user is already authenticated and the CAS server I am using for authentication requires the renew parameter for all requests.
See attached for updated file.
Comment #3
metzlerd commentedFYI: The reason that this hasn't gone anywhere is that this is not in patch format, but rather includes the whole module. I'll try and integrate this functionality if I have time, but it would be great if you created a regular patch from the HEAD CVS file. See the Handbooks for more information about how to do this.
Comment #4
metzlerd commentedComment #5
Anonymous (not verified) commentedHere is a proper patch against the HEAD
Comment #6
metzlerd commentedSorry it's been so long, but this patch doesn't look like it will work with newer cas clients. COuld you reroll a patch against 6.3.x-dev or 7.1.x-dev that handles newer clients? Otherwise, I'll look at this in a future release.
Comment #7
bfroehle commentedRetitling and subscribing.
Comment #8
bfroehle commentedI went and implemented this in 7.x-1.x, however the code is INSECURE and needs work before it could be included.
The security issue is this:
- We are hacking the login URL to pass
renew=trueso that the CAS server forces reauthentication.- A malicious user at the login page simply deletes the
&renew=truefrom the end of the URL, the CAS server happily responds with a login ticket and phpCAS blindly accepts it since that code does not know about the renew feature.Now the code could probably be fixed by adding &renew=true to the end of all URL's (i.e. phpCAS::setServiceValidateURL, etc), but this is getting pretty hacky and might open ourselves up to a later security vulnerability (say if there is some new setXYZValidateURL which we don't implement).
Comment #9
bkosborneThis issue is no longer relevant. D6 isn't supported, and D7 has the gateway feature.