I need to include the parameter renew=true to authentic against our CAS server. I've looked all over, but I don't see any way to do that. Does anyone know how to do set up that parameter in Drupal?

Thanks.

CommentFileSizeAuthor
#8 309352-by-ronpeterson-spenserj-Added-option-fo.patch3.36 KBbfroehle
#5 cas.309352.patch1.8 KBAnonymous (not verified)
#2 cas.module.patch26.81 KBronpeterson

Comments

metzlerd’s picture

It is not something that is supported in the current version of the cas module. Patches are welcome here.

Dave

ronpeterson’s picture

Status: Active » Needs review
StatusFileSize
new26.81 KB

To address the problem I added a new checkbox in the CAS settings:

$form['server']['cas_renew'] = array (
'#type' => 'checkbox',
'#title' => t('Force renew'),
'#default_value' => variable_get('cas_renew', 0),
'#description' => t('Check this box if you require users to renew their credentials when they login to Drupal using CAS. Or if your CAS server is configured to require the renew=true parameter.'),
);

And then if the checkbox is checked I add the renew parameter to the URL and use phpCAS::setServerLoginUrl() to update the URL used by phpCAS::forceAuthentication()

if (is_callable(array(phpCAS,'authenticateIfNeeded')))
{
phpCAS::authenticateIfNeeded();
}
else
{
// If Force Renew is checked, add renew parameter to Server Login URL
if ($cas_renew != 0) {
$ServerLoginUrl = phpCAS::getServerLoginUrl()."&renew=true";
phpCAS::setServerLoginUrl($ServerLoginUrl);
}

phpCAS::forceAuthentication();

}

I didn't use phpCAS::renewAuthentication() because it only includes the renew parameter if the user is already authenticated and the CAS server I am using for authentication requires the renew parameter for all requests.

See attached for updated file.

metzlerd’s picture

FYI: The reason that this hasn't gone anywhere is that this is not in patch format, but rather includes the whole module. I'll try and integrate this functionality if I have time, but it would be great if you created a regular patch from the HEAD CVS file. See the Handbooks for more information about how to do this.

metzlerd’s picture

Component: Documentation » Code
Category: task » feature
Status: Needs review » Needs work
Anonymous’s picture

Version: 6.x-1.0 » master
Status: Needs work » Needs review
StatusFileSize
new1.8 KB

Here is a proper patch against the HEAD

metzlerd’s picture

Status: Needs review » Needs work

Sorry it's been so long, but this patch doesn't look like it will work with newer cas clients. COuld you reroll a patch against 6.3.x-dev or 7.1.x-dev that handles newer clients? Otherwise, I'll look at this in a future release.

bfroehle’s picture

Title: CAS parameters » Allow option for CAS renew (i.e., force reauthentication)

Retitling and subscribing.

bfroehle’s picture

I went and implemented this in 7.x-1.x, however the code is INSECURE and needs work before it could be included.

The security issue is this:
- We are hacking the login URL to pass renew=true so that the CAS server forces reauthentication.
- A malicious user at the login page simply deletes the &renew=true from the end of the URL, the CAS server happily responds with a login ticket and phpCAS blindly accepts it since that code does not know about the renew feature.

Now the code could probably be fixed by adding &renew=true to the end of all URL's (i.e. phpCAS::setServiceValidateURL, etc), but this is getting pretty hacky and might open ourselves up to a later security vulnerability (say if there is some new setXYZValidateURL which we don't implement).

bkosborne’s picture

Component: Code » CAS
Issue summary: View changes
Status: Needs work » Closed (outdated)

This issue is no longer relevant. D6 isn't supported, and D7 has the gateway feature.