-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add CASRedirectAfterValidation parameter to mimic java-cas-client's parameter #136
base: master
Are you sure you want to change the base?
Changes from 5 commits
eba7841
512f34e
2fda608
70b6112
9675e4f
c2e865e
71905b4
01c2221
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -194,6 +194,7 @@ void *cas_create_dir_config(apr_pool_t *pool, char *path) | |
c->CASGatewayCookie = CAS_DEFAULT_GATEWAY_COOKIE; | ||
c->CASAuthNHeader = CAS_DEFAULT_AUTHN_HEADER; | ||
c->CASScrubRequestHeaders = CAS_DEFAULT_SCRUB_REQUEST_HEADERS; | ||
c->CASDisableRedirectAfterValidation = CAS_DEFAULT_DISABLE_REDIRECT_AFTER_VALIDATION; | ||
return(c); | ||
} | ||
|
||
|
@@ -237,6 +238,12 @@ void *cas_merge_dir_config(apr_pool_t *pool, void *BASE, void *ADD) | |
if(add->CASScrubRequestHeaders != NULL && apr_strnatcasecmp(add->CASScrubRequestHeaders, "Off") == 0) | ||
c->CASScrubRequestHeaders = NULL; | ||
|
||
c->CASDisableRedirectAfterValidation = (add->CASDisableRedirectAfterValidation != CAS_DEFAULT_DISABLE_REDIRECT_AFTER_VALIDATION ? | ||
add->CASDisableRedirectAfterValidation : | ||
base->CASDisableRedirectAfterValidation); | ||
if(add->CASDisableRedirectAfterValidation != NULL && apr_strnatcasecmp(add->CASDisableRedirectAfterValidation, "Off") == 0) | ||
c->CASDisableRedirectAfterValidation = NULL; | ||
|
||
return(c); | ||
} | ||
|
||
|
@@ -1841,11 +1848,16 @@ char *getResponseFromServer (request_rec *r, cas_cfg *c, char *ticket) | |
else | ||
validateURL.query = apr_psprintf(r->pool, "TARGET=%s%s", getCASService(r, c), getCASRenew(r)); | ||
|
||
if(c->CASDebug) | ||
ap_log_rerror(APLOG_MARK,APLOG_DEBUG,0,r,"MOD_AUTH_CAS: validateUrl: %s", apr_uri_unparse(r->pool, &validateURL, 0)); | ||
|
||
curl_easy_setopt(curl, CURLOPT_URL, apr_uri_unparse(r->pool, &validateURL, 0)); | ||
|
||
if(curl_easy_perform(curl) != CURLE_OK) { | ||
if(c->CASDebug) | ||
if(c->CASDebug) { | ||
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "MOD_AUTH_CAS: query: %s", validateURL.query); | ||
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "MOD_AUTH_CAS: curl_easy_perform() failed (%s)", curlError); | ||
} | ||
goto out; | ||
} | ||
|
||
|
@@ -2124,29 +2136,35 @@ int cas_authenticate(request_rec *r) | |
if(d->CASAuthNHeader != NULL) | ||
apr_table_set(r->headers_in, d->CASAuthNHeader, remoteUser); | ||
|
||
if(parametersRemoved == TRUE) { | ||
if(ssl == TRUE && port != 443) | ||
printPort = TRUE; | ||
else if(port != 80) | ||
printPort = TRUE; | ||
|
||
if(c->CASRootProxiedAs.is_initialized) { | ||
if(d->CASDisableRedirectAfterValidation == NULL) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why not:
and keep everything in the "if(parametersRemoved == TRUE)" unchanged? The patch and code are much more readable like that. |
||
if(parametersRemoved == TRUE) { | ||
if(ssl == TRUE && port != 443) | ||
printPort = TRUE; | ||
else if(port != 80) | ||
printPort = TRUE; | ||
|
||
if(c->CASRootProxiedAs.is_initialized) { | ||
newLocation = apr_psprintf(r->pool, "%s%s%s%s", apr_uri_unparse(r->pool, &c->CASRootProxiedAs, 0), r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
} else { | ||
} else { | ||
#ifdef APACHE2_0 | ||
if(printPort == TRUE) | ||
newLocation = apr_psprintf(r->pool, "%s://%s:%u%s%s%s", ap_http_method(r), r->server->server_hostname, r->connection->local_addr->port, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
else | ||
newLocation = apr_psprintf(r->pool, "%s://%s%s%s%s", ap_http_method(r), r->server->server_hostname, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
if(printPort == TRUE) | ||
newLocation = apr_psprintf(r->pool, "%s://%s:%u%s%s%s", ap_http_method(r), r->server->server_hostname, r->connection->local_addr->port, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
else | ||
newLocation = apr_psprintf(r->pool, "%s://%s%s%s%s", ap_http_method(r), r->server->server_hostname, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
#else | ||
if(printPort == TRUE) | ||
newLocation = apr_psprintf(r->pool, "%s://%s:%u%s%s%s", ap_http_scheme(r), r->server->server_hostname, r->connection->local_addr->port, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
else | ||
newLocation = apr_psprintf(r->pool, "%s://%s%s%s%s", ap_http_scheme(r), r->server->server_hostname, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
if(printPort == TRUE) | ||
newLocation = apr_psprintf(r->pool, "%s://%s:%u%s%s%s", ap_http_scheme(r), r->server->server_hostname, r->connection->local_addr->port, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
else | ||
newLocation = apr_psprintf(r->pool, "%s://%s%s%s%s", ap_http_scheme(r), r->server->server_hostname, r->uri, ((r->args != NULL) ? "?" : ""), ((r->args != NULL) ? r->args : "")); | ||
#endif | ||
} | ||
if(c->CASDebug) | ||
ap_log_rerror(APLOG_MARK,APLOG_DEBUG,0,r,"Sending 302 redirect (%s)", newLocation); | ||
apr_table_add(r->headers_out, "Location", newLocation); | ||
return HTTP_MOVED_TEMPORARILY; | ||
} else { | ||
return OK; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is it intended that we go all the way to https://github.com/ruckc/mod_auth_cas/blob/eba78415e60b2d597c5ee03afd5245f53129a15a/src/mod_auth_cas.c#L2231 to return OK? Should it return before that? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The return OK; was unmodified (except additional indention). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's now inside the if block that checks CASDisableRedirectAfterValidation ( eba7841#diff-b823cf0e10152100b941acd0fb5838a8R2141 ), so it never returns if CASDisableRedirectAfterValidation is On. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I added an additional } else { return OK; }. In my office environment I had caught this but forgot to commit it back. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If that's the intention, this can be simplified by changing the check to:
I mostly ask because the original merge request would fall through to a later return where cas attributes were populated and headers were set. The side effect of this is that |
||
} | ||
apr_table_add(r->headers_out, "Location", newLocation); | ||
return HTTP_MOVED_TEMPORARILY; | ||
} else { | ||
return OK; | ||
} | ||
|
@@ -2827,6 +2845,7 @@ const command_rec cas_cmds [] = { | |
AP_INIT_TAKE1("CASTimeout", cfg_readCASParameter, (void *) cmd_session_timeout, RSRC_CONF, "Maximum time (in seconds) a session cookie is valid for, regardless of idle time. Set to 0 to allow non-idle sessions to never expire"), | ||
AP_INIT_TAKE1("CASIdleTimeout", cfg_readCASParameter, (void *) cmd_idle_timeout, RSRC_CONF, "Maximum time (in seconds) a session can be idle for"), | ||
AP_INIT_TAKE1("CASCacheCleanInterval", cfg_readCASParameter, (void *) cmd_cache_interval, RSRC_CONF, "Amount of time (in seconds) between cache cleanups. This value is checked when a new local ticket is issued or when a ticket expires."), | ||
AP_INIT_TAKE1("CASDisableRedirectAfterValidation", ap_set_string_slot, (void *) APR_OFFSETOF(cas_dir_cfg, CASDisableRedirectAfterValidation), ACCESS_CONF, "Set 'On' to not send a 302 redirect to remove the ticket parameter after ticket validation"), | ||
AP_INIT_TAKE1("CASRootProxiedAs", cfg_readCASParameter, (void *) cmd_root_proxied_as, RSRC_CONF, "URL used to access the root of the virtual server (only needed when the server is proxied)"), | ||
AP_INIT_TAKE1("CASScrubRequestHeaders", ap_set_string_slot, (void *) APR_OFFSETOF(cas_dir_cfg, CASScrubRequestHeaders), ACCESS_CONF, "Scrub CAS user name and SAML attribute headers from the user's request."), | ||
/* authorization options */ | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd probably move the previous log addition to line 1855 after validateURL.query is set so we get the whole validateURL printed out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was moved. Good catch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The log at line 1858 is redundant since it's logged at 1852 now.