Posted by: Wildan Maulana | September 8, 2009

symfony 1.2 and CAS Integration

Download phpCAS from [1].

Uncompress the package and put the folder in the project lib directory, as shown in Fig 1:

[Fig 1: Symfony CAS Integration]

Create the sfCASRequiredFilter class in the application lib directory with the following content:

<?php
class sfCASRequiredFilter extends sfBasicSecurityFilter
{
  public function execute ($filterChain)
  {
    if ($this->isFirstCall()) {
        //require_once('phpCAS/CAS.php');
        phpCAS::setDebug();

        phpCAS::client(CAS_VERSION_2_0,$this->getParameter('server_domain'), $this->getParameter('server_port'), $this->getParameter('server_path'));

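        // no SSL validation for the CAS server: its certificate is not checked when
        // tickets are validated, so this setting is only suitable for a test setup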
        phpCAS::setNoCasServerValidation();

        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} about to force auth');
        phpCAS::forceAuthentication();
        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} auth is good');

        $this->getContext()->getUser()->setAuthenticated(true);
        $this->getContext()->getUser()->setAttribute('username', phpCAS::getUser(), 'cas');
        $this->getContext()->getUser()->addCredential('username_'.phpCAS::getUser());
    }

    # if not initially authorized, sfBasicSecurityFilter sets $controller->forward(sfConfig::get('sf_login_module'), sfConfig::get('sf_login_action'));
    # so we re-dispatch since we are already authorized
    # copied from sfFrontWebController's dispatch()
    $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} configs are ' . sfConfig::get('sf_login_module') . '/' . sfConfig::get('sf_login_action'));
    if ($this->getContext()->getModuleName() == sfConfig::get('sf_login_module')
            && $this->getContext()->getActionName() == sfConfig::get('sf_login_action')) {

        $request    = $this->getContext()->getRequest();
        $moduleName = $request->getParameter('module');
        $actionName = $request->getParameter('action');
        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} forwarding to ' . $moduleName . '/' . $actionName);
        $this->getContext()->getController()->forward($moduleName, $actionName);
    }

    // Execute next filter in the chain
    $filterChain->execute();
  }
}
?>

Change that application's security.yml to the following:

# for all modules
default:
  # require authentication, which our CAS filter will provide
  is_secure: on
  # allow only 3 specific users
  # double brackets means "or", single brackets means "and"
  #credentials: [[username_d0501175, username_j0121968, username_l0004709]]
  credentials: [[username_wildan.maulana, username_burhan]]

# need this to prevent infinite internal forwarding (don't have to be secured to see the "you need to be secured" page)
login:
  is_secure: off
secure:
  is_secure: off

Then add sfCASRequiredFilter to filters.yml, before the security filter:

rendering: ~
cas_required:
  class: sfCASRequiredFilter
  param:
    # https://auth.mydomain.edu/cas/
    server_domain: openthink-labs.wm
    server_port: 8444
    server_path: cas-server-webapp-3.3.3
security:  ~

# insert your own filters here

cache:     ~
common:    ~
execution: ~

You are done!
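The filter above calls phpCAS::setNoCasServerValidation(), so the CAS server's certificate is not checked when the service ticket is validated. A variant that verifies it, as an added example that is not the post's own code: the class name and the ca_cert and debug filter parameters are assumptions, to be set under param: in filters.yml.

```php
<?php
// Added example, not the original post's code. Assumes the same phpCAS
// release as the post and two extra filters.yml params (hypothetical
// names): ca_cert (path to a PEM CA bundle) and debug (on/off).
class sfCASVerifiedFilter extends sfBasicSecurityFilter
{
  public function execute($filterChain)
  {
    if ($this->isFirstCall()) {
      // The phpCAS debug log records the CAS exchange; enable it only on request.
      if ($this->getParameter('debug', false)) {
        phpCAS::setDebug();
      }
      phpCAS::client(
        CAS_VERSION_2_0,
        $this->getParameter('server_domain'),
        (int) $this->getParameter('server_port'),
        $this->getParameter('server_path')
      );

      // Fail closed: refuse to authenticate without a readable CA bundle.
      $caCert = $this->getParameter('ca_cert');
      if (!$caCert || !is_readable($caCert)) {
        throw new sfConfigurationException('{sfCASVerifiedFilter} ca_cert is missing or unreadable');
      }
      // Verify the CAS server certificate against this CA during ticket validation.
      phpCAS::setCasServerCACert($caCert);
      phpCAS::forceAuthentication();

      $user     = $this->getContext()->getUser();
      $username = phpCAS::getUser();
      $user->setAuthenticated(true);
      $user->setAttribute('username', $username, 'cas');
      $user->addCredential('username_' . $username);
    }

    // Same re-dispatch as the original filter when we land on the login action.
    $context = $this->getContext();
    if ($context->getModuleName() == sfConfig::get('sf_login_module')
        && $context->getActionName() == sfConfig::get('sf_login_action')) {
      $request = $context->getRequest();
      $context->getController()->forward($request->getParameter('module'), $request->getParameter('action'));
    }

    $filterChain->execute();
  }
}
```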

Now I have to investigate how I can pull group/permission information from LDAP.

Update:

On the CAS mailing list I found a link to this Spring JIRA ticket [2]; I think it’s trivial to add something like this to symfony.

[Figure: Jasig CAS Login Page]

[Figure: cas-symfony-success-login]

Any comments would be appreciated.

References:
[1] phpCAS, http://www.ja-sig.org/wiki/display/CASC/phpCAS
[2] Create UserDetailsService for CAS That Leverages SAML-based Attribute Release, http://jira.springsource.org/browse/SEC-1228
[3] http://refineweb.co.uk/2009/08/11/central-authentication-system-cas-integration-into-symfony/

