Posted by: Wildan Maulana | September 8, 2009

symfony 1.2 and CAS Integration

Download phpCAS at [1]

Uncompress the package and put the folder in the project lib directory, as shown in Fig 1:

[Fig 1: Symfony CAS Integration]

Create the sfCASRequiredFilter class in the application lib directory with the following content:

class sfCASRequiredFilter extends sfBasicSecurityFilter
{
  public function execute ($filterChain)
  {
    if ($this->isFirstCall()) {

        phpCAS::client(CAS_VERSION_2_0, $this->getParameter('server_domain'), $this->getParameter('server_port'), $this->getParameter('server_path'));

        // no SSL validation for the CAS server
        // (the ticket validation response is then accepted from any certificate;
        // outside a test setup use phpCAS::setCasServerCACert() instead)
        phpCAS::setNoCasServerValidation();

        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} about to force auth');
        phpCAS::forceAuthentication();
        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} auth is good');

        // needed for is_secure and the username_* credentials in security.yml
        $this->getContext()->getUser()->setAuthenticated(true);
        $this->getContext()->getUser()->setAttribute('username', phpCAS::getUser(), 'cas');
        $this->getContext()->getUser()->addCredential('username_' . phpCAS::getUser());
    }

    # if not initially authorized, sfBasicSecurityFilter sets $controller->forward(sfConfig::get('sf_login_module'), sfConfig::get('sf_login_action'));
    # so we re-dispatch since we are already authorized
    # copied from sfFrontWebController's dispatch()
    $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} configs are ' . sfConfig::get('sf_login_module') . '/' . sfConfig::get('sf_login_action'));
    if ($this->getContext()->getModuleName() == sfConfig::get('sf_login_module')
            && $this->getContext()->getActionName() == sfConfig::get('sf_login_action')) {

        $request    = $this->getContext()->getRequest();
        $moduleName = $request->getParameter('module');
        $actionName = $request->getParameter('action');
        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} forwarding to ' . $moduleName . '/' . $actionName);
        $this->getContext()->getController()->forward($moduleName, $actionName);
    }

    // Execute next filter in the chain
    $filterChain->execute();
  }
}

Change security.yml of that application to this:

# for all modules
default:
  # require authentication, which our CAS filter will provide
  is_secure: on
  # allow only 3 specific users
  # double brackets means "or", single brackets means "and"
  #credentials: [[username_d0501175, username_j0121968, username_l0004709]]
  credentials: [[username_wildan.maulana, username_burhan]]

# need this to prevent infinite internal forwarding (don't have to be secured to see the "you need to be secured" page)
# (keys are action names; login and secure are symfony's default sf_login_action and sf_secure_action)
login:
  is_secure: off
secure:
  is_secure: off

And add sfCASRequiredFilter to filters.yml, before the security filter:

rendering: ~

# the key name "cas" is arbitrary
cas:
  class: sfCASRequiredFilter
  param:
    server_domain: openthink-labs.wm
    server_port: 8444
    server_path: cas-server-webapp-3.3.3

security:  ~

# insert your own filters here

cache:     ~
common:    ~
execution: ~

You are done!
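The filter above turns off certificate validation for the CAS server. The variant below is an added example, not code from the original post or from phpCAS: it validates the CAS server against a CA certificate and refuses to start without one. The class name sfCASVerifiedFilter, the extra filters.yml param server_ca_cert and the login pattern are assumptions; the phpCAS::client() call uses the same four-argument form as above.

```php
<?php
// Added example. Assumptions: class name, the 'server_ca_cert' param
// (path to the CA certificate of the CAS server) and the login pattern.
class sfCASVerifiedFilter extends sfBasicSecurityFilter
{
  public function execute($filterChain)
  {
    $context = $this->getContext();
    if ($this->isFirstCall()) {
      $this->authenticate($context->getUser());
    }
    // Same re-dispatch as in sfCASRequiredFilter: leave the login action once authenticated
    if ($context->getModuleName() == sfConfig::get('sf_login_module')
        && $context->getActionName() == sfConfig::get('sf_login_action')) {
      $request = $context->getRequest();
      $context->getController()->forward($request->getParameter('module'), $request->getParameter('action'));
    }
    $filterChain->execute();
  }

  protected function authenticate($user)
  {
    // Fail closed: never fall back to an unvalidated connection
    $caCert = $this->getParameter('server_ca_cert');
    if (!$caCert || !is_readable($caCert)) {
      throw new sfConfigurationException('server_ca_cert is missing or not readable');
    }
    phpCAS::client(CAS_VERSION_2_0, $this->getParameter('server_domain'),
      (int) $this->getParameter('server_port'), $this->getParameter('server_path'));
    // Replaces setNoCasServerValidation(): the ticket validation request is
    // only trusted if the server certificate chains to this CA
    phpCAS::setCasServerCACert($caCert);
    phpCAS::forceAuthentication();

    // The login ends up inside a credential name that security.yml matches on,
    // so reject anything outside the expected character set
    $login = phpCAS::getUser();
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $login)) {
      throw new sfException('unexpected CAS login format');
    }
    $user->setAuthenticated(true);
    $user->setAttribute('username', $login, 'cas');
    $user->addCredential('username_' . $login);
  }
}
```

To use it, set class: sfCASVerifiedFilter in the filters.yml entry and add server_ca_cert next to server_domain, server_port and server_path.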

Now I have to investigate how I can pull group/permission information from LDAP.

Update:

On the CAS mailing list I found a link to this Spring JIRA ticket [2]; I think it's trivial to add something like this to symfony.

[Figure: Jasig CAS Login Page]


Any comments would be appreciated.

Reference:
[1] phpCAS
[2] Create UserDetailsService for CAS That Leverages SAML-based Attribute Release

