[cas-dev] Decoupling CAS' AuthN and Ticketing (Was Re: SPNEGO)
Stephen A. Cochran
stephen.a.cochran at Dartmouth.EDU
Thu Jun 15 03:44:40 EDT 2006
On Jun 14, 2006, at 1:38 PM, Scott Battaglia wrote:
> Thanks for those detailed instructions! Just a note that as of CAS
> 3.0.5 RC1, the jar file for the adaptor-trusted should be included in
> the Maven repository.
>
> CAS 3.0.6 will also include SPNEGO support (it was contributed by
> someone who modified the code I had). As soon as 3.0.5 is out the
> door, I'll start working on supporting SPNEGO natively.
During some further testing, there is at least one major problem with
the setup I described. The mod_auth_kerb module won't allow a browser
without a kerberos ticket to proceed to CAS to use PKI or the web
form. Without going into all the details, the problem is that apache
(and browsers) don't support any kind of optional authentication
method. So when apache tells the browser it supports Negotiate, if
the browser doesn't have a kerberos ticket, it won't try and connect
again so the server can't do anything else.
Tomorrow I'm going to try and see if I can hack a separate URL
for kerberos auth and redirects, assuming the REMOTE_USER var will
move with the redirect. By using a special error page reference I can
also pass failed browsers to the direct cas/login page.
Looks like the spnego code inside CAS is going to be the only way
to go for right now.
Steve Cochran
Dartmouth College
PS. Thinking about it some more, we might run into the same problem
with using SPNEGO inside CAS. The only auth method that supports an
"optional" quality is certs using an SSL connection, but the optional
works only because there is a connection negotiation process where it
can figure that out. With the rejection/try again model of spnego,
how would CAS recognize a new browser from one that is attempting
again but doesn't support spnego? And for that matter, how would the
browser know to try again when the server asks for Negotiate and it
knows it can't provide a kerberos ticket?
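The challenge/fallback mechanics discussed in this message, as an added example (not code from the thread, from CAS or from mod_auth_kerb): the server answers an unauthenticated request with a 401 Negotiate challenge whose HTML body links to the form login, so a browser that cannot produce a Kerberos token renders the fallback instead of stalling. The `/cas/login` path is assumed from the message, and validation of an accepted token (gss_accept_sec_context) is deliberately left out.

```python
import base64
from typing import Dict, Tuple

# Constructed for this example; the real form-login path is deployment specific.
FORM_LOGIN_URL = "/cas/login"
NTLMSSP_B64_PREFIX = "TlRMTVNT"   # base64 of the ASCII signature "NTLMSSP\0"

Response = Tuple[int, Dict[str, str], str]


def fallback_page() -> str:
    """HTML a browser renders when it cannot (or will not) answer the challenge."""
    return ('<html><body>Kerberos sign-on unavailable. '
            f'<a href="{FORM_LOGIN_URL}">Continue to the login form</a></body></html>')


def challenge() -> Response:
    # Kerberos-capable browsers retry this request with an Authorization header;
    # all others display the body, which is the only place a fallback link can live.
    return 401, {"WWW-Authenticate": "Negotiate", "Content-Type": "text/html"}, fallback_page()


def negotiate_response(headers: Dict[str, str]) -> Response:
    """Decide how to answer one request; validating the token itself is out of scope."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return challenge()
    if token.startswith(NTLMSSP_B64_PREFIX):
        # The browser had no ticket and wrapped an NTLM type-1 message in Negotiate;
        # a Kerberos-only service should treat this exactly like "no ticket".
        return challenge()
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return 400, {}, "malformed Negotiate token"
    if not raw or raw[0] != 0x60:
        # A GSS-API InitialContextToken starts with the ASN.1 [APPLICATION 0] tag 0x60.
        return 400, {}, "not a GSS-API token"
    return 200, {}, "Kerberos token accepted for validation (not shown here)"
```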