CAS and Subversion (and other non-browser activities)

Smith, Matt matt.smith at uconn.edu
Mon Nov 13 20:37:52 EST 2006


  There have been a few messages lately about using CAS in non-browser interactions.  After fiddling with things just long enough to realize that extending CAS to the non-browser world is not easy (and, in most cases for us, simply not possible), we inverted our thinking.  Instead of trying to extend CAS outside of the browser environments, we decided to use a mechanism that works well in the non-browser environment, then use CAS to extend that mechanism into the browser environment.

  So, we are using Kerberos for the non-browser environments (including GSSAPI/SPNEGO for some HTTP transactions like SVN), then use CAS to extend our authentication to the browser environment (since SPNEGO is not widespread yet).  This works very well, giving us SSO (or more accurately, ISO) across the non-browser environment (via Kerberos) and also across the browser environment (via CAS).  Once I get around to configuring SPNEGO auth for our production CAS, we will have unified ISO across the non-browser & browser environments.

  Kerberos can also sit "behind" most common LDAP servers, providing credential verification for LDAP "simple binds".  While this is normally discouraged from a security perspective, it does allow for those apps that only auth via LDAP.

  Soooo, I'd recommend investigating this type of approach for those looking at SSO for browser and non-browser activities.  Given that CAS employs mechanisms that are tailored for browsers (such as the 302 redirect), and handles browser environments *extremely* well, and given that there are other technologies (like Kerberos) that handle non-browser environments *extremely* well, I'd recommend deploying both (best tool for the job), and bridging them by having CAS authenticate against Kerberos.

HTH,
-Matt

-----Original Message-----
From:	cas-bounces at tp.its.yale.edu on behalf of Scott Beardsley
Sent:	Mon 2006-11-13 19:36
To:	cas at tp.its.yale.edu
Cc:	
Subject:	CAS and Subversion

So I saw a message about CAS and Subversion (aka SVN) a few days ago...
I'd like to get things working without using LDAP.

I'm using a *slightly* modified mod_cas from CASE[1] with a standard SVN
install. The web server is acting as the SVN server also and the only
way users can access our repo is via HTTPS. Previously we were using
mod_auth_mysql to authenticate SVN users. I'd like to move away from
mysql and start using CAS instead.

I want users (with CAS accounts) to be able to run the following:

$ svn co https://subversion.example.com/repo/somecoolproject/trunk

I have the following config that works though the web browser but fails
with the above command. The svn command doesn't like 302 redirects:

$ svn co https://subversion.example.com/repo/somecoolproject/trunk
svn: PROPFIND request failed on '/repo/somecoolproject/trunk'
svn: PROPFIND of '/repo/somecoolproject/trunk': 302 Found
(https://subversion.example.com)

I realize I might need to talk to the SVN folks but I wanted to stop
here first.

Here's my Apache2 config (that works great with trac BTW):

# the mod_cas stuff:
LoadModule cas_module    /usr/lib/apache2/modules/mod_cas.so

<IfModule mod_cas.c>
  CASTrustedCerts /etc/ssl/certs/ca.crt
  CASLoginURL https://cas.example.com:8443/cas/login
  CASHost cas.example.com
  CASPort 8443
  CASMethod GET
  CASValidate /cas/validate
</IfModule>

# the SVN stuff:
<Location /repo/somecoolproject>
	AuthType CAS
	AuthName "Cool Project"
	require valid-user
</Location>

# the trac stuff:
Alias /trac/somecoolproject "/usr/share/trac/cgi-bin/trac.cgi"
<Location "/trac/somecoolproject">
	SetEnv TRAC_ENV "/trac/somecoolproject"
</Location>
<Location "/trac/somecoolproject/login">
	AuthType CAS
	AuthName "TRAC"
	require valid-user
</Location>


Any ideas or pointers?

Scott
-----
[1] http://wiki.case.edu/Central_Authentication_Service#Using_Apache
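Added example, not from either post and not the project's own configuration: what the split Matt recommends above (Kerberos/SPNEGO for the svn client, CAS for the browser-only trac login) could look like in Scott's Apache 2 setup. It assumes mod_auth_kerb is installed; the module path, the realm EXAMPLE.COM, the keytab path, and the SVNPath repository location are placeholders, and the mod_cas and trac sections are taken unchanged from Scott's post. Apache only accepts comments on their own lines, so the notes are written that way.

```apache
# Load both modules: mod_auth_kerb (assumed installed) for non-browser
# clients, mod_cas for browsers.
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
LoadModule cas_module       /usr/lib/apache2/modules/mod_cas.so

# mod_cas: unchanged from Scott's configuration.
<IfModule mod_cas.c>
  CASTrustedCerts /etc/ssl/certs/ca.crt
  CASLoginURL https://cas.example.com:8443/cas/login
  CASHost cas.example.com
  CASPort 8443
  CASMethod GET
  CASValidate /cas/validate
</IfModule>

# Subversion over HTTPS: authenticate with Kerberos instead of CAS so the
# svn client receives a 401 + WWW-Authenticate challenge it can answer,
# rather than the 302 redirect to the CAS login page that it cannot follow.
<Location /repo/somecoolproject>
  # Assumed: mod_dav_svn serves the repository; the path is a placeholder.
  DAV svn
  SVNPath /var/lib/svn/somecoolproject
  # The K5Passwd fallback below sends a password in Basic auth, so refuse
  # plain HTTP outright.
  SSLRequireSSL

  AuthType Kerberos
  AuthName "Cool Project"
  # Placeholder realm.
  KrbAuthRealms EXAMPLE.COM
  # Keytab holding HTTP/subversion.example.com@EXAMPLE.COM (placeholder path).
  Krb5Keytab /etc/apache2/http.keytab
  KrbServiceName HTTP
  # SPNEGO: a client that already holds a TGT (kinit) gets true SSO.
  KrbMethodNegotiate On
  # Fallback: Basic over TLS, the password is checked against the KDC.
  KrbMethodK5Passwd On
  # Use the keytab to confirm the KDC that answered is genuine; without this
  # the password fallback is open to KDC spoofing.
  KrbVerifyKDC On
  # Strip @EXAMPLE.COM so REMOTE_USER matches the bare usernames CAS gives
  # trac (directive available in mod_auth_kerb 5.4 and later).
  KrbLocalUserMapping On
  Require valid-user
</Location>

# trac: browsers only, so CAS stays (unchanged from Scott's post).
Alias /trac/somecoolproject "/usr/share/trac/cgi-bin/trac.cgi"
<Location "/trac/somecoolproject">
  SetEnv TRAC_ENV "/trac/somecoolproject"
</Location>
<Location "/trac/somecoolproject/login">
  AuthType CAS
  AuthName "TRAC"
  Require valid-user
</Location>
```

Two things to check after applying something like this: the svn client only negotiates SPNEGO if its HTTP library was built with GSSAPI support, otherwise it silently falls back to the Basic/K5Passwd path, which is why that path is restricted to TLS and KDC verification is on; and if you run svn authz files, the username they see is whatever REMOTE_USER becomes here, so keep the realm mapping consistent with the names CAS issues. The other half of Matt's bridge, CAS verifying passwords against the same Kerberos realm, lives in the CAS server's own configuration and is not part of this Apache fragment.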
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas