CASAuthNHeader bizzare behaviour

Trenton D. Adams trenta at athabascau.ca
Wed Feb 13 14:26:36 EST 2008


I added some extra debug information.  I'm printing out hostnames of the configs that are coming into mod_auth_cas and such, so that I can understand what is happening.  The config I'm getting is my virtual host configuration (as expected).  I hadn't realized that mod_auth_cas accepted different configurations per virtual host.  mod_cas used to work when I stuck a default config in modules.d/.  But apparently mod_auth_cas requires the default configuration items to be in each virtual host as well, and I didn't know that.

So, I would recommend adding something that checks to see if the login URL has been changed from login.example.com.  If it has not, then an error should be reported to the log, as well as an internal server error being reported to the user.  That will be a quick help to the user.  Especially those users coming from mod_cas, where this behaviour is not expected.

Anyhow, what is still bizarre to me is that this only happens when I add a CASAuthNHeader directive to my "Location" directive.  I just don't understand why that would change which virtual host configuration I'm loading.  Perhaps it takes the default, unless you specify CAS options, at which time it creates a new one with defaults?  If that is the case, that may be a good reason to combine the dir configs with the server configs, and merge them as appropriate.  I know mod_example shows it being done this way.  But, it would end up taking up a little more memory, because then the server configuration items would be recreated for each and every "Location|Directory" directive.  But, it'll probably only be a few bytes anyhow.

Anyhow, something *roughly* like this at the top of the cas_authenticate() function would be nice.

    if (strcmp(getCASLoginURL(r,c), CAS_DEFAULT_LOGIN_URL) == 0)
    {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "MOD_AUTH_CAS: loginURL: %s", getCASLoginURL(r,c));
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, "MOD_AUTH_CAS: The login URL is not configured correctly.  Please ensure that you have your virtual host configured correctly.");
        return HTTP_INTERNAL_SERVER_ERROR;
    }

Any thoughts?

----- "Trenton D. Adams" <trenta at athabascau.ca> wrote:
> I added the following debug code...
> 
>   ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
>     "MOD_AUTH_CAS: attempting to configure the header");
>   c->CASAuthNHeader = (add->CASAuthNHeader != CAS_DEFAULT_AUTHN_HEADER
> ? add->CASAuthNHeader : base->CASAuthNHeader);
>   ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
>     "MOD_AUTH_CAS: configuration complete: %s-%s-%s-%s",
>     c->CASAuthNHeader, add->CASAuthNHeader,
>     CAS_DEFAULT_AUTHN_HEADER,base->CASAuthNHeader);
> 
> And hardcoded the default value to "x_cas_user".  And got...
> 
> [Tue Feb 12 10:17:45 2008] [error] MOD_AUTH_CAS: attempting to configure the header
> [Tue Feb 12 10:17:45 2008] [error] MOD_AUTH_CAS: configuration complete: on-on-x_cas_user-x_cas_user
> [Tue Feb 12 10:17:45 2008] [error] MOD_AUTH_CAS: attempting to configure the header
> [Tue Feb 12 10:17:45 2008] [error] MOD_AUTH_CAS: configuration complete: on-on-x_cas_user-x_cas_user
> 
> In other words, the header configuration seems to be working just
> fine.  But, the question is why doesn't it work.
> 
> I noticed that setting any of the directives that are declared in
> cas_cmds as using "ap_set_string_slot" have the exact same behaviour. 
> i.e. they mess up the redirect, and send it to login.example.com.
> 
> ----- "Trenton D. Adams" <trenta at athabascau.ca> wrote:
> > Hi Matt,
> > 
> > Okay, where do I file bug reports?  It definitely happens with 1.0.6
> > as well.
> > 
> > ----- "Matt Smith" <matt.smith at uconn.edu> wrote:
> > > Trenton-
> > > 
> > >   For now, don't use the 1.0.7 series ... there is a content-eating
> > > bug introduced by trying to handle the SAML Logout POST.
> > >   If this happens with 1.0.6, please file a bug report.  This feature
> > > has not been thoroughly exercised, so there may still be some
> > > wrinkles.
> > > 
> > > Thanks,
> > > -Matt
> > > 
> > > -----Original Message-----
> > > From: cas-bounces at tp.its.yale.edu on behalf of Trenton D. Adams
> > > Sent: Mon 2008-02-11 17:40
> > > To: Yale CAS mailing list
> > > Subject: CASAuthNHeader bizzare behaviour
> > >  
> > > Hi Guys,
> > > 
> > > I'm trying to use the special user header feature of mod_auth_cas, and
> > > I'm getting extremely odd behaviour.  Whenever I try to set it, I get
> > > redirected to login.example.com....., which is the default login site
> > > if you haven't configured one.  When I comment out the CASAuthNHeader
> > > line, everything works just fine.
> > > 
> > > I took a quick look at the code, and I couldn't see anything obviously
> > > wrong.
> > > 
> > > I'm using RC2 of 1.0.7 
> > > 
> > > Any ideas?
> > > 
> > > _______________________________________________
> > > Yale CAS mailing list
> > > cas at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas

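A self-contained model of the behaviour discussed in this message, added here as an example; it is not mod_auth_cas code. All `model_*` names, the placeholder default URL and `cas.example.org` are assumptions: a virtual host that sets only the header keeps the default login URL unless scopes are merged, and the suggested guard turns that case into a 500.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder standing in for the module's compiled-in default. */
#define MODEL_DEFAULT_LOGIN_URL "https://login.example.com/placeholder"

typedef struct {
    const char *login_url;    /* where unauthenticated users are redirected */
    const char *authn_header; /* NULL means "not set in this scope" */
} model_cfg;

/* Every configuration scope starts out holding the compiled-in defaults. */
static model_cfg model_create(void)
{
    model_cfg c = { MODEL_DEFAULT_LOGIN_URL, NULL };
    return c;
}

/* Inheriting merge: a scope overrides its parent only where it set a value. */
static model_cfg model_merge(const model_cfg *base, const model_cfg *add)
{
    model_cfg c;
    c.login_url = strcmp(add->login_url, MODEL_DEFAULT_LOGIN_URL) != 0
                      ? add->login_url : base->login_url;
    c.authn_header = add->authn_header ? add->authn_header : base->authn_header;
    return c;
}

/* Fail-closed guard: 500 instead of a redirect to the placeholder host. */
static int model_guard(const model_cfg *c)
{
    return strcmp(c->login_url, MODEL_DEFAULT_LOGIN_URL) == 0 ? 500 : 0;
}

/* Global scope sets the login URL; the virtual host sets only the header. */
int model_status(int inherit_from_global)
{
    model_cfg global = model_create(), vhost = model_create(), eff;
    global.login_url = "https://cas.example.org/login"; /* constructed value */
    vhost.authn_header = "x_cas_user";
    eff = inherit_from_global ? model_merge(&global, &vhost) : vhost;
    return model_guard(&eff);
}

int main(void)
{
    printf("no inheritance: %d, inheritance: %d\n", model_status(0), model_status(1));
    return 0;
}
```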


