CAS Logoff.
Phil Ames
modauthcas at gmail.com
Wed Feb 27 12:44:03 EST 2008
We are currently working on integrating support for Single Sign Out in
mod_auth_cas. It will not be ready for our next release (we are running
into some difficulties with Apache and processing the POST request
non-destructively), but perhaps in the release after this one.
-Phil
On Wed, Feb 27, 2008 at 12:19 PM, Srikar Kummamuri <skummamuri at agentrics.com>
wrote:
> I know it falls a bit outside of CAS, but I want to know if there is any
> solution here.
>
> In my architecture, I am using the MOD_AUTH_CAS and also casifying
> individual applications. I have around 5 different apps on different app
> servers that were casified.
>
> Now, when the user logs in, the CAS will authenticate user but each
> individual app will authorize individual user by creating a user session.
>
> Now, if the user logs off in one out of 5 applications, sure the CAS SSO
> session will get killed across the apps since it is Single Sign Out, but the
> individual user sessions in each app are still alive.
>
> Next time a different user logs in, the app shows the previous user's info
> since that session is not killed when the SSO logout happened.
>
> I can deal with this problem programmatically in the app, with the help of
> browser cookies, by adding them at first login, removing them at logout,
> and checking each incoming request to decide whether it is a new request.
>
> My question is, is there any method/way available which also kills the app
> sessions along with the SSO session?
>
> ..Srikar
>
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 6:10 PM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> Ok. Resolved. And again here is what I did.
>
> <Location / >
> CASAuthNHeader on
> AuthType CAS
> Require valid-user
> </Location>
>
> And from headers, you can get the user from the header name "on"
>
> request.getHeader("on") will give the user name.
>
> Thanks
>
> Srikar.
>
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 4:54 PM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> I am trying to get the user from the header by enabling CASAuthNHeader. But I
> am getting the error.
>
> "CASAuthNHeader not allowed here"
>
> My httpd.conf
>
> CASCookiePath cache/
> CASCertificatePath C:/ssl/cas_sslcrt/exported-pem.crt
> CASValidateServer on
> CASAuthNHeader on
> <Location /MGS-Reporting >
> AuthType CAS
> Require valid-user
> </Location>
>
> Any idea?
>
> Thanks
>
> Srikar.
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 1:32 PM
> *To:* Srikar Kummamuri; 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> Matt,
>
> I did not deviate from the instructions except in the Operating System. I
> am on XP Pro.
>
> Other than that:
>
> Visual C++ 2008 Express Edition
> Apache_2.0.61-win32-x86-openssl-0.9.7m.msi
> Win32OpenSSL-0_9_8g.exe
>
> ..Srikar
>
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 12:57 PM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> Here is a small tutorial-like post to resolve SSL issues on MOD_AUTH_CAS
>
> 1. Follow all the instructions given in the Mod_auth_Cas-1.0.6. In
> this, I followed the instructions in readme.win32 since I am working
> on Windows.
> 2. Go to the CAS Server machine and export the crt file from the
> keystore, with the command keytool -export -alias tomcarcert -keystore
> keystore -file exported-der.crt
> 3. Now copy this exported-der.crt to the client machine where the
> Apache mod_auth_cas is running.
> 4. Open OpenSSL: go to C:/openssl/bin and type openssl.
> 5. Issue the command x509 -out C:\ssl\cas_sslcrt\exported-pem.crt -outform pem -in C:\ssl\cas_sslcrt\server-export.crt -inform der
> 6. Change the httpd.conf file and add this crt there.
>
> I followed the steps to convert the crt file to PEM from here
> http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips
>
> My httpd.conf file
>
> CASCookiePath cache/
> CASCertificatePath C:/ssl/cas_sslcrt/exported-pem.crt
> CASValidateServer on
>
> <Location /secured >
> AuthType CAS
> Require valid-user
> </Location>
>
> So when I give the URL pattern /secured/.., you get redirected to CAS login
> and everything works fine.
>
> Thanks to Matt, Scott, Phillip and all for the help.
>
> Srikar
>
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 12:25 PM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> Got it.
>
> Changed the CASCookiePath.
>
> CASCookiePath cache/
>
> Thanks a lot to Matt and Scott and others for the help. I really
> appreciate the help.
>
> ..Srikar
>
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 12:15 PM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> Ok,
>
> Now, I used the export option to export the crt from the keystore on the
> server and followed the same steps as described below. Seems like one step
> forward.
>
> Now the log is,
>
> [error] [client 10.6.2.145] MOD_AUTH_CAS: Unable to clean cache entry
> 'C:/ssl/cas_sslcrt'
> [Thu Jan 10 12:11:15 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS:
> Unable to clean cache entry 'C:/ssl/certs'
> [Thu Jan 10 12:11:15 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS:
> Unable to clean cache entry 'C:/ssl/cookie'
>
> I believe this is not SSL now. Will post the progress again.
>
> We may turn all this into a nice document later.
>
> Thanks
>
> Srikar.
>
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 11:57 AM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> Here is what I did with no success.
>
> Went to the CAS Server machine, took (copied) the server.crt file that was
> generated for the CAS Server machine using keytool to the client machine.
>
> Came back to the client machine. Opened the OpenSSL prompt.
>
> OpenSSL> x509 -noout -text -in C:\ssl\cas_sslcrt\server.crt -inform der
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 1193950368 (0x472a3ca0)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=US, ST=VA, L=Alx, O=Agentrics, OU=Development, CN=alx-dev-wrk04.wwre.org
>         Validity
>             Not Before: Nov 1 20:52:48 2007 GMT
>             Not After : Jan 30 20:52:48 2008 GMT
>         Subject: C=US, ST=VA, L=Alx, O=Agentrics, OU=Development, CN=alx-dev-wrk04.wwre.org
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: md5WithRSAEncryption
> OpenSSL>
>
> The above shows the correct information of the CAS server
> "alx-dev-wrk04.wwre.org".
>
> Now I converted it to PEM format.
>
> OpenSSL> x509 -out exported-pem.crt -outform pem -in
> C:\ssl\cas_sslcrt\server.crt -inform der
>
> I changed the httpd.conf
>
> CASCertificatePath C:/ssl/cas_sslcrt/exported-pem.crt
>
> Now the error.log is not complaining that it cannot load the crt
> file, but the handshake is still failing.
>
> [Thu Jan 10 11:49:56 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could
> not perform SSL handshake with alx-dev-wrk04.wwre.org (check
> CASCertificatePath)
>
> …Srikar
>
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 10:41 AM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> Scott,
>
> I tried to place the exact file in the path of CASCertificatePath. Now I
> gave the crt file directly in the path.
>
> CASCookiePath C:/ssl/
> CASCertificatePath C:/ssl/cas_sslcrt/server.crt
> CASValidateServer on
>
> And the error is,
>
> [Thu Jan 10 10:37:05 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could
> not load CA certificate file: C:/ssl/cas_sslcrt/server.crt
> [Thu Jan 10 10:37:05 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could
> not create an SSL connection to alx-dev-wrk04.wwre.org
>
> ..Srikar
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Thursday, January 10, 2008 10:05 AM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> Matt,
>
> I changed the httpd.conf and the problem still continues. Let me tell you
> what I did exactly. On the Apache (Mod_auth_cas) machine, I generated a CRT
> file with the keytool (giving the CAS Server name in the first, last names
> argument of Keytool) the same way that I did on the CAS server. Now, as you
> noted, I modified the httpd.conf file in both ways, with relative path and
> absolute path.
>
> CASCertificatePath C:\ssl\cas_sslcrt (In this directory crt file and
> .keystore were there)
>
> But the problem continues. My doubt is: is this method (generating the crt
> file with Keytool) good for Apache (Mod_auth_Cas)? Or do I need to look
> into certificate generation methods of OpenSSL?
>
> Any documents/links/help?
>
> Thanks a lot.
>
> Srikar.
>
> ------------------------------
>
> *From:* Srikar Kummamuri
> *Sent:* Wednesday, January 09, 2008 5:32 PM
> *To:* 'cas at tp.its.yale.edu'
> *Subject:* RE: mod_auth_cas-1.0.6 released
>
> When the request comes back to Apache from the CAS server with the ticket
> (using mod_auth_cas), Apache is throwing an error.
>
> "Could not perform SSL handshake with alx-dev-wrk04.wwre.org (check
> CASCertificatePath)"
>
> In my config, httpd.conf calls the ssl.conf and the ssl.conf has the
> following line.
>
> SSLCertificateFile conf/sslcrt/server.crt
>
> Now the server.crt is the file generated for the CAS Server by keytool
> (with the CAS server machine name).
>
> What am I doing wrong here? Do I need to import this crt into something
> else? Or can somebody give me a clue to get this certificate into the JVM on
> the Apache server having mod_auth_cas? I resolved the same issue on a
> Tomcat server running the CAS client, but on this Apache (MOD_AUTH_CAS) I am
> not getting the idea of where to configure the self-signed certificate.
>
> Thanks a lot
>
> Srikar.
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
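Phil's note about Single Sign Out and Srikar's question about app sessions that outlive the SSO session, as an added Python example that is not from this thread or from mod_auth_cas: the app-side handler for the CAS single-logout callback, a POST whose logoutRequest field carries a SAML LogoutRequest naming the service ticket as SessionIndex, which the app maps back to the local session it created at login. SessionStore and constructed_logout_body are hypothetical stand-ins for the app's session registry and for the server's POST.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class SessionStore:
    """Hypothetical app registry: local sid -> user, and service ticket -> local sid."""
    def __init__(self):
        self.sessions = {}
        self.ticket_index = {}

    def login(self, local_sid, user, service_ticket):
        self.sessions[local_sid] = user
        self.ticket_index[service_ticket] = local_sid

    def is_active(self, local_sid):
        return local_sid in self.sessions

def session_index_from_logout_request(post_body):
    """Return the SessionIndex (the service ticket) carried in the
    logoutRequest form field of a CAS single-logout POST, or None."""
    xml_text = parse_qs(post_body).get("logoutRequest", [""])[0]
    try:
        root = ET.fromstring(xml_text) if xml_text else None
    except ET.ParseError:
        return None
    if root is None or root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    idx = root.find("{%s}SessionIndex" % SAMLP)
    return idx.text.strip() if idx is not None and idx.text else None

def handle_single_logout(store, post_body):
    """Kill only the local session created with the named ticket. The POST
    is unauthenticated, so nothing else in it is trusted: an unknown or
    already-consumed ticket is a no-op. Returns the killed local sid."""
    ticket = session_index_from_logout_request(post_body)
    local_sid = store.ticket_index.pop(ticket, None) if ticket else None
    if local_sid is not None:
        store.sessions.pop(local_sid, None)
    return local_sid

def constructed_logout_body(ticket):
    """Constructed sample of the form body the CAS server POSTs to a service."""
    xml_text = ('<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-constructed" '
                'Version="2.0" IssueInstant="2008-02-27T17:19:00Z"><saml:NameID '
                'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@'
                '</saml:NameID><samlp:SessionIndex>%s</samlp:SessionIndex>'
                '</samlp:LogoutRequest>') % (SAMLP, ticket)
    return "logoutRequest=" + quote(xml_text, safe="")
```

Each casified app keeps its own ticket index, so a logout in one app clears only that app's matching session and leaves other users' sessions untouched.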
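The DER-to-PEM step in Srikar's tutorial and the "Could not load CA certificate file" error that preceded it, as an added Python example that is not from this thread or from mod_auth_cas: it sniffs whether the bytes of a file given to CASCertificatePath are DER or PEM and converts DER to PEM with the standard library, the same job as the x509 -inform der -outform pem step. CONSTRUCTED_DER is a made-up, well-formed DER SEQUENCE, not a real certificate.

```python
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def sniff_cert_format(data: bytes) -> str:
    """Classify certificate file bytes as 'pem', 'der' or 'unknown'.
    DER X.509 is one ASN.1 SEQUENCE (tag 0x30) whose encoded length must
    cover the whole file; PEM is the base64 text form with a header."""
    if data.lstrip().startswith(PEM_HEADER.encode()):
        return "pem"
    if len(data) < 2 or data[0] != 0x30:
        return "unknown"
    first = data[1]
    if first < 0x80:               # short form: length fits in one byte
        body_len, hdr = first, 2
    else:                          # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return "unknown"
        body_len, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return "der" if hdr + body_len == len(data) else "unknown"

def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text, converting from DER when needed."""
    fmt = sniff_cert_format(data)
    if fmt == "pem":
        return data.decode()
    if fmt == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a DER or PEM certificate")

def pem_round_trips(pem: str, der: bytes) -> bool:
    """Check that the PEM text decodes back to exactly the original DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem) == der

# Constructed stand-in: SEQUENCE { INTEGER 5 }, enough to exercise the
# length check and the conversion; not a real certificate.
CONSTRUCTED_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
```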