This allows CAS to work side by side with other Auth methods.

This is at least one issue with this to logout of CAS you need session information but the logout method blows this away so I do the cas log out before the session is killed so the session persistest in rails. Because I needed to move the CAS before filters into login_cas and out of the application to make it work side by side. The user will still be logined into tracks even though their CAS session is closed as the session will still be there. def logout @user.forget_me if logged_in? cookies.delete :auth_token session['user_id'] = nil if ( SITE_CONFIG['authentication_schemes'].include? 'cas') && session[:cas_user] CASClient::Frameworks::Rails::Filter.logout(self) else reset_session notify :notice, "You have been logged out of Tracks." redirect_to_login end end The other issue I have with this is that: I could not find a use case for having mixed auth when using CAS. The reason to move to CAS is that all your users use CAS all the time. Even for admin accounts. Moodle is a good example of this in that when you activate CAS the default is that you can now only access moodle via CAS. By allowing mixed auth and self signup you end up with a anyone (the public) being able to sign up for accounts.
2026-02-08 00:34:19 +01:00 · 2009-12-29 12:22:44 -08:00 · 2009-12-29 12:22:44 -08:00 · 5b431ef50a
commit 5b431ef50a
parent d5c16db975
10 changed files with 113 additions and 56 deletions
--- a/app/controllers/login_controller.rb
+++ b/app/controllers/login_controller.rb
@ -6,6 +6,19 @@ class LoginController < ApplicationController
  skip_before_filter :login_required
  before_filter :login_optional
  before_filter :get_current_user
+  if ( SITE_CONFIG['authentication_schemes'].include? 'cas')
+    # This will allow the user to view the index page without authentication
+    # but will process CAS authentication data if the user already
+    # has an SSO session open.
+    if (CASClient rescue nil)
+      # Only require sub-library if gem is installed and loaded
+      require 'casclient/frameworks/rails/filter'
+      before_filter CASClient::Frameworks::Rails::GatewayFilter, :only => :login_cas
+
+      # This requires the user to be authenticated for viewing all other pages.
+      before_filter CASClient::Frameworks::Rails::Filter, :only => [:login_cas ]
+    end
+  end

  def login
    if cas_enabled?
@ -18,6 +31,7 @@ class LoginController < ApplicationController
      login_cas
    else
      @page_title = "TRACKS::Login"
+      cookies[:preferred_auth] = prefered_auth? unless cookies[:preferred_auth]
      case request.method
        when :post
          if @user = User.authenticate(params['user_login'], params['user_password'])
@ -55,10 +69,10 @@ class LoginController < ApplicationController
    @user.forget_me if logged_in?
    cookies.delete :auth_token
    session['user_id'] = nil
-    reset_session
-    if ( SITE_CONFIG['authentication_schemes'].include? 'cas')
+    if ( SITE_CONFIG['authentication_schemes'].include? 'cas')  && session[:cas_user]
      CASClient::Frameworks::Rails::Filter.logout(self)
    else
+      reset_session
      notify :notice, "You have been logged out of Tracks."
      redirect_to_login
    end
@ -83,6 +97,33 @@ class LoginController < ApplicationController
    respond_to do |format|
      format.js
    end
+  end
+
+    def login_cas
+    # If checkbox on login page checked, we don't expire the session after 1 hour
+    # of inactivity and we remember this user for future browser sessions
+
+    session['noexpiry'] ||= params['user_noexpiry']
+    if session[:cas_user]
+      if @user = User.find_by_login(session[:cas_user])
+        session['user_id'] = @user.id
+        msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."
+        notify :notice, "Login successful: session #{msg}"
+        cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }
+        unless should_expire_sessions?
+          @user.remember_me
+          cookies[:auth_token] = { :value => @user.remember_token, :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }
+        end
+        #redirect_back_or_home
+      else
+        notify :warning, "Sorry, no user by that CAS username exists (#{session[:cas_user]})"
+        redirect_to signup_url ; return
+      end
+    else
+      notify :warning, result.message
+    end
+    redirect_back_or_home 
+
  end
  
  private
@ -125,26 +166,5 @@ class LoginController < ApplicationController
    end
  end

-  def login_cas
-    # If checkbox on login page checked, we don't expire the session after 1 hour
-    # of inactivity and we remember this user for future browser sessions
-    session['noexpiry'] ||= params['user_noexpiry']
-    if session[:cas_user]
-      if @user = User.find_by_login(session[:cas_user])
-        session['user_id'] = @user.id
-        msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."
-        notify :notice, "Login successful: session #{msg}"
-        cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }
-        unless should_expire_sessions?
-          @user.remember_me
-          cookies[:auth_token] = { :value => @user.remember_token, :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }
-        end
-        redirect_back_or_home
-      else
-        notify :warning, "Sorry, no user by that CAS username exists (#{session[:cas_user]})"
-      end
-    else
-      notify :warning, result.message
-    end
-  end
+
 end