Andreas/tracks
1
0
Fork 0
mirror of https://github.com/TracksApp/tracks.git synced 2025-12-16 23:30:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

This allows CAS to work side by side with other Auth methods.

Browse source 
This is at least one issue with this

to logout of CAS you need session information but the logout method blows this away so I do the cas log out before the session is killed so the session persistest in rails.  Because I needed to move the CAS before filters into login_cas and out of the application to make it work side by side.   The user will still be logined into tracks even though their CAS session is closed as the session will still be there.

 def logout
    @user.forget_me if logged_in?
    cookies.delete :auth_token
    session['user_id'] = nil
    if ( SITE_CONFIG['authentication_schemes'].include? 'cas')  && session[:cas_user]
      CASClient::Frameworks::Rails::Filter.logout(self)
    else
      reset_session
      notify :notice, "You have been logged out of Tracks."
      redirect_to_login
    end
  end

The other issue I have with this is that:
I could not find a use case for having mixed auth when using CAS. The reason to move to CAS is that all your users use CAS all the time. Even for admin accounts. Moodle is a good example of this in that when you activate CAS the default is that you can now only access moodle via CAS. By allowing mixed auth and self signup you end up with a anyone (the public) being able to sign up for accounts.
This commit is contained in:
Erik Ordway 2009-12-29 12:22:44 -08:00 committed by Eric Allen
parent d5c16db975
commit 5b431ef50a
10 changed files with 113 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

22
app/controllers/application_controller.rb
View file

@ -29,19 +29,7 @@ class ApplicationController < ActionController::Base
layout proc{ |controller| controller.mobile? ? "mobile" : "standard" }
exempt_from_layout /\.js\.erb$/
if ( SITE_CONFIG['authentication_schemes'].include? 'cas')
# This will allow the user to view the index page without authentication
# but will process CAS authentication data if the user already
# has an SSO session open.
if (CASClient rescue nil)
# Only require sub-library if gem is installed and loaded
require 'casclient/frameworks/rails/filter'
before_filter CASClient::Frameworks::Rails::GatewayFilter, :only => :login
# This requires the user to be authenticated for viewing all other pages.
before_filter CASClient::Frameworks::Rails::Filter, :except => [:login , :calendar]
end
end
before_filter :set_session_expiration
before_filter :set_time_zone
before_filter :set_zindex_counter
@ -238,6 +226,14 @@ class ApplicationController < ActionController::Base
self.class.cas_enabled?
end
def self.prefered_auth?
Tracks::Config.prefered_auth?
end
def prefered_auth?
self.class.prefered_auth?
end
private
def parse_date_per_user_prefs( s )
@ -280,6 +276,8 @@ class ApplicationController < ActionController::Base
def set_time_zone
Time.zone = current_user.prefs.time_zone if logged_in?
locale = params[:locale] || 'en-US'
I18n.locale = locale
end
def set_zindex_counter

68
app/controllers/login_controller.rb
View file

@ -6,6 +6,19 @@ class LoginController < ApplicationController
skip_before_filter :login_required
before_filter :login_optional
before_filter :get_current_user
if ( SITE_CONFIG['authentication_schemes'].include? 'cas')
# This will allow the user to view the index page without authentication
# but will process CAS authentication data if the user already
# has an SSO session open.
if (CASClient rescue nil)
# Only require sub-library if gem is installed and loaded
require 'casclient/frameworks/rails/filter'
before_filter CASClient::Frameworks::Rails::GatewayFilter, :only => :login_cas
# This requires the user to be authenticated for viewing all other pages.
before_filter CASClient::Frameworks::Rails::Filter, :only => [:login_cas ]
end
end
def login
if cas_enabled?
@ -18,6 +31,7 @@ class LoginController < ApplicationController
login_cas
else
@page_title = "TRACKS::Login"
cookies[:preferred_auth] = prefered_auth? unless cookies[:preferred_auth]
case request.method
when :post
if @user = User.authenticate(params['user_login'], params['user_password'])
@ -55,10 +69,10 @@ class LoginController < ApplicationController
@user.forget_me if logged_in?
cookies.delete :auth_token
session['user_id'] = nil
reset_session
if ( SITE_CONFIG['authentication_schemes'].include? 'cas')
if ( SITE_CONFIG['authentication_schemes'].include? 'cas') && session[:cas_user]
CASClient::Frameworks::Rails::Filter.logout(self)
else
reset_session
notify :notice, "You have been logged out of Tracks."
redirect_to_login
end
@ -85,6 +99,33 @@ class LoginController < ApplicationController
end
end
def login_cas
# If checkbox on login page checked, we don't expire the session after 1 hour
# of inactivity and we remember this user for future browser sessions
session['noexpiry'] ||= params['user_noexpiry']
if session[:cas_user]
if @user = User.find_by_login(session[:cas_user])
session['user_id'] = @user.id
msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."
notify :notice, "Login successful: session #{msg}"
cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }
unless should_expire_sessions?
@user.remember_me
cookies[:auth_token] = { :value => @user.remember_token, :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }
end
#redirect_back_or_home
else
notify :warning, "Sorry, no user by that CAS username exists (#{session[:cas_user]})"
redirect_to signup_url ; return
end
else
notify :warning, result.message
end
redirect_back_or_home
end
private
def redirect_to_login
@ -125,26 +166,5 @@ class LoginController < ApplicationController
end
end
def login_cas
# If checkbox on login page checked, we don't expire the session after 1 hour
# of inactivity and we remember this user for future browser sessions
session['noexpiry'] ||= params['user_noexpiry']
if session[:cas_user]
if @user = User.find_by_login(session[:cas_user])
session['user_id'] = @user.id
msg = (should_expire_sessions?) ? "will expire after 1 hour of inactivity." : "will not expire."
notify :notice, "Login successful: session #{msg}"
cookies[:tracks_login] = { :value => @user.login, :expires => Time.now + 1.year, :secure => SITE_CONFIG['secure_cookies'] }
unless should_expire_sessions?
@user.remember_me
cookies[:auth_token] = { :value => @user.remember_token, :expires => @user.remember_token_expires_at, :secure => SITE_CONFIG['secure_cookies'] }
end
redirect_back_or_home
else
notify :warning, "Sorry, no user by that CAS username exists (#{session[:cas_user]})"
end
else
notify :warning, result.message
end
end
end

18
app/controllers/users_controller.rb
View file

@ -27,6 +27,13 @@ class UsersController < ApplicationController
# GET /users/new
def new
@auth_types = []
unless session[:cas_user]
Tracks::Config.auth_schemes.each {|auth| @auth_types << [auth,auth]}
else
@auth_types << ['cas','cas']
end
if User.no_users_yet?
@page_title = "TRACKS::Sign up as the admin user"
@heading = "Welcome to TRACKS. To get started, please create an admin account:"
@ -68,7 +75,9 @@ class UsersController < ApplicationController
user = User.new(params['user'])
if Tracks::Config.auth_schemes.include?('cas')
user.auth_type = "cas" #since CAS will be doing all the auth we may as well set it for everyone when CAS in enabled
if user.auth_type.eql? "cas"
user.crypted_password = "cas"
end
end
unless user.valid?
@ -79,9 +88,6 @@ class UsersController < ApplicationController
first_user_signing_up = User.no_users_yet?
user.is_admin = true if first_user_signing_up
if Tracks::Config.auth_schemes.include?('cas')
user.auth_type = "cas" #since CAS will be doing all the auth we may as well set it for everyone when CAS in enabled
end
if user.save
@user = User.authenticate(user.login, params['user']['password'])
@user.create_preference
@ -102,8 +108,8 @@ class UsersController < ApplicationController
return
end
user = User.new(params[:request])
if Tracks::Config.auth_schemes.include?('cas')
user.auth_type = "cas" #since CAS will be doing all the auth we may as well set it for everyone when CAS in enabled
if Tracks::Config.auth_schemes.include?('cas') && session[:cas_user]
user.auth_type = "cas" #if they area cas user
end
user.password_confirmation = params[:request][:password]
if user.save

2
app/models/user.rb
View file

@ -153,7 +153,7 @@ class User < ActiveRecord::Base
if Tracks::Config.auth_schemes.include?('ldap')
return candidate if candidate.auth_type == 'ldap' && SimpleLdapAuthenticator.valid?(login, pass)
end
if Tracks::Config.auth_schemes.include?('cas')
if Tracks::Config.auth_schemes.include?('cas') && candidate.auth_type.eql?("cas")
return candidate #because we can not auth them with out thier real password we have to settle for this
end
return nil

2
app/views/layouts/standard.html.erb
View file

@ -54,7 +54,7 @@
<div id="minilinks">
<%= link_to("Toggle notes", "#", {:accesskey => "S", :title => "Toggle all notes", :id => "toggle-notes-nav"}) %>
&nbsp;|&nbsp;
<%= link_to "Logout (#{current_user.display_name}) »", logout_path %>
<%= link_to "Logout (#{current_user.display_name}) »", logout_path %> <p>cas user<%=session[:cas_user]%></p></p>
</div>
<div id="navcontainer">
<ul class="sf-menu">

33
app/views/login/login.html.erb
View file

@ -9,9 +9,10 @@
<%= render_flash %>
<h3>Please log in to use Tracks:</h3>
<p>auth method <%=cookies[:preferred_auth]%></p></p>
<p>cas user<%=session[:cas_user]%></p></p>
<% if show_database_form %>
<div id="database_auth_form" style="display:block">
<div id="database_auth_form" style="display:<%=(@prefered_auth.eql?('database')) ? "block" : "none"%>">
<% form_tag :action=> 'login' do %>
<table>
<tr>
@ -36,7 +37,7 @@
<% end %>
<% if show_openid_form %>
<div id="openid_auth_form" style="display:none">
<div id="openid_auth_form" style="display:<%=(@prefered_auth.eql?('openid')) ? "block" : "none"%>">
<% form_tag :action=> 'login' do %>
<table>
<tr>
@ -57,7 +58,7 @@
<% end %>
<% if show_cas_form %>
<div id="cas_auth_form" style="display:block">
<div id="cas_auth_form" style="display:<%=(@prefered_auth.eql?('cas')) ? "block" : "none"%>">
<table>
<tr>
<td>
@ -70,7 +71,7 @@
<%end%>
</p>
<% else %>
<p>You are not yet authenticated. <%= link_to("Login", @login_url) %>
<p><%= link_to("CAS Login", login_cas_url) %> </p>
<% end %>
</td>
</tr>
@ -81,20 +82,22 @@
</div>
<% if show_openid_form %><p id="alternate_auth_openid" class="alternate_auth">or, <a href="#" onclick="Login.showOpenid();return false;">login with an OpenId</a></p><% end %>
<% if show_database_form %><p id="alternate_auth_database" class="alternate_auth">or, <a href="#" onclick="Login.showDatabase();return false;">go back to the standard login</a></p><% end %>
<% if show_cas_form %><p id="alternate_auth_cas" class="alternate_auth">or, <a href="#" onclick="Login.showCAS();return false;">go to the CAS</a></p><% end %>
<script type="text/javascript">
function showPreferredAuth() {
var preferredAuth = $.cookie('preferred_auth');
var casEnabled = <%= show_cas_form ? 'true' : 'false' %>;
var databaseEnabled = <%= show_database_form ? 'true' : 'false' %>;
var openidEnabled = <%= show_openid_form ? 'true' : 'false' %>;
if (preferredAuth && preferredAuth == 'openid' && openidEnabled) {
Login.showOpenid();
}
else if (databaseEnabled) {
else if (preferredAuth && preferredAuth == 'database' && databaseEnabled) {
Login.showDatabase();
}
else if (openidEnabled) {
Login.showOpenid();
else if (preferredAuth && preferredAuth == 'cas' && casEnabled) {
Login.showCAS();
}
}
$(document).ready(showPreferredAuth);
@ -104,7 +107,8 @@ var Login = {
$('#database_auth_form').hide();
$('#openid_auth_form').show();
$('#alternate_auth_openid').hide();
$('#alternate_auth_database').show();
$('#alternate_auth_database').show(); ;
$('#alternate_auth_cas').show();
$('#openid_url').focus();
$('#openid_url').select();
$.cookie('preferred_auth', 'openid');
@ -115,10 +119,21 @@ var Login = {
$('#database_auth_form').show();
$('#alternate_auth_database').hide();
$('#alternate_auth_openid').show();
$('#alternate_auth_cas').show();
$('#user_login').focus();
$('#user_login').select();
$.cookie('preferred_auth', 'database');
},
showCAS: function(container) {
$('#database_auth_form').hide();
$('#openid_auth_form').hide();
$('#cas_auth_form').show();
$('#alternate_auth_cas').hide();
$('#alternate_auth_openid').show();
$('#alternate_auth_database').show();
$.cookie('preferred_auth', 'cas');
}
}
</script>

9
app/views/users/new.html.erb
View file

@ -8,7 +8,8 @@
<h3><%= @heading -%></h3>
<table>
<%if Tracks::Config.auth_schemes.include?('cas')%>
<table>
<%if Tracks::Config.auth_schemes.include?('cas') && session[:cas_user]%>
<tr>
<td><label for="user_login">With your CAS username:</label></td>
<td> "<%= session[:cas_user]%>" </td>
@ -19,7 +20,7 @@
<td><%= password_field "user", "password_confirmation", :size => 20, :value => "fakebecauseweusecas" %></td>
</tr>
<%else%>
<tr>
<tr>
<td><label for="user_login">Desired login:</label></td>
<td> <%= text_field "user", "login", :size => 20 %></td>
</tr>
@ -31,6 +32,10 @@
<td><label for="user_password_confirmation">Confirm password:</label></td>
<td><%= password_field "user", "password_confirmation", :size => 20 %></td>
</tr>
<tr>
<td><label for="user_auth_type">Authentication Type:</label></td>
<td><%= select("user", "auth_type", @auth_types, { :include_blank => false })%></td>
</tr>
<%end%>
<tr>
<td></td>

1
config/routes.rb
View file

@ -1,6 +1,7 @@
ActionController::Routing::Routes.draw do |map|
map.with_options :controller => 'login' do |login|
login.login 'login', :action => 'login'
login.login_cas 'login_cas', :action => 'login_cas'
login.formatted_login 'login.:format', :action => 'login'
login.logout 'logout', :action => 'logout'
login.formatted_logout 'logout.:format', :action => 'logout'

4
config/site.yml.tmpl
View file

@ -12,6 +12,10 @@ authentication_schemes:
# - "cas"
#set the prefered authentication scheme to display first on the login page
#prefered_auth: database
# Uncomment if using cas
#cas_server: "https://cas.demo.edu/cas"
#cas_server_logout: "https://cas.demo.edu/cas/logout"

8
lib/tracks/config.rb
View file

@ -15,5 +15,13 @@ module Tracks
def self.cas_enabled?
auth_schemes.include?('cas')
end
def self.prefered_auth?
if SITE_CONFIG['prefered_auth']
SITE_CONFIG['prefered_auth']
else
auth_schemes.first
end
end
end
end