/cas url force login to cas.
Can you add a new URL to force an authentication check even if cas_check_first is false (or cas_check_frequency is NEVER)?
Can you also modify the cas_login_check() function by adding a parameter force_check (default to false) to force the authentication check from code?

Comments

metzlerd’s picture

Would like to know more about what you're trying to accomplish rather than how you're trying to accomplish it. In the Redirection settings under the cas settings page you can require authentication for specific pages and list any number of wild card masks for pages that you need people to go through cas to get to. Is this functionality not sufficient? If not, what's the delta here?

MarcElbichon’s picture

Because of Varnish troubles, cas_check_first (or cas_check_frequency) is disabled on our sites.
So, to do SSO between sites, I'd like to send a URL to log the user in from CAS in site B only if the user is connected to site A.
The /cas URL forces authentication, so if the user is not connected to site A, the CAS login page is printed.
What I want is to do authentication checking rather than force authentication.

So, to do this, I want to test if the URL contains sso=true. If it does, I'd like to call the cas_login_check() function. But I can't, because cas_check_first is false. This could be done by adding a parameter to the function like this:

function cas_login_check($force_check = false) {
...
 if ($cas_force_login || $force_check || _cas_allow_check_for_login()) {
   ....
 }
}

Another way is adding a new URL (like /cas) to check authentication even if cas_check_first is false.

bfroehle’s picture

Version: 6.x-3.1 » 7.x-1.x-dev
Status: Active » Needs review
Attached file: status new, size 9.99 KB

Abstracting from your request a bit, it seems that this issue (and the similar requests in the past) could be better dealt with by creating a more robust API for custom modules to interact with. As you describe, cas_login_check() should take some parameters, including "force authentication". I agree.

I've added a $force_authentication parameter to cas_login_check() and refactored cas_init():

@@ -27,152 +27,154 @@ function cas_init() {
-  cas_login_check();
+
+  $force_authentication = _cas_force_login();
+  $check_authentication = _cas_allow_check_for_login();
+  if ($force_authentication || $check_authentication) {
+    cas_login_check($force_authentication);
+  }
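
Review bot: In cas_init(), both _cas_force_login() and _cas_allow_check_for_login() are now evaluated up front every time this code runs, and nothing in the visible lines skips them for a user who is already authenticated. Consider returning early when a session already exists, and evaluating _cas_allow_check_for_login() only when _cas_force_login() returned false, for example by keeping it inside the condition as `if ($force_authentication || _cas_allow_check_for_login())`. The meaning of the argument now passed to cas_login_check() (force a login versus only check for an existing CAS session) should also be stated in that function's docblock if it is not already.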

Attached patch is for 7.x-1.x. Backport to 6.x-3.x should be obvious. Thoughts?

bfroehle’s picture

Hmm, the patch in #3 is very hard to review. Instead please review this attached patch which is smaller because it does not dedent a large region of code.

bfroehle’s picture

Version: 7.x-1.x-dev » 6.x-3.x-dev
Attached file: status new, size 3.46 KB

And for 6.x-3.x, also with an easy-to-review patch leaving indenting broken. (We'll just clean up the indenting immediately prior to commit).

metzlerd’s picture

Status: Needs review » Reviewed & tested by the community

I reviewed and tested the 7.x version of this patch and it seems to perform as advertised. I was able to invoke cas_check_login from a helper module and get the desired behavior.

bfroehle’s picture

Status: Reviewed & tested by the community » Fixed

Committed to 7.x-1.x and 6.x-3.x. Thanks for the review Dave.

MarcElbichon’s picture

I don't understand why you've refactored cas_init().
Now you check always "force login" and "check login" even if user is connected.

bfroehle’s picture

Status: Fixed » Active

Marc: Can you put a patch together for what you are thinking?

I agree that we should probably check if $user exists before calling those other two functions.

MarcElbichon’s picture

Attached file: status new, size 1.13 KB

Suggested patch (from 3.1 version).

bfroehle’s picture

Status: Active » Needs review
Attached file: status new, size 1.37 KB

Follow-up fix:

Now you check always "force login" and "check login" even if user is connected.

bfroehle’s picture

Status: Needs review » Fixed

Committed to 6.x-3.x and 7.x-1.x.

MarcElbichon’s picture

Why don't you like my patch???
Now you check if the user is connected or the URL is "cas" in both cas_init() and cas_login_check().
Why not do this only in cas_login_check?

bfroehle’s picture

Hi Marc:

I certainly agree with the spirit but I think that making cas_login_check even more monolithic would be going in the wrong direction.

Instead you'll now be able to implement the check_cas path yourself in a custom module. Over time this will give other developers additional flexibility and we can include the most popular and versatile configurations back into the main CAS module.

For example:

/**
 * Check with the CAS server to see if the user is already logged in.
 */
function check_cas_init() {
  if (arg(0) == 'check_cas') {
    cas_login_check(FALSE);
  }
}

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

Add more infos

  • Commit ecccf9c on 7.x-1.x, 8.x-1.x by bfroehle:
    Issue #1345824 by bfroehle, MarcElbichon: Make cas_login_check() useful...
  • Commit 3e5d69c on 7.x-1.x, 8.x-1.x by bfroehle:
    Issue #1345824 followup by bfroehle: Avoid unnecessary checks if user...