An Apache httpd module for integrating with Apereo CAS Server project.
Apache CAS Authentication Module for the JASIG/Apereo CAS Server.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
The purpose of this module is to allow an Apache web server to interact with an authentication server that conforms to the CAS version 1 or 2 protocol or SAML protocol as used by the JASIG/Apereo CAS Server. At the time of this writing, the CAS protocol specification is here:
modauthcas is available in most major Linux distributions, including Debian, Ubuntu, Fedora, and is available from EPEL for CentOS and RHEL.
The following development libraries and utilities must be installed: * OpenSSL - 0.9.8c or higher * Apache Portable Runtime - 1.5.0 or higher * Apache Portable Runtime Utilities - 1.3.0 or higher * Apache Web Server - 2.2.3 or higher * libcurl - 7.18.2 or higher * libpcre - 7.8 or higher
Download the distribution via git or tarball. Because git does not preserve timestamps, autoconf may determine it is necessary to bootstrap the project. If building from source, please start with:
Build is performed with the standard Autoconf incantation:
./configure && make && sudo make install
Edit your Apache configuration to load the modauthcas module:
LoadModule auth_cas_module /path/to/mod_auth_cas.so
Set a few required parameters in your Apache configuration:
CASCookiePath /var/cache/apache2/mod_auth_cas/ CASLoginURL https://login.example.org/cas/login CASValidateURL https://login.example.org/cas/serviceValidate
Protect a "Location" or "Directory" block in your Apache configuration:
Authtype CAS Require valid-user
If attribute-based authorization is also desired, specify cas-attribute name:value in your Require rule (please note: both attribute name and value are case-sensitive):
CASCookiePath /var/cache/apache2/mod_auth_cas/ CASLoginURL https://login.example.org/cas/login CASValidateURL https://login.example.org/cas/samlValidate CASValidateSAML On Authtype CAS Require cas-attribute edupersonaffiliation:staff
Both the CAS 2.0 and SAML 1.1 protocols support including additional attributes in the CAS validation response, which may also be added as HTTP headers (see CASAttributePrefix and CASAttributeDelimiter). This example uses the SAML protocol and requires that the 'edupersonaffiliation' attribute is set to 'staff'.
These limitations are known to exists in this release of the software:
CAS Proxy Validation is not implemented in this version.
CAS Ticket Validation can only be performed over an SSL connection. The CAS protocol does not explicitly require this, but to not do so leaves this system open to a man-in-the-middle attack.
CAS single sign out is currently not functional and disabled. It is only safe to use in the case where all requests are GET and not POST (the module inadvertently 'eats' some content of the POST request while determining if it should process it as a SAML logout request).
Reports of slow performance on some systems (particularly virtual machines) have been reported. This is related to the entropy that is gathered when creating a session cookie for the end user. To combat this, there are 3 solutions. The first is to upgrade the version of the Apache Portable Runtime on your system to >= 1.3.0. In that version, entropy is gathered from a nonblocking source. The second method would be to install a package such as rng-tools and feed random data from /dev/urandom to /dev/random("-r /dev/urandom"). The last way is to reduce the size of the CASCookieEntropy setting, reducing the demand on the pool.
Win32 support has been dropped (but not removed) due to lack of development resources, and seemingly minimal community usage. You are welcome to try it, but YMMV for success.
First, you must tell Apache to load the module. In your httpd.conf, add:
LoadModule authcasmodule /path/to/modauthcas.so
Then, in the location(s) you want to protect, use the following directive:
Be sure to set authorization parameters in the locations you are protecting(e.g. 'require valid-user', 'require group foo')
The following are valid configuration options and their default:
Directive: CASVersion Default: 2 Description: The version of the CAS protocol to adhere to (1 or 2). This affects whether Gateway mode is available and how the CAS validation response is parsed.
Directive: CASDebug Default: Off Description: Enable or disable debugging mode for troubleshooting. Please note that LogLevel must be set to Debug for the VirtualHost in order for these logs to be visible.
Directive: CASValidateDepth Default: 9 Description: This directive will set the maximum depth for chained certificate validation. The default (according to OpenSSL documentation) is 9.
Directive: CASCertificatePath Default: /etc/ssl/certs/ Description: The path to the X509 certificate of the Certificate Authority for the server in CASLoginURL and CASValidateURL. This may be either a file, or a directory containing the certificate files linked to by their hashed names.
Directive: CASLoginURL Default: NULL Description: The URL to redirect users to when they attempt to access a CAS protected resource and do not have an existing session. The 'service', 'renew', and 'gateway' parameters will be appended to this by modauthcas if necessary. Include 'http[s]://...'
Directive: CASValidateURL Default: NULL Description: The URL to use when validating a ticket presented by a client in the HTTP query string (ticket=...). Must include 'https://' and must be an HTTPS URL.
Directive: CASProxyValidateURL Default: NULL Description: The URL to use when performing a proxy validation. This is currently an unimplemented feature, so setting this will have no effect.
Directive: CASRootProxiedAs Default: NULL Description: This URL represents the URL that end users may see in the event that access to this Apache server is proxied. This will override the automatic generation of service URLs and construct them using this prefix. As an example: If the site being protected is http://example.com/ and the Apache instance of this server is http://internal.example.com:8080, setting CASRootProxiedAs to http://example.com would result in proper service parameter generation.
Directive: CASCookiePath Default: /dev/null Description: When users first authenticate to modauthcas with a valid service ticket, a local session is established. Information about this session (the username, time of creation, last activity time, the resource initially requested, and whether or not the credentials were renewed) is stored in this directory. This location should be writable by the web server ONLY. Any user that can write to this location can falsify authentication information by creating a fake data file. NOTE : Some distributions purge the contents of /tmp/ on a reboot, including user created directories. This will prevent modauthcas from storing cookie information until that directory is created. To avoid this, try using a different location, such as /var/cache/apache2/modauthcas/
Directive: CASCookieEntropy Default: 32 Description: When creating a local session, this many random bytes are used to create a unique session identifier. Using large values for this field may result in delays when generating session IDs if not enough entropy is available.
Directive: CASTimeout Default: 7200 (2 hours) Description: This is the hard limit, in seconds, for a modauthcas session (whether it is idle or not). When a session has reached this age and a new request is made, the user is redirected to the CASLoginURL to obtain a new service ticket. When this new ticket is validated, they will be assigned a new modauthcas session. Set this value to '0' in order to allow a non-idle session to not expire.
Directive: CASIdleTimeout Default: 3600 (1 hour) Description: This is a limit, in seconds, of how long a modauthcas session can be idle. When a request comes in, if it has been inactive for CASIdleTimeout seconds, the user is redirected to the CASLoginURL to obtain a new service ticket.
Directive: CASCacheCleanInterval Default: 1800 (30 minutes) Description: This is the minimum amount of time that must pass inbetween cache cleanings. When a new ticket is issued, or when an expired session is presented, the time of the last cache clean is compared against this value. If CASCacheCleanInterval seconds have passed since the last cleaning, then all files in CASCookiePath are examined and if they have expired, they are removed. This is merely to prevent the file system from becoming excessively cluttered.
Directive: CASCookieDomain Default: NULL Description: Specify the value for the 'Domain=' parameter in the Set-Cookie header.
Directive: CASCookieSameSite Default: NULL Description: Specify the value for the 'SameSite=' parameter in the Set-Cookie header. Allowed values are 'None', 'Lax', and 'Strict'.
Directive: CASCookieSecure Default: Auto Description: Set the optional 'Secure' attribute for cookies issued by modauthcas. Set the Secure attribute as described in in RFC 6265. This flag prevents the modauthcas cookies from being sent over an unencrypted HTTP connection. By default, modauthcas sets the 'Secure' attribute depending on information about the connection (the 'Auto' option). The options 'On' and 'Off' can be used to override the automatic behaviour.
Directive: CASAuthoritative Default: Off Description: This directive determines whether an optional authorization directive (see 'Require cas-attribute') is authoritative and thus binding or if other authorization modules will also be applied. 'On' means authoritative, 'Off' means not authoritative. NOTE: This directive is unavailable with Apache 2.4. See the RequireAny, RequireNone, and RequireAll directives instead.
Directive: CASValidateSAML Default: Off Description: If enabled, the response from the CAS Server will be parsed for SAML attributes which will be associated with the user. Requires setting CASValidateURL appropriately; typical URLs are of the form https://login.example.org/cas/samlValidate.
Directive: CASAttributePrefix Default: CAS_ (Apache < 2.4) CAS- (Apache 2.4) Description: The prefix to use when adding CAS or SAML attributes to the HTTP headers, which will be named . CASAuthNHeader must be set for this directive to be used. NOTE: In Apache 2.4 and newer, headers containing "invalid" characters (including underscores) are silently dropped, so you must set this to a "valid" name containing only alphabetic characters and hyphens.
Directive: CASAttributeDelimiter Default: , Description: modauthcas will set the value of the attribute header (as described in CASAttributePrefix) to in the case of multiple attribute values.
Directive: CASPreserveTicket Default: Off Description: This directive leaves CAS ticket parameters intact when a valid session cookie exists. This helps prevent infinite redirect loops when CAS protection is being used at multiple levels.
Directive: CASGatewayCookieDomain Default: NULL Description: Specify the value for the 'Domain=' parameter in the Set-Cookie header when setting the CASGatewayCookie.
Directive: CASScope Default: Off Description: Use this directive with an argument as a relative path (e.g. /application/) to specify the scope for which a modauthcas cookie is valid. This is beneficial to prevent additional round trips to the CAS server. Assume someone authenticates to /application/subdir/ and then browses to /application/ - without CASScope set, each request would result in a round trip to the CAS server and a new cookie being created (one for each directory). CASScope would set one cookie, which will be presented on access to both directories. Note that if someone accessed /application/ and then /application/subdir/ this would not be an issue, but that order of access can not be guaranteed. To disable this feature, the special argument 'Off' will return to per-directory cookie paths for this directory and subdirectories.
Directive: CASRenew Default: Off Description: Use this directive with an argument as a relative path (e.g. /application/secure/ for http://www.example.com/application/secure/*) to force a user to renew their credentials when accessing that directory. The argument MUST be a relative path. To disable this requirement, the special argument 'Off' will disable this requirement for this directory and subdirectories.
Directive: CASGateway Default: Off Description: Use this directive with an argument as a relative path (e.g. /application/insecure/ for http://www.example.com/application/insecure/*) to allow anonymous access to that directory. The argument MUST be a relative path. To disable this feature, the special argument 'Off' will reinstate the requirement for authentication.
Directive: CASCookie Default: MODAUTHCAS Description: The name of the cookie used to store the session ID over HTTP connections. It should be changed if it will interfere with the application protected by modauthcas.
Directive: CASSecureCookie Default: MODAUTHCASS Description: The name of the cookie used to store the session ID over HTTPS connections. It should be changed if it will interfere with the application protected by modauth_cas.
Directive: CASGatewayCookie Default: MODAUTHCASG Description: The name of the cookie used to store whether or not the user has attempted to access this resource before. It should be changed if it will interfere with the application protected by modauth_cas.
Directive: CASAuthNHeader Default: None Description: If enabled, this will store the user returned by CAS in the specified HTTP header accessible to your web applications, and any additional attributes received in headers named according to CASAttributePrefix. This is in addition to the REMOTE_USER environment variable, which is always set to the CAS user.
Directive: CASSSOEnabled Default: Off Description: If enabled, this activates support for Single Sign Out within the CAS protocol. Please note that this feature is currently experimental and may mangle POST data.
Directive: CASScrubRequestHeaders Default: Off Description: modauthcas will strip request inbound request headers that may have special meaning, such as those set with the CASAttributePrefix or the CASAuthNHeader value.
Directive: Require cas-attribute : Default: NULL Description: Use this directive to authorize based on CAS or SAML attributes returned via the session validation call. Multiple directives are OR-ed. If directive is present with no attributes defined, the request is declined. If value has spaces, wrap the pair in quotes. See also CASAuthoritative.
Directive: Require cas-attribute ~ Default: NULL Description: Use this form of the directive to authorize based on CAS or SAML attributes returned via the session validation call. Multiple directives are OR-ed. If directive is present with no attributes defined, the request is declined. The value is interpreted as a Perl-Compatible Regular Expression (PCRE) using case-sensitive matching. See also CASAuthoritative.
We welcome your feedback, suggestions and contributions. Contact us via email if you have questions, feedback, code submissions, and bug reports. To reach the development team, send an e-mail to:
cas-user [at] apereo [dot] org
Google Group link: