properties.stx
What is an ACAS User Folder?
ACASUserFolder (Alternative CAS UserFolder) objects are User Folders capable of Yale CAS authentication (http://www.yale.edu/tp/auth/).
Users are generated "on the fly" and cannot authenticate other than with a CAS ticket. In other words, this folder cannot validate a user/password pair!
Form options:
- CAS Login URL
- URL for client login; this is the one used by the login button.
- CAS Validation URL
- URL used internally for validating STs (service tickets).
- CAS Logout URL
- URL for logging out and destroying the TGC (Ticket Granting Cookie).
- Retain POST data on session timeout
- when the Zope session expires, try to keep track of the request's POST data (if present). See the security notes.
- Activate CAS login redirect
- when the Zope session expires, log in again on the CAS server and continue the session seamlessly. See the section below.
- Activate User Persistence
- Users are stored in the ZODB, which allows locally assigned roles to be kept. With this setting on, a transaction is written the first time each user logs in, so there is a small performance impact, notably when the number of users is large (more than 500). A drawback of locally stored user roles is that when the setting is changed, or the ACASUserFolder is destroyed, your changes are discarded.
- Validate Tickets with ACTUAL_URL
- use REQUEST['ACTUAL_URL'] instead of REQUEST['URL'], which is a computed value. ACTUAL_URL works better, because the service URL presented to the validation URL must match exactly the one sent at login, but it is only available since Zope 2.7.4. ACASUserFolder uses ACTUAL_URL by default since version 2.0.1.
Using the ACAS User Folder (ACUF)
- When the CAS login auto-redirect option is OFF
- Authentication is at the user's initiative.
You have to insert/edit a "login button" and a "logout button" somewhere on your web site.
- Supposing that your Zope site is :
- http://portal.your.dom/index_html
- The login button may be a URL like this (the service value must be URL-encoded; it is shown unencoded here for readability) :
- http://cas.your.dom/login?service=http://portal.your.dom/index_html
The logout button may be a URL like this : http://cas.your.dom/logout
- When the CAS login auto-redirect option is ON
- This is the simplest way to use ACASUserFolder, but in this case users can only access the portal in CAS-authenticated mode.
They are automatically redirected to the CAS login form if they have no session or if their session has expired.
WARNING: in this mode the ACASUserFolder is a dead end, and no further user folder is consulted. You are redirected to the CAS server forever if your credentials are not good. However, as an anti-admin-lockout measure, Basic authentication takes precedence over CAS authentication.
TIP: in this case use the Group User Folder and put the ACASUserFolder as the last source of users, so that you can have a standard UserFolder with at least one manager user plus your local users.
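The login/validation round trip described above, together with the "Validate Tickets with ACTUAL_URL" option, as an added Python example (this is not code from ACASUserFolder): it builds the login-button URL with a properly encoded service parameter, strips the ticket from the URL the browser comes back with, and validates it against a constructed in-memory stand-in for the CAS server that answers in CAS 1.0 /validate format. The host names, the stub server, and the default-document behaviour attributed to REQUEST['URL'] in the demo are assumptions made for the example.

```python
"""Added example (not ACASUserFolder's own code): the CAS 1.0 login /
service-ticket validation round trip that an ACAS User Folder drives.
The CAS server is a constructed in-memory stub so the script runs offline;
the host names are assumptions."""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

CAS_LOGIN_URL = "http://cas.your.dom/login"        # "CAS Login URL" option
PORTAL_URL = "http://portal.your.dom/index_html"   # the Zope site


def login_button_url(service, cas_login_url=CAS_LOGIN_URL):
    """URL to put behind the login button.  urlencode() escapes the
    service value, so its ':' '/' and any '?' survive inside the CAS query."""
    return cas_login_url + "?" + urlencode({"service": service})


def split_ticket(url):
    """CAS sends the browser back to <service>?ticket=ST-...  Return
    (service, ticket): the URL with the ticket parameter removed, which is
    what must be presented to the validation URL, and the ticket itself."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    ticket = dict(pairs).get("ticket")
    rest = [(k, v) for k, v in pairs if k != "ticket"]
    service = urlunsplit((parts.scheme, parts.netloc, parts.path,
                          urlencode(rest), parts.fragment))
    return service, ticket


def parse_cas1_validate(body):
    """CAS 1.0 /validate answers 'yes\\n<username>\\n' or 'no\\n\\n'.
    Return the username, or None when the ticket was rejected."""
    lines = body.split("\n")
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return lines[1]
    return None


class StubCasServer:
    """Constructed stand-in for cas.your.dom: issues service tickets bound
    to the exact service string and answers /validate in CAS 1.0 format."""

    def __init__(self):
        self.issued = {}
        self.counter = 0

    def login(self, service, username):
        # The real server authenticates the user first (and sets the TGC);
        # here the user is taken on trust and the redirect URL is returned.
        self.counter += 1
        ticket = "ST-%d-constructed" % self.counter
        self.issued[ticket] = (service, username)
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": ticket})

    def validate(self, service, ticket):
        # A service ticket is single-use: it is consumed by the first
        # validation attempt, and it only validates for the service it was
        # issued to, compared as a plain string.
        issued = self.issued.pop(ticket, None)
        if issued is None or issued[0] != service:
            return "no\n\n"
        return "yes\n%s\n" % issued[1]


def authenticate(cas, request_url):
    """What the user folder does on the request that carries the ticket.
    request_url plays the role of REQUEST['ACTUAL_URL'] (or of the computed
    REQUEST['URL'] when the 'Validate Tickets with ACTUAL_URL' option is off)."""
    service, ticket = split_ticket(request_url)
    if ticket is None:
        return None
    return parse_cas1_validate(cas.validate(service, ticket))


if __name__ == "__main__":
    cas = StubCasServer()
    print(login_button_url(PORTAL_URL))
    back = cas.login(PORTAL_URL, "alice")        # what the browser comes back with
    print(back, "->", authenticate(cas, back))   # alice
    print("replay ->", authenticate(cas, back))  # None: ticket already consumed
    # Login was requested for the bare site URL, but the computed REQUEST['URL']
    # names the default document after traversal (assumed behaviour, used here
    # to illustrate why ACTUAL_URL is the safer choice).
    back = cas.login("http://portal.your.dom/", "bob")
    computed = back.replace("http://portal.your.dom/?", PORTAL_URL + "?")
    print("computed URL ->", authenticate(cas, computed))  # None: service mismatch
```

The two failure paths are the ones that matter in practice: a replayed ticket is refused because the server consumes it on first validation, and a ticket is refused when the service string at validation differs in any way from the one sent at login, which is exactly what happens when Zope's computed URL is used instead of the URL the browser actually requested.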
See Also
Author & Maintainer
Alexandre SAUVE < mr .dot. lex -at- free .dot. fr >