properties.stx


What is an ACAS User Folder?

ACASUserFolder (Alternative CAS UserFolder) objects are User Folders capable of Yale CAS authentication (http://www.yale.edu/tp/auth/).

Users are generated "on the fly" and have no way to authenticate other than with a CAS ticket. In other words, this folder cannot validate a user/password pair!

Form options:

CAS Login URL
URL for client login. This is the one used by the login button.
CAS Validation URL
URL used internally (server to server) for validating ST (service tickets).
CAS Logout URL
URL for logging out and destroying the TGC (Ticket Granting Cookie).
Retain POST data on session timeout
When the Zope session expires, try to keep track of the request's POST data (if present) so the request can be replayed after re-authentication. See Security.
Activate CAS login redirect
When the Zope session expires, try to log in again on the CAS server and continue the session seamlessly. See the section below.
Activate User Persistence
Users are stored in the ZODB, which allows locally stored roles to be kept. With this setting on, a transaction is written the first time each user logs in, so there is a small performance impact, notably when the number of users is large (more than 500). A drawback of locally stored user roles is that when the setting is changed, or if the ACASUserFolder is destroyed, your changes are discarded.
Validate Tickets with ACTUAL_URL
Use REQUEST['ACTUAL_URL'] instead of REQUEST['URL'], which is a computed value. The service URL sent to the validation URL must match the one the service ticket was issued for, so the URL as actually requested works better; ACTUAL_URL is only supported since Zope 2.7.4. ACASUserFolder uses ACTUAL_URL by default since version 2.0.1.

Using the ACAS User Folder (ACUF)

When the CAS login auto-redirect option is OFF
Authentication is initiated by the user.

You have to insert/edit a "login button" and a "logout button" somewhere on your web site.

Supposing that your Zope site is:
http://portal.your.dom/index_html
The login button may be a URL looking like this:
http://cas.your.dom/login?service=http://portal.your.dom/index_html

The logout button may be a URL looking like this: http://cas.your.dom/logout
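The following is an added example (not code from ACASUserFolder itself) showing the pieces the two sections above describe: building the login-button URL for a service, extracting the ST that the CAS server appends when it sends the browser back, and forming the server-side validation request. It also shows why the "Validate Tickets with ACTUAL_URL" option matters: the service URL sent to the validation URL must be the one the ticket was issued for, with the ticket parameter removed, so it is derived from the request URL as actually seen rather than recomputed. The host names are the page's own placeholders; the validate path, the sample ticket and the CAS 1.0 response bodies are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Placeholder CAS endpoints (the page's example host; the /validate path is
# an assumption for this example, it is the CAS 1.0 validation endpoint).
CAS_LOGIN_URL = "http://cas.your.dom/login"
CAS_VALIDATE_URL = "http://cas.your.dom/validate"
CAS_LOGOUT_URL = "http://cas.your.dom/logout"


def strip_ticket(url):
    """Return url without its CAS 'ticket' query parameter.

    The CAS server issued the service ticket for the service URL *before*
    it appended ?ticket=ST-..., so the validation request must name the
    service exactly as requested, minus that parameter.  Building this
    from the real request URL (ACTUAL_URL) rather than a recomputed one
    is what keeps the two in agreement; any mismatch makes the CAS server
    reject the ticket.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def login_url(service):
    """Login button: send the browser to CAS, naming the service to return to.

    The service URL is percent-encoded as a query value; the page shows it
    unencoded, which browsers tolerate but which breaks once the service
    URL carries its own query string.
    """
    return CAS_LOGIN_URL + "?" + urlencode({"service": service})


def extract_ticket(actual_url):
    """Pull the ST the CAS server appended when redirecting the user back."""
    parts = urlsplit(actual_url)
    for k, v in parse_qsl(parts.query):
        if k == "ticket" and v.startswith("ST-"):
            return v
    return None


def validation_url(actual_url, ticket):
    """URL the folder fetches server-side to validate a service ticket."""
    return CAS_VALIDATE_URL + "?" + urlencode(
        {"service": strip_ticket(actual_url), "ticket": ticket})


def parse_validate_response(body):
    """Parse a CAS 1.0 validate body: 'yes\\n<user>\\n' on success, 'no\\n\\n' otherwise.

    Returns the user id, or None when the ticket was rejected.  Anything
    that is not exactly the success shape (including a truncated body) is
    treated as a failure, so a malformed reply never yields a login.
    """
    lines = body.split("\n")
    if len(lines) >= 2 and lines[0] == "yes" and lines[1].strip():
        return lines[1].strip()
    return None


if __name__ == "__main__":
    # Constructed round trip using the page's example portal URL.
    service = "http://portal.your.dom/index_html"
    print("login button ->", login_url(service))
    # After login, CAS redirects the browser back with a ticket appended.
    returned = "http://portal.your.dom/index_html?ticket=ST-1234-abc"  # constructed
    ticket = extract_ticket(returned)
    print("validate    ->", validation_url(returned, ticket))
    print("accepted    ->", parse_validate_response("yes\nalice\n"))
    print("rejected    ->", parse_validate_response("no\n\n"))
    print("logout      ->", CAS_LOGOUT_URL)
```

Note that only the validation request leaves the server; the login and logout URLs are handed to the browser. If the validation URL is fetched over plain http, as in the page's placeholders, the service ticket and the returned user id travel in clear, so in practice the validation URL should be https.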

When the CAS login auto-redirect option is ON
This is the simplest way to use ACASUserFolder, but in this case users can only access the portal in CAS-authenticated mode.

They are automatically redirected to the CAS login form if they have no session or if their session has expired.

WARNING: in this mode the ACASUserFolder is a dead end and no further user folder is consulted: you are redirected to the CAS server forever if your credentials are not accepted. As an anti-admin-lockout measure, however, Basic authentication takes precedence over CAS authentication.

TIP: in this case use the Group User Folder and put the ACASUserFolder as the last user source, so you keep a standard UserFolder with at least one Manager user alongside your local users.

See Also

ACASUserFolder Properties

Plone integration

ACASUserFolder users listing

CAS usage scenarios

Security

Zope API

Author & Maintainer

Alexandre SAUVE < mr .dot. lex -at- free .dot. fr >