scenario.stx

CAS Usage Scenarios

By its nature (it relies on an external authentication server), CAS is not completely trivial to set up.

Here you will find some "recipes" on how to set up CAS authentication in some common cases.

Target: Zope admins / developers

This document is what I would have liked to find when I started to mess with CAS on Zope and felt a bit alone in the dark ;-)

Standalone Zope Server - No cookie crumbler - auto-login on

This is the easy way, and it is useful for

  • Authenticated only sites / intranets
  • Testing purposes (you will like it)

Example Zope directory structure:

    /acl_users       [Standard UserFolder with admin user(s)]
    /site/acl_users  [ACASUserFolder]
    /site/index_html [DTML or ZPT]

Do not forget to double check CAS auth with the test management tab.

Do not forget to turn on auto-login from your ACASUserFolder

Well, that's all, it works now, you can worry about your code & modules!

Standalone Zope Server - No cookie crumbler - auto-login off

This is a safe scenario for

  • public server with mostly Anonymous visitors

In this case, you will have to tweak some sitewide pieces of DTML/ZPT.

Note: On session timeout you will have to rely on your own code to keep track of GET parameters, as ACASUserFolder doesn't (currently) save them. POST parameters, however, are kept if the management option is turned on. Be aware that the usual behaviour, when authentication is needed, is to fall back to the BasicAuth provided by the upper BasicUserFolder.

Example Zope directory structure:

    /acl_users       [Standard UserFolder with admin user(s)]
    /site/acl_users  [ACASUserFolder]
    /site/index_html [DTML or ZPT]

You now need to insert a login URL/button to allow CAS interaction.

For the demonstration we will insert the tags in index_html, but they belong in a piece of code that is visible from every page (the same way as standard_html_header).

DTML version (Zope & CAS server logout):

    <dtml-comment>Logout request: ends the Zope session and the CAS server session.</dtml-comment>
    <dtml-if please_log_me_out>
      <dtml-var expr="acl_users.cas_complete_logout(service=REQUEST.URL)">
    </dtml-if>

    <dtml-comment>The current URL is passed to CAS as the service parameter, hence url_quote.</dtml-comment>
    <dtml-if expr="_.SecurityGetUser().getUserName() != 'Anonymous User'">
      Hello Dear User <b><dtml-var expr="_.SecurityGetUser().getUserName()"></b><br/>
      <a href="<dtml-var expr="REQUEST.URL">?please_log_me_out=1">CAS Logout</a>
    <dtml-else>
      <a href="<dtml-var expr="acl_users.cuf_login_url">?service=<dtml-var expr="REQUEST.URL" url_quote>">CAS Login</a>
    </dtml-if>

ZPT version (Zope & CAS server logout):

    <!-- Logout request: ends the Zope session and the CAS server session. -->
    <span tal:condition="exists: request/please_log_me_out"
          tal:replace="python: here.acl_users.cas_complete_logout(service=request.URL)"
          />

    <span tal:condition="python: user.getUserName() != 'Anonymous User'">
      Hello Dear <b><span tal:replace="user"/></b>  <br/>
      <a tal:attributes="href string:${request/URL}?please_log_me_out=1">
        CAS Logout </a>
    </span>

    <!-- The current URL is passed to CAS as the service parameter, so it is URL-quoted. -->
    <span tal:condition="python: user.getUserName() == 'Anonymous User'">
      <a tal:define="url_quote python: modules['Products.PythonScripts.standard'].url_quote"
         tal:attributes="href python: '%s?service=%s' % (here.acl_users.cuf_login_url, url_quote(request.URL))">
        CAS Login </a>
    </span>

ZPT version (Zope only logout):

    <!-- Logout request: ends the Zope session only; the CAS server session is kept. -->
    <span tal:condition="exists: request/please_log_me_out">
      <span tal:define="dummy python: here.acl_users.cas_local_logout(service=request.URL)" />
    </span>

    <span tal:condition="python: user.getUserName() != 'Anonymous User'">
      Hello Dear <b><span tal:replace="user"/></b>  <br/>
      <a tal:attributes="href string:${request/URL}?please_log_me_out=1">
        CAS Logout </a>
    </span>

    <!-- The current URL is passed to CAS as the service parameter, so it is URL-quoted. -->
    <span tal:condition="python: user.getUserName() == 'Anonymous User'">
      <a tal:define="url_quote python: modules['Products.PythonScripts.standard'].url_quote"
         tal:attributes="href python: '%s?service=%s' % (here.acl_users.cuf_login_url, url_quote(request.URL))">
        CAS Login </a>
    </span>

Plone Site - Groups support - Cookie Crumbler - auto login off

This (recommended) scenario is for

  • public web sites
  • intranets where authentication is not always needed
  • nearly no Plone config

Note: With default ACASUserFolder settings, GET and POST method parameters are kept upon session timeout, so there is no data loss. However, for Plone versions < 2.1, GET parameters are lost; you may fix it with the small patch provided here.

You will have to install the PloneCASLogin Product in order to have a zero-conf working site.

Example Zope directory structure:

    /acl_users       [Standard UserFolder with admin user(s)]
    /plone           [Plone Site]
    /plone/acl_users                    [GroupUserFolder]
    /plone/acl_users/Users01/acl_users  [BasicUserFolder]
    /plone/acl_users/Users02/acl_users  [ACASUserFolder]

Install PloneCASLogin with the Plone QuickInstaller tool.

Now you will have nice CAS login buttons replacing the default portlets and login forms.

Note: Cookie Crumbler is deeply integrated into Plone 2.0.5 auth, so it is better to work with it to avoid trouble.

Plone Site - No Cookie Crumbler - Groups support - auto login on

This scenario is for

  • Authenticated only sites / intranets
  • Testing purposes (you will like it again)

Note: this is a little clumsy, and the logout button does not work correctly without some more tweaking.

Example Zope directory structure:

    /acl_users       [Standard UserFolder with admin user(s)]
    /plone           [Plone Site]
    /plone/acl_users                    [GroupUserFolder]
    /plone/acl_users/Users01/acl_users  [BasicUserFolder]
    /plone/acl_users/Users02/acl_users  [ACASUserFolder]
    /plone/cookie_authentication        [CookieCrumbler **to delete**]

Do not forget to double check CAS auth with the test management tab.

Do not forget to turn on auto-login from your ACASUserFolder

When cookie_authentication is suppressed, you will have an authenticated only Plone site.

Standalone Zope Server - With Cookie Crumbler (standalone)

This scenario is for

  • compatibility with applications that do need to keep cookies but wish to switch smoothly to CAS auth

Note that your mileage may vary for logout, as I did not test it thoroughly, but it is likely that the user's session/identity (_ZopeId related) will remain "usable" until their session timeout, even if they close their browser. Hummm, you said gruiiik?

Example Zope directory structure:

    /acl_users       [Standard UserFolder with admin user(s)]
    /site/acl_users  [ACASUserFolder]
    /site/login      [Cookie Crumbler]
    /site/login/login_form [we make some changes here]

Code to replace login_form with:

    <dtml-var standard_login_header>

    <h1 class="DesktopTitle">
     Log in
    </h1>

    <dtml-let came_from="REQUEST.get('came_from', '')"
              action_url="came_from or 'logged_in'">

    <dtml-comment>
      With a came_from, send the visitor to the CAS server (GET) with that
      page as the service to come back to; otherwise keep the Cookie
      Crumbler's own logged_in target.
    </dtml-comment>
    <dtml-if came_from>
    <form action="<dtml-var expr="acl_users.cuf_login_url">">
    <input type="hidden" name="service" value="<dtml-var came_from html_quote>" />
    <dtml-else>
    <form action="&dtml-action_url;" method="POST">
    </dtml-if>

    <dtml-if expr="REQUEST.get('retry', 0)">
    <font color="red">Please try again.</font>
    </dtml-if>

    <dtml-if came_from>
      <input type="hidden" name="came_from" value="&dtml-came_from;">
    </dtml-if>

    <table>
    <tr>
      <td align="left" valign="top">
      </td>
      <td align="left" valign="top">
      <input type="submit" name="submit" value=" CAS Login ">
      </td>
    </tr>
    </table>
    </form>
    </dtml-let>

    <p>
    Having trouble logging in? Be sure to enable cookies in your web browser.
    </p>

    <p>Don't forget to logout or exit your browser when you're done.
    </p>

    <dtml-var standard_login_footer>
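The two decisions the templates above make (which link to render in the DTML/ZPT snippets, and where login_form sends the visitor depending on came_from) are modelled below in plain Python as an added example; it is not part of ACASUserFolder or of this page's templates. The CAS and site URLs are constructed sample values, and the same-site check on came_from is an addition of this example, not something the template does.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample values standing in for acl_users.cuf_login_url and
# the site root; neither comes from the page.
CAS_LOGIN_URL = "https://cas.example.org/cas/login"
SITE_URL = "https://www.example.org/site"


def cas_login_href(service_url, cas_login_url=CAS_LOGIN_URL):
    """'CAS Login' link: the CAS login URL with the current page as the
    service parameter. urlencode() escapes '?', '&', '=' and '/' in the
    page URL so the service round-trips through CAS intact."""
    return "%s?%s" % (cas_login_url, urlencode({"service": service_url}))


def session_widget(user_name, request_url, log_me_out=False):
    """Mirror of the dtml-if / tal:condition logic: a logout call is made
    whenever please_log_me_out is present; the link shown depends only on
    whether the current user is the Anonymous User."""
    anonymous = user_name == "Anonymous User"
    return {
        "do_logout": log_me_out,
        "label": "CAS Login" if anonymous else "CAS Logout",
        "href": cas_login_href(request_url) if anonymous
                else request_url + "?please_log_me_out=1",
    }


def _same_site(url, site_url):
    """Added check: the URL must live under the site root (scheme, host
    and path prefix), so CAS is only asked to come back to our own pages."""
    a, b = urlsplit(url), urlsplit(site_url)
    base = b.path.rstrip("/")
    return (a.scheme, a.netloc) == (b.scheme, b.netloc) and (
        a.path == base or a.path.startswith(base + "/"))


def login_form_action(came_from, site_url=SITE_URL, cas_login_url=CAS_LOGIN_URL):
    """Mirror of the dtml-let in login_form: with a came_from, the form is
    a GET to the CAS server carrying came_from as the service (and again as
    came_from for the Cookie Crumbler); otherwise it POSTs to logged_in."""
    if came_from and _same_site(came_from, site_url):
        return {"action": cas_login_url, "method": "GET",
                "hidden": {"service": came_from, "came_from": came_from}}
    return {"action": "logged_in", "method": "POST", "hidden": {}}
```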

See Also

ACASUserFolder Properties

Plone integration

ACASUserFolder users listing

CAS usage scenarios

Security

Zope API

Author & Maintainer

Alexandre SAUVE < mr .dot. lex -at- free .dot. fr >