{"id":13647892,"url":"https://github.com/apereo/mod_auth_cas","last_synced_at":"2025-05-16T18:11:02.449Z","repository":{"id":857620,"uuid":"2104470","full_name":"apereo/mod_auth_cas","owner":"apereo","description":"An Apache httpd module for integrating with Apereo CAS Server project.","archived":false,"fork":false,"pushed_at":"2024-10-17T20:25:08.000Z","size":1774,"stargazers_count":147,"open_issues_count":25,"forks_count":96,"subscribers_count":26,"default_branch":"master","last_synced_at":"2025-04-12T17:46:43.750Z","etag":null,"topics":["apache","authentication","cas","cas-server"],"latest_commit_sha":null,"homepage":"https://www.apereo.org/projects/cas","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apereo.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2011-07-26T01:18:29.000Z","updated_at":"2025-01-20T10:02:52.000Z","dependencies_parsed_at":"2024-10-20T16:55:52.767Z","dependency_job_id":null,"html_url":"https://github.com/apereo/mod_auth_cas","commit_stats":{"total_commits":320,"total_committers":27,"mean_commits":"11.851851851851851","dds":0.5125,"last_synced_commit":"630f39a85aadf9f13d35f5b34f489dcc086b9fad"},"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apereo%2Fmod_auth_cas","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apereo%2Fmod_auth_cas/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apereo%2Fmod_auth_cas/releases","manifests_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apereo%2Fmod_auth_cas/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apereo","download_url":"https://codeload.github.com/apereo/mod_auth_cas/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254582907,"owners_count":22095518,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache","authentication","cas","cas-server"],"created_at":"2024-08-02T01:03:49.376Z","updated_at":"2025-05-16T18:11:02.432Z","avatar_url":"https://github.com/apereo.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"========================================================================\nMOD_AUTH_CAS 1.2 README\n========================================================================\nApache CAS Authentication Module for the JASIG/Apereo CAS Server.\n\n========================================================================\nLICENSE\n========================================================================\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n https://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations 
under the License.\n\n========================================================================\nINTRODUCTION\n========================================================================\nThe purpose of this module is to allow an Apache web server to interact\nwith an authentication server that conforms to the CAS version 1 or 2\nprotocol or SAML protocol as used by the JASIG/Apereo CAS Server.\nAt the time of this writing, the CAS protocol specification is here:\n\nhttps://apereo.github.io/cas/development/protocol/CAS-Protocol-Specification.html\n\n========================================================================\nGetting Started\n========================================================================\n\n--------------------------------------------------------------------\nLinux Distribution Packaging\n--------------------------------------------------------------------\nmod_auth_cas is available in most major Linux distributions, including\nDebian, Ubuntu, Fedora, and is available from EPEL for CentOS and RHEL.\n\n\n--------------------------------------------------------------------\nBuilding from Source\n--------------------------------------------------------------------\n\nThe following development libraries and utilities must be installed:\n* OpenSSL - 0.9.8c or higher\n* Apache Portable Runtime - 1.5.0 or higher\n* Apache Portable Runtime Utilities - 1.3.0 or higher\n* Apache Web Server - 2.4 or higher\n* libcurl - 7.18.2 or higher\n* libpcre2 - 10 or higher\n\nDownload the distribution via git or tarball.  Because git does not\npreserve timestamps, autoconf may determine it is necessary to bootstrap\nthe project.  
If building from source, please start with:\n\n\tautoreconf -ivf\n\nBuild is performed with the standard Autoconf incantation:\n\n\t./configure \u0026\u0026 make \u0026\u0026 sudo make install\n\nEdit your Apache configuration to load the mod_auth_cas module:\n\n\tLoadModule auth_cas_module /path/to/mod_auth_cas.so\n\nSet a few required parameters in your Apache configuration:\n\n\tCASCookiePath /var/cache/apache2/mod_auth_cas/\n\tCASLoginURL https://login.example.org/cas/login\n\tCASValidateURL https://login.example.org/cas/serviceValidate\n\nProtect a \"Location\" or \"Directory\" block in your Apache\nconfiguration:\n\n\t\u003cLocation /secured\u003e\n\t\tAuthType CAS\n\t\tRequire valid-user\n\t\u003c/Location\u003e\n\nIf attribute-based authorization is also desired, specify cas-attribute\nname:value in your Require rule (please note: both attribute name and value are\ncase-sensitive):\n\n\tCASCookiePath /var/cache/apache2/mod_auth_cas/\n\tCASLoginURL https://login.example.org/cas/login\n\tCASValidateURL https://login.example.org/cas/samlValidate\n\tCASValidateSAML On\n\n\t\u003cLocation /secured\u003e\n\t\tAuthType CAS\n\t\tRequire cas-attribute edupersonaffiliation:staff\n\t\u003c/Location\u003e\n\nBoth the CAS 2.0 and SAML 1.1 protocols support including additional attributes\nin the CAS validation response, which may also be added as HTTP headers (see\nCASAttributePrefix and CASAttributeDelimiter). 
This example uses the SAML\nprotocol and requires that the 'edupersonaffiliation' attribute is set to\n'staff'.\n\n\n========================================================================\nNEW FEATURES AND FUNCTIONS IN THIS RELEASE\n========================================================================\n* OpenSSL 1.1 support.\n* CASv2 attributes.\n* CASPreserveTicket, which allows tickets to pass through when a valid session exists.\n* CASGatewayCookieDomain, to set the gateway cookie domain.\n* Use a dynamic buffer to store the CAS validation response.\n* Various bug and documentation fixes.\nhttps://github.com/apereo/mod_auth_cas/milestone/6?closed=1\n\n========================================================================\nKNOWN ISSUES\n========================================================================\n* Autoconf does not work well on code freshly checked out of git.  Autoconf\n artifacts must be rebuilt using `autoreconf -ivf`.\n\n========================================================================\nKNOWN LIMITATIONS\n========================================================================\nThese limitations are known to exist in this release of the software:\n\n* CAS Proxy Validation is not implemented in this version.\n\n* CAS Ticket Validation can only be performed over an SSL connection.\n  The CAS protocol does not explicitly require this, but to not do so\n  leaves this system open to a man-in-the-middle attack.\n\n* CAS single sign out is currently not functional and disabled.  It\n  is only safe to use in the case where all requests are GET and not\n  POST (the module inadvertently 'eats' some content of the POST\n  request while determining if it should process it as a SAML logout\n  request).\n\n* Slow performance on some systems (particularly\n  virtual machines) has been reported.  This is related to the\n  entropy that is gathered when creating a session cookie for\n  the end user.  
To combat this, there are 3 solutions.  The\n  first is to upgrade the version of the Apache Portable Runtime\n  on your system to \u003e= 1.3.0.  In that version, entropy is gathered\n  from a nonblocking source.  The second method would be to install\n  a package such as rng-tools and feed random data from /dev/urandom\n  to /dev/random (\"-r /dev/urandom\").  The last way is to reduce\n  the size of the CASCookieEntropy setting, reducing the demand on\n  the pool.\n\n* Win32 support has been dropped (but not removed) due to lack of\n  development resources, and seemingly minimal community usage.\n  You are welcome to try it, but YMMV for success.\n\n\n\n========================================================================\nConfiguration\n========================================================================\nFirst, you must tell Apache to load the module.  In your httpd.conf,\nadd:\n\nLoadModule auth_cas_module /path/to/mod_auth_cas.so\n\nThen, in the location(s) you want to protect, use the following\ndirective:\n\nAuthType CAS\n\nBe sure to set authorization parameters in the locations you\nare protecting (e.g. 'require valid-user', 'require group foo')\n\nThe following are valid configuration options and their defaults:\n\nValid Server/VirtualHost Directives\n-----------------------------------\nDirective: \tCASVersion\nDefault:\t2\nDescription:\tThe version of the CAS protocol to adhere to (1 or 2).\n\t\tThis affects whether Gateway mode is available and how\n\t\tthe CAS validation response is parsed.\n\nDirective: \tCASDebug\nDefault:\tOff\nDescription:\tEnable or disable debugging mode for troubleshooting.  Please\n\t\tnote that LogLevel must be set to Debug for the VirtualHost in\n\t\torder for these logs to be visible.\n\nDirective:\tCASValidateDepth\nDefault:\t9\nDescription:\tThis directive will set the maximum depth for chained certificate\n\t\tvalidation.  
The default (according to OpenSSL documentation) is 9.\n\nDirective: \tCASCertificatePath\nDefault:\t/etc/ssl/certs/\nDescription:\tThe path to the X509 certificate of the Certificate Authority for\n\t\tthe server in CASLoginURL and CASValidateURL.  This may be either\n\t\ta file, or a directory containing the certificate files linked to\n\t\tby their hashed names.\n\nDirective: \tCASLoginURL\nDefault:\tNULL\nDescription:\tThe URL to redirect users to when they attempt to access a CAS\n\t\tprotected resource and do not have an existing session.  The\n\t\t'service', 'renew', and 'gateway' parameters will be appended to\n\t\tthis by mod_auth_cas if necessary.  Include 'http[s]://...'\n\nDirective: \tCASValidateURL\nDefault:\tNULL\nDescription:\tThe URL to use when validating a ticket presented by a client in\n\t\tthe HTTP query string (ticket=...).  Must include 'https://' and\n\t\tmust be an HTTPS URL.\n\nDirective: \tCASProxyValidateURL\nDefault:\tNULL\nDescription:\tThe URL to use when performing a proxy validation.  This is currently\n\t\tan unimplemented feature, so setting this will have no effect.\n\nDirective: \tCASRootProxiedAs\nDefault:\tNULL\nDescription:\tThis URL represents the URL that end users may see in the event that\n\t\taccess to this Apache server is proxied.  This will override the\n\t\tautomatic generation of service URLs and construct them using this\n\t\tprefix.  As an example: If the site being protected is http://example.com/\n\t\tand the Apache instance of this server is http://internal.example.com:8080,\n\t\tsetting CASRootProxiedAs to http://example.com would result in proper\n\t\tservice parameter generation.\n\nDirective: \tCASCookiePath\nDefault:\t/dev/null\nDescription:\tWhen users first authenticate to mod_auth_cas with a valid service ticket,\n\t\ta local session is established.  
Information about this session (the\n\t\tusername, time of creation, last activity time, the resource initially\n\t\trequested, and whether or not the credentials were renewed) is stored\n\t\tin this directory.  This location should be writable by the web server ONLY.\n\t\tAny user that can write to this location can falsify authentication information\n\t\tby creating a fake data file.\n\t\tNOTE: Some distributions purge the contents of /tmp/ on a reboot, including\n\t\tuser-created directories.  This will prevent mod_auth_cas from storing\n\t\tcookie information until that directory is created.  To avoid this, try\n\t\tusing a different location, such as /var/cache/apache2/mod_auth_cas/\n\nDirective: \tCASCookieEntropy\nDefault:\t32\nDescription:\tWhen creating a local session, this many random bytes are used to\n\t\tcreate a unique session identifier.  Using large values for this\n\t\tfield may result in delays when generating session IDs if not\n\t\tenough entropy is available.\n\nDirective: \tCASTimeout\nDefault:\t7200 (2 hours)\nDescription:\tThis is the hard limit, in seconds, for a mod_auth_cas session (whether\n\t\tit is idle or not).  When a session has reached this age and a new\n\t\trequest is made, the user is redirected to the CASLoginURL to\n\t\tobtain a new service ticket.  When this new ticket is validated,\n\t\tthey will be assigned a new mod_auth_cas session.  Set this value to '0'\n\t\tso that a non-idle session never expires.\n\nDirective: \tCASIdleTimeout\nDefault:\t3600 (1 hour)\nDescription:\tThis is a limit, in seconds, of how long a mod_auth_cas session can be idle.\n\t\tWhen a request comes in, if it has been inactive for CASIdleTimeout\n\t\tseconds, the user is redirected to the CASLoginURL to obtain a new\n\t\tservice ticket.\n\nDirective: \tCASCacheCleanInterval\nDefault:\t1800 (30 minutes)\nDescription:\tThis is the minimum amount of time that must pass between cache\n\t\tcleanings.  
When a new ticket is issued, or when an expired session\n\t\tis presented, the time of the last cache clean is compared against\n\t\tthis value.  If CASCacheCleanInterval seconds have passed since the\n\t\tlast cleaning, then all files in CASCookiePath are examined and if\n\t\tthey have expired, they are removed.  This is merely to prevent the\n\t\tfile system from becoming excessively cluttered.\n\nDirective:\tCASCookieDomain\nDefault:\tNULL\nDescription:\tSpecify the value for the 'Domain=' parameter in the Set-Cookie header.\n\nDirective:\tCASCookieSameSite\nDefault:\tNULL\nDescription:\tSpecify the value for the 'SameSite=' parameter in the Set-Cookie header.\n\t\tAllowed values are 'None', 'Lax', and 'Strict'.\n\nDirective:\tCASCookieHttpOnly\nDefault:\tOn\nDescription:\tSet the optional 'HttpOnly' flag for cookies issued by mod_auth_cas.\n\t\tSet the HttpOnly flag as described in RFC 6265.  This flag prevents the\n\t\tmod_auth_cas cookies from being accessed by client-side JavaScript.\n\nDirective:\tCASCookieSecure\nDefault:\tAuto\nDescription:\tSet the optional 'Secure' attribute for cookies issued by mod_auth_cas.\n\t\tSet the Secure attribute as described in RFC 6265. This flag prevents the\n\t\tmod_auth_cas cookies from being sent over an unencrypted HTTP connection.\n\t\tBy default, mod_auth_cas sets the 'Secure' attribute depending on information about\n\t\tthe connection (the 'Auto' option). The options 'On' and 'Off' can be used to override\n\t\tthe automatic behaviour.\n\nDirective:\tCASAuthoritative\nDefault:\tOff\nDescription:\tThis directive determines whether an optional authorization directive\n\t\t(see 'Require cas-attribute') is authoritative and thus binding or\n\t\tif other authorization modules will also be applied.\n\t\t'On' means authoritative, 'Off' means not authoritative.\n\t\tNOTE: This directive is unavailable with Apache 2.4. 
See the RequireAny,\n\t\tRequireNone, and RequireAll directives instead.\n\nDirective:\tCASValidateSAML\nDefault:\tOff\nDescription:\tIf enabled, the response from the CAS Server will be parsed for SAML\n\t\tattributes which will be associated with the user.  Requires setting\n\t\tCASValidateURL appropriately; typical URLs are of the form\n\t\thttps://login.example.org/cas/samlValidate.\n\nDirective:\tCASAttributePrefix\nDefault:\tCAS_ (Apache \u003c 2.4)\n\t\tCAS- (Apache 2.4)\nDescription:\tThe prefix to use when adding CAS or SAML attributes to the HTTP headers,\n\t\twhich will be named \u003cCASAttributePrefix\u003e\u003cattr_name\u003e.  CASAuthNHeader\n\t\tmust be set for this directive to be used.\n\t\tNOTE: In Apache 2.4 and newer, headers containing \"invalid\" characters\n\t\t(including underscores) are silently dropped, so you must set this to\n\t\ta \"valid\" name containing only alphabetic characters and hyphens.\n\nDirective:\tCASAttributeDelimiter\nDefault:\t,\nDescription:\tmod_auth_cas will set the value of the attribute header (as described\n\t\tin CASAttributePrefix) to \u003cattrvalue\u003e\u003cCASAttributeDelimiter\u003e\u003cattrvalue\u003e\n\t\tin the case of multiple attribute values.\n\nDirective:\tCASPreserveTicket\nDefault:\tOff\nDescription:\tThis directive leaves CAS ticket parameters intact when a valid\n\t\tsession cookie exists. This helps prevent infinite redirect loops when\n\t\tCAS protection is being used at multiple levels.\n\nDirective:\tCASGatewayCookieDomain\nDefault:\tNULL\nDescription:\tSpecify the value for the 'Domain=' parameter in the Set-Cookie header\n\t\twhen setting the CASGatewayCookie.\n\nValid Directory/.htaccess Directives\n------------------------------------\nDirective:\tCASScope\nDefault:\tOff\nDescription:\tUse this directive with an argument as a relative path (e.g. /application/) to specify\n\t\tthe scope for which a mod_auth_cas cookie is valid.  
This is beneficial to prevent\n\t\tadditional round trips to the CAS server.  Assume someone authenticates to /application/subdir/\n\t\tand then browses to /application/ - without CASScope set, each request would result in\n\t\ta round trip to the CAS server and a new cookie being created (one for each directory).\n\t\tCASScope would set one cookie, which will be presented on access to both directories.\n\t\tNote that if someone accessed /application/ and then /application/subdir/ this would not\n\t\tbe an issue, but that order of access cannot be guaranteed.  To disable this feature,\n\t\tthe special argument 'Off' will return to per-directory cookie paths for this directory\n\t\tand subdirectories.\n\nDirective: \tCASRenew\nDefault:\tOff\nDescription:\tUse this directive with an argument as a relative path (e.g. /application/secure/\n\t\tfor http://www.example.com/application/secure/*) to force a user to renew their\n\t\tcredentials when accessing that directory.  The argument MUST be a relative path.\n\t\tThe special argument 'Off' disables this requirement\n\t\tfor this directory and subdirectories.\n\nDirective: \tCASGateway\nDefault:\tOff\nDescription:\tUse this directive with an argument as a relative path (e.g. /application/insecure/\n\t\tfor http://www.example.com/application/insecure/*) to allow anonymous access to that directory.\n\t\tThe argument MUST be a relative path. 
To disable this feature, the special argument 'Off'\n\t\twill reinstate the requirement for authentication.\n\nDirective: \tCASCookie\nDefault:\tMOD_AUTH_CAS\nDescription:\tThe name of the cookie used to store the session ID over HTTP connections.\n\t\tIt should be changed if it will interfere with the application protected\n\t\tby mod_auth_cas.\n\nDirective: \tCASSecureCookie\nDefault:\tMOD_AUTH_CAS_S\nDescription:\tThe name of the cookie used to store the session ID over HTTPS connections.\n\t\tIt should be changed if it will interfere with the application protected\n\t\tby mod_auth_cas.\n\nDirective: \tCASGatewayCookie\nDefault:\tMOD_AUTH_CAS_G\nDescription:\tThe name of the cookie used to store whether or not the user has attempted\n\t\tto access this resource before.  It should be changed if it will interfere\n\t\twith the application protected by mod_auth_cas.\n\nDirective:\tCASAuthNHeader\nDefault:\tNone\nDescription:\tIf enabled, this will store the user returned by CAS in the specified\n\t\tHTTP header accessible to your web applications, and any additional\n\t\tattributes received in headers named according to CASAttributePrefix.\n\t\tThis is in addition to the REMOTE_USER environment variable, which is\n\t\talways set to the CAS user.\n\nDirective:\tCASSSOEnabled\nDefault:\tOff\nDescription:\tIf enabled, this activates support for Single Sign Out within the CAS\n\t\tprotocol.  Please note that this feature is currently experimental and\n\t\tmay mangle POST data.\n\nDirective:\tCASScrubRequestHeaders\nDefault:\tOff\nDescription:\tmod_auth_cas will strip inbound request headers that may have\n\t\tspecial meaning, such as those set with the CASAttributePrefix or the\n\t\tCASAuthNHeader value.\n\nDirective:\tRequire cas-attribute \u003cattribute\u003e:\u003cvalue\u003e\nDefault:\tNULL\nDescription:\tUse this directive to authorize based on CAS or SAML attributes\n\t\treturned via the session validation call. Multiple directives\n\t\tare OR-ed. 
If the directive is present with no attributes defined,\n\t\tthe request is declined. If the value has spaces, wrap the pair in quotes.\n\t\tSee also CASAuthoritative.\n\nDirective:\tRequire cas-attribute \u003cattribute\u003e~\u003cvalue\u003e\nDefault:\tNULL\nDescription:\tUse this form of the directive to authorize based on CAS or SAML\n\t\tattributes returned via the session validation call. Multiple\n\t\tdirectives are OR-ed. If the directive is present with no attributes\n\t\tdefined, the request is declined. The value is interpreted as a\n\t\tPerl-Compatible Regular Expression (PCRE) using case-sensitive\n\t\tmatching. See also CASAuthoritative.\n\n========================================================================\nCONTACT INFORMATION AND WEBSITE\n========================================================================\nWe welcome your feedback, suggestions and contributions. Contact us\nvia email if you have questions, feedback, code submissions,\nand bug reports.  To reach the development team, send an e-mail to:\n\ncas-user [at] apereo [dot] org\n\nGoogle Group link:\n\nhttps://groups.google.com/a/apereo.org/forum/#!forum/cas-user\n\n========================================================================\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapereo%2Fmod_auth_cas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapereo%2Fmod_auth_cas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapereo%2Fmod_auth_cas/lists"}