{"id":13463339,"url":"https://github.com/biola/rack-cas","last_synced_at":"2025-03-25T06:31:53.307Z","repository":{"id":5023247,"uuid":"6182029","full_name":"biola/rack-cas","owner":"biola","description":"Rack-CAS is simple Rack middleware to perform CAS client authentication.","archived":false,"fork":false,"pushed_at":"2024-01-16T19:10:44.000Z","size":133,"stargazers_count":149,"open_issues_count":12,"forks_count":76,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-05-12T11:43:35.083Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"tresata/spark-scalding","license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/biola.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-10-11T22:55:10.000Z","updated_at":"2024-06-18T17:11:32.569Z","dependencies_parsed_at":"2024-06-18T17:11:29.131Z","dependency_job_id":null,"html_url":"https://github.com/biola/rack-cas","commit_stats":{"total_commits":144,"total_committers":30,"mean_commits":4.8,"dds":0.6180555555555556,"last_synced_commit":"a7626614ae33d9b8dec1cf6b41bdb76b2ae55854"},"previous_names":[],"tags_count":29,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/biola%2Frack-cas","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/biola%2Frack-cas/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/biola%2Frack-cas/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/biola%2Frack-cas/manifests","ow
ner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/biola","download_url":"https://codeload.github.com/biola/rack-cas/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222045604,"owners_count":16921980,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T13:00:51.378Z","updated_at":"2024-10-29T12:31:15.772Z","avatar_url":"https://github.com/biola.png","language":"Ruby","readme":"Rack-CAS [![Build Status](https://travis-ci.org/biola/rack-cas.svg?branch=master)](https://travis-ci.org/biola/rack-cas) [![Gem Version](https://badge.fury.io/rb/rack-cas.svg)](https://badge.fury.io/rb/rack-cas)\n========\nRack-CAS is simple [Rack](http://rack.github.com/) middleware to perform [CAS](http://en.wikipedia.org/wiki/Central_Authentication_Service) client authentication.\n\nFeatures\n========\n* __Rack based__\n* __Framework independent__\nWorks with, but doesn't depend on Rails, Sinatra, etc.\n* __Minimal dependencies__\nCurrent gem dependencies are [rack](http://rubygems.org/gems/rack), [addressable](http://rubygems.org/gems/addressable) and [nokogiri](http://rubygems.org/gems/nokogiri).\n* __Supports CAS extra attributes__\nExtra attributes are a mess though. 
So let me know if your brand of CAS server isn't supported.\n* __Single sign out__\nOne of the included session stores must be used.\n* __Rake tasks to prune stale sessions__\n`rack_cas:sessions:prune:active_record` and `rack_cas:sessions:prune:mongoid`\n\nRequirements\n============\n* Ruby \u003e= 2.0\n* A working [CAS server](http://casino.rbcas.com)\n* An app that [returns a `401 Unauthorized`](#integration) status when authentication is required\n\nInstallation\n============\n\nRails\n-----\n\nAdd `gem 'rack-cas'` to your [`Gemfile`](http://gembundler.com/gemfile.html) and run `bundle install`\n\nOnce the necessary gems have been installed, in your `config/application.rb` add:\n```ruby\nconfig.rack_cas.server_url = 'https://cas.example.com/'\n```\nIf the server URL depends on your environment, you can define it in the corresponding file: `config/environments/\u003cenv\u003e.rb`\n\n### Protocol\n\nSince protocol `p3`, the protocol version is prepended to certain URLs. If you wish to use protocol `p3`, set the following config variable:\n\n`config.rack_cas.protocol = 'p3'`\n\n[For more info](http://jasig.github.io/cas/4.1.x/protocol/CAS-Protocol-Specification.html#cas-uris)\n\n### Single Logout ###\n\nIf you wish to enable [single logout](http://apereo.github.io/cas/4.0.x/installation/Logout-Single-Signout.html) you'll need to modify your configuration as below.\n\n#### Active Record ####\n\nSet the `session_store` in your `config/application.rb`:\n```ruby\nrequire 'rack-cas/session_store/active_record'\nconfig.rack_cas.session_store = RackCAS::ActiveRecordStore\n```\nEdit your `config/initializers/session_store.rb` file with the following:\n```ruby\nrequire 'rack-cas/session_store/rails/active_record'\nRails.application.config.session_store ActionDispatch::Session::RackCasActiveRecordStore\n```\nRun:\n```shell\nrails generate cas_session_store_migration\nrake db:migrate\n```\n#### Mongoid ####\n\nSet the `session_store` in your `config/application.rb`:\n```ruby\nrequire 
'rack-cas/session_store/mongoid'\nconfig.rack_cas.session_store = RackCAS::MongoidStore\n```\nEdit your `config/initializers/session_store.rb` file with the following:\n```ruby\nrequire 'rack-cas/session_store/rails/mongoid'\nYourApp::Application.config.session_store ActionDispatch::Session::RackCasMongoidStore\n```\n#### Redis ####\n\nSet the `session_store` in your `config/application.rb`:\n```ruby\nrequire 'rack-cas/session_store/redis'\nconfig.rack_cas.session_store = RackCAS::RedisStore\n```\nEdit your `config/initializers/session_store.rb` file with the following:\n```ruby\nrequire 'rack-cas/session_store/rails/redis'\nYourApp::Application.config.session_store ActionDispatch::Session::RackCasRedisStore\n```\nOptionally, set the `redis_options` in your `config/application.rb`.\nYou can specify anything `Redis.new` allows.\nFor example:\n```ruby\nconfig.rack_cas.redis_options = { path: '/tmp/redis.sock', driver: :hiredis }\n```\nSinatra and Other Rack-Compatible Frameworks\n--------------------------------------------\n\nAdd `gem 'rack-cas'` to your [`Gemfile`](http://gembundler.com/gemfile.html) and run `bundle install`\n\nAdd the following to your `config.ru` file:\n```ruby\nrequire 'rack/cas'\nuse Rack::CAS, server_url: 'https://login.example.com/cas'\n```\nSee the [example Sinatra app](https://gist.github.com/adamcrown/a7e757759469033584c4) to get started.\n\n### Single Sign Out ###\n\nYou will need to store sessions in a session store supported by Rack CAS.\n\n#### Active Record ####\nAdd a migration that looks roughly like\n\n    class AddSessionStore \u003c ActiveRecord::Migration\n    \tdef change\n    \t\tcreate_table :sessions do |t|\n    \t\t\tt.string :cas_ticket\n    \t\t\tt.string :session_id\n    \t\t\tt.text :data\n    \t\t\tt.datetime :created_at\n    \t\t\tt.datetime :updated_at\n    \t\tend\n    \tend\n    end\n\nThen use the middleware with\n\n    require 'rack-cas/session-store/rack/active_record'\n    use 
Rack::Session::RackCASActiveRecordStore\n\nConfiguration\n=============\n\nExtra Attributes\n----------------\n\nYou can whitelist which extra attributes to keep.\nIn your `config/application.rb`:\n```ruby\nconfig.rack_cas.extra_attributes_filter = %w(some_attribute some_other_attribute)\n```\n\nExcluding Paths\n---------------\n\nIf you have some parts of your app that should not be CAS authenticated (such as an API namespace), just pass `exclude_path` to the middleware. You can pass in a string that matches the beginning of the path, a regular expression or an array of strings and regular expressions.\n```ruby\nuse Rack::CAS, server_url: '...', exclude_path: '/api'\nuse Rack::CAS, server_url: '...', exclude_path: /\\.json/\nuse Rack::CAS, server_url: '...', exclude_paths: ['/api', /\\.json/]\n```\nThe same options can be passed to `FakeCAS`.\n```ruby\nuse Rack::FakeCAS, exclude_path: '/api'\n```\n\nExcluding Requests\n------------------\n\nIf the path exclusion is not suitable to ignore the CAS authentication in some parts of your app, you can pass\n`exclude_request_validator` to the middleware with a custom validator. You need to pass a `Proc` object that will accept\na `Rack::Request` object as a parameter.\n\n```ruby\nuse Rack::CAS, server_url: '...', exclude_request_validator: Proc.new { |req| req.env['HTTP_CONTENT_TYPE'] == 'application/json' }\n```\n\nService URL\n--------------------\n\nSometimes you need to force the `service=` attribute on login requests, and not just use the request url in an automatic way.\n\n```ruby\nuse Rack::CAS, service: 'http://anotherexample.com'\n```\n\nIgnore 401 Intercept\n--------------------\n\nFor some requests you might want to ignore the 401 intercept made by the middleware. For example when we want CAS to\nauthenticate API requests but leave the redirect handling to the client. For this you can use the\n`ignore_intercept_validator`. 
You need to pass a `Proc` object that will accept a `Rack::Request` object as a parameter.\n\n```ruby\nuse Rack::CAS, server_url: '...', ignore_intercept_validator: Proc.new { |req| req.env['HTTP_CONTENT_TYPE'] == 'application/json' }\nuse Rack::CAS, server_url: '...', ignore_intercept_validator: Proc.new { |req| req.env['PATH_INFO'] =~ /api/ }\n```\n\nSSL Cert Verification\n---------------------\n\nIf you're working in development or staging, your CAS server may not have a valid SSL cert. You can turn off SSL cert verification by adding the following to `config/application.rb`. Leave verification enabled in production, since without it anyone on the network path can impersonate the CAS server and forge ticket validation responses.\n\n```ruby\nconfig.rack_cas.verify_ssl_cert = false\n```\n\nCAS Login Renew Flag\n--------------\n\nThe CAS standard allows for a `renew=true` parameter to be passed to the CAS server which will force the user to re-login every time CAS authentication is performed, for added security. To enable this for your application, add the following to `config/application.rb`.\n\n```ruby\nconfig.rack_cas.renew = true\n```\n\nIntegration\n===========\nYour app should __return a [401 status](http://httpstatus.es/401)__ whenever a request is made that requires authentication. Rack-CAS will catch these responses and attempt to authenticate via your CAS server.\n\nOnce authentication with the CAS server has completed, Rack-CAS will set the following session variables:\n```ruby\nrequest.session['cas']['user'] #=\u003e johndoe\nrequest.session['cas']['extra_attributes'] #=\u003e { 'first_name' =\u003e 'John', 'last_name' =\u003e ... 
}\n```\n__NOTE:__ `extra_attributes` will be an empty hash unless they've been [configured on your CAS server](http://casino.rbcas.com/docs/configuration/#ldap).\n\nTesting\n=======\n\nController Tests\n----------------\nTesting your controllers and such should be as simple as setting the session variables manually in a helper.\n```ruby\ndef set_current_user(user)\n  session['cas'] = { 'user' =\u003e user.username, 'extra_attributes' =\u003e {} }\nend\n```\nIntegration Tests\n-----------------\nIntegration testing using something like [Capybara](http://jnicklas.github.com/capybara/) is a bit trickier because the session can't be manipulated directly. So for integration tests, I recommend using the provided `Rack::FakeCAS` middleware instead of `Rack::CAS`.\n```ruby\nrequire 'rack/fake_cas'\nuse Rack::FakeCAS\n```\nIn addition you can pass a Hash to configure extra attributes for predefined\nusernames.\n```ruby\nuse Rack::FakeCAS, {}, {'john' =\u003e {'name' =\u003e 'John Doe'}}\n```\nIf you are using Rails, FakeCAS is automatically used in the test environment by default. 
If you would like to activate it in any other environment, add the following to the corresponding `config/environments/\u003cenv\u003e.rb`:\n```ruby\nconfig.rack_cas.fake = true\n```\nYou can also configure extra attribute mappings through the Rails config:\n```ruby\nconfig.rack_cas.fake_attributes = { 'john' =\u003e { 'name' =\u003e 'John Doe' } }\n```\nThen you can simply do the following in your integration tests in order to log in.\n```ruby\nvisit '/restricted_path'\nfill_in 'username', with: 'johndoe'\nfill_in 'password', with: 'any password'\nclick_button 'Login'\n```\n__NOTE:__ The FakeCAS middleware will authenticate any username with any password and so should never be used in production.\n","funding_links":[],"categories":["Security","Middlewares"],"sub_categories":["Rails Authentication"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbiola%2Frack-cas","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbiola%2Frack-cas","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbiola%2Frack-cas/lists"}