Comment: Migrated to Confluence 5.3
Warning

NOTE: A vulnerability was discovered in the mod_cas Apache module. It is recommended that ALL deployers upgrade to mod_auth_cas immediately. mod_auth_cas is not affected by the vulnerability and is the currently supported Apache module.

The Yale CAS client distribution includes modules for Apache which serve as a CAS 1.0 casclient. See AuthCAS for an alternative implementation of an Apache (mod_perl) module for CAS authentication which offers additional features.

...

Starting with the Case mod_cas distribution as a base, Carl Harris (~ceharris) wrote a modification to support the XML objects returned by CAS 2 and up. It was also modified to support a chain of trusted CA certificates, rather than a single certificate. The attached mod_cas-VATECH.tar.gz can be used with the instructions posted on the Case wiki to produce the improved mod_cas. The CASTrustedCerts directive can now point to a file containing a trusted CA cert chain.
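A pre-deployment sanity check for the chain file that CASTrustedCerts points to, as an added example that is not part of mod_cas or the VATECH distribution. It assumes the file is a PEM bundle; `lint_ca_bundle`, `SAMPLE_BUNDLE` and the placeholder DER bytes are constructed for illustration. It checks structure only and does not validate the certificates or the chain itself.

```python
import base64
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def lint_ca_bundle(text):
    """Return (certificate_count, problems) for a PEM CA chain file."""
    problems = []
    count = 0
    for index, match in enumerate(PEM_BLOCK.finditer(text), start=1):
        label, body = match.group(1), match.group(2)
        if "PRIVATE KEY" in label:
            # A trust file is readable by the web server; keys never belong in it.
            problems.append(f"block {index}: private key in trust file")
            continue
        if label != "CERTIFICATE":
            problems.append(f"block {index}: unexpected PEM type {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {index}: body is not valid base64")
            continue
        # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"block {index}: not a DER SEQUENCE")
            continue
        count += 1
    if count == 0:
        problems.append("no usable CERTIFICATE blocks found")
    return count, problems

def _pem(label, der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample: two placeholder "certificates" (not real X.509),
# a stray private key block, and a block with a corrupted body.
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
    + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
    + _pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")
    + "-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"
)
```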

For a documented sample Apache configuration file, Andrew Ralph Feller has provided a base for new and experienced deployers to use; see the mod_cas-VATECH.conf attachment. 

TODO: The ssl_verify.c module in mod_cas is rather monolithic and inelegant. It could really stand to be significantly refactored.
TODO: OpenSSL has options for getting the trusted CA cert chain as a single file or as a directory. The directory option is not currently implemented in mod_cas-VATECH, but should be added.

When not to use MOD_CAS

(Per Scott Lundgren's email).

  • mod_cas should not be used with pages that use frames
  • directories of image files should be moved out from under mod_cas protection because browsers (IE 6 & Firefox 1.06) do not know how to handle the redirects for the requests for images embedded in an HTML page
  • directories of CSS files should be moved out from under mod_cas protection for the same reasons
  • mod_cas cannot be used with server generated images where scripts return an image stream