[11:22:12 CDT(-0500)] <foxnesn> hey atilling

[11:27:21 CDT(-0500)] <foxnesn> i got one of the cas clients to work with checkall in my webflow

[11:27:24 CDT(-0500)] <foxnesn> so making progress

[11:37:19 CDT(-0500)] <atilling> very nice

[12:35:32 CDT(-0500)] <codehotter> hi. Can I use mod_cas and only allow access if the user is a member of an LDAP group?

[12:36:08 CDT(-0500)] <serac> First, you want to use mod_auth_cas. mod_cas is deprecated. (and I believe has security issues)

[12:36:43 CDT(-0500)] <codehotter> ok

[12:37:35 CDT(-0500)] <codehotter> duly noted

[12:37:35 CDT(-0500)] <serac> I have a patch for that functionality.

[12:37:57 CDT(-0500)] <serac> We use it here at Virginia Tech, but it's not officially supported. There may be a Jira issue for it. One sec.

[12:38:40 CDT(-0500)] <serac> Actually, I'm conflating matters.

[12:38:58 CDT(-0500)] <serac> You can mix/match Apache directives to do what you want.

[12:39:09 CDT(-0500)] <serac> Use m-a-c for authentication, then mod_authnz_ldap for authorization.

[12:39:41 CDT(-0500)] <serac> Alternatively....

[12:40:10 CDT(-0500)] <serac> you could leverage the attribute release feature of CAS to send back attributes that it looks up about a user from LDAP and use that to authorize the user via m-a-c.

[12:40:30 CDT(-0500)] <serac> https://issues.jasig.org/browse/MAS-60 is the issue for that approach on the Apache side.

[12:42:34 CDT(-0500)] <codehotter> serac: Alright. Answers my question perfectly.

[12:43:00 CDT(-0500)] <serac> Good deal. I know Apache configuration just to be dangerous, but hopefully it's enough in this case to point you in the right direction.

[12:43:41 CDT(-0500)] <atilling> Seeing as you're quick on that one, do you know mod_jk well?

[12:44:17 CDT(-0500)] <serac> Probably even more dangerous there.

[12:44:32 CDT(-0500)] <serac> The first question I ask when mod_jk comes up is why the hell do you have Apache in the mix?

[12:44:56 CDT(-0500)] <serac> Which is a pretty poor answer, I know.

[12:45:20 CDT(-0500)] <atilling> lol, have a folder, served by Tomcat, through apache and mod_jk and I need security on that folder

[12:46:00 CDT(-0500)] <atilling> but not all the folders/pages served by that war

[12:46:14 CDT(-0500)] <serac> Fair enough.

[12:47:17 CDT(-0500)] <atilling> I tried defining normal apache security to the folder and it seems it's being served by tomcat before apache checks the security context

[12:48:42 CDT(-0500)] <atilling> from what I see on tomcat it's an all or nothing approach on an app by app basis

[12:49:04 CDT(-0500)] <atilling> basically the app needs to be public and its admin secure

[12:50:21 CDT(-0500)] <serac> I'd be surprised if the apache request pipeline put mod_jk before security constraints.

[12:50:28 CDT(-0500)] <serac> But I've been surprised before.

[12:53:01 CDT(-0500)] <atilling> surprised me as well, thought I was all slick and that apache would come to my security rescue but no dice

[12:57:46 CDT(-0500)] <serac> Cite the part of httpd.conf that's for mod_jk.

[13:17:27 CDT(-0500)] <atilling> http://www.pastie.org/2794661

[13:24:36 CDT(-0500)] <serac> Let's see the uriworkermap.properties file. The URI mappings are the interesting part.

[13:47:48 CDT(-0500)] <foxnesn> [INFO] WEB-INF/web.xml already added, skipping

[13:47:53 CDT(-0500)] <foxnesn> what does that mean?

[13:47:56 CDT(-0500)] <foxnesn> added to what?

[13:48:10 CDT(-0500)] <foxnesn> i made a change in the web.xml file and the build says that

[13:48:11 CDT(-0500)] <serac> That in the cas log file?

[13:48:21 CDT(-0500)] <foxnesn> just in the build output

[13:48:29 CDT(-0500)] <foxnesn> after mvn clean package

[13:48:58 CDT(-0500)] <serac> I would imagine it means that you're overlaying a custom web.xml, so there's no need to copy the one that's in the cas-server-webapp dependency.

[13:49:18 CDT(-0500)] <foxnesn> ahh that makes sense

[13:49:37 CDT(-0500)] <foxnesn> always wondered what it was referring to

[13:49:54 CDT(-0500)] <atilling> http://www.pastie.org/2794838

[13:50:32 CDT(-0500)] <serac> What's an example path you want served by Apache?

[13:51:41 CDT(-0500)] <atilling> in this case I want apache security to protect index.cfm under the path /CFIDE

[13:52:24 CDT(-0500)] <serac> But you mapped /*.cfm to tomcat.

[13:53:47 CDT(-0500)] <atilling> that was the point having apache protect certain folders but have the app still mapped to tomcat

[13:54:14 CDT(-0500)] <serac> I'm thinking that mapping is too broad.

[13:54:42 CDT(-0500)] <atilling> we have hundreds of *.cfm files, we only want the ones under a particular folder to be secure

[13:55:08 CDT(-0500)] <serac> Understood.

[13:55:13 CDT(-0500)] <serac> You may need an exception.

[13:55:20 CDT(-0500)] <atilling> basically cfm is like jsp

[13:55:41 CDT(-0500)] <serac> I know cfm.

[13:55:42 CDT(-0500)] <atilling> all the jsp files need to be handled by tomcat

[13:55:45 CDT(-0500)] <atilling> ok

[13:55:46 CDT(-0500)] <serac> Here's the docs:

[13:55:47 CDT(-0500)] <serac> Inside the URI pattern three special characters can be used, '*', '?' and '|'. The character '*' is a wildchar that matches any number of arbitrary characters in the URI

[13:55:57 CDT(-0500)] <serac> I read that as * matches / characters as well.

[13:56:08 CDT(-0500)] <atilling> right

[13:56:56 CDT(-0500)] <atilling> I can't set the /cfide folder to not be mapped to tomcat, still need the CFM processed

[13:56:56 CDT(-0500)] <serac> So a file like /CFIDE/index.cfm would be covered by that mapping.

[13:57:12 CDT(-0500)] <serac> I see.

[13:57:52 CDT(-0500)] <serac> The behavior you're seeing indicates you can't do both.

[13:58:01 CDT(-0500)] <serac> I was thinking this was static content served by Apache.

[13:58:31 CDT(-0500)] <atilling> the /CFIDE folder contains the coldfusion server settings

[13:59:57 CDT(-0500)] <atilling> but the server settings themselves are a cfm page(s)

[14:00:15 CDT(-0500)] <serac> And you need them interpreted by Cold Fusion.

[14:00:59 CDT(-0500)] <serac> You may want to consider switching to mod_proxy_ajp, which I believe would support this use case.

[14:01:02 CDT(-0500)] <atilling> Coldfusion has password protection for the server admin but it's fairly weak and I wanted to put mod_auth_cas in front of that folder

[14:04:02 CDT(-0500)] <serac> You might post to users@tomcat.apache.org to find out whether it's possible to apply Apache security directives to URIs that are mapped to Tomcat. While it would be surprising if you can't, I can imagine that's the case.

[14:04:20 CDT(-0500)] <atilling> thanks