Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 29 Next »

CAS Proxying with Classic ASP

This article demonstrates using CAS authentication with classic ASP and then calling a second application via
a CAS proxy. You should read the article on the proxy CAS walkthrough Proxy CAS Walkthrough first as it explains
how CAS proxying works.

For an example of how to do CAS proxying with ASP.Net, see me other article CAS Proxying with ASP.Net Forms Authentication

Using the code I have sited below, it is really quite simple to call another CAS-enabled application as a proxy after the
main (Proxier) CAS application has already authenticated.

The basic steps using the CAS_Authenticator class are as follows:

  1. Call the ServiceValidate method from the main (Proxier) application for CAS authentication and include a pgtUrl attribute.

    About the pgtUrl

    The pgtUrl MUST be part of the same application as the CAS Proxier AND be on a secure server with a valid RSA or Verisign SSL Certificate

  2. The pgtUrl receives back from CAS the pgtIou/pgtId pair and stores them in an Application variable (e.g. Application(<value of pgtIou>) = <value of pgtId>)

    The use of Application variables

    Application variables MUST be used instead of Session variables. This is because of the extra trip CAS has to make to the pgtUrl. Your application would lose it's session variables otherwise. This is NOT true in basic CAS Authentication so, you will notice through out these examples that I chose to use Application variables instead of Session variables for this reason. Also, note the use of the name of the Application variable being the value of the pgtIou. This is important because the main (Proxier) application will need to retrieve the pgtId sent to the pgtUrl and the only value it will know is the proxyGrantingTicket IOU (pgtIou).

  3. The main (Proxier) application retrieves the pgtId value from the Application variable stored by the pgtUrl and then calls the RequestProxyTicket
    method passing in the pgtId and the proxy application complete Url
    The actual proxy application can be any CAS-enabled application that can call proxyValidate on the supplied proxyTicket and it does not have to reside
    on the same application server like the pgtUrl and main Proxier applications do.
  4. With the "real" proxyTicket in it's grasp, the main (Proxier) application now calls AddProxyArgument as many times as it needs to add the arguments
    the proxied application will need. At the bare minimum, the proxyTicket itself MUST be added as an argument.
    If you do not add the proxyTicket as an argument, the proxied application would not be able to call CAS with proxyValidate
  5. Finally, call the MakeWebRequest method passing in the Url to the CAS-enabled application to be proxied along with the http method (e.g. GET or POST)
    The MakeWebRequest method is sort of an ASP version of the System.Net.WebClient class in ASP.Net. You can call this method in any ASP page
    to make an http GET or POST request and receive an html or xml response depending on the request. This method works very well for CAS proxying
    because we are just going to Response.Write the returned html of the proxied application to the browser.

The examples I've outlined rely on two classes (source code at the end of this article) that must be included in an include file in order for them to work.
The first is a simple string class since ASP doesn't have the very useful StringBuilder that is always available in ASP.Net,
I created a vbscript mocked up version called clsString (see below). The second class is the CAS_Authenticator and does all the dirty work,
not just for basic CAS authentication with ASP but also supports CAS proxying which is what my examples will demonstrate.

VBScript Code

CASProxier.asp

<%@ Language=VBScript %>
<%Option Explicit %>

<!-- #Include File = "../Includes/Public.asp" -->
<HTML>
<HEAD>
<title>Test CAS Proxy Application</title>

</HEAD>
          <body>

<%
Dim objCAS, serviceUrl
Dim pgtId
Dim proxyTicket
Dim proxyAppUrl

'Initialize CAS Authenticator Class
Set objCAS = New CAS_Authenticator

'Set the CAS URL, change accordingly
objCAS.CASURL = "https://auth-test.berkeley.edu/cas"

'Set the current request page Url as the CAS service name
serviceUrl = GetRequestUrl()

If Request.ServerVariables.Item("REQUEST_METHOD") = "POST" Then
    'Get the pgtId, the proxy callback would have stored this as an application variable
    'with the key name as the pgtIou
    pgtId = Application(objCAS.ProxyGrantingTicketIOU)
         
    If IsEmpty(pgtId) Then
        Response.Write "No pgtId found, please make sure your pgtUrl is correct!"
        Response.Write "<BR>"
        Response.End
    End If
         
    'Send off the pgtId as well as the full Url to the CAS-enabled app to be proxied to the
    'RequestProxyTicket method. It will return the "real" proxy ticket to call the proxy with
    proxyAppUrl = "https://orimaging.berkeley.edu/ASP/Proxy/CASProxy.asp"
    proxyTicket = objCAS.RequestProxyTicket(pgtId, proxyAppUrl)
         
    If IsEmpty(proxyTicket) Then
        Response.Write "The proxyTicket is Empty! " & objCAS.LastError
        Response.Write "<BR>"
        Response.End
    End If
         
    'Add arguments to send to proxy, proxyTicket is required as an argument!
    objCAS.AddProxyArgument "proxyTicket", proxyTicket
         
    'Make a request to the proxy and output the response
    Response.Write "Proxy Response:"
    Response.Write "<BR>"
    Response.Write objCAS.MakeWebRequest(proxyAppUrl, "POST")
Else
    If IsEmpty(Application("UID")) Then
        'Since this application will proxy other CAS-enabled apps, we will request
        'a pgtIou/pgtId pair from CAS by supplying a secure Url to our CAS Callback
        objCAS.CASpgtUrl = "https://orimaging.berkeley.edu/ASP/Proxy/ProxyCallback.asp"

        'Validate the URL of this application which will get assigned a ticket
        'unless it fails, in which case exit and explain why it failed
        If Not objCAS.ServiceValidate(serviceUrl) Then
            Response.Write objCAS.LastError
            Response.Write "<BR>"
            Response.Write "Service: " & serviceUrl
            Response.End
        EndIf
            'Set Application variables
            Application.Lock
            Application("UID") = objCAS.netID
            Application.UnLock
    End If
%>
<FORM action="Default.asp" method=post>
<TABLE align=center width="75%">
    <TR>
        <td valign=top align=left>
            <A href="../Logout.asp?url=<%=serviceUrl%>">Log out of CAS</A>
        </td>
    </TR>
    <TR>
        <td valign=top align=left>
            The current time is: <%=now()%>
        </td>
    </TR>
    <TR>
        <td valign=top align=left>
            <span style="FONT-SIZE: 14px; COLOR: teal; FONT-FAMILY: tahoma">
                Welcome <B><%=Application("UID")%></B>, you have successfully authenticated with CAS
            </span>
        </td>
    </TR>
    <TR>
        <td valign=top align=left>
            <INPUT type="submit" value="Test Call Proxy" id="btnCallProxy" name="btnCallProxy">
        </td>
    </TR>
</TABLE>
</FORM>
<%
End If
Set objCAS = Nothing
%>    
          </body>
</HTML>

pgtUrl

<%@ Language=VBScript %>
<%Option Explicit %>

<!-- #Include File = "../Includes/Public.asp" -->

<HTML>
<HEAD>
<title>CAS Proxy Callback App</title>
</HEAD>
            <body>           
<%

Dim pgtIou, pgtId

'Get pgtIou in Query String sent from CAS
pgtIou = Request.QueryString.Item("pgtIou")

'Get pgtId in Query String sent from CAS
pgtId = Request.QueryString.Item("pgtId")

'Check to see if they exist
If Len(pgtIou) = 0 OR Len(pgtId) = 0 Then
    Response.Write "No pgtIou/pgtId pair supplied!"
    Response.End
End If

'Store pgtId in application variable accessable from any page within this application
Application.Lock
Application(pgtIou) = pgtId
Application.UnLock

%>
            </BODY>
</HTML>

CAS Proxied Application

<%@ Language=VBScript %>
<%Option Explicit %>

<!-- #Include File = "../Includes/Public.asp" -->

<HTML>
<HEAD>
<title>Test CAS Proxy</title>
</HEAD>
            <body>

<%
Dim proxyArgKey
Dim proxyTicket
Dim objCAS

'Initialize CAS Authenticator Class
Set objCAS = New CAS_Authenticator

'Set the CAS URL, change accordingly
objCAS.CASURL = "https://auth-test.berkeley.edu/cas"

'proxy ticket should be in either the query string or the form post
proxyTicket = Request.Item("proxyTicket")

If Not IsEmpty(proxyTicket) Then
    ' validate the proxy application with CAS
    objCAS.ValidateProxy proxyTicket
   
    If NOT IsEmpty(objCAS.LastError) Then
        Response.Write objCAS.LastError
        Response.Write "<BR>"
        Response.End
    End If
   
            %>
            <P>     
            <span style="font-size: 14px;font-family: tahoma;color:teal">
                        Welcome <B><%=objCAS.netID%></B>, you have successfully authenticated with CAS
            </span>
            </P>
            <%

    '
    'Since this is the proxy application, we will check its arguments it was sent
    'Normally we would know if the arguments were sent in the query string or Form post
    'but for the purposes of this example, we will check both
    '

    If Request.QueryString.Count > 0 Then
        'get arguments from querystring object
        For Each proxyArgKey In Request.QueryString
            Response.Write proxyArgKey & "=" & Request.QueryString.Item(proxyArgKey) & "(query string)"
            Response.Write "<BR>"
        Next
    Else
        'get arguments from form object
        For Each proxyArgKey In Request.Form
            Response.Write proxyArgKey & "=" & Request.Form.Item(proxyArgKey) & "(form post)"
            Response.Write "<BR>"
        Next
    End If

    If Not IsEmpty(objCAS.Proxies) Then
        Response.Write "<BR>"
        Response.Write "CAS Proxies:"
        Response.Write "<BR>"
        Response.Write objCAS.Proxies
        Response.Write "<BR>"
    End If
Else
    Response.Write "No proxyTicket found in either the query string or the form post!"
    Response.Write "<BR>"
End If

Set objCAS = Nothing
%>

            </BODY>
</HTML>

clsString

'*****************************************************************
' clsString : A String Class helper to aid in string concatenation
'*****************************************************************

Class clsString
    Private m_intLength
    Private m_intCounter
    Private m_arrString()

    Private Sub Class_Initialize()
        'Dim an array and set position counter
         m_intCounter = 1
         m_intLength = 100
         Redim m_arrString(m_intLength)
    End Sub

    Public Sub Reset
        'Erase current array and recreate
         Erase m_arrString
         Call Class_Initialize()
    End Sub

    Public Property Get Value
         'Use Join function to create final string
         Value = Join(m_arrString,"")
    End Property

    Public Property Get Delim(ByVal delimeter)
         'Use Join function to create final string
         Redim Preserve m_arrString(Limit)
         Delim = Join(m_arrString,delimeter)
    End Property

    Public Property Get Element(ByVal n)
         'Use Join function to create final string
         Element = m_arrString(n)
    End Property    Public Property Get Limit
         'Use Join function to create final string
         Limit = m_intCounter - 1
    End Property

    Public Sub Add(byval strValue)
        Dim intArrLen
        'Add value to string array
        intArrLen = Ubound(m_arrString)
        If m_intCounter > intArrLen Then _
            Redim Preserve m_arrString(intArrLen + m_intLength)

            m_arrString(m_intCounter) = Cstr(strValue)
            'Increment position counter
            m_intCounter = m_intCounter + 1
    End Sub
End Class

'Start Public Functions
'This function is basically an ASP version of the ASP.Net - Request.Url.GetLeftPart(UriPartial.Path)
Public Function GetRequestUrl()
    Dim Port
    Dim Local_Addr
    Dim Path_Info  
    Dim Server_Name
    Dim Protocol

    Protocol = Request.ServerVariables("SERVER_PORT_SECURE")
    Server_Name = Request.ServerVariables("SERVER_NAME")
    Port = Request.ServerVariables("SERVER_PORT")
    Path_Info = Request.ServerVariables("PATH_INFO")

    If Port = 80 OR Port = 443 Then
        Port = ""
    Else
        Port = ":" & Port
    End If

    Local_Addr = Request.ServerVariables("LOCAL_ADDR")

    If Protocol = "" OR Protocol = "0" Then
        If Local_Addr = "127.0.0.1" Then
            Protocol = "http://"
        Else
            Protocol = "https://"
        End If
    Else
        Protocol = "https://"
    End If

    GetRequestUrl = Protocol & Server_Name & Port & Path_Info
End Function

CAS Authenticator

'***************************************************************************
' CAS_Authenticator : A Class wrapper that encapsulates authentication via CAS
'***************************************************************************

Class CAS_Authenticator
    '*********************************************************
    'Private Global variables
    '*********************************************************

    Private m_ErrorText
    Private m_CASURL
    Private m_netID
    Private objXML
    Private srvXmlHttp
    Private proxyArgHash
    Private m_pgtUrl
    Private m_pgtId
    Private m_Proxies
    Private queryCollection   

    Private Sub Class_Initialize()
        Set proxyArgHash = Server.CreateObject("Scripting.Dictionary")
        Set objXML = Server.CreateObject("Microsoft.XMLDOM")       

        'set async for XML Dom
        objXML.async = False      

        Set srvXmlHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")
        Set queryCollection = Server.CreateObject("Scripting.Dictionary")
    End Sub

    Private Sub Class_Terminate()
        Set objXML = Nothing
        Set srvXMLHttp = Nothing
        Set proxyArgHash = Nothing
        Set queryCollection = Nothing
    End Sub

    Public Sub AddProxyArgument(ByVal name, ByVal value)
        If Not proxyArgHash.Exists(name) Then
            proxyArgHash.Add name,value
        EndIf
    End Sub  

    Public Property Get ProxyGrantingTicketIOU
        ProxyGrantingTicketIOU = Application("pgtIou")
    End Property

    Public Property Get Proxies
        Proxies = m_Proxies
    End Property  

    Public Property Get netID
        netID = m_netID
    End Property

    Public Property Get LastError
        LastError = m_ErrorText
    End Property        

    Public Property Let CASpgtUrl(ByVal vNewValue)
        m_pgtUrl = vNewValue
    End Property

    Public Property Let CASURL(ByVal vNewValue)
        m_CASURL = vNewValue
    End Property  

    Public Sub LogOut(ByVal url)
        Session.Abandon()
        Response.Redirect m_CASURL & "/logout?url=" & url
    End Sub        

    Public Function MakeWebRequest(ByVal requestUrl, ByVal httpMethod)
        OnError Resume Next
        Err.Clear                  

        Select Case httpMethod
            Case "GET"
                'request method is a GET
                'Check the proxy arguments
                If proxyArgHash.Count > 0 Then
                    requestUrl = requestUrl & "?" & CollectionToQueryString(proxyArgHash)
                End If
               
                srvXmlHttp.open"GET", requestUrl, false
                srvXmlHttp.send()                  

            Case "POST"
                'request method is a POST
                srvXmlHttp.open"POST", requestUrl, false
                srvXmlHttp.setRequestHeader"Content-Type", "application/x-www-form-urlencoded"

                'Check the proxy arguments
                If proxyArgHash.Count > 0 Then
                    srvXmlHttp.send CollectionToQueryString(proxyArgHash)
                Else
                    srvXmlHttp.send()
                End If                 

            Case Else
                'Return error
                m_ErrorText = "Expecting either 'GET' OR 'POST' http method!"
                MakeWebRequest = Empty
                Exit Function                 

        End Select

        If Err <> 0 Then
            m_ErrorText = Err.Description
            MakeWebRequest = Empty
            Exit Function
        End If      

        If srvXmlHttp.Status <> 200 Then
            m_ErrorText = srvXmlHttp.Status & "- " & srvXmlHttp.StatusText
            MakeWebRequest = Empty
            Exit Function
        End If      

        MakeWebRequest = srvXmlHttp.responseText
    End Function        

    Private Function CollectionToQueryString(ByVal srcCollection)
        Dim srcKey
        Dim strCollItems

        Set strCollItems = New clsString
        For Each srcKey insrcCollection.Keys
            strCollItems.Add srcKey & "=" & srcCollection.Item(srcKey)
        Next                 

        CollectionToQueryString = Mid(strCollItems.Delim("&"), 2)
        Set strCollItems = Nothing
    End Function

    Private Function CASRequest(ByValvalidateurl)
        Dim proxyNodeText
        Dim objCASResponse
        Dim objCASAuthenticationNode
        Dim objCASUser
        Dim objCASProxies
        Dim objCASpgt
        Dim objCASProxy
        Dim objCASproxyTicket
        Dim objProxyList
        Dim htmlResponse
        Dim i

        validateUrl = validateUrl & "?" & CollectionToQueryString(queryCollection)      

        htmlResponse = MakeWebRequest(validateUrl, "GET")                 

        If IsEmpty(htmlResponse) Then
            CASRequest = False
            Exit Function
        End If      

        If objXML.LoadXml(htmlResponse) Then

            'Get reference to cas:serviceResponse XML Node
            Set objCASResponse = objXML.getElementsByTagName("cas:serviceResponse")
            If objCASResponse.length = 0 then
                m_ErrorText = "cas:serviceResponse XML Node is Empty!"
                CASRequest = False
                Exit Function
            End If                                    

            Set objCASAuthenticationNode = objCASResponse.item(0).firstChild
            Select Case objCASAuthenticationNode.nodeName
                Case "cas:authenticationSuccess"

                    'Get CAS user nodeText
                    Set objCASUser = objCASAuthenticationNode.getElementsByTagName("cas:user")
                    If objCASUser.length = 0 then
                        m_ErrorText = "cas:user element NOT present in source CAS XML!"
                        CASRequest = False
                        Exit Function
                    End If                                                        

                    m_netID = objCASUser.item(0).nodeTypedValue

                    'Get CAS proxies nodeText
                    Set objCASProxy = objCASAuthenticationNode.getElementsByTagName("cas:proxies")
                    If objCASProxy.length > 0 then
                        Set objProxyList = New clsString
                        Set objCASProxies = objCASProxy.item(0).childNodes                                                         

                        For i = 0 To objCASProxies.length - 1
                            objProxyList.Add(objCASProxies.item(i).nodeTypedValue)
                        Next                                                        
                        m_Proxies = objProxyList.Delim(vbcrlf)
                        Set objProxyList = Nothing
                    End If

                    'Get CAS proxyGT nodeText
                    Set objCASpgt = objCASAuthenticationNode.getElementsByTagName("cas:proxyGrantingTicket")
                    If objCASpgt.length > 0 Then
                        Application.Lock
                        Application("pgtIou") = objCASpgt.item(0).nodeTypedValue
                        Application.UnLock
                    End If

                Case "cas:authenticationFailure"
                    m_ErrorText = objCASAuthenticationNode.nodeTypedValue
                    CASRequest = False
                    Exit Function

                Case "cas:proxySuccess"
                    'Sample success returned from CAS
                    '<cas:proxySuccess xmlns:cas="http://www.yale.edu/tp/cas">
                    '   <cas:proxyTicket>
                    '       ST-1625-6YBqesAL6ywgfCwOPQYcK72G6ikQIHc6lab-aws-p1
                    '   </cas:proxyTicket>
                    '</cas:proxySuccess>                                        

                    Set objCASproxyTicket = objCASAuthenticationNode.getElementsByTagName("cas:proxyTicket")
                    If objCASproxyTicket.length > 0 Then
                        m_pgtId = objCASproxyTicket.item(0).nodeTypedValue
                    End If

                Case "cas:proxyFailure"
                    'Sample error returned from CAS
                    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
                    '   <cas:proxyFailure code="INVALID_TICKET">
                    '       ticket 'TGT-3053-jqon6B5AIUQ4A6Pb2RlgykerJ99PhUrF0ON-aws-p1' not recognized
                    '   </cas:proxyFailure>
                    '</cas:serviceResponse>

                    m_ErrorText = objCASAuthenticationNode.nodeTypedValue
                    CASRequest = False
                    Exit Function                                        

                Case Else
                    m_ErrorText = "Undefined CAS error!"
                    CASRequest = False
                    Exit Function
            End Select
        Else
            m_ErrorText = "XML Failed to load<XMP>" & htmlResponse & "</XMP>"
            CASRequest = False
            Exit Function
        End If

        'CAS is Authenticated
        CASRequest = True
    End Function        

    Public Function ServiceValidate(ByVal serviceUrl)
        Dim tkt
        Dim URLToValidate                  

        tkt = Request.QueryString.Item("ticket")
        URLToValidate = m_CASURL & "/serviceValidate"

        If IsEmpty(tkt) Then
            'if no ticket in URL then send user to CAS to get one
            Response.Redirect(m_CASURL & "/login?service=" & serviceUrl)
            ServiceValidate = True
            Exit Function
        End If                                       

        ' Second time (back from CAS) there is a ticket= to validate
        queryCollection.RemoveAll
        queryCollection.Add "ticket", tkt
        queryCollection.Add "service", serviceUrl

        If NOT IsEmpty(m_pgtUrl) Then
            queryCollection.Add "pgtUrl", m_pgtUrl
        EndIf

        If NOT CASRequest(URLToValidate) Then
            ServiceValidate = False
            Exit Function
        EndIf

        ' If there was a problem, leave the message on the screen. Otherwise, return to original page.
        If IsEmpty(netID) Then
            m_ErrorText = "CAS returned to this application, but then refused to validate your identity."
            ServiceValidate = False
            Exit Function
        End If                 

        ServiceValidate = True
    End Function        

    Public Function RequestProxyTicket(ByVal pgtId, ByVal proxyAppUrl)
        Dim validateurl
        validateurl = m_CASURL & "/proxy"
       
        queryCollection.RemoveAll
        queryCollection.Add "targetService", proxyAppUrl
        queryCollection.Add "pgt", pgtId                  

        If Not CASRequest(validateurl) Then
            RequestProxyTicket = Empty
            Exit Function
        End If

        RequestProxyTicket = m_pgtId
    End Function  

    Public Sub ValidateProxy(ByVal proxyTicket)
        Dim validateurl

        ' Validate proxy ticket
        validateurl = m_CASURL & "/proxyValidate"            

        queryCollection.RemoveAll
        queryCollection.Add "ticket", proxyTicket
        queryCollection.Add "service", GetRequestUrl()

        If Not CASRequest(validateurl) Then
            Exit Sub
        End If

        ' If there was a problem, leave the message on the screen. Otherwise, return to original page.
        If IsEmpty(m_netID) Then
            m_ErrorText = "CAS returned to this application, but then refused to validate your identity."
            Exit Sub
        End If
    End Sub  

End Class

  • No labels