MOD_CAS (Deprecated)

Owned by Andrew Petro
Last updated: Aug 16, 2009 by ScottSVersion comment
3 min read

NOTE: A vulnerability was discovered in the mod_cas Apache module. It is recommend that ALL deployers upgrade to mod_auth_cas immediately. mod_auth_cas is not affected by the vulnerability and is the currently supported Apache module.

The Yale CAS client distribution includes modules for Apache which serve as a CAS 1.0 casclient. See AuthCAS for an alternative implementation of an Apache (mod_perl) module for CAS authentication which offers additional features.

Esup-portail also distributes a modified version of MOD_CAS.

A version of MOD_CAS is also distribued as RPM Modules.

Case Western also has some excellent documentation including MOD_CAS information.

We now have a mod_cas patch below for apache2 that contributes support for apache directives for all configuration items. It also contains some changes to logging. mod_cas now has the capability of logging to the apache logs. All that needs to be done, is for someone to turn on the debug directive.

You may also want to try the RPMs. There is a pre-built one for RH AS3, and one that will build mod_cas from source for you. See the attachments below.

Please note this is not extensively tested at this time. I believe there is still a little bit of work to be done. We plan on testing this here at Athabasca University within the next little while (currently May 27th, 2005). This modification was written by Trenton D. Adams and anonymous. If someone knows who anonymous is, let me know. I will search my email soon to see if I can find out who it was that helped me. We will soon contribute a binary RPM as well as a source RPM, which will automatically suck down the patch, and build against it.

Starting with the Case mod_cas distribution as a base Carl Harris wrote a modification to support the XML objects returned by CAS 2 and up. It was also modified to support a chain of trusted CA certificates, rather than a single certificate. The attached mod_cas-VATECH.tar.gz can be used with the instructions posted on the Case wiki to produce the improved mod_cas. The CASTrustedCerts directive can now point to a file containing a trusted CA cert chain.

For a documented sample Apache configuration file, Andrew Ralph Feller has provided a base for new and experienced deployers to use; see the mod_cas-VATECH.conf attachment. 

TODO: The ssl_verify.c module in mod_cas is rather monolithic and inelegant. It could really stand to be significantly refactored.
TODO: OpenSSL has options for getting the trusted CA cert chain as a single file or as a directory. The directory option is not currently implemented in mod_cas-VATECH, but should be added.

When not to use MOD_CAS

(Per Scott Lundgren's email).

  • mod_cas not should not be used with pages that use frames
  • directories of images files should be moved out from under mod_cas protection because browsers (IE 6 & Firefox 1.06) do not know how to handle the redirects for the requests for images embedded in an HTML page
  • directories of CSS files should be moved out from under mod_cas protection for the same reasons
  • mod_cas cannot be used with server generated images where scripts return an image stream