NUBIC / aker

A flexible security framework for Rack (and Rails) apps. Good for integration with legacy systems, CAS SSO (including proxying), machine and interactive authentication, and much more.
MIT License

Allow specifying SSL context information for CAS authority #23

Open rsutphin opened 11 years ago

rsutphin commented 11 years ago

The CAS authority needs to communicate with CAS servers which are generally SSL-protected. Provide a mechanism where Aker's CAS authority can be configured with:

hannahwhy commented 11 years ago

Proposal:

Aker.configure do
  cas_parameters :ssl => { :verify_mode => OpenSSL::SSL::VERIFY_PEER, :ca_file => some_file }
  ...
end

We could also do

Aker.configure do
  ssl_parameters :verify_mode => OpenSSL::SSL::VERIFY_PEER, :ca_file => some_file #, ...
  ...
end

and just let whatever authorities/modes need an SSL context use it, but that may be assuming too much about the uniformity of SSL deployments.

rsutphin commented 11 years ago

> but that may be assuming too much about the uniformity of SSL deployments

I had the same thought — we'd want to make it overridable per authority, so at best we'd need to support both. I say just do the cas_parameters one for now. If an app needs to share the parameters between two different authorities (or whatever), it can just do:

ssl_opts = { ... }
Aker.configure do
  cas_parameters :ssl => ssl_opts
  whatever_parameters :ssl_context => ssl_opts
end
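
An added example, not part of the thread and not Aker's own code: one way the proposed `:ssl` hash could be applied to the Net::HTTP client that talks to the CAS server, with shared defaults overridden per authority as discussed above. The helper names, file paths and CAS URL are assumptions.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical helper names; Aker's real implementation may differ.
# Each key matches an existing Net::HTTP setter (verify_mode=, ca_file=, ...).
ALLOWED_SSL_KEYS = [:verify_mode, :ca_file, :ca_path, :cert, :key, :verify_depth].freeze

# Merge app-wide SSL defaults with a per-authority override.
# Peer verification is the starting point, so an empty configuration still verifies.
def effective_ssl_options(shared, override)
  opts = { :verify_mode => OpenSSL::SSL::VERIFY_PEER }
  opts = opts.merge(shared || {}).merge(override || {})
  # A misspelled key (e.g. :ca_flie) would otherwise silently drop the trust anchor.
  unknown = opts.keys - ALLOWED_SSL_KEYS
  raise ArgumentError, "unknown SSL option(s): #{unknown.inspect}" unless unknown.empty?
  opts
end

# Build (but do not open) the HTTPS client used to reach the CAS server.
def cas_http_client(cas_base_url, ssl_opts)
  uri = URI.parse(cas_base_url)
  raise ArgumentError, 'CAS base URL must be https' unless uri.scheme == 'https'
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  ssl_opts.each { |name, value| http.public_send("#{name}=", value) }
  http
end

# Constructed sample values: a shared CA bundle, overridden for the CAS authority.
shared   = { :ca_file => '/etc/ssl/certs/campus-ca.pem' }
cas_only = { :ca_file => '/etc/ssl/certs/cas-ca.pem', :verify_depth => 3 }
client = cas_http_client('https://cas.example.edu/cas/',
                         effective_ssl_options(shared, cas_only))
```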