google-code-export / rubycas-client

Automatically exported from code.google.com/p/rubycas-client

Can't use ActiveResource while using CAS #34

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hello there,

A) I have a rubycas-server using the SQLAuthlogic authenticator
B) I have a rails app that uses AuthLogic to manage the CAS users
C) I have a client app prototype which uses rubycas-client

Both A and B share the same DB.

Everything works well (even single-sign-out) as long as I'm not trying to use some ActiveResources.

C has one ActiveResource model set to access B's users table with a single_access_token (which is provided with quantipay-authlogic_haapi for AuthLogic).

But every time I try to access B through ActiveResource the CAS filter stops me like this:
ActiveResource::Redirection: Failed with 302 Found => http://localhost:443/login?service=http%3A%2F%2Flocalhost%3A3001%2Fusers.xml

And this happens even in a script/console!

Something funny is that, while searching for a workaround, I tried forging a request to B this way:
Net::HTTP.get(URI.parse("http://localhost:3000/users.xml"))
And it works! I can reach B without being caught by the CAS.

Any idea?

(a bit of code here: http://pastie.org/866265)

Original issue reported on code.google.com by frere.je...@gmail.com on 12 Mar 2010 at 9:21

GoogleCodeExporter commented 9 years ago
Have a look at http://code.google.com/p/rubycas-client/issues/detail?id=35 and at this delta http://github.com/gunark/rubycas-client/commit/06148ff37a8db6e20c82b1c2aa03c637c8499876

You should now get a 402 Unauthorized response when you try to access an .xml resource with ActiveResource.

CAS authentication for REST clients is actually kind of problematic. Probably the "right" way to do it is via proxy ticketing. Alternatively I am told there is now a RESTful CAS API, implemented in the JA-SIG server, but I haven't had a chance to look into this yet.

The last part of what you're saying is kind of alarming -- the CAS filter shouldn't just be letting you through to .xml resources without authentication. Maybe it's an AuthLogic thing? I dunno. I can't imagine how the CAS client could be differentiating between URIs that do or do not end in .xml. There was no such code in the client until that most recent commit from Roberto Klein.

Original comment by matt.zuk...@gmail.com on 13 Apr 2010 at 5:13
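The redirect-versus-Unauthorized behaviour discussed in the reply above, as an added, constructed Ruby model. This is not rubycas-client's own code: the filter, the `CasRequest` struct, the `VALID_TICKETS` table standing in for a call to the CAS validation endpoint, and the `SERVICE_BASE` constant are all assumptions for illustration; only the CAS login URL and the `service=` encoding are taken from the redirect shown in the report. It shows why an ActiveResource request for `/users.xml` gets a 302 it cannot usefully follow when the filter treats every unauthenticated request like a browser, and how answering non-browser formats with a 401 instead (the behaviour the reply describes) changes the outcome while browser requests still get the login redirect.

```ruby
require "uri"

# Added, constructed example: a minimal model of the decision a CAS client
# filter makes for each request. It is NOT rubycas-client's own code; the
# names and constants below are assumptions for illustration.
CAS_LOGIN_URL = "http://localhost:443/login"    # login URL seen in the issue's redirect
SERVICE_BASE  = "http://localhost:3001"         # the CAS-protected app (B in the report)

# Constructed stand-in for asking the CAS server to validate a service ticket
# (a real client calls the server's validation endpoint instead).
VALID_TICKETS = { "ST-constructed-1" => "alice" }.freeze

CasRequest = Struct.new(:path, :session_user, :ticket, keyword_init: true)

# "html" for bare paths, otherwise the extension ("xml", "json", ...).
def request_format(request)
  ext = File.extname(URI(request.path).path).delete_prefix(".")
  ext.empty? ? "html" : ext
end

def browser_request?(request)
  request_format(request) == "html"
end

def service_url(request)
  SERVICE_BASE + request.path
end

# Reproduces the redirect from the issue: 302 to CAS with service=<encoded URL>.
def cas_login_redirect(request)
  service = URI.encode_www_form_component(service_url(request))
  { status: 302, location: "#{CAS_LOGIN_URL}?service=#{service}" }
end

def validate_ticket(ticket)
  VALID_TICKETS[ticket]
end

# Returns a Hash describing the filter's outcome:
#   {status: 200, user: ...}   authenticated, request passes through
#   {status: 302, location:}   browser client sent to the CAS login page
#   {status: 401}              non-browser client (e.g. ActiveResource asking
#                              for .xml) is told it is unauthenticated instead
#                              of being redirected to an HTML login page
def cas_filter(request)
  return { status: 200, user: request.session_user } if request.session_user

  if request.ticket
    user = validate_ticket(request.ticket)
    return { status: 200, user: user } if user
  end

  return { status: 401, body: "CAS authentication required" } unless browser_request?(request)

  cas_login_redirect(request)
end

if __FILE__ == $0
  p cas_filter(CasRequest.new(path: "/users.xml"))   # 401 for the REST client
  p cas_filter(CasRequest.new(path: "/users"))       # 302 to the CAS login page
end
```

The 401 branch only changes what an unauthenticated REST client is told; it does not grant access. A client that actually needs the resource still has to present something the filter can validate (a service or proxy ticket, as the reply suggests), which is why a bare `Net::HTTP.get` reaching the resource without any of that would be the surprising case.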