rubycas / rubycas-server

Provides single sign-on authentication for web applications, implementing the server-end of Jasig's CAS protocol.
http://rubycas.github.com

Restrict multi-authenticators with a Regexp #251

Closed lucaspiller closed 3 years ago

lucaspiller commented 8 years ago

This adds a username_regexp option to the authenticator configuration, which if specified will be used to decide if a username can be authenticated via an authenticator. This can be used to prevent credentials from being leaked to third party services. If the option isn't present the authenticator will behave as before, trying whatever credentials are given to it.

Assuming your users log in with their email address, this configuration will authenticate GMail addresses via Google, and company addresses via LDAP:

```yaml
authenticator:
  -
    class: CASServer::Authenticators::Google
    username_regexp: !ruby/regexp /@g(oogle)?mail\.com\Z/i
  -
    class: CASServer::Authenticators::ActiveDirectoryLDAP
    username_regexp: !ruby/regexp /@mycompany\.com\Z/i
```

Additionally, the internal API adds a #can_validate? method to the authenticator base class. This can be used to do the same thing, but at the authenticator level rather than in configuration. So you could, for example, write an OpenID authenticator that only accepts usernames that are URIs.
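Added illustration (not code from the pull request or from rubycas-server): a minimal authenticator base class with the `#can_validate?` gate the PR describes, two stand-in authenticators configured with the same regexps as the YAML above, and a dispatcher that only hands the credentials to an authenticator whose `username_regexp` accepts the username. The `Authenticator`, `RecordingAuthenticator`, `build_authenticators` and `authenticate` names are assumptions made for this example; the point it shows is that a password for `alice@gmail.com` never reaches the LDAP backend, and a username matching neither pattern reaches no backend at all.

```ruby
# Example implementation of the username_regexp / #can_validate? idea.
# Class and method names other than #can_validate? are assumptions, not
# rubycas-server's own code.

class Authenticator
  attr_reader :options

  def initialize(options = {})
    @options = options
  end

  # True when this authenticator is allowed to see the given username.
  # With no username_regexp configured it accepts everything, which keeps
  # the pre-existing "try whatever you are given" behaviour.
  def can_validate?(username)
    regexp = options[:username_regexp]
    regexp.nil? || regexp.match?(username.to_s)
  end

  def validate(_credentials)
    raise NotImplementedError, "subclasses implement validate"
  end
end

# Stand-in for the Google / ActiveDirectoryLDAP authenticators: it records
# which usernames were sent to it so the routing can be inspected.
class RecordingAuthenticator < Authenticator
  attr_reader :seen

  def initialize(options = {})
    super
    @seen = []
  end

  def validate(credentials)
    @seen << credentials[:username]
    false # never authenticates anyone in this illustration
  end
end

# Constructed configuration mirroring the YAML in the pull request.
def build_authenticators
  {
    google: RecordingAuthenticator.new(username_regexp: /@g(oogle)?mail\.com\Z/i),
    ldap:   RecordingAuthenticator.new(username_regexp: /@mycompany\.com\Z/i)
  }
end

# Tries the configured authenticators in order, skipping any whose
# username_regexp rejects the username, so the password is only forwarded
# to the backend the username belongs to. Returns the names of the
# authenticators that were actually consulted.
def authenticate(authenticators, credentials)
  consulted = []
  authenticators.each do |name, auth|
    next unless auth.can_validate?(credentials[:username])
    consulted << name
    break if auth.validate(credentials)
  end
  consulted
end

if __FILE__ == $PROGRAM_NAME
  auths = build_authenticators
  p authenticate(auths, { username: "alice@gmail.com", password: "secret" }) # [:google]
  p authenticate(auths, { username: "eve@example.org", password: "secret" }) # []
end
```

An authenticator constructed without `username_regexp` still answers `can_validate?` with true for every username, so existing deployments that never set the option see no change in behaviour.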

vjt commented 3 years ago

Sad to see this go, I'll try to open-source our internal version that has this and many other goodies!