This is more pseudo code than anything and would need to be heavily tested. The idea is that right after authentication with CAS (and before LDAP lookup or account creation), check if the user even needs to be logged in. Then if the user does not need to be logged in, set a cookie for the site's domain+path that tells varnish to always cache (ignore the unl_sso cookie).
In other words:
If the user tries to log in (gateway auth via SSO) do the following:
  1. Perform the gateway auth.
  2. If the user has a role: log them in as usual.
  3. If the user has no role (or is an 'authenticated user'): do not log them in, and set a cookie unlcms_force_varnish, which varnish can then use to force varnish caching even if the SSO cookie is set.
There is also some checking to see if the unl_access module is enabled or if the smart caching was disabled for the site in the configuration. This 'smart checking' can be vastly improved, but it gets the point across.
I'm not sure if this is the best approach, or if I covered all the necessary cases. I also don't know how to configure varnish to check for the new cookie, but I'm guessing it's possible.
How to configure varnish:
I haven't actually tried this yet, but I think it should work.
After all of the other checks to see if content should not be cached, we could add a check like this:
    if (req.http.Cookie ~ "(^|;\s*)(unlcms_force_varnish=true)(;|$)") {
        // Force varnish caching (bypass the unl_sso cookie); another
        // alternative might be to unset the unl_sso cookie here.
        return(hash);
    }
Questions
If the unlcms_force_varnish cookie is set, how can we still force a login if we need it? (Maybe just unsetting the unl_sso cookie would be better.)
Not quite sure how to still allow a gateway auth on pages restricted by unl_access. Perhaps have those pages serve a custom header (x-allow-gateway) and then modify the above varnish config to NOT force a cache if that header is set?
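The role check and cookie-setting step described above, as an added Drupal 7 PHP example that is not part of the original post or the UNL CMS code: the function name unlcms_cas_post_auth_decide and the unlcms_smart_caching variable are assumptions (the real hook name depends on the CAS module in use), while module_exists(), variable_get(), user_load_by_name() and DRUPAL_AUTHENTICATED_RID are standard Drupal 7 API.

```php
<?php
/**
 * Added example (hypothetical hook name). Call right after CAS gateway
 * authentication succeeds and before LDAP lookup or account creation.
 *
 * Returns TRUE when the user should go through the normal login, FALSE when
 * the login was skipped and the force-cache cookie was set instead.
 */
function unlcms_cas_post_auth_decide($cas_username) {
  // Leave the normal login path alone when unl_access protects this site or
  // when smart caching was disabled in configuration (variable name assumed).
  if (module_exists('unl_access') || !variable_get('unlcms_smart_caching', TRUE)) {
    return TRUE;
  }

  // Before account creation the user may not exist yet; no account means no role.
  $account = user_load_by_name($cas_username);
  if ($account) {
    // Anything beyond the default 'authenticated user' role counts as a real role.
    $roles = array_diff_key($account->roles, array(DRUPAL_AUTHENTICATED_RID => 1));
    if (!empty($roles)) {
      return TRUE; // log them in as usual
    }
  }

  // No role: tell varnish to cache regardless of the unl_sso cookie.
  // Scope the cookie to this site's host and base path so it does not leak
  // to other sites on the same domain.
  $base = parse_url($GLOBALS['base_url']);
  $path = isset($base['path']) ? rtrim($base['path'], '/') . '/' : '/';
  // Session cookie (expires 0), Secure + HttpOnly so it is only sent over
  // HTTPS and cannot be read by page scripts.
  setcookie('unlcms_force_varnish', 'true', 0, $path, $base['host'], TRUE, TRUE);
  return FALSE;
}
```

Because the cookie is marked Secure, the browser only sends it over HTTPS, so the VCL check above will never match on a site served over plain HTTP.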