Apache2-AuthCASpbh
lib/Apache2/AuthCASpbh.pm
"/cas_pgt" on the server running AuthCASpbh; however, it could also be a fully
qualified URL to point it to an arbitrary location:
    AuthCAS_PGTCallback https://some.other.server/cas_pgt
The URL must be served by L<Apache2::AuthCASpbh::ProxyCB> or a compatible
mechanism that will store the proxy ticket information into the global
AuthCASpbh session.
=item C<AuthCAS_PGTIOU_TTL>
The amount of time in seconds that a proxy granting ticket IOU to proxy
granting ticket value mapping will be maintained in the AuthCASpbh global
session. By default it is 10 seconds, and it is unlikely that value would need
to be overridden in normal circumstances.
=item C<AuthCAS_ProxyAllow>
A list of proxy servers to allow access to the AuthCASpbh protected application
if proxied authentication is desired. Proxied authentication is only enabled
if at least one of AuthCAS_ProxyAllow or AuthCAS_ProxyAllowRE is configured for
the location being accessed. For example:
    AuthCAS_ProxyAllow https://my.frontend.server/cas
=item C<AuthCAS_ProxyAllowRE>
A list of regular expressions to be compared to the connecting proxy server to
determine whether or not to allow access to the AuthCASpbh protected
application. Proxied authentication is only enabled if at least one of
AuthCAS_ProxyAllow or AuthCAS_ProxyAllowRE is configured for the location being
accessed. For example:
    AuthCAS_ProxyAllowRE ^https://[^/]+\.my\.domain/
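The following is an added example, not code from AuthCASpbh: it checks candidate AuthCAS_ProxyAllowRE patterns against proxy URLs that should and should not be admitted, so that a missing anchor or an unescaped dot shows up before the pattern is deployed. It assumes each pattern is applied as an ordinary unanchored Perl regex match against the proxy URL; the weaker patterns, the sample URLs and the helper name C<unintended_matches> are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Candidate patterns; the first is the documented example, the other two are
# constructed variants with common mistakes.
my @patterns = (
    '^https://[^/]+\.my\.domain/',   # anchored, dots escaped, ends at the path slash
    'https://[^/]+\.my\.domain',     # no ^ anchor and no trailing slash
    '^https://[^/]+.my.domain/',     # unescaped dots match any character
);

# Constructed proxy URLs: [ url, 1 if the proxy is meant to be allowed ].
my @proxies = (
    [ 'https://frontend.my.domain/cas',                  1 ],
    [ 'https://frontend.my.domain.example/cas',          0 ],  # allowed name as a prefix
    [ 'https://other.example/?u=https://a.my.domain/',   0 ],  # allowed URL inside a query
    [ 'https://frontendxmyxdomain/cas',                  0 ],  # no literal dots
    [ 'http://frontend.my.domain/cas',                   0 ],  # not HTTPS
);

# Return the URLs a pattern admits although they are not meant to be allowed.
sub unintended_matches {
    my ($pattern) = @_;
    my $re = qr/$pattern/;
    return map { $_->[0] } grep { !$_->[1] && $_->[0] =~ $re } @proxies;
}

for my $pattern (@patterns) {
    # Every candidate must still admit the intended proxy.
    my @missed = grep { $_->[1] && $_->[0] !~ qr/$pattern/ } @proxies;
    my @bad    = unintended_matches($pattern);

    printf "%-32s %s\n", $pattern,
        (@bad || @missed) ? 'REJECT this pattern' : 'ok';
    print "    admits unintended proxy: $_\n"      for @bad;
    print "    blocks intended proxy:   $_->[0]\n" for @missed;
}
```

Only the documented pattern passes: the unanchored variant admits the prefix and embedded-URL cases, and the unescaped-dot variant admits the host without literal dots.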
=item C<AuthCAS_ProxyPath>
The URL component added after the AuthCAS_ServerURL value to access the CAS
proxy ticket issuing service; by default "/proxy".
=item C<AuthCAS_ProxyRequire>
If proxied authentication is enabled, only allow access via proxy credentials,
not direct access by a user; by default disabled.
=item C<AuthCAS_ProxyValidatePath>
The URL component added after the AuthCAS_ServerURL value to access the CAS
proxy ticket validation service; by default "/proxyValidate".
=item C<AuthCAS_RemoveServiceTicket>
Whether or not to remove the ticket parameter from the request arguments (e.g.,
query string) after it is processed; by default disabled. Note that the value
is only removed from the Apache args variable, not from the unparsed URI; if an
application directly accesses the unparsed URI it will still see the value.
=item C<AuthCAS_RequestPGT>
Whether or not to request a proxy granting ticket when a client service ticket
is validated; by default disabled.
=item C<AuthCAS_ServerURL>
The URL value to access the CAS authentication server; by default
"http://localhost/cas". For example:
    AuthCAS_ServerURL https://idp.my.domain/idp/profile/cas
=item C<AuthCAS_ServiceOverride>
A URL with which to override the computed service URL used when redirecting to
the CAS login page or validating a supplied service ticket. For example:
    AuthCAS_ServiceOverride https://my.service/cas-login
=item C<AuthCAS_ServiceValidatePath>
The URL component added after the AuthCAS_ServerURL value to access the CAS
ticket validation service; by default "/serviceValidate".
=item C<AuthCAS_SessionCleanupInterval>
How frequently (in seconds) to remove expired authentication sessions and
examine the global session to remove orphaned expired proxy ticket mappings; by
default 3600 seconds.
=item C<AuthCAS_SessionCookieName>
The name of the cookie sent to the client to store the AuthCASpbh session
identifier; by default "AuthCAS_Session".
=item C<AuthCAS_SessionCookiePath>
An optional path to include in the session cookie.
=item C<AuthCAS_SessionCookieSecure>
Whether or not to set the secure flag on the session cookie; by default
enabled.
=item C<AuthCAS_SessionDBName>
The filename of the SQLite database used to store session information; by
default "authcas_sessions.db". Prior to use of AuthCASpbh, the database must be
created and its schema defined using the following command within SQLite:
    CREATE TABLE sessions (
        id char(32) not null primary key,
        a_session text
    );
In addition, the global state session must be created. If using the default
SessionStateName value of "ABC123" this can be accomplished by:
    insert into sessions (id, a_session) values ('ABC123', '{"_session_id":"ABC123"}');
Finally, the service account used by the Apache web server must be granted