This method is used to tell phpCAS to store the response of the
CAS server to PGT requests onto the filesystem.
| public static setPGTStorageFile ( string $path = '' ) : void | ||
| $path | string | the path where the PGT's should be stored |
| return | void | |
/**
* Initializes the authority objects based on an associative array of arguments
* @param array $args an associate array of arguments. The argument list is dependent on the authority
*
* General - Required keys:
* TITLE => The human readable title of the AuthorityImage
* INDEX => The tag used to identify this authority @see AuthenticationAuthority::getAuthenticationAuthority
*
* General - Optional keys:
* LOGGEDIN_IMAGE_URL => a url to an image/badge that is placed next to the user name when logged in
*
* CAS - Required keys:
* CAS_PROTOCOL => The protocol to use. Should be equivalent to one of the phpCAS constants, e.g. "2.0":
* CAS_VERSION_1_0 => '1.0', CAS_VERSION_2_0 => '2.0', SAML_VERSION_1_1 => 'S1'
* CAS_HOST => The host name of the CAS server, e.g. "cas.example.edu"
* CAS_PORT => The port the CAS server is listening on, e.g. "443"
* CAS_PATH => The path of the CAS application, e.g. "/cas/"
* CAS_CA_CERT => The filesystem path to a CA certificate that will be used to validate the authenticity
* of the CAS server, e.g. "/etc/tls/pki/certs/my_ca_cert.crt". If empty, no certificate
* validation will be performed (not recommended for production).
*
* CAS - Optional keys:
* ATTRA_EMAIL => Attribute name for the user's email adress, e.g. "email". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
* ATTRA_FIRST_NAME => Attribute name for the user's first name, e.g. "givename". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
* ATTRA_LAST_NAME => Attribute name for the user's last name, e.g. "surname". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
* ATTRA_FULL_NAME => Attribute name for the user's full name, e.g. "displayname". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
* ATTRA_MEMBER_OF => Attribute name for the user's groups, e.g. "memberof". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
*
* NOTE: Any subclass MUST call parent::init($args) to ensure proper operation
*
*/
public function init($args)
{
parent::init($args);
// include the PHPCAS library
if (empty($args['CAS_PHPCAS_PATH'])) {
require_once 'CAS.php';
} else {
require_once $args['CAS_PHPCAS_PATH'] . '/CAS.php';
}
if (empty($args['CAS_PROTOCOL'])) {
throw new KurogoConfigurationException('CAS_PROTOCOL value not set for ' . $this->AuthorityTitle);
}
if (empty($args['CAS_HOST'])) {
throw new KurogoConfigurationException('CAS_HOST value not set for ' . $this->AuthorityTitle);
}
if (empty($args['CAS_PORT'])) {
throw new KurogoConfigurationException('CAS_PORT value not set for ' . $this->AuthorityTitle);
}
if (empty($args['CAS_PATH'])) {
throw new KurogoConfigurationException('CAS_PATH value not set for ' . $this->AuthorityTitle);
}
if (empty($args['CAS_PROXY_INIT'])) {
phpCAS::client($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);
} else {
phpCAS::proxy($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);
if (!empty($args['CAS_PROXY_TICKET_PATH'])) {
phpCAS::setPGTStorageFile('', $args['CAS_PROXY_TICKET_PATH']);
}
if (!empty($args['CAS_PROXY_FIXED_CALLBACK_URL'])) {
phpCAS::setFixedCallbackURL($args['CAS_PROXY_FIXED_CALLBACK_URL']);
}
}
if (empty($args['CAS_CA_CERT'])) {
phpCAS::setNoCasServerValidation();
} else {
phpCAS::setCasServerCACert($args['CAS_CA_CERT']);
}
// Record any attribute mapping configured.
if (!empty($args['ATTRA_EMAIL'])) {
CASUser::mapAttribute('Email', $args['ATTRA_EMAIL']);
}
if (!empty($args['ATTRA_FIRST_NAME'])) {
CASUser::mapAttribute('FirstName', $args['ATTRA_FIRST_NAME']);
}
if (!empty($args['ATTRA_LAST_NAME'])) {
CASUser::mapAttribute('LastName', $args['ATTRA_LAST_NAME']);
}
if (!empty($args['ATTRA_FULL_NAME'])) {
CASUser::mapAttribute('FullName', $args['ATTRA_FULL_NAME']);
}
// Store an attribute for group membership if configured.
if (!empty($args['ATTRA_MEMBER_OF'])) {
CASUser::mapAttribute('MemberOf', $args['ATTRA_MEMBER_OF']);
}
}
function setup()
{
//Only setup if we haven't already
global $PHPCAS_CLIENT;
if (!is_object($PHPCAS_CLIENT)) {
phpCAS::setDebug("/var/www/campus/dev.intranet.campusforchrist.org/cas.log");
phpCAS::proxy(SITE_CAS_VERSION, SITE_CAS_HOSTNAME, SITE_CAS_PORT, SITE_CAS_PATH, SITE_CAS_SESSION);
phpCAS::setFixedCallbackURL(SITE_CAS_CALLBACK);
//No SSL
phpCAS::setNoCasServerValidation();
phpCAS::setPGTStorageFile('xml', SITE_CAS_PGT_STORE);
//session_save_path());
return true;
}
return false;
}
$_SESSION['phpCAS']['service_cookies'] = array();
}
$sm = $_SESSION['ovd-client']['sessionmanager'];
foreach ($sm->get_cookies() as $k => $v) {
$cookie = array('domain' => parse_url($sm->get_base_url(), PHP_URL_HOST), 'path' => '/', 'secure' => false, 'name' => $k, 'value' => $v);
$_SESSION['phpCAS']['service_cookies'][] = $cookie;
}
}
$port = parse_url($CAS_server_url, PHP_URL_PORT);
if (is_null($port)) {
if (parse_url($CAS_server_url, PHP_URL_SCHEME) == 'https') {
$port = 443;
} else {
$port = 80;
}
}
$path = !parse_url($CAS_server_url, PHP_URL_PATH) ? '' : parse_url($CAS_server_url, PHP_URL_PATH);
phpCAS::proxy(CAS_VERSION_2_0, parse_url($CAS_server_url, PHP_URL_HOST), $port, $path, false);
phpCAS::setNoCasServerValidation();
phpCAS::setPGTStorageFile(CAS_PGT_STORAGE_FILE_FORMAT_PLAIN, session_save_path());
phpCAS::setFixedCallbackURL($CAS_callback_url);
//HTTPS required, and Apache's CRT must be added in Tomcat's keystore (CAS server)
phpCAS::forceAuthentication();
if (!phpCAS::serviceWeb($_SESSION['ovd-client']['sessionmanager_url'] . '/start', $errno, $output)) {
$_SESSION['ovd-client']['from_SM_start_XML'] = 'ERROR';
finish();
die;
}
$_SESSION['ovd-client']['from_SM_start_XML'] = $output;
finish();
die;
require_once $phpcas_path . '/CAS.php';
// Enable debugging
phpCAS::setDebug();
// Enable verbose error messages. Disable in production!
phpCAS::setVerbose(true);
// Initialize phpCAS
phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
// phpCAS::setCasServerCACert($cas_server_ca_cert_path);
// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
phpCAS::setNoCasServerValidation();
// set PGT storage to file in plain format in the same directory as session files
phpCAS::setPGTStorageFile(session_save_path());
// force CAS authentication
phpCAS::forceAuthentication();
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
// moreover, a PGT was retrieved from the CAS server that will
// permit to gain accesses to new services.
?>
<html>
<head>
<title>phpCAS proxy example with PGT storage to file</title>
<link rel="stylesheet" type='text/css' href='example.css'/>
</head>
<body>
<h1>phpCAS proxy example with PGT storage to file</h1>
<?php
private function setPTGStorage()
{
switch (strtolower($this->pgt_storage_mode)) {
case 'file':
phpCAS::setPGTStorageFile(session_save_path());
break;
case 'db':
$dbconfig = ConfService::getConfStorageImpl();
/**
* support only for mySQL
*/
if ($dbconfig instanceof sqlConfDriver) {
if (!empty($dbconfig->sqlDriver["username"])) {
$db_username = $dbconfig->sqlDriver["username"];
$db_password = $dbconfig->sqlDriver["password"];
$db_database = "mysql:" . "dbname=" . $dbconfig->sqlDriver["database"] . ";host=" . $dbconfig->sqlDriver["host"];
$db_table = "ajxp_cas_pgt";
AJXP_Logger::info(__CLASS__, __FUNCTION__, $db_database);
phpCAS::setPGTStorageDB($db_database, $db_username, $db_password, $db_table, "");
}
}
break;
default:
break;
}
}
/**
* Initialize CAS client
*
*/
private function cas_init() {
if (!$this->cas_inited) {
// retrieve configurations
$cfg = rcmail::get_instance()->config->all();
// include phpCAS
require_once('/usr/share/php/CAS/CAS.php');
phpCAS::setDebug('/var/log/lcs/casdebug.log');
// initialize CAS client
if ($cfg['cas_proxy']) {
phpCAS::proxy(CAS_VERSION_2_0, $cfg['cas_hostname'], $cfg['cas_port'], $cfg['cas_uri'], false);
// set URL for PGT callback
phpCAS::setFixedCallbackURL($this->generate_url(array('action' => 'pgtcallback')));
// set PGT storage
#phpCAS::setPGTStorageFile('xml', $cfg['cas_pgt_dir']);
phpCAS::setPGTStorageFile($cfg['cas_pgt_dir']);
}
else {
phpCAS::client(CAS_VERSION_2_0, $cfg['cas_hostname'], $cfg['cas_port'], $cfg['cas_uri'], false);
}
// set service URL for authorization with CAS server
phpCAS::setFixedServiceURL($this->generate_url(array('action' => 'login', 'task' => 'mail')));
// set SSL validation for the CAS server
if ($cfg['cas_validation'] == 'self') {
phpCAS::setCasServerCert($cfg['cas_cert']);
}
else if ($cfg['cas_validation'] == 'ca') {
phpCAS::setCasServerCACert($cfg['cas_cert']);
}
else {
phpCAS::setNoCasServerValidation();
}
// set login and logout URLs of the CAS server
phpCAS::setServerLoginURL($cfg['cas_login_url']);
phpCAS::setServerLogoutURL($cfg['cas_logout_url']);
$this->cas_inited = true;
}
}
include_once 'config.php';
// Load the CAS lib
include_once $phpcas_path . '/CAS.php';
// Uncomment to enable debugging
phpCAS::setDebug();
// Initialize phpCAS
phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
// phpCAS::setCasServerCACert($cas_server_ca_cert_path);
// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
phpCAS::setNoCasServerValidation();
// set PGT storage to file in plain format in the same directory as session files
phpCAS::setPGTStorageFile('plain', session_save_path());
// force CAS authentication
phpCAS::forceAuthentication();
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
// moreover, a PGT was retrieved from the CAS server that will
// permit to gain accesses to new services.
?>
<html>
<head>
<title>phpCAS proxy example with PGT storage to file</title>
<link rel="stylesheet" type='text/css' href='example.css'/>
</head>
<body>
<h1>phpCAS proxy example with PGT storage to file</h1>
<?php
/**
* Initializes the authority objects based on an associative array of arguments
* @param array $args an associate array of arguments. The argument list is dependent on the authority
*
* General - Required keys:
* TITLE => The human readable title of the AuthorityImage
* INDEX => The tag used to identify this authority @see AuthenticationAuthority::getAuthenticationAuthority
*
* General - Optional keys:
* LOGGEDIN_IMAGE_URL => a url to an image/badge that is placed next to the user name when logged in
*
* CAS - Required keys:
* CAS_PROTOCOL => The protocol to use. Should be equivalent to one of the phpCAS constants, e.g. "2.0":
* CAS_VERSION_1_0 => '1.0', CAS_VERSION_2_0 => '2.0', SAML_VERSION_1_1 => 'S1'
* CAS_HOST => The host name of the CAS server, e.g. "cas.example.edu"
* CAS_PORT => The port the CAS server is listening on, e.g. "443"
* CAS_PATH => The path of the CAS application, e.g. "/cas/"
* CAS_CA_CERT => The filesystem path to a CA certificate that will be used to validate the authenticity
* of the CAS server, e.g. "/etc/tls/pki/certs/my_ca_cert.crt". If empty, no certificate
* validation will be performed (not recommended for production).
*
* CAS - Optional keys:
* ATTRA_EMAIL => Attribute name for the user's email adress, e.g. "email". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
* ATTRA_FIRST_NAME => Attribute name for the user's first name, e.g. "givename". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
* ATTRA_LAST_NAME => Attribute name for the user's last name, e.g. "surname". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
* ATTRA_FULL_NAME => Attribute name for the user's full name, e.g. "displayname". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
* ATTRA_MEMBER_OF => Attribute name for the user's groups, e.g. "memberof". This only applies if your
* CAS server returns attributes in a SAML-1.1 or CAS-2.0 response.
*
* NOTE: Any subclass MUST call parent::init($args) to ensure proper operation
*
*/
public function init($args)
{
parent::init($args);
// include the PHPCAS library
if (empty($args['CAS_PHPCAS_PATH'])) {
require_once 'CAS.php';
} else {
require_once $args['CAS_PHPCAS_PATH'] . '/CAS.php';
}
if (!empty($args['CAS_DEBUG_LOG'])) {
phpCAS::setDebug($args['CAS_DEBUG_LOG']);
}
if (empty($args['CAS_PROTOCOL'])) {
throw new KurogoConfigurationException('CAS_PROTOCOL value not set for ' . $this->AuthorityTitle);
}
if (empty($args['CAS_HOST'])) {
throw new KurogoConfigurationException('CAS_HOST value not set for ' . $this->AuthorityTitle);
}
if (empty($args['CAS_PORT'])) {
throw new KurogoConfigurationException('CAS_PORT value not set for ' . $this->AuthorityTitle);
}
if (empty($args['CAS_PATH'])) {
throw new KurogoConfigurationException('CAS_PATH value not set for ' . $this->AuthorityTitle);
}
if (empty($args['CAS_PROXY_INIT'])) {
phpCAS::client($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);
} else {
phpCAS::proxy($args['CAS_PROTOCOL'], $args['CAS_HOST'], intval($args['CAS_PORT']), $args['CAS_PATH'], false);
if (!empty($args['CAS_PROXY_TICKET_PATH']) && !empty($args['CAS_PROXY_TICKET_DB_DSN'])) {
throw new KurogoConfigurationException('Only one of CAS_PROXY_TICKET_PATH or CAS_PROXY_TICKET_DB_DSN may be set for ' . $this->AuthorityTitle);
}
if (!empty($args['CAS_PROXY_TICKET_PATH'])) {
if (version_compare(PHPCAS_VERSION, '1.3', '>=')) {
phpCAS::setPGTStorageFile($args['CAS_PROXY_TICKET_PATH']);
} else {
phpCAS::setPGTStorageFile('', $args['CAS_PROXY_TICKET_PATH']);
}
}
if (!empty($args['CAS_PROXY_TICKET_DB_DSN'])) {
$user = $pass = $table = $driver_opts = '';
if (!empty($args['CAS_PROXY_TICKET_DB_USER'])) {
$user = $args['CAS_PROXY_TICKET_DB_USER'];
}
if (!empty($args['CAS_PROXY_TICKET_DB_PASS'])) {
$pass = $args['CAS_PROXY_TICKET_DB_PASS'];
}
if (!empty($args['CAS_PROXY_TICKET_DB_TABLE'])) {
$table = $args['CAS_PROXY_TICKET_DB_TABLE'];
}
if (!empty($args['CAS_PROXY_TICKET_DB_DRIVER_OPTS'])) {
$driver_opts = $args['CAS_PROXY_TICKET_DB_DRIVER_OPTS'];
}
phpCAS::setPGTStorageDb($args['CAS_PROXY_TICKET_DB_DSN'], $user, $pass, $table, $driver_opts);
}
if (!empty($args['CAS_PROXY_FIXED_CALLBACK_URL'])) {
phpCAS::setFixedCallbackURL($args['CAS_PROXY_FIXED_CALLBACK_URL']);
}
}
if (empty($args['CAS_CA_CERT'])) {
phpCAS::setNoCasServerValidation();
} else {
phpCAS::setCasServerCACert($args['CAS_CA_CERT']);
}
// Record any attribute mapping configured.
if (!empty($args['ATTRA_EMAIL'])) {
CASUser::mapAttribute('Email', $args['ATTRA_EMAIL']);
}
if (!empty($args['ATTRA_FIRST_NAME'])) {
CASUser::mapAttribute('FirstName', $args['ATTRA_FIRST_NAME']);
}
if (!empty($args['ATTRA_LAST_NAME'])) {
CASUser::mapAttribute('LastName', $args['ATTRA_LAST_NAME']);
}
if (!empty($args['ATTRA_FULL_NAME'])) {
CASUser::mapAttribute('FullName', $args['ATTRA_FULL_NAME']);
}
// Store an attribute for group membership if configured.
if (!empty($args['ATTRA_MEMBER_OF'])) {
CASUser::mapAttribute('MemberOf', $args['ATTRA_MEMBER_OF']);
}
}
