anz.casclient 1.1.1

=====================
anz.casclient README
=====================

:author: jiangdongjin
:contact: eastxing@gmail.com
:date: 2010/09/25
:abstract: This is a Zope PAS plugin that authenticates users against a
CAS (Central Authentication Service) server.

.. contents::
.. sectnum::

Introduction
============
anz.casclient is a PAS plugin that authenticates users against a CAS
(Central Authentication Service) server.

Overview
========
anz.casclient implement a new PAS plugin 'Anz CAS Client'. It enabling you
to integrate your Zope sites into your CAS SSO solutions.

Credits
========
Thanks to those guys who developed the following products, without your
works anz.casclient will never happen.

- CAS_
- `JA-SIG CAS Client for Java 3.1`_
- CAS4PAS_

.. _CAS: http://www.jasig.org/cas
.. _`JA-SIG CAS Client for Java 3.1`: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1
.. _CAS4PAS: http://plone.org/products/cas4pas

Comparison with CAS4PAS
=======================
CAS4PAS is the first(if not the only)CAS client used in Zope world, but it
has only implemented partial CAS
`protocol <http://www.jasig.org/cas/protocol>`_, so comes anz.casclient.

anz.casclient have some advantages:

- anz.casclient provides full CAS 1.0/2.0 protocol implementation.
- anz.casclient implemented Single-Sign-Out.
- anz.casclient provides a framework that similar as the official java
client implementation, this will make it easy to follow the evolution of
CAS client.

Requirements
============
- Plone 3 or Plone 4
- ZODB3>=3.8.3 (test under 3.8.3 only)
- zope.proxy>=3.4.1 (test under 3.4.1 only)
- zope.bforest

Installation
============
To install anz.casclient into the global Python environment (or a
workingenv), using a traditional Zope 2 instance, you can do this:

* When you're reading this you have probably already run
``easy_install anz.casclient``. Find out how to install setuptools
(and EasyInstall) here:
http://peak.telecommunity.com/DevCenter/EasyInstall

* Create a file called ``anz.casclient-configure.zcml`` in the
``/path/to/instance/etc/package-includes`` directory. The file
should only contain this::

<include package="anz.casclient" />

Alternatively, if you are using zc.buildout and the
plone.recipe.zope2instance recipe to manage your project, you can do this:

* Add ``anz.casclient`` to the list of eggs to install, e.g.:

::

[buildout]
...
eggs =
...
anz.casclient

* Tell the plone.recipe.zope2instance recipe to install a ZCML slug:

::

[instance]
recipe = plone.recipe.zope2instance
...
zcml =
anz.casclient

* Re-run buildout, e.g. with:

::

$./bin/buildoutYoucanskiptheZCMLslugifyouaregoingtoexplicitlyincludethepackagefromanotherpackag{e}^{\prime }sconfigure.zcmlfile.Howtouseanz.casclient========================Creat{e}^{\prime }AnzCASClien{t}^{\prime }plugin------------------------------GointoZMI,yourplonesite{\text{acl}}_{u}sers,adda{n}^{\prime }AnzCASClien{t}^{\prime }instance,chooseanyIdyoulike,weinpu{t}^{\prime }an{z}_{c}asclien{t}^{\prime }forexample.Configur{e}^{\prime }AnzCASClien{t}^{\prime }plugin---------------------------------Gointoyourplonesite{\text{acl}}_{u}sers{\text{anz}}_{c}asclient,i{n}^{\prime }Activ{e}^{\prime }tabactiveallfourinterface.Clic{k}^{\prime }Authenticatio{n}^{\prime }toconfigur{e}^{\prime }AuthenticationPlugin{s}^{\prime },mov{e}^{\prime }an{z}_{c}asclien{t}^{\prime }tothetop.Clic{k}^{\prime }Challeng{e}^{\prime }toconfigur{e}^{\prime }ChallengePlugin{s}^{\prime },mov{e}^{\prime }an{z}_{c}asclien{t}^{\prime }tothetop.Clic{k}^{\prime }Extractio{n}^{\prime }toconfigur{e}^{\prime }ExtractionPlugin{s}^{\prime },mov{e}^{\prime }an{z}_{c}asclien{t}^{\prime }tothetop.Goint{o}^{\prime }Propertie{s}^{\prime }tabtoconfigureCASrelatedproperties.=======================================================================PropertyRequiredNoteserviceUrlFalseAnidentifyofcurrentservice.CASwillredirectstohereafterlogin.Setthisexplicitlybutnotdetermineitautomaticallyfromrequestmakesusgetmoresecurityassurance.See‘here<https://wiki.jasig.org/display/CASC/CASFilter>{‘}_{.}casServerUrlPrefixTrueThestartoftheCASserverURL.useSessionFalseWhethertostoretheAssertioninsessionornot.Ifsessionsarenotused,proxygrantingticketwillberequiredforeachrequest.DefaultsettoTrue.renewFalseIfsettoTrue,CASwillaskuserforcredentialsagaintoauthenticate,thismaybeusedforhigh-securityapplications.DefaultsettoFalse.gatewayFalseIfsettoTrue,CASwillnotasktheuserforcredentials.Iftheuserhasapre-existingsinglesign-onsessionwithCAS,orifasinglesign-onsessioncanbeestablishedthroughnon-interactivemeans(i.e.trustauthentication),CASMAYredirecttheclienttotheURLspecifiedbythe"service"parameter,appendingavalidserviceticket.(CASalsoMAYinterposeanadvisorypageinformingtheclientthataCASauthenticationhastakenplace.)Iftheclientdoesnothaveasinglesign-onsessionwithCAS,andanon-interactiveauthenticationcannotbeestablished,CASMUSTredirecttheclienttotheURLspecifiedbythe"service"parameterwithno"ticket"parameterappendedtotheURL.Ifthe"service"parameterisnotspecifiedand"gateway"isset,thebehaviorofCASisundefined.ItisRECOMMENDEDthatinthiscase,CASrequestcredentialsasifneitherparameterwasspecified.Thisparameterisnotcompatiblewiththe"renew"parameter.BehaviorisundefinedifbotharesettoTrue.Seedetails‘her{e}_{<}http://www.jasig.org/cas/client-integration/gateway>{‘}_{.}ticketValidationSpecificationTrueUsewhichCASprotocoltovalidateticket.oneof{[}^{\prime }CAS{1.0}^{\prime }{,}^{\prime }CAS{2.0}^{\prime }]proxyCallbackUrlPrefixFalseThestartoftheproxycallbackurl.Youshouldsetitpointtocurrentpluginwithprotoco{l}^{\prime }http{s}^{\prime }.Theresulturlwillb{e}^{\prime }proxyCallbackUrlPrefix/proxyCallbac{k}^{\prime }.Ifset,itmeansthisservicewillbeusedasaproxiertoaccessback-endserviceonbehalfofaparticularuser.acceptAnyProxyFalseWhetheranyproxyisOK.AllowedProxyChainsFalseAllowedproxychains.Eachacceptableproxychainshouldincludeaspace-separatedlistofURLs.TheseURLsareproxie{r}^{\prime }sproxyCallbackUrl.=======================================================================Exampleconfigures:-Se{t}^{\prime }serviceUr{l}^{\prime }t{o}^{\prime }http://myplonesitedomain:port/plon{e}^{\prime }-Se{t}^{\prime }casServerUrlPrefi{x}^{\prime }t{o}^{\prime }https://mycasserverdomain:port/ca{s}^{\prime }-Se{t}^{\prime }useSessio{n}^{\prime }toTrue-Se{t}^{\prime }rene{w}^{\prime }toFalse-Se{t}^{\prime }gatewa{y}^{\prime }toFalse-Se{t}^{\prime }ticketValidationSpecificatio{n}^{\prime }t{o}^{\prime }CAS{2.0}^{\prime }-Se{t}^{\prime }proxyCallbackUrlPrefi{x}^{\prime }t{o}^{\prime }https://myplonesitedomain:port/plone/ac{l}_{u}sers/an{z}_{c}asclien{t}^{\prime }-Se{t}^{\prime }acceptAnyProx{y}^{\prime }toFalse-Se{t}^{\prime }AllowedProxyChain{s}^{\prime }toNoneConfigur{e}^{\prime }CASlogi{n}^{\prime }entrance------------------------------Ifyouus{e}^{\prime }Logi{n}^{\prime }linkattheupper-rightofthePlonepagetologin,youshouldhidethestockPlon{e}^{\prime }Logi{n}^{\prime }actionfirst.Thenaddanewonename{d}^{\prime }CASlogi{n}^{\prime }there,setURL(Expression)to\ast {\ast }^{\prime }string:${globals_view/navigationRootUrl}/caslogin'**

Then add a Script(Python) named '**caslogin**' into 'portal_skins/custom',
its contents looks like:

::

## Script (Python) "caslogin"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=CAS Login
##
request = container.REQUEST

portal = context.portal_url.getPortalObject()
plugin = portal.acl_users.anz_casclient

if plugin.casServerUrlPrefix:
url = plugin.getLoginURL() + '?service=' + plugin.getService()
if plugin.renew:
url += '&renew=true'
if plugin.gateway:
url += '&gateway=true'

request.RESPONSE.redirect( url, lock=1 )

If you use 'login portlet' to login, you should remove the stock Plone
'login portlet' first so as not to confuse users. Then you should write a
new 'CAS login portlet' to authenticate users against CAS or customize
collective.castle_ to work with anz.casclient.

.. _collective.castle: http://plone.org/products/collective.castle/

Configure 'CAS logout' entrance
-------------------------------
If you use 'Log out' link at the upper-right of the Plone page to logout,
you should hide the stock Plone 'Log out' action first. Then add a new one
named 'CAS log out' there, set URL(Expression) to
**'string:${globals_view/navigationRootUrl}/caslogout'**

Then add a Script(Python) named '**caslogout**' into 'portal_skins/custom',
its contents looks like:

::

## Script (Python) "caslogout"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=
##title=CAS Logout
##
from Products.CMFCore.utils import getToolByName

request = container.REQUEST
portal = context.portal_url.getPortalObject()
cas_client_plugin = portal.acl_users.anz_casclient

mt = getToolByName( context, 'portal_membership' )
mt.logoutUser( REQUEST=request )

request.RESPONSE.redirect( cas_client_plugin.casServerUrlPrefix + '/logout' )

How to use proxy authentication
===============================
Proxy authentication is added by CAS 2.0, for the reason why do we need
it, you can see the details `here. <http://www.jasig.org/cas/proxy-authentication>`_


1. Create two plone sites in one Zope instance, called them **plone** and
**backend**.
2. Create and configure 'Anz CAS Client' plugin on them(make sure both sites
can authenticate users against your CAS server).
3. anz.casclient carried a simple example to show how to use it, but it need
you to do a little customization. Open
**anz.casclient\anz\casclient\proxyauthexample\view.py** with your
favorite editor, find **__init__** method and modify it to suit your
situation:

::

def __init__( self, context, request ):
super(ProxyAuthExampleView, self).__init__( context, request )

# eg. http://xx.xx.xx.xx:8080/backend
self.BACK_END_SERVICE_URL = 'http://{domain of your zope instance}:{port}/backend'

# eg. /plone/acl_users/anz_casclient
self.PATH_TO_PROXIER_PLUGIN = '/plone/acl_users/anz_casclient'

# eg. /backend/acl_users/anz_casclient
self.PATH_TO_BACK_END_PLUGIN = '/backend/acl_users/anz_casclient'

4. After that restart your Zope, open a browser and login into site
**plone** ( suppose user name is **tom** ).
5. Modify location in your browser to
**http://{domain of your zope instance}:{port}/plone/@@proxyAuthExample/getUserInfoFromTargetService**
and click Enter, if all things goes well, you'll see:

::

Hello, tom!


SAML service ticket validation
==============================
From version 1.1, the server is able to connect to a CAS server 3.x and above
and validate the service ticket (ST) against the CAS server using SAML, in order
to retrieve the extra fields for the authenticated user that the CAS server may
be providing. To use his feature, it's required to configure the plugin to use
the SAML validation by configuring the **SAMLValidate** property to ``True``.

In order to do something with the retrieved properties an event
``ISAMLPropertiesExist`` is emmited for a subscriber to be hooked into it.


ToDo
====
* Add automation tests ( I really don't know how to automation test this
kind of package :) )

Changelog
=========

1.1.1 (2015-08-06)
----------------

- Fix release.


1.1 (2015-08-06)
----------------
- Fixed a problem in Plone 4.3 that forces to cast the resultant username to an
str before passing it to plone.session for session creation. It's needed to
cast username which is an unicode type to an str as plone.session does a
direct concatenation of unicode username and other string types that leads to
an UnicodeDecode error otherwise. It's needed to address plone.session to do
not so. Meanwhile, casting the username assumes that there are non ascii
chars in it [sneridagh]

- Fixed a problem when used in a Zope/ZEO environment with multiple Zope
clients. Make it work using the default Plone session factory solved the
problem. [sneridagh]

- Clean paster plugins in setup.py [sneridagh]

- Add an extra validation for CAS2.0 service ticket via SAML. This enables the
extraction of extra user properties. [sneridagh]

1.0.1
-----

- Update to support Plone4.

Note: When used under Plone3, please pin products version like this::

ZODB3==3.8.3
zope.proxy==3.4.1

1.0
---

- Initial release