[Building Sakai] Check CAS on initial access

Matthew Buckett matthew.buckett at oucs.ox.ac.uk
Sun Nov 15 03:23:20 PST 2009


2009/11/13  <carl.hall at et.gatech.edu>:
> Is there a way to check a CAS ticket when a user first accesses a Sakai instance?  We're beginning to set up with a campus
> SSO and would like our users to not have to click login only to be rerouted to their own Workspace (assuming they've logged
> into some other campus service) but to be taken to their Workspace directly on first access or the guest Workspace if not
> authenticated.

Our campus SSO isn't CAS but we had a similar(ish) setup where we
didn't want people to have to click on the login link. We run two VLE
services behind one domain (weblearn.ox.ac.uk). The old Bodington
based one and the new Sakai one. They are both implemented in Java but
run on different worker nodes in our cluster and have different
sessions and session cookies.

We don't require everyone to login before visiting our VLE so we can't
just force people to login to start with. Our campus SSO solution is
WebAuth and we can't detect if someone has already successfully logged
through WebAuth to another service. But what we wanted was, once you'd
logged into one VLE you would get logged into the other.

To do this we set a cookie when someone successfully logs in. In Sakai
we wrote an extra filter for the login tool to do this:

http://git-repo.oucs.ox.ac.uk/cgi-bin/gitweb.cgi?p=repos/local-version/sakai/login.git;a=blob;f=login-tool/tool/src/java/org/sakaiproject/login/tool/WACookieFilter.java;h=7d54635112842b837c5adadaded1f6ebe9f4fa3d;hb=HEAD

Then we also have an additional filter which is applied to normal
requests (/access, /portal, /web) which checks to see if the current
user has a successful login cookie and if they are not logged in
redirects them to the login tool.

http://git-repo.oucs.ox.ac.uk/cgi-bin/gitweb.cgi?p=repos/local-version/sakai/kernel.git;a=blob;f=api/src/main/java/org/sakaiproject/util/OptimisticLogin.java;h=6b7d5859c8f0e3b4fc8c64a1361eab68b84e3d7d;hb=refs/heads/kernel-1.0.x

We also have similar code in Bodington doing setting of a cookie after
login and checking all requests for the cookie and if good
redirecting.

We have some changes in the login tool so some of this might not work
on a standard Sakai deployment, but it might be an approach to look
into. I don't know if any of the CAS cookies are set on the
institutional domain and so accessible from a Sakai deployment. One
problem with setting cookies on the institutional domain is that any
webapp running in the institution will have both read/write access to
that cookie so they can't be used to store sensitive data.

-- 
  Matthew Buckett
  VLE Developer, LTG, Oxford University Computing Services
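
The cookie-hint redirect described in the message above, as an added sketch that is not part of the original post and is not the code at either linked URL. The class name, the cookie name `vle_login_hint`, the `optimistic.tried` marker and the one-redirect-per-session loop guard are assumptions; the cookie is treated purely as a hint because, as the post notes, any webapp on the institutional domain can read and write it.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration; class, cookie and marker names are hypothetical, not Sakai's.
public class OptimisticLoginSketch {
    enum Action { CONTINUE, REDIRECT_TO_LOGIN }

    // Request paths the post says the additional filter is applied to.
    static final List<String> CHECKED_PREFIXES = List.of("/access", "/portal", "/web");
    static final String HINT_COOKIE = "vle_login_hint";     // assumed cookie name
    static final String TRIED_MARKER = "optimistic.tried";  // assumed server-side marker

    /**
     * cookies: name -> value exactly as sent by the browser (not trustworthy).
     * session: mutable server-side state for this browser session.
     */
    static Action decide(String path, boolean loggedIn,
                         Map<String, String> cookies, Map<String, Object> session) {
        if (loggedIn) {
            return Action.CONTINUE;                  // nothing to do
        }
        boolean checked = CHECKED_PREFIXES.stream()
                .anyMatch(p -> path.equals(p) || path.startsWith(p + "/"));
        if (!checked) {
            return Action.CONTINUE;                  // e.g. static resources
        }
        // Presence only: the value is never parsed or used to pick a user,
        // because any webapp on the shared domain could have written it.
        if (!cookies.containsKey(HINT_COOKIE)) {
            return Action.CONTINUE;                  // anonymous guest access stays possible
        }
        // Loop guard: a stale or planted cookie costs one redirect per session.
        if (session.putIfAbsent(TRIED_MARKER, Boolean.TRUE) != null) {
            return Action.CONTINUE;
        }
        return Action.REDIRECT_TO_LOGIN;             // the SSO login does the real authentication
    }

    public static void main(String[] args) {
        Map<String, String> hinted = Map.of(HINT_COOKIE, "1");  // constructed sample cookie
        Map<String, Object> session = new HashMap<>();
        System.out.println(decide("/portal/site/x", false, hinted, session));    // first request
        System.out.println(decide("/portal/site/x", false, hinted, session));    // same session again
        System.out.println(decide("/portal", false, Map.of(), new HashMap<>())); // no hint cookie
        System.out.println(decide("/library/skin.css", false, hinted, new HashMap<>()));
    }
}
```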

