====================================================================
MOD_AUTH_CAS 1.0.7 README
====================================================================
Apache CAS Authentication Module

====================================================================
LICENSE
====================================================================
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

====================================================================
INTRODUCTION 
====================================================================
The purpose of this module is to allow an Apache web server to interact
with an authentication server that conforms to the CAS version 1 or 2
protocol as specified by Yale/JA-SIG.  At the time of this writing, the CAS
protocol specification is here:

http://www.ja-sig.org/products/cas/overview/protocol/index.html

====================================================================
NEW FEATURES AND FUNCTIONS IN THIS RELEASE 
====================================================================
* Improved Apache version detection based on the contents of
  ap_release.h
* Cookies are now stored in an XML format, making the data
  stored more easily extensible for possible future attribute
  delivery.
* (broken) support for CAS 3.1 server's single sign out via SAML
  logoutRequest
* CASCookieDomain directive
* CASHttpOnly directive
* Autoconf by Matt

====================================================================
BUG FIXES 
====================================================================
* When setting a VHOST-wide variable in both the global Apache
  config and then setting a variable inside a VirtualHost,
  configuration settings were reset to default inside the VHost.
  This is now fixed.

====================================================================
KNOWN LIMITATIONS
====================================================================
These limitations are known to exists in this release of the software:

* CAS Proxy Validation is not implemented in this version.

* CAS Ticket Validation can only be performed over an SSL connection.
  The CAS protocol does not explicitly require this, but to not do so
  leaves this system open to a man-in-the-middle attack.

* CAS single sign out is currently not functional and disabled.  It
  is only safe to use in the case where all requests are GET and not
  POST (the module inadvertently 'eats' some content of the POST
  request while determining if it should process it as a SAML logout
  request).

====================================================================
GETTING STARTED
====================================================================

SOFTWARE DEPENDENCIES
--------------------------------------------------------------------
The module was built and tested on the following libraries/versions:

OpenSSL - 0.9.8c
Apache Portable Runtime - 1.2.8
Apache Portable Runtime Utilities - 1.2.7
Apache Web Server - 2.2.3

Compatibility with other versions will depend on those other libraries.

INSTALLATION INSTRUCTIONS
--------------------------------------------------------------------
Ensure that the follow files are in the working directory:
mod_auth_cas.c
mod_auth_cas.h

COMPILE INSTRUCTIONS
--------------------------------------------------------------------
Use the APache eXtenSion tool (APXS) to compile and install this 
object as a dynamically shared object (DSO), by either:

apxs -i -c mod_auth_cas.c
or
apxs2 -i -c mod_auth_cas.c

depending on your Linux distribution.

This release of mod_auth_cas includes support for autoconf.  Use the
standard commands below to compile and install:

./configure; make; make install

configure can take an optional --with-apxs=/path/to/apxs argument to
specify the path to your APXS binary.

CONFIGURING THE SOFTWARE
--------------------------------------------------------------------
First, you must tell Apache to load the module.  In your httpd.conf,
add:

LoadModule auth_cas_module /path/to/mod_auth_cas.so

Then, in the location(s) you want to protect, use the following
directive:

AuthType CAS

Be sure to set authorization parameters in the locations you
are protecting(e.g. 'require valid-user', 'require group foo')

The following are valid configuration options and their default:

Valid Server/VirtualHost Directives
-----------------------------------
Directive: 	CASVersion
Default:	2
Description:	The version of the CAS protocol to adhere to (1 or 2).
		This affects whether Gateway mode is available and how
		the CAS validation response is parsed.

Directive: 	CASDebug
Default:	Off
Description:	Enable or disable debugging mode for troubleshooting.

Directive: 	CASValidateServer
Default:	On
Description:	If set to 'On', mod_auth_cas will validate that the certificate
		presented by the server specified in CASLoginURL is both
		signed by the Certificate Authority specified in CASCertificatePath
		and that the hostname matches the Common Name of the certificate.

Directive:	CASValidateDepth
Default:	9
Description:	This directive will set the maximum depth for chained certificate
		validation.  The default (according to OpenSSL documentation) is 9.

Directive:	CASAllowWildcardCert
Default:	Off
Description:	This directive determines whether a wildcard certificate can be trusted
		to verify the CAS server.  For instance, if the CAS server presents a
		certificate for *.example.com and the hostname portion of the CASValidateURL
		is 'cas.login.example.com', this directive (if enabled) will accept that
		certificate.

Directive: 	CASCertificatePath
Default:	/etc/ssl/certs/
Description:	The path to the X509 certificate of the Certificate Authority for
		the server in CASLoginURL and CASValidateURL.  This may be either
		a file, or a directory containing the certificate files linked to
		by their hashed names.

Directive: 	CASLoginURL
Default:	NULL
Description:	The URL to redirect users to when they attempt to access a CAS
		protected resource and do not have an existing session.  The
		'service', 'renew', and 'gateway' parameters will be appended to
		this by mod_auth_cas if necessary.  Include 'http[s]://...'

Directive: 	CASValidateURL
Default:	NULL
Description:	The URL to use when validating a ticket presented by a client in
		the HTTP query string (ticket=...).  Must include 'https://' and
		must be an HTTPS URL.

Directive: 	CASProxyValidateURL
Default:	NULL
Description:	The URL to use when performing a proxy validation.  This is currently
		an unimplemented feature, so setting this will have no effect.

Directive: 	CASCookiePath
Default:	/dev/null
Description:	When users first authenticate to mod_auth_cas with a valid service ticket,
		a local session is established.  Information about this session (the
		username, time of creation, last activity time, the resource initially
		requested, and whether or not the credentials were renewed) is stored
		in this directory.  This location should be writable by the web server ONLY.
		Any user that can write to this location can falsify authentication information
		by creating a fake data file.
		NOTE : Some distributions purge the contents of /tmp/ on a reboot, including
		user created directories.  This will prevent mod_auth_cas from storing
		cookie information until that directory is created.  To avoid this, try
		using a different location, such as /var/cache/apache2/mod_auth_cas/

Directive: 	CASCookieEntropy
Default:	32
Description:	When creating a local session, this many random bytes are used to
		create a unique session identifier.  Using large values for this
		field may result in delays when generating session IDs if not
		enough entropy is available.

Directive: 	CASTimeout
Default:	7200 (2 hours)
Description:	This is the hard limit, in seconds, for a mod_auth_cas session (whether
		it is idle or not).  When a session has reached this age and a new
		request is made, the user is redirected to the CASLoginURL to
		obtain a new service ticket.  When this new ticket is validated,
		they will be assigned a new mod_auth_cas session.

Directive: 	CASIdleTimeout
Default:	3600 (1 hour)
Description:	This is a limit, in seconds, of how long a mod_auth_cas session can be idle.
		When a request comes in, if it has been inactive for CASIdleTimeout
		seconds, the user is redirected to the CASLoginURL to obtain a new
		service ticket.

Directive: 	CASCacheCleanInterval
Default:	1800 (30 minutes)
Description:	This is the minimum amount of time that must pass inbetween cache
		cleanings.  When a new ticket is issued, or when an expired session
		is presented, the time of the last cache clean is compared against
		this value.  If CASCacheCleanInterval seconds have passed since the
		last cleaning, then all files in CASCookiePath are examined and if
		they have expired, they are removed.  This is merely to prevent the
		file system from becoming excessively cluttered.

Directive:	CASCookieDomain
Default:	NULL
Description:	Specify the value for the 'Domain=' parameter in the Set-Cookie header.

Directive:	CASCookieHttpOnly
Default:	Off
Description:	Set the optional 'HttpOnly' flag for cookies issues by mod_auth_cas.
		This parameter may break RFC compliance since HttpOnly is not defined
		in RFC 2109.  See http://msdn2.microsoft.com/en-us/library/ms533046.aspx
		for more information.  Please note this feature is not honored by all
		browsers.

Valid Directory/.htaccess Directives
------------------------------------
Directive:	CASScope
Default:	Off	
Description:	Use this directive with an argument as a relative path (e.g. /application/) to specify
		the scope for which a mod_auth_cas cookie is valid.  This is beneficial to prevent
		additional round trips to the CAS server.  Assume someone authenticates to /application/subdir/
		and then browses to /application/ - without CASScope set, each request would result in
		a round trip to the CAS server and a new cookie being created (one for each directory).
		CASScope would set one cookie, which will be presented on access to both directories.
		Note that if someone accessed /application/ and then /application/subdir/ this would not
		be an issue, but that order of access can not be guaranteed.  To disable this feature,
		the special argument 'Off' will return to per-directory cookie paths for this directory
		and subdirectories.

Directive: 	CASRenew
Default:	Off
Description:	Use this directive with an argument as a relative path (e.g. /application/secure/
		for http://www.example.com/application/secure/*) to force a user to renew their
		credentials when accessing that directory.  The argument MUST be a relative path.
		To disable this requirement, the special argument 'Off' will disable this requirement
		for this directory and subdirectories.

Directive: 	CASGateway
Default:	Off
Description:	Use this directive with an argument as a relative path (e.g. /application/insecure/
		for http://www.example.com/application/insecure/*) to allow anonymous access to that directory.
		The argument MUST be a relative path. To disable this feature, the special argument 'Off'
		will reinstate the requirement for authentication.

Directive: 	CASCookie
Default:	MOD_AUTH_CAS
Description:	The name of the cookie used to store the session ID over HTTP connections.
		It should be changed if it will interfere with the application protected
		by mod_auth_cas.

Directive: 	CASSecureCookie
Default:	MOD_AUTH_CAS_S
Description:	The name of the cookie used to store the session ID over HTTPS connections.
		It should be changed if it will interfere with the application protected
		by mod_auth_cas.

Directive: 	CASGatewayCookie
Default:	MOD_AUTH_CAS_G
Description:	The name of the cookie used to store whether or not the user has attempted
		to access this resource before.  It should be changed if it will interfere
		with the application protected by mod_auth_cas.

Directive:	CASAuthNHeader
Default:	None
Description:	If enabled, this will store the user returned by CAS in an HTTP header
		accessible to your web applications.

====================================================================
CONTRIBUTORS 
====================================================================  
Author:
Phil Ames 	<modauthcas [at] gmail [dot] com>

Designers:
Phil Ames 	<modauthcas [at] gmail [dot] com>
Matt Smith 	<matt [dot] smith [at] uconn [dot] edu>

Portions of this module are based on code from a CAS module by Yale.
See comments in mod_auth_cas.c

====================================================================
CONTACT INFORMATION AND WEBSITE
====================================================================
We welcome your feedback, suggestions and contributions. Contact us
via email if you have questions, feedback, code submissions, 
and bug reports.

====================================================================
