Symfony CAS Client

To CASify a Symfonyapplication, first install phpCAS. Then, in your application's lib folder, create sfCASRequiredFilter.class.php with this:

<?php
class sfCASRequiredFilter extends sfSecurityFilter
{
  public function execute ($filterChain)
  {
    if ($this->isFirstCall()) {
        require_once('phpCAS/CAS.php');
        // phpCAS::setDebug();

        phpCAS::client(CAS_VERSION_2_0,$this->getParameter('server_domain'), $this->getParameter('server_port'), $this->getParameter('server_path'));

        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} about to force auth');
        phpCAS::forceAuthentication();
        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} auth is good');

        $this->getContext()->getUser()->setAuthenticated(true);
        $this->getContext()->getUser()->setAttribute('username', phpCAS::getUser(), 'cas');
        $this->getContext()->getUser()->addCredential('username_'.phpCAS::getUser());
    }

    # if not initially authorized, sfBasicSecurityFilter sets $controller->forward(sfConfig::get('sf_login_module'), sfConfig::get('sf_login_action'));
    # so we re-dispatch since we are already authorized
    # copied from sfFrontWebController's dispatch()
    $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} configs are ' . sfConfig::get('sf_login_module') . '/' . sfConfig::get('sf_login_action'));
    if ($this->getContext()->getModuleName() == sfConfig::get('sf_login_module')
            && $this->getContext()->getActionName() == sfConfig::get('sf_login_action')) {

        $request    = $this->getContext()->getRequest();
        $moduleName = $request->getParameter('module');
        $actionName = $request->getParameter('action');
        $this->getContext()->getLogger()->debug('{sfCASRequiredFilter} forwarding to ' . $moduleName . '/' . $actionName);
        $this->getContext()->getController()->forward($moduleName, $actionName);
    }

    // Execute next filter in the chain
    $filterChain->execute();
  }
}
?>

Then in your app's config/filters.yml we need to add and configure this CAS filter. In filters.yml before the 'security' filter, add the following (using the appropriate params for the CAS server you authenticate to):

cas_required:
  class: sfCASRequiredFilter
  param:
    # https://auth.mydomain.edu/cas/
    server_domain: auth.mydomain.edu
    server_port: 443
    server_path: cas

In config/security.yml we enter the following

# for all modules
default:
  # require authentication, which our CAS filter will provide
  is_secure: on
  # allow only 3 specific users
  # double brackets means "or", single brackets means "and"
  credentials: [[username_d0501175, username_j0121968, username_l0004709]]

# need this to prevent infinite internal forwarding (don't have to be secured to see the "you need to be secured" page)
login:
  is_secure: off
secure:
  is_secure: off

In config/settings.yml make sure that use_security is not set to off. The default is on, which is good.

Finally, the secureSuccess.php template is used when authorization is not given (the user authenticates, but is not in our list of users). However the symfony packaged secureSuccess.php says login required, instead of permissions required (which doesn't make sense.. it seems like they got secureSuccess.php and loginSuccess.php reversed). Anyway, you'll want to customize secureSuccess.php so that when unauthorized users reach it they see your logo not symfony's logo. To do that, go to your app's modules/ folder. Create a default/ folder if one doesn't exist, and within that a templates/ folder. Then create a secureSuccess.php in it. You can use $PEAR_HOME/data/symfony/modules/default/templates/loginSuccess.php as a base if you want.

To access a user name in your code:

$this->getContext()->getUser()->getAttribute('username', null, 'cas');

Symfony CAS Client

Labels