CAS + ColdFusion

Posted by Quinn Madson | Posted on 9:24 AM


The example available from JA-SIG is some of the ugliest code I've seen lately. This is what I came up with (based on their example code):
Application.cfm

<cfapplication name="my_awesome_app_name_here"
               clientmanagement="yes" sessionmanagement="yes"
               setclientcookies="yes" setdomaincookies="no"
               loginstorage="session">

index.cfm

<!--- globals --->
<cfparam name="url.ticket" default="">
<cfparam name="username" default="">
<cfparam name="url.action" default="">
<cfscript>
    cas_path = "https://cas-server.example.edu/cas/";
    app_path = "https://coldfusion-server.example.edu/path/to/this/app/";
    // the service value must be URL-encoded, and the identical value must be sent
    // to both login and serviceValidate or CAS will reject the ticket
    cas_url = cas_path & "login?service=" & urlEncodedFormat(app_path);
</cfscript>

<!--- session init (cfparam writes to the session scope, so the lock has to be exclusive) --->
<cflock timeout="10" scope="session" type="exclusive">
    <cfparam name="session.username" default="">
    <cfparam name="session.authorized" default="0">
</cflock>

<!--- logout action --->
<cfif url.action eq "logout">
    <!--- session reset --->
    <cflock scope="session" timeout="30" type="exclusive">
        <cfset session.username = "">
        <cfset session.authorized = "0">
    </cflock>

    <cfset cas_url = cas_path & "logout">
    <cflocation url="#cas_url#" addtoken="no">

<cfelse>
    <!--- auth check --->
    <cfif not len(trim(session.username))>
        <cfif not len(trim(url.ticket))>
            <!--- no session and no ticket: send the browser to CAS with this app as the service --->
            <cflocation url="#cas_url#" addtoken="no">
        <cfelse>
            <!--- ticket present: validate it server to server; cas_url stays the login URL for the failure redirect --->
            <cfset validate_url = cas_path & "serviceValidate?ticket=" & urlEncodedFormat(url.ticket) & "&service=" & urlEncodedFormat(app_path)>
            <cfhttp url="#validate_url#" method="get"/>
            <cfset objXML = xmlParse(cfhttp.filecontent)>
            <cfset SearchResults = XmlSearch(objXML, "cas:serviceResponse/cas:authenticationSuccess/cas:user")>

            <cfif arraylen(SearchResults)>
                <!--- debug output: remove before going live --->
                Raw XML:<cfdump var="#cfhttp.filecontent#">
                <cfdump var="#objXML#" label="CAS Results">
                <cfdump var="#SearchResults#" label="Parsed CAS Results">
                <cfset username = SearchResults[1].XmlText>
                <cflock scope="session" timeout="30" type="exclusive">
                    <cfset session.username = username>
                    <cfset session.authorized = "1">
                </cflock>
            <cfelse>
                <!--- CAS rejected the ticket: start over at the CAS login page --->
                <cflocation url="#cas_url#" addtoken="no">
            </cfif>
        </cfif>
    </cfif>

    <cfif structKeyExists(url, "accessdenied")>
        Access Error
    <cfelse>
        Authenticated.<br/>
        <cfdump var="#session#" label="ColdFusion Session Object">
        <a href="?action=logout">Logout</a><br/>
    </cfif>
</cfif>

Honestly, it's a pretty simple process:
  • Check for a ColdFusion session
  • If one doesn't exist, redirect to CAS and provide a callback URL
  • When CAS redirects back to your application you grab the ticket and verify it server to server via cfhttp.
  • If the ticket checks out, you create a ColdFusion session and use it within your application.
The point of this example is to keep it simple. The code is commented to clue you in on where the different components would plug into the framework of your choice.
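The serviceValidate step above only looks for cas:user; a failed TLS handshake or a rejected ticket gives you a body that is either not XML at all or a cas:authenticationFailure element, which is where the XML parsing error in the comments comes from. The following cfscript function is an added example, not code from the original post or from JA-SIG, and parses a CAS 2.0 serviceValidate response into a struct covering all three outcomes; the sample responses are constructed.

```cfml
<cfscript>
// Added example: classify a CAS 2.0 serviceValidate body as success, failure, or not-XML.
// parseCasResponse is a hypothetical helper name; the XPath and element names follow the CAS protocol.
function parseCasResponse(body) {
    var result = structNew();
    var doc = "";
    var users = arrayNew(1);
    var failures = arrayNew(1);
    result.success = false;
    result.user = "";
    result.code = "";
    result.message = "";

    // A trust-store problem or a CAS error page leaves cfhttp.filecontent holding non-XML text.
    if (not isXml(arguments.body)) {
        result.code = "NOT_XML";
        result.message = "CAS did not return XML; check cfhttp.statusCode and the JRE trust store";
        return result;
    }

    doc = xmlParse(arguments.body);
    users = xmlSearch(doc, "cas:serviceResponse/cas:authenticationSuccess/cas:user");
    if (arrayLen(users)) {
        result.success = true;
        result.user = trim(users[1].xmlText);
        return result;
    }

    // Failures arrive as <cas:authenticationFailure code="INVALID_TICKET">reason</cas:authenticationFailure>
    failures = xmlSearch(doc, "cas:serviceResponse/cas:authenticationFailure");
    if (arrayLen(failures)) {
        result.code = failures[1].xmlAttributes.code;
        result.message = trim(failures[1].xmlText);
    } else {
        result.code = "UNEXPECTED";
        result.message = "neither authenticationSuccess nor authenticationFailure found";
    }
    return result;
}

// Constructed sample responses in the CAS 2.0 serviceValidate format.
okBody  = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
        & '<cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>'
        & '</cas:serviceResponse>';
badBody = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
        & '<cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>'
        & '</cas:serviceResponse>';

writeDump(var=parseCasResponse(okBody), label="success");
writeDump(var=parseCasResponse(badBody), label="failure");
writeDump(var=parseCasResponse("Connection Failure"), label="not xml");
</cfscript>
```

Only the success branch should ever create the ColdFusion session; the code and message of the other two branches belong in your server log, not on the page shown to the user.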

Comments (3)

Wow this is AWESOME, soooo cool! I didn't even think this was possible! Definitely donate!!!!
Thank You
ColdFusion plugins

Hello, I'm having a problem trying to implement your code. I get an XML parsing error from this line:

Make sure you have the SSL certificate from your Tomcat (CAS) server imported into your JRE on the ColdFusion server.

Otherwise you'll get a Connection failed error, which means the XML parser will not get anything to parse (and give you the error you described)

http://www.bpurcell.org/blog/index.cfm?mode=entry&entry=843

Hope this helps...