{ "info": { "author": "jiangdongjin", "author_email": "eastxing@gmail.com", "bugtrack_url": null, "classifiers": [ "Framework :: Plone", "Programming Language :: Python" ], "description": "=====================\r\n anz.casclient README\r\n=====================\r\n\r\n:author: jiangdongjin\r\n:contact: eastxing@gmail.com\r\n:date: 2010/09/25\r\n:abstract: This is a Zope PAS plugin that authenticates users against a\r\n CAS (Central Authentication Service) server.\r\n\r\n.. contents::\r\n.. sectnum::\r\n\r\nIntroduction\r\n============\r\nanz.casclient is a PAS plugin that authenticates users against a CAS\r\n(Central Authentication Service) server.\r\n\r\nOverview\r\n========\r\nanz.casclient implement a new PAS plugin 'Anz CAS Client'. It enabling you\r\nto integrate your Zope sites into your CAS SSO solutions.\r\n\r\nCredits\r\n========\r\nThanks to those guys who developed the following products, without your\r\nworks anz.casclient will never happen.\r\n\r\n- CAS_\r\n- `JA-SIG CAS Client for Java 3.1`_\r\n- CAS4PAS_\r\n\r\n.. _CAS: http://www.jasig.org/cas\r\n.. _`JA-SIG CAS Client for Java 3.1`: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1\r\n.. _CAS4PAS: http://plone.org/products/cas4pas\r\n\r\nComparison with CAS4PAS\r\n=======================\r\nCAS4PAS is the first(if not the only)CAS client used in Zope world, but it\r\nhas only implemented partial CAS\r\n`protocol `_, so comes anz.casclient.\r\n\r\nanz.casclient have some advantages:\r\n\r\n- anz.casclient provides full CAS 1.0/2.0 protocol implementation.\r\n- anz.casclient implemented Single-Sign-Out.\r\n- anz.casclient provides a framework that similar as the official java\r\n client implementation, this will make it easy to follow the evolution of\r\n CAS client.\r\n\r\nRequirements\r\n============\r\n- Plone 3 or Plone 4\r\n- ZODB3>=3.8.3 (test under 3.8.3 only)\r\n- zope.proxy>=3.4.1 (test under 3.4.1 only)\r\n- zope.bforest\r\n\r\nInstallation\r\n============\r\nTo install anz.casclient into the global Python environment (or a\r\nworkingenv), using a traditional Zope 2 instance, you can do this:\r\n\r\n* When you're reading this you have probably already run\r\n ``easy_install anz.casclient``. Find out how to install setuptools\r\n (and EasyInstall) here:\r\n http://peak.telecommunity.com/DevCenter/EasyInstall\r\n\r\n* Create a file called ``anz.casclient-configure.zcml`` in the\r\n ``/path/to/instance/etc/package-includes`` directory. The file\r\n should only contain this::\r\n\r\n \r\n\r\nAlternatively, if you are using zc.buildout and the\r\nplone.recipe.zope2instance recipe to manage your project, you can do this:\r\n\r\n* Add ``anz.casclient`` to the list of eggs to install, e.g.:\r\n\r\n::\r\n\r\n [buildout]\r\n ...\r\n eggs =\r\n ...\r\n anz.casclient\r\n\r\n* Tell the plone.recipe.zope2instance recipe to install a ZCML slug:\r\n\r\n::\r\n\r\n [instance]\r\n recipe = plone.recipe.zope2instance\r\n ...\r\n zcml =\r\n anz.casclient\r\n\r\n* Re-run buildout, e.g. with:\r\n\r\n::\r\n\r\n $ ./bin/buildout\r\n\r\nYou can skip the ZCML slug if you are going to explicitly include the\r\npackage from another package's configure.zcml file.\r\n\r\nHow to use anz.casclient\r\n========================\r\n\r\nCreate 'Anz CAS Client' plugin\r\n------------------------------\r\nGo into ZMI, {your plone site}\\acl_users, add an 'Anz CAS Client' instance,\r\nchoose any Id you like, we input 'anz_casclient' for example.\r\n\r\nConfigure 'Anz CAS Client' plugin\r\n---------------------------------\r\nGo into {your plone site}\\acl_users\\anz_casclient, in 'Active' tab active\r\nall four interface.\r\n\r\nClick 'Authentication' to configure 'Authentication Plugins', move\r\n'anz_casclient' to the top.\r\n\r\nClick 'Challenge' to configure 'Challenge Plugins', move 'anz_casclient'\r\nto the top.\r\n\r\nClick 'Extraction' to configure 'Extraction Plugins', move 'anz_casclient'\r\nto the top.\r\n\r\nGo into 'Properties' tab to configure CAS related properties.\r\n\r\n============================== =========== ==============================\r\nProperty Required Note\r\nserviceUrl False An identify of current service.\r\n CAS will redirects to here\r\n after login. Set this explicitly\r\n but not determine it automatically\r\n from request makes us get more\r\n security assurance. See\r\n `here `_.\r\ncasServerUrlPrefix True The start of the CAS server URL.\r\nuseSession False Whether to store the Assertion\r\n in session or not. If sessions\r\n are not used, proxy granting\r\n ticket will be required for\r\n each request. Default set to True.\r\nrenew False If set to True, CAS will ask\r\n user for credentials again to\r\n authenticate, this may be used\r\n for high-security applications.\r\n Default set to False.\r\ngateway False If set to True, CAS will not\r\n ask the user for credentials.\r\n If the user has a pre-existing\r\n single sign-on session with CAS,\r\n or if a single sign-on session\r\n can be established through\r\n non-interactive means(i.e.\r\n trust authentication), CAS MAY\r\n redirect the client to the URL\r\n specified by the \"service\"\r\n parameter, appending a valid\r\n service ticket.(CAS also MAY\r\n interpose an advisory page\r\n informing the client that a CAS\r\n authentication has taken place.)\r\n If the client does not have a\r\n single sign-on session with CAS,\r\n and a non-interactive\r\n authentication cannot be\r\n established, CAS MUST redirect\r\n the client to the URL specified\r\n by the \"service\" parameter with\r\n no \"ticket\" parameter appended\r\n to the URL. If the \"service\"\r\n parameter is not specified and\r\n \"gateway\" is set, the behavior\r\n of CAS is undefined. It is\r\n RECOMMENDED that in this case,\r\n CAS request credentials as if\r\n neither parameter was specified.\r\n This parameter is not compatible\r\n with the \"renew\" parameter.\r\n Behavior is undefined if both\r\n are set to True. See details\r\n `here_ `_.\r\nticketValidationSpecification True Use which CAS protocol to\r\n validate ticket.\r\n one of ['CAS 1.0','CAS 2.0']\r\nproxyCallbackUrlPrefix False The start of the proxy callback\r\n url. You should set it point to\r\n current plugin with protocol\r\n 'https'. The result url will be\r\n '{proxyCallbackUrlPrefix}/proxyCallback'.\r\n If set, it means this service\r\n will be used as a proxier to\r\n access back-end service on\r\n behalf of a particular user.\r\nacceptAnyProxy False Whether any proxy is OK.\r\nAllowed Proxy Chains False Allowed proxy chains. Each\r\n acceptable proxy chain should\r\n include a space-separated list\r\n of URLs. These URLs are\r\n proxier's proxyCallbackUrl.\r\n============================== =========== ==============================\r\n\r\nExample configures:\r\n\r\n- Set 'serviceUrl' to 'http://{my plone site domain}:{port}/plone'\r\n- Set 'casServerUrlPrefix' to 'https://{my cas server domain}:{port}/cas'\r\n- Set 'useSession' to True\r\n- Set 'renew' to False\r\n- Set 'gateway' to False\r\n- Set 'ticketValidationSpecification' to 'CAS 2.0'\r\n- Set 'proxyCallbackUrlPrefix' to 'https://{my plone site domain}:{port}/plone/acl_users/anz_casclient'\r\n- Set 'acceptAnyProxy' to False\r\n- Set 'Allowed Proxy Chains' to None\r\n\r\nConfigure 'CAS login' entrance\r\n------------------------------\r\nIf you use 'Log in' link at the upper-right of the Plone page to login, you\r\nshould hide the stock Plone 'Log in' action first. Then add a new one named\r\n'CAS log in' there, set URL(Expression) to\r\n**'string:${globals_view/navigationRootUrl}/caslogin'**\r\n\r\nThen add a Script(Python) named '**caslogin**' into 'portal_skins/custom',\r\nits contents looks like:\r\n\r\n::\r\n\r\n ## Script (Python) \"caslogin\"\r\n ##bind container=container\r\n ##bind context=context\r\n ##bind namespace=\r\n ##bind script=script\r\n ##bind subpath=traverse_subpath\r\n ##parameters=\r\n ##title=CAS Login\r\n ##\r\n request = container.REQUEST\r\n\r\n portal = context.portal_url.getPortalObject()\r\n plugin = portal.acl_users.anz_casclient\r\n\r\n if plugin.casServerUrlPrefix:\r\n url = plugin.getLoginURL() + '?service=' + plugin.getService()\r\n if plugin.renew:\r\n url += '&renew=true'\r\n if plugin.gateway:\r\n url += '&gateway=true'\r\n\r\n request.RESPONSE.redirect( url, lock=1 )\r\n\r\nIf you use 'login portlet' to login, you should remove the stock Plone\r\n'login portlet' first so as not to confuse users. Then you should write a\r\nnew 'CAS login portlet' to authenticate users against CAS or customize\r\ncollective.castle_ to work with anz.casclient.\r\n\r\n.. _collective.castle: http://plone.org/products/collective.castle/\r\n\r\nConfigure 'CAS logout' entrance\r\n-------------------------------\r\nIf you use 'Log out' link at the upper-right of the Plone page to logout,\r\nyou should hide the stock Plone 'Log out' action first. Then add a new one\r\nnamed 'CAS log out' there, set URL(Expression) to\r\n**'string:${globals_view/navigationRootUrl}/caslogout'**\r\n\r\nThen add a Script(Python) named '**caslogout**' into 'portal_skins/custom',\r\nits contents looks like:\r\n\r\n::\r\n\r\n ## Script (Python) \"caslogout\"\r\n ##bind container=container\r\n ##bind context=context\r\n ##bind namespace=\r\n ##bind script=script\r\n ##bind subpath=traverse_subpath\r\n ##parameters=\r\n ##title=CAS Logout\r\n ##\r\n from Products.CMFCore.utils import getToolByName\r\n\r\n request = container.REQUEST\r\n portal = context.portal_url.getPortalObject()\r\n cas_client_plugin = portal.acl_users.anz_casclient\r\n\r\n mt = getToolByName( context, 'portal_membership' )\r\n mt.logoutUser( REQUEST=request )\r\n\r\n request.RESPONSE.redirect( cas_client_plugin.casServerUrlPrefix + '/logout' )\r\n\r\nHow to use proxy authentication\r\n===============================\r\nProxy authentication is added by CAS 2.0, for the reason why do we need\r\nit, you can see the details `here. `_\r\n\r\n\r\n1. Create two plone sites in one Zope instance, called them **plone** and\r\n **backend**.\r\n2. Create and configure 'Anz CAS Client' plugin on them(make sure both sites\r\n can authenticate users against your CAS server).\r\n3. anz.casclient carried a simple example to show how to use it, but it need\r\n you to do a little customization. Open\r\n **anz.casclient\\anz\\casclient\\proxyauthexample\\view.py** with your\r\n favorite editor, find **__init__** method and modify it to suit your\r\n situation:\r\n\r\n::\r\n\r\n def __init__( self, context, request ):\r\n super(ProxyAuthExampleView, self).__init__( context, request )\r\n\r\n # eg. http://xx.xx.xx.xx:8080/backend\r\n self.BACK_END_SERVICE_URL = 'http://{domain of your zope instance}:{port}/backend'\r\n\r\n # eg. /plone/acl_users/anz_casclient\r\n self.PATH_TO_PROXIER_PLUGIN = '/plone/acl_users/anz_casclient'\r\n\r\n # eg. /backend/acl_users/anz_casclient\r\n self.PATH_TO_BACK_END_PLUGIN = '/backend/acl_users/anz_casclient'\r\n\r\n4. After that restart your Zope, open a browser and login into site\r\n **plone** ( suppose user name is **tom** ).\r\n5. Modify location in your browser to\r\n **http://{domain of your zope instance}:{port}/plone/@@proxyAuthExample/getUserInfoFromTargetService**\r\n and click Enter, if all things goes well, you'll see:\r\n\r\n::\r\n\r\n Hello, tom!\r\n\r\n\r\nSAML service ticket validation\r\n==============================\r\nFrom version 1.1, the server is able to connect to a CAS server 3.x and above\r\nand validate the service ticket (ST) against the CAS server using SAML, in order\r\nto retrieve the extra fields for the authenticated user that the CAS server may\r\nbe providing. To use his feature, it's required to configure the plugin to use\r\nthe SAML validation by configuring the **SAMLValidate** property to ``True``.\r\n\r\nIn order to do something with the retrieved properties an event\r\n``ISAMLPropertiesExist`` is emmited for a subscriber to be hooked into it.\r\n\r\n\r\nToDo\r\n====\r\n* Add automation tests ( I really don't know how to automation test this\r\n kind of package :) )\r\n\nChangelog\r\n=========\r\n\r\n1.1.1 (2015-08-06)\n----------------\r\n\r\n - Fix release.\r\n\r\n\r\n1.1 (2015-08-06)\r\n----------------\r\n - Fixed a problem in Plone 4.3 that forces to cast the resultant username to an\r\n str before passing it to plone.session for session creation. It's needed to\r\n cast username which is an unicode type to an str as plone.session does a\r\n direct concatenation of unicode username and other string types that leads to\r\n an UnicodeDecode error otherwise. It's needed to address plone.session to do\r\n not so. Meanwhile, casting the username assumes that there are non ascii\r\n chars in it [sneridagh]\r\n\r\n - Fixed a problem when used in a Zope/ZEO environment with multiple Zope\r\n clients. Make it work using the default Plone session factory solved the\r\n problem. [sneridagh]\r\n\r\n - Clean paster plugins in setup.py [sneridagh]\r\n\r\n - Add an extra validation for CAS2.0 service ticket via SAML. This enables the\r\n extraction of extra user properties. [sneridagh]\r\n\r\n1.0.1\r\n-----\r\n\r\n - Update to support Plone4.\r\n\r\nNote: When used under Plone3, please pin products version like this::\r\n\r\n ZODB3==3.8.3\r\n zope.proxy==3.4.1\r\n\r\n1.0\r\n---\r\n\r\n - Initial release", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://plone.org/products/anz.casclient/", "keywords": "plone cas sso", "license": "GPL", "maintainer": null, "maintainer_email": null, "name": "anz.casclient", "package_url": "https://pypi.org/project/anz.casclient/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/anz.casclient/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://plone.org/products/anz.casclient/" }, "release_url": "https://pypi.org/project/anz.casclient/1.1.1/", "requires_dist": null, "requires_python": null, "summary": "This is a Zope PAS plugin that authenticates users against a CAS (Central Authentication Service) server.", "version": "1.1.1" }, "last_serial": 1669869, "releases": { "1.0": [ { "comment_text": "", "digests": { "md5": "4545c7385fb5fa0c47ab0dd7245cf569", "sha256": "c955eb6eccbc5c693dee758996056ce2bf9a2e535f0c9d50745ce444eef80df9" }, "downloads": -1, "filename": "anz.casclient-1.0-py2.4.egg", "has_sig": false, "md5_digest": "4545c7385fb5fa0c47ab0dd7245cf569", "packagetype": "bdist_egg", "python_version": "2.4", "requires_python": null, "size": 44244, "upload_time": "2010-07-01T13:22:53", "url": "https://files.pythonhosted.org/packages/f3/cd/ab4fee6abbda9030e1536efbd773caaf6abcf9692e05803daaf334ed551b/anz.casclient-1.0-py2.4.egg" }, { "comment_text": "", "digests": { "md5": "ec77f036e997dd2ded5bb4f118bfa546", "sha256": "cd30a1e69a048ef08b4981da5a422cfff7058175f4b2b0b1ac3d41166f5223d4" }, "downloads": -1, "filename": "anz.casclient-1.0.tar.gz", "has_sig": false, "md5_digest": "ec77f036e997dd2ded5bb4f118bfa546", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 19356, "upload_time": "2010-07-01T13:22:50", "url": "https://files.pythonhosted.org/packages/49/33/4ef518ef15ae372e66cfa2bb334589d722b1f98aae2e9e2148d4de285f4b/anz.casclient-1.0.tar.gz" } ], "1.0.1": [ { "comment_text": "", "digests": { "md5": "c45d02f8bda4cfb66b9d41b8dd192636", "sha256": "ec58baac7e4d4af2dc17fae0baceaa643be140c1830f4042c51f9cd406e05a10" }, "downloads": -1, "filename": "anz.casclient-1.0.1.tar.gz", "has_sig": true, "md5_digest": "c45d02f8bda4cfb66b9d41b8dd192636", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 30277, "upload_time": "2010-09-25T10:06:36", "url": "https://files.pythonhosted.org/packages/96/66/4e3220e35269bd8b8b08406aefe51e8372aeb2c042576e9864f140e2bb97/anz.casclient-1.0.1.tar.gz" } ], "1.1": [ { "comment_text": "", "digests": { "md5": "a6f1a9cdb8e2d275d73eb2d4e7576bc2", "sha256": "0648294a029620bb45f1bd6f2c2e8871cd14e4b6d027b2e9d2204b1333a23418" }, "downloads": -1, "filename": "anz.casclient-1.1.tar.gz", "has_sig": false, "md5_digest": "a6f1a9cdb8e2d275d73eb2d4e7576bc2", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 19226, "upload_time": "2015-08-06T07:21:18", "url": "https://files.pythonhosted.org/packages/86/b8/0c0a13a04c915f13c46bdbe426a69f39580bb56cb8f3bfe2908f32848f62/anz.casclient-1.1.tar.gz" } ], "1.1.1": [ { "comment_text": "", "digests": { "md5": "5afd15f0cf40a2bf85928fb00a4dde08", "sha256": "e04a10b6202377af9b509e76a0d851be9e55409fb682a0dda3dd1e3d5101a41f" }, "downloads": -1, "filename": "anz.casclient-1.1.1.tar.gz", "has_sig": false, "md5_digest": "5afd15f0cf40a2bf85928fb00a4dde08", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 33277, "upload_time": "2015-08-06T10:26:48", "url": "https://files.pythonhosted.org/packages/ae/6d/93e8d9f49d86446d30990b6c8cfe27fb67cf5b4302af1efbdb27ccad9ecc/anz.casclient-1.1.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "5afd15f0cf40a2bf85928fb00a4dde08", "sha256": "e04a10b6202377af9b509e76a0d851be9e55409fb682a0dda3dd1e3d5101a41f" }, "downloads": -1, "filename": "anz.casclient-1.1.1.tar.gz", "has_sig": false, "md5_digest": "5afd15f0cf40a2bf85928fb00a4dde08", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 33277, "upload_time": "2015-08-06T10:26:48", "url": "https://files.pythonhosted.org/packages/ae/6d/93e8d9f49d86446d30990b6c8cfe27fb67cf5b4302af1efbdb27ccad9ecc/anz.casclient-1.1.1.tar.gz" } ] }