This post will show you how to secure folders by using BYU CAS.
Note: this can only be done on the server side.
For example, we have a few folders, such as folder1, folder2, and folder3, inside the course folder. Whenever people want to access one of the three folders, they are redirected to the BYU CAS login page and must sign in before they can access the folder.
The method we use is the Apache mod_auth_cas module to secure those folders.
We will need to install the libapache2-mod-auth-cas package and then configure auth_cas.conf in order to make it work.
Note: the server used in our case is Ubuntu Server with Apache 2.4.x.
#apt-get install libapache2-mod-auth-cas
#a2enmod auth_cas
#systemctl restart apache2.service
After you have installed the module, you will need a folder called mod_auth_cas at /var/cache/apache2/mod_auth_cas (create it if the package did not).
Give this folder the proper ownership, so apache2 can write to it. Use the user and group that Apache actually runs as: on Ubuntu/Debian that is www-data (APACHE_RUN_USER in /etc/apache2/envvars), on Red Hat based systems it is apache, so do not copy apache:apache from an online article without checking your own server.
#chown www-data:www-data /var/cache/apache2/mod_auth_cas
Some online articles set the folder permission to 700, so it can only be accessed by the Apache user, and that is the right setting:
#chmod 700 /var/cache/apache2/mod_auth_cas
Note: mod_auth_cas uses this folder to track authentication sessions. Each file in it ties a MOD_AUTH_CAS cookie value to a validated login, so any other local user who can read the folder can read valid session identifiers; that is why it must be owned by the Apache user and not be readable by anyone else.
The second step is to create the auth_cas.conf file under /etc/apache2/mods-available:
#cat /etc/apache2/mods-available/auth_cas.conf
CASDebug Off
CASCookiePath /var/cache/apache2/mod_auth_cas/
# set this to a directory writable by the Apache server; it is used to track authentication sessions
CASLoginURL https://cas.byu.edu/cas/login
CASValidateURL https://cas.byu.edu/cas/samlValidate
CASValidateSAML On
CASCertificatePath /etc/ssl/certs/cas-byu-certs.pem
# set this to the location of a certificate file (or directory) used to verify the CAS server's TLS certificate
# cas-byu-certs.pem holds the certificate of the CA that issued the certificate of cas.byu.edu
# note: some examples on the web don't include this parameter
CASIdleTimeout 900
# optional; seconds of inactivity before the local session expires (mod_auth_cas default is 3600)
CASTimeout 45
# optional; maximum lifetime of a local session in seconds (mod_auth_cas default is 7200). 45 seconds is very short: the browser is bounced back to cas.byu.edu for a fresh ticket that often, so a value closer to the default is more usual
CASCacheCleanInterval 1
# optional; minimum seconds between sweeps of expired session files in CASCookiePath (mod_auth_cas default is 1800)
CASAttributePrefix X-CAS-
# optional; attributes returned in the SAML response are passed to the application as request headers with this prefix
CASSSOEnabled On
# setting this to On causes the mod_auth_cas module to respond to CAS single sign-out requests
Note: you will also need to obtain the certificate of the CA that issued the CAS server's TLS certificate and store it at /etc/ssl/certs/cas-byu-certs.pem (or your chosen path). If the file named in CASCertificatePath does not exist, apache2 will refuse to start (Failed to start the Apache HTTP Server). If the certificate of cas.byu.edu chains to a public CA, pointing CASCertificatePath at the Ubuntu system bundle /etc/ssl/certs/ca-certificates.crt also works.
The third step is to create a symbolic link in /etc/apache2/mods-enabled so the .conf file is included:
#ln -s ../mods-available/auth_cas.conf /etc/apache2/mods-enabled/auth_cas.conf
#ls -l /etc/apache2/mods-enabled/auth_cas.conf
lrwxrwxrwx 1 root root 31 Dec 6 16:14 auth_cas.conf -> ../mods-available/auth_cas.conf
After this, check the configuration and restart the Apache server:
#apache2ctl configtest
#systemctl restart apache2.service
The fourth step is to set AuthType for the private folder in the VirtualHost configuration file in /etc/apache2/sites-available:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
<Directory "/var/www/the/path/of/private/folder">
AuthType CAS
Require valid-user
</Directory>
</VirtualHost>
Note: the example above uses port 80 for brevity. Put the protected Directory blocks in your HTTPS (*:443) VirtualHost, otherwise the service ticket that CAS appends to the URL and the MOD_AUTH_CAS session cookie travel over plain HTTP.
Note: also make sure the VirtualHost is linked in /etc/apache2/sites-enabled (a2ensite does this).
Note: sometimes people put the CAS configuration and the AuthType directives all in the VirtualHost configuration file:
<IfModule mod_auth_cas.c>
CASDebug Off
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://cas.byu.edu/cas/login
CASValidateURL https://cas.byu.edu/cas/samlValidate
CASValidateSAML On
</IfModule>
<Directory "/var/www/the/path/of/private/folder">
AuthType CAS
Require valid-user
</Directory>
The fifth step is to make sure the folders are actually protected: in a browser where you are not signed in, open a protected folder (for example https://your.host/course/folder1/, replacing your.host with your server name) and confirm that you are redirected to https://cas.byu.edu/cas/login?service=... and, after signing in, land back in the folder. From the command line, curl -sSI on the same URL should return a 302 with a Location header pointing at cas.byu.edu/cas/login. Check all three folders, not just one.
Note: you might need to restart apache2 in order to make it work.
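The following script is an added example and is not part of the original post or of mod_auth_cas itself. It wraps the steps above in three checks a practitioner would want on the server: that the session cache directory has the right owner and mode, that auth_cas.conf is only written when the CA certificate file it points to exists (so apache2 will still start), and that an anonymous request to a protected folder really is redirected to the BYU CAS login page. It assumes the paths from the post, that Apache runs as www-data (the Ubuntu default), and GNU stat (Linux); the example.test host name and the response headers it demonstrates on are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the paths used in
# the post (/var/cache/apache2/mod_auth_cas, /etc/ssl/certs/cas-byu-certs.pem),
# Apache running as www-data (Ubuntu default from /etc/apache2/envvars),
# and GNU stat (Linux).

# Step 1 check: the session cache directory must exist, be owned by the
# Apache run user (name or numeric uid) and be mode 700, so other local
# users cannot read the files that map a MOD_AUTH_CAS cookie to a login.
cas_cookie_dir_ok() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    owner=$(stat -c '%U' "$dir")
    ownerid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$owner" = "$user" ] || [ "$ownerid" = "$user" ] \
        || { echo "owner is $owner, want $user: $dir" >&2; return 1; }
    [ "$mode" = "700" ] || { echo "mode is $mode, want 700: $dir" >&2; return 1; }
}

# Step 2: write auth_cas.conf. Refuses to write if the CA certificate file
# is missing, because a CASCertificatePath that does not exist stops
# apache2 from starting at all.
write_auth_cas_conf() {
    out=$1
    cert=$2
    cookiepath=$3
    [ -f "$cert" ] || { echo "CA certificate file not found: $cert" >&2; return 1; }
    cat > "$out" <<EOF
CASDebug Off
CASCookiePath $cookiepath
CASLoginURL https://cas.byu.edu/cas/login
CASValidateURL https://cas.byu.edu/cas/samlValidate
CASValidateSAML On
CASCertificatePath $cert
CASIdleTimeout 900
CASAttributePrefix X-CAS-
CASSSOEnabled On
EOF
}

# Step 5 check: an anonymous request to a protected folder must come back as
# a 302 to the BYU CAS login page. Reads raw response headers on stdin, e.g.
#   curl -sSI https://your.host/course/folder1/ | cas_redirect_ok
cas_redirect_ok() {
    hdrs=$(cat | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: //p')
    [ "$status" = "302" ] || { echo "expected 302, got '$status'" >&2; return 1; }
    case "$location" in
        https://cas.byu.edu/cas/login?service=*) return 0 ;;
        *) echo "not redirected to CAS login: '$location'" >&2; return 1 ;;
    esac
}

# Offline demonstration on constructed headers (what a correctly protected
# folder returns to an anonymous GET). On the real server you would run:
#   mkdir -p /var/cache/apache2/mod_auth_cas
#   chown www-data:www-data /var/cache/apache2/mod_auth_cas
#   chmod 700 /var/cache/apache2/mod_auth_cas
#   cas_cookie_dir_ok /var/cache/apache2/mod_auth_cas www-data
#   write_auth_cas_conf /etc/apache2/mods-available/auth_cas.conf \
#       /etc/ssl/certs/cas-byu-certs.pem /var/cache/apache2/mod_auth_cas/
#   apache2ctl configtest && systemctl restart apache2
#   curl -sSI https://your.host/course/folder1/ | cas_redirect_ok
printf 'HTTP/1.1 302 Found\r\nLocation: https://cas.byu.edu/cas/login?service=https%%3A%%2F%%2Fexample.test%%2Fcourse%%2Ffolder1%%2F\r\n\r\n' \
    | cas_redirect_ok && echo "folder1 redirects to BYU CAS login"
```

The redirect check deliberately fails on a 200 (the folder is served without authentication) and on a 302 to any host other than cas.byu.edu, which is what you would see if CASLoginURL had been mistyped.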
Source:
https://ucdavis.jira.com/wiki/spaces/IETP/pages/132808713/mod+auth+cas
https://iam.uconn.edu/mod_auth_cas-installation-and-configuration/
https://gist.github.com/acdha/7994024