[Zope3-Users] Re: Remote authentication

Maciej Wisniowski maciej.wisniowski at coig.katowice.pl
Sat May 12 11:42:11 EDT 2007

> Hi Maciej. I have been reading quite a bit about CAS today. It looks
> like a good way to go. Couple of questions with how you having it
> working in z2. Are you using LDAP as a user store with CAS. 
We're not using LDAP. We have propertiary system to manage user
accounts in our applications (user data and permissions in
specific applications). This system uses RDBMS to store its data so
for CAS it is just external database with user names and passwords.
Our CAS server authenticates users against this database with just one
simple select statement I think.

> I have downloaded a few of the z2 products to study the code
> in the interim since a plugin for z3 would be a good thing. I've got to
> look at how this works with users and groups code particular with
> additional info you need for an app.
In fact i think that default plugin for CAS can't do more than just
So first step should be to rewrite CAS4PAS to zope3 PAU which should be
rather easy. Only thing I'm not sure obout is if this should use session
or maybe cookies? Sessions are nasty in Zope...

Another thing is a second plugin for user management. But this depends
on where
your user database is. This plugin may enumerate users, set roles for users
etc. Depending on specific solution this plugin may connect to LDAP
or RDBMS to get user data, roles and permissions from and map them to
Zope ones.
In our system we have a special permission in database that is mapped into
user role in Zope. In fact our plugin has parameter that says what is
the name
for this role so it is easy to customize that via ZMI.

Not sure if you already realised how CAS works (I had some problems to
realise that at the begining) so a quick description is at the bottom of my
post. Important thing to note is that all addresses have to be https ones.

> Anybody out there interested in helping with something like this? I'm
> likely to start a project for this for z3 package but with zpl or mit
> licensing since something this generic should have few barriers to
> anyone using Yale's system. Many thanks.
I'm interested in helping you with that.

Order of actions in CAS authentication

1. User tries to enter into Zope application via url like https://xyz/myapp

2. CAS4PAS checks if there is a special object in session
that says user is already authenticated

3. If there is no object in session CAS4PAS checks if there is a 'ticket'
parameter in request

4. If there is neither special object in session nor 'ticket' in request
redirects user to CAS login page with 'service' parameter in redirect URL
which is address of zope application itself (CAS4PAS has to know address
of CAS login page)

5. User authenticates at CAS login page

6. CAS checks credenitals in RDBMS (LDAP etc)

7. If everything is OK CAS sets secure cookie in browser that indicates
user is authenticated

8. CAS redirects user to 'service' URL with additional 'ticket' parameter

9. Zope (which is under 'service' URL) checks again if there is a special
object in session, and if not, checks if there is a 'ticket' parameter
in request.

10. CAS4PAS in Zope gets data form the 'ticket' in request and goes to
'service url' (with
'ticket' and 'service' parameters) at CAS server to confirm authentication
 (CAS4PAS has to know 'service url'):

11. CAS confirms user authentication and responds with name of
authenticated user.
12. CAS4PAS sets special object in session to indicate user authentication.

Now another application (in short)
13. User tries to enter to another application that is protected by CAS.
14. Application redirects to CAS login page.
15. CAS finds that there already is secure cookie set so this user is
16. CAS redirects user back to application with 'ticket' parameter in
URL... etc.

Maciej Wisniowski

More information about the Zope3-users mailing list