diff --git a/CASAuth.php b/CASAuth.php
index 6cac4ac..73d15a5 100644
--- a/CASAuth.php
+++ b/CASAuth.php
@@ -45,6 +45,8 @@
 "LogoutServers" => false,
 "Port" => 443,
 "Url" => "/cas/",
+ "UseCert" => false,
+ "Cert" => "/cas/cert.crt",
 "Version" => "2.0",
 "CreateAccounts" => false,
 "PwdSecret" => "Secret",
@@ -100,8 +102,12 @@ function casLogin($user) {
 if(!$casIsSetUp) casSetup();
- //Will redirect to CAS server if not logged in
- phpCAS::forceAuthentication();
+ // Check if we're logged in already
+ // This prevents the user from needing to logout of other resources
+ if (!phpCAS::checkAuthentication())
+ {
+ phpCAS::forceAuthentication();
+ }
 // Get username
@@ -120,6 +126,12 @@ function casLogin($user) {
 // Get MediaWiki user
 $u = User::newFromName($username);
+ // Redirect the user if they are unauthorized and we aren't making accounts
+ if ($u->getID() == 0 && !$CASAuth["CreateAccounts"]) {
+ $wgOut->redirect($CASAuth["RestrictRedirect"]);
+ return true;
+ }
+
 // Create a new account if the user does not exists
 if ($u->getID() == 0 && $CASAuth["CreateAccounts"]) {
 //Get email and realname
@@ -285,10 +297,22 @@ function casSetup() {
 require_once($CASAuth["phpCAS"]."/CAS.php");
 phpCAS::client($CASAuth["Version"], $CASAuth["Server"], $CASAuth["Port"], $CASAuth["Url"], false);
+
+ // If we are using a certificate, set the CAS Server Certificate
+ if ($CASAuth["UseCert"])
+ {
+ phpCAS::setCasServerCACert($CASAuth["Cert"]);
+ }
+
 phpCAS::setSingleSignoutCallback('casSingleSignOut');
 phpCAS::setPostAuthenticateCallback('casPostAuth');
 phpCAS::handleLogoutRequests(true,isset($CASAuth["LogoutServers"])?$CASAuth["LogoutServers"]:false);
- phpCAS::setNoCasServerValidation();
-
+
+ // If we aren't using a certificate, don't use CAS Server Validation
+ if (!$CASAuth["UseCert"])
+ {
+ phpCAS::setNoCasServerValidation();
+ }
+
 $casIsSetUp = true;
 }
diff --git a/CASAuthSettings.php.template b/CASAuthSettings.php.template
index d955a1a..255d26d 100644
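Review bot: The new `"UseCert" => false` default leaves CAS server certificate validation switched off out of the box (the casSetup hunk in this same commit calls `phpCAS::setNoCasServerValidation()` whenever it is false), so a fresh install validates service tickets over an unverified TLS connection until an admin opts in. The default `"Cert" => "/cas/cert.crt"` also disagrees with the `/crt/cert.crt` default in CASAuthSettings.php.template, so whichever file an admin reads, the other never mentions that path. I would flip the default to `"UseCert" => true,` and point `Cert` at the platform's CA bundle (for example `/etc/ssl/certs/ca-certificates.crt` on Debian-family systems; adjust per platform), keeping `false` as an explicit, documented opt-out for test setups. The array these defaults belong to starts before this hunk.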
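Review bot: The comment `// This prevents the user from needing to logout of other resources` says what the change is for but not how, and the mechanism matters for anyone debugging the redirects: as far as I recall, `phpCAS::checkAuthentication()` with no local session sends the browser to the CAS server in gateway mode (a redirect with `gateway=true`) and only returns false once that round trip comes back without a ticket, at which point `forceAuthentication()` redirects a second time — worth confirming against the phpCAS version in use and stating in the comment, e.g. `// checkAuthentication() probes the CAS server in gateway mode (no login prompt); only fall back to a forced login if that probe comes back unauthenticated`. Separately, this block puts `{` on its own line while the `if` added further down in casLogin, and the existing `if (...) {` there, keep it on the same line; one brace style per file. casLogin's head and remainder are outside the hunk.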
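Review bot: `$wgOut->redirect($CASAuth["RestrictRedirect"])` depends on two things this hunk does not establish: `$wgOut` and `$CASAuth` being declared `global` inside casLogin (the function head is outside the hunk), and a `RestrictRedirect` key existing in the defaults — it is not among the keys added at line 45, and an unset key produces an undefined-index notice and a redirect with an empty target. Guard it, e.g. `if (!empty($CASAuth["RestrictRedirect"])) { $wgOut->redirect($CASAuth["RestrictRedirect"]); }`, or add the key to the defaults with a documented value. The new condition is also now the first place `$u` is dereferenced, and in MediaWiki `User::newFromName()` returns false for a name it considers invalid, so a CAS username that fails MediaWiki's rules would fatal on `->getID()` instead of being bounced to the restrict page; a `$u === false` check ahead of this block would close that. Whether returning true after the redirect is the right hook result cannot be judged from the hunk.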
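Review bot: With `UseCert` false, `phpCAS::setNoCasServerValidation()` still runs, and it does so silently: the HTTPS call that validates the service ticket then accepts any certificate, so anyone positioned between the wiki and the CAS server can answer the validation request with a forged success for an arbitrary username. Now that this is a deliberate, configurable choice rather than the only option, the insecure branch should at least announce itself, e.g. `trigger_error('CASAuth: CAS server certificate validation is disabled (UseCert=false); ticket validation is exposed to man-in-the-middle', E_USER_WARNING);` immediately before the `setNoCasServerValidation()` call. The comment `// If we are using a certificate, set the CAS Server Certificate` is also misleading, since `setCasServerCACert()` installs the CA certificate (or bundle) used to verify the server, not a certificate the client presents; `// Trust the CA certificate at Cert when verifying the CAS server's TLS certificate` describes it better. casSetup's head is outside the hunk.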
--- a/CASAuthSettings.php.template
+++ b/CASAuthSettings.php.template
@@ -37,6 +37,16 @@ $CASAuth["Port"]=443;
 # Default: $CASAuth["Url"]="/cas/";
 $CASAuth["Url"]="/cas/";
+# CA Certificate Settings
+#
+# Set UseCert to true if you need to use a CA certificate to authenticate
+# then set Cert to the certificate location.
+#
+# Default: $CASAuth["UseCert"]=false;
+# Default: $CASAuth["Cert"]="/crt/cert.crt";
+$CASAuth["UseCert"]=false;
+$CASAuth["Cert"]="/crt/cert.crt";
+
 # CAS Version. Available versions are "1.0" and "2.0".
 #
 # Default: $CASAuth["Version"]="2.0";
diff --git a/README.md b/README.md
index 099f52b..737d6ba 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,15 @@
-CASAuth(entication) Extension for Mediawiki
-===========================================
+CASAuth Extension for Mediawiki
+===============================
+This is compatible with version MediaWiki version 1.33
+
+This differs from the original by offering a new CA Certificate setting that is implemented in the casSetup function.
+
+It also adds a check in casLogin() to see whether a user is already authenticated through another web application before forcing the authentication. This ensures that the phpCAS:getUser() method is able to get the username in the event the user is already authenticated through another session, and prevents the user from needing to log out of their institution's applications before logging into the MediaWiki.
+
+This is forked from the CWRUChielLab/CASAuth repo, both this version and the original seem to be compatible with newer versions of MediaWiki.
+
+Below is the original README content from CWRUChielLab/CASAuth :
-A CAS Authentication extension for Mediawiki 1.27, 1.23 (and possibly
-earlier).
 Introduction
 ------------
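Review bot: The template's explanation `# Set UseCert to true if you need to use a CA certificate to authenticate` misdescribes the setting: the file at `Cert` is a CA certificate (or bundle) phpCAS uses to verify the CAS server's TLS certificate while validating tickets, not a credential the wiki authenticates with, and the text never says that leaving `UseCert` false turns that verification off entirely. I would reword the block to `# Set UseCert to true so phpCAS verifies the CAS server's TLS certificate` / `# against the CA certificate (or CA bundle) at Cert. Leaving it false disables` / `# that check and lets a man-in-the-middle forge ticket validation responses.` The default `/crt/cert.crt` here also differs from the `/cas/cert.crt` default in CASAuth.php; pick one and use it in both places.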