CAS+ coming to an SVN server near you...


For the past few months or so I've been dinking around with CAS and OpenID and a few other protocols for web single sign-on. The reason for this is primarily because at work we run a multi-platform web site. For the main content portion of our web site we've been using Magnolia and for the community side of the site we've been using Drupal.

It's kind of an odd setup, but it works. The structure might change in the near future, but that's a different story. We've got a few other products and services that we're also building. However, we don't really want members to log in multiple times whenever accessing a different segment of the web site. This is where single sign-on comes in.

For the initial revision of the work I created a homebrew solution of single sign-on. It's immature, it doesn't really handle some of the security concerns it really ought to, and it's maintained only by me. Needless to say, this was a quick and dirty rather than ideal solution. The plan all along was to create a tool that could provide a single sign-on service in a standard way so that we didn't have to do much, if any, of the maintenance.

My research led me to conclude that CAS (Central Authentication Service), created by Yale, is really the best solution available. There are several others out there including Cosign, Crowd, OpenSSO, and others. CAS is the most widely supported of these schemes and it implements a very robust, simple, and functional protocol.

The major drawback to CAS, for me, is that it is written in Java. This isn't a terrible issue at work since we already use a J2EE server to support Magnolia. Yet, my experience with J2EE servers (even the ones that are just servlet containers) has led me to believe that they tend to be more difficult to maintain than Apache with CGI or FastCGI add-ons. Furthermore, I have some interest in using CAS on my own web site, but don't have the means to host a J2EE server without changing how I host my site (and I'm very happy with DreamHost).

Therefore, I decided to see how difficult an implementation of the CAS server protocol would be in a different language. It was not difficult. The protocol requires fewer than 10 HTTP request/responses to be implemented and the processing required to build those actions is straightforward. Voilà, we have CAS+.

CAS+ implements the complete CAS 2.0 protocol. As far as I can tell (without asking as I haven't contacted anyone in the CAS realm), the CAS 3.0 protocol does not exist or does not differ from the core of CAS 2.0 in that it consists only of aspect-oriented hooks to extend CAS+.

My plans branch further in that I want CAS+ to be a more general solution to this problem than CAS is. CAS is meant for use in a totally secure environment, whereas I'm willing to sacrifice a few things for additional flexibility. I've implemented CAS+ in Jifty and am using CAS+ as a test bed for the work I'm doing with Jesse Vincent on the "virtual-models" branch of that product. Finally, I am thinking of building CAS+ into a more general authentication solution. There's no reason why it couldn't also support some of the other SSO protocols that exist and I would love for it to be an authentication source and sink for distributed authentication protocols like OpenID.

Okay, so that was kind of a meandering way to introduce CAS+. If you're at all interested, feel free to check out the Subversion repository where it's hosted. This is the only project resource I currently have for accessing anything about it. If you want help with it, you can use the Jifty developers mailing list (see Jifty.org for information) or see me, zostay, in "#jifty" of the freenode IRC server.

Here are the important links:


About this Entry

This page contains a single entry by Andrew Sterling Hanenkamp published on March 17, 2007 9:25 AM.
