Authentication with CAS
By default UCDArch does not impose an authentication system on new applications, but if you want to use the UC Davis CAS single sign-on service, UCDArch provides a library that makes it easy to set up.
To set up CAS authentication in a UCDArch application (or any ASP.NET MVC application), create an AccountController like the one below (if an AccountController already exists, remove it and its related views). You can copy this code and be done, but if you want to understand a bit more about how the login and logout actually work, keep reading past the code block for a short explanation.
```csharp
using System.Web.Mvc;
using System.Web.Security;
// plus the UCDArch namespace that provides CasMvc

public class AccountController : Controller
{
    // ASP.NET sends unauthenticated users here with ?ReturnUrl=<page they asked for>
    public ActionResult Login(string returnUrl)
    {
        // Handles the CAS round trip and sends the user on to returnUrl
        return CasMvc.LoginAndRedirect();
    }

    public ActionResult LogOut()
    {
        FormsAuthentication.SignOut();                          // drop this app's ticket
        return Redirect("https://cas.ucdavis.edu/cas/logout");  // then end the CAS session
    }
}
```
The Login action calls UCDArch's CasMvc.LoginAndRedirect() method, which handles the CAS authentication, performs the redirects needed along the way, and sends the authenticated user on to their original destination (preserving the query string). If the user is already logged in and is being asked to authenticate again, the method does not send them back to CAS (that would just loop); it renders the Login view instead. Landing there while already authenticated means the user is authenticated but not authorized for the page they requested, so make the Login.cshtml view tell the user that they do not have access to that page.
If you would like a little more control over your login method, use CasMvc.Login() instead. It gives you the opportunity to redirect the user somewhere else, add information to the error page, or do anything else you need. A reference implementation:
```csharp
public ActionResult Login(string returnUrl)
{
    var result = CasMvc.Login(); // do the CAS login; returns the redirect to issue, or null if the user is already authenticated
    if (result != null)          // user logged in successfully
    {
        return result;
    }
    // Already authenticated but sent back here: an authorization problem.
    // Example: stash the requested URL in TempData so the view can show an error message.
    TempData["Url"] = returnUrl;
    return View();
}
```
You might want to allow your users to log out of your application. It is important to remember that two authentication systems are at work:
- CAS: CAS sets a cookie after authenticating, which allows a user to "log in" to many different CAS sites (or the same site multiple times) without re-entering their password.
- ASP.NET Forms Authentication: after a user authenticates with CAS, the login method sets a Forms Authentication cookie, which ASP.NET uses to keep track of which user is accessing your application.
So when logging off you always destroy the Forms Authentication ticket with `FormsAuthentication.SignOut();`, but that only ends the session in your application. If you also want to end the CAS session, you have to let CAS do it by redirecting the browser to its logout URL: `Redirect("https://cas.ucdavis.edu/cas/logout");`. Without that second step the user's next visit to any CAS-protected page, including yours, will log them straight back in without a password prompt.
Thus, a full logout looks like this:
```csharp
public ActionResult LogOut()
{
    FormsAuthentication.SignOut();
    return Redirect("https://cas.ucdavis.edu/cas/logout");
}
```
Protecting pages is already done! If you protect an action with [Authorize], ASP.NET automatically redirects unauthenticated requests to your Login action (with the requested page in the ReturnUrl query parameter) because of the default
```xml
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
```
section in web.config, and the user is sent to CAS to authenticate. Note that `timeout` is in minutes, so 2880 keeps the Forms ticket valid for two days of inactivity; lower it if your application handles sensitive data.
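To make the explanation above concrete, here is the same login, logout and [Authorize] flow written out by hand against the CAS protocol instead of through CasMvc. This is an added example and not UCDArch's own CasMvc code; the `/cas/login` and `/cas/serviceValidate` endpoints are the standard CAS 2.0 URLs and are assumed here alongside the `/cas/logout` URL from the page, and the controller, view and route names are illustrative.

```csharp
using System;
using System.Net;
using System.Web.Mvc;
using System.Web.Security;
using System.Xml.Linq;

// Added example: hand-rolled CAS 2.0 login/logout showing what a helper such as
// CasMvc.LoginAndRedirect() has to do. Not UCDArch's own code; endpoint paths
// other than /cas/logout are the standard CAS protocol URLs and are assumed.
public class AccountController : Controller
{
    const string CasBase = "https://cas.ucdavis.edu/cas";
    static readonly XNamespace Cas = "http://www.yale.edu/tp/cas";

    public ActionResult Login(string returnUrl)
    {
        // Already authenticated and still sent here by [Authorize]: the user lacks
        // the required role, not a login. Bouncing to CAS again would loop, so
        // render the access-denied message instead.
        if (Request.IsAuthenticated)
        {
            ViewBag.DeniedUrl = returnUrl;
            return View();
        }

        // The service URL CAS returns to. It must be byte-for-byte identical in
        // the login redirect and in the ticket validation call, or CAS rejects it.
        string service = Url.Action("Login", null, new { returnUrl }, Request.Url.Scheme);

        string ticket = Request.QueryString["ticket"];
        if (string.IsNullOrEmpty(ticket))
        {
            // Step 1: no ticket yet, send the browser to CAS.
            return Redirect(CasBase + "/login?service=" + Uri.EscapeDataString(service));
        }

        // Step 2: CAS came back with ?ticket=ST-...; validate it server to server.
        // Never trust the ticket itself, only CAS's answer about it.
        string user = ValidateServiceTicket(ticket, service);
        if (user == null)
        {
            return new HttpUnauthorizedResult(); // invalid, expired or replayed ticket
        }

        // Step 3: the application's own session, the Forms Authentication ticket.
        FormsAuthentication.SetAuthCookie(user, createPersistentCookie: false);

        // Only follow returnUrl back inside this application (no open redirect).
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // Asks /serviceValidate about the ticket; returns the CAS user id or null.
    static string ValidateServiceTicket(string ticket, string service)
    {
        string validateUrl = CasBase + "/serviceValidate?ticket=" + Uri.EscapeDataString(ticket)
                             + "&service=" + Uri.EscapeDataString(service);
        string xml;
        using (var client = new WebClient())
        {
            xml = client.DownloadString(validateUrl);
        }
        // A successful response looks like:
        // <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        //   <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
        // </cas:serviceResponse>
        // Anything else (cas:authenticationFailure, malformed XML) means "not logged in".
        var doc = XDocument.Parse(xml);
        var success = doc.Root == null ? null : doc.Root.Element(Cas + "authenticationSuccess");
        if (success == null) return null;
        var userElement = success.Element(Cas + "user");
        return userElement == null ? null : userElement.Value;
    }

    // Logout as a POST with an anti-forgery token so a third-party page cannot
    // log your users out with a plain link or image tag.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOut()
    {
        FormsAuthentication.SignOut();        // this application's ticket
        Session.Abandon();                    // any server-side state tied to it
        return Redirect(CasBase + "/logout"); // the CAS single sign-on cookie
    }
}
```

The two checks that matter for security are the server-side `serviceValidate` call (the browser-supplied ticket proves nothing on its own) and `Url.IsLocalUrl(returnUrl)`, which keeps the ReturnUrl that [Authorize] appends from becoming an open redirect. The `Request.IsAuthenticated` branch is the "already logged in" case the page describes: [Authorize] returns 401 for an authenticated user without the right role, Forms Authentication turns that into a redirect to the login page, and without this branch the user would ping-pong between your application and CAS.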