
Christian Stuck of Westminster Choir College contributed this information about authentication of ColdFusion applications on the CAS Mailman list:

This is a simple CAS script we developed to replace an existing simple login script for a problem solving ColdFusion application we have. This is not very elegant (esp. not with XML), but it will get the job done. You will have to go through and change some variables, along with the SQL statement:

What does this script do? How do you consume its output? Well,

  • It sets the authenticated username from the XML response in the NetId variable.
  • It then sets the Session variable MM_UserName to this NetId variable so that all ColdFusion pages in the application can access it.


2 Comments

  1. Thanks Christian, this code was great. Using <cfhttp> over SSL gave us some problems though. Read this post from bpurcell.org to remedy any problems: http://www.bpurcell.org/blog/index.cfm?mode=entry&entry=843

    If you have had problems connecting CFHTTP using HTTPS then the following forum posting may help you out.

    It ended up being because the server we were connecting to used certificates and the Java didn't like them. To fix it we exported the certificates from IE Certificate manager after installing them from their website, and the entire certificate chain if necessary (root, and intermediates)...

    Export each to c:\cfusion\runtime\jre\lib\security (Assuming CF is installed at this location) using the binary x.509 format (The default for IE 6). Name them something recognisable (Site1.cer, site2.cer and site3.cer in this case).
    Easy part is done.

    Now, run a command line (CMD at Start-Run)
    type PATH=%PATH%;C:\CFUSIONMX\RUNTIME\JRE\BIN (Assuming CF is installed at this location)
    cd\
    cd cfusionmx\runtime\jre\lib\security
    keytool -import -noprompt -alias SITE1 -file site1.cer -keystore .\cacerts -storepass changeit (assuming you haven't changed the default java password yet)
    keytool -import -noprompt -alias SITE2 -file site2.cer -keystore .\cacerts -storepass changeit
    keytool -import -noprompt -alias SITE3 -file site3.cer -keystore .\cacerts -storepass changeit
    exit

    Now restart the CF Services or restart the server and it should work.

  2. Below is some sample code we developed to test CAS out without the CAS login screen, adapted from Christian Stuck's original code.

    <!---
    // Login.cfm

    // Cynthia Reece
    // Using CAS without the CAS login screen
    // Adapted from Christian Stuck's CAS Client Script Code
    // Monday, May 23 2005

    --->

    <cfif NOT isDefined("url.ticket")>
    <!--- go to cas to get the login ticket which will get passed with the username and password --->
    <cftry>
    <cfhttp
    method="get"
    url="#CAS_Server_insecure#/login?service=#MyApp#/login.cfm">

    <!--- Back from CAS
    parse through the text to extract the login ticket
    Login ticket will get passed with the username and password via next http call --->

    <!--- The regex brackets were lost when this was pasted into the wiki; the pattern is LT-<digits>-<alphanumerics> --->
    <cfset loginTicketLocation = REFindNoCase("LT-[0-9]+-[A-Za-z0-9]+", cfhttp.filecontent, 1, "True")>
    <cfset loginTicket = Mid(cfhttp.filecontent, loginTicketLocation.pos[1], loginTicketLocation.len[1])>
    <cfcatch>
    <p>We're sorry the authentication server is unavailable at this time, please try again later.</p>
    <cfabort>
    </cfcatch>
    </cftry>

    <!--- Go back to CAS and try to log in with the username and password specified by the user, plus the login ticket
    we just obtained from CAS --->
    <cftry>
    <cfhttp method="post"
    url="#CAS_Server_insecure#/login?service=#MyApp#/login.cfm">
    <cfhttpparam type="FormField"
    name="username"
    value="#username#">
    <cfhttpparam type="FormField"
    name="password"
    value="#password#">
    <cfhttpparam type="FormField"
    name="lt"
    value="#loginTicket#">
    </cfhttp>

    <!--- Check to see if CAS returned a valid Ticket Granting Cookie
    parse through the text to extract the ticket granting cookie --->
    <cfset TicketGrantingCookieLocation = REFindNoCase("TGC-[0-9]+-[A-Za-z0-9]+", cfhttp.header, 1, "True")>
    <cfset TicketGrantingCookie = Mid(cfhttp.header, TicketGrantingCookieLocation.pos[1], TicketGrantingCookieLocation.len[1])>
    <!--- Set cookie via cfheader because we must specify the character set.
    cfcookie uses the UTF character set --->
    <cfheader
    name="Set-Cookie"
    value="CASTGC=#TicketGrantingCookie#; Path=/cas; Secure Content-Type: text/html;charset=ISO-8859-1; domain=.yourdomain.org;">

    <!--- If a valid ticket is returned the contents of this variable will contain a javascript redirect back to this page
    and also some 'click here' text if the user has javascript disabled --->
    <cfoutput>#cfhttp.filecontent#</cfoutput>
    <cfcatch>
    <p>We're sorry the username and password you entered is invalid.</p>
    </cfcatch>
    </cftry>

    <cfelse>
    <!--- Now we've gotten the service ticket so we must validate it --->
    <cfset casurl = CAS_Server & "serviceValidate?ticket=" & url.ticket & "&service=" & MyApp & "/login.cfm">
    <cfhttp url="#casurl#" method="get"></cfhttp>
    <!--- Strip out the username that is returned from CAS --->
    <cfscript>
    myxmldoc = XmlParse(cfhttp.filecontent);
    selectedElements = XmlSearch(myxmldoc, "cas:serviceResponse/cas:authenticationSuccess/cas:user");
    if(isArray(selectedElements) AND NOT ArrayIsEmpty(selectedElements)) {
    //valid ticket found
    ULuserid = selectedElements[1].XmlText;
    }
    else
    //invalid ticket
    ULuserid = 0;
    </cfscript>

    <!--- Stop on an invalid ticket rather than reading selectedElements[1], which does not exist in that case --->
    <cfif ULuserid EQ 0>
    <p>We're sorry, the ticket could not be validated.</p>
    <cfabort>
    </cfif>

    <!--- Set the username in the session --->
    <cfset Session.MM_ULuserID = ULuserid>

    <cflocation url="index.cfm" addtoken="no">

    <!--- Now that we have the username we should go ahead and set some permissions --->
    </cfif>
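The three extraction steps the script above performs (login ticket from the /login form, ticket-granting cookie from the Set-Cookie header, username from the serviceValidate XML) and the NetId lookup described at the top of the page, as an added example that is not part of the original page or of either poster's code. It is written in Python rather than CFML so it runs stand-alone; the login page, response headers, XML responses and the cas.example.org / app.example.org URLs are constructed samples, not captures from a real CAS server.

```python
"""Offline walk-through of the CAS 2.0 client steps used by the ColdFusion
script: find the login ticket (LT), pull the ticket-granting cookie (TGC) out
of Set-Cookie, build the serviceValidate URL, and read the user out of the
XML response while refusing to return a user for a failure response."""
import re
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from urllib.parse import urlencode

# Constructed sample of the CAS /login HTML; only the hidden "lt" field matters here.
LOGIN_PAGE = """<form method="post" action="/cas/login">
<input type="text" name="username"/>
<input type="password" name="password"/>
<input type="hidden" name="lt" value="LT-3-AbCdEf123456"/>
</form>"""

# Constructed sample of the raw response headers after a successful POST to /login.
LOGIN_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: CASTGC=TGC-12-XyZ789abc; Path=/cas; Secure\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
)

# Constructed serviceValidate responses, one success and one failure.
VALIDATE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-bogus' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# The CF script's patterns lost their square brackets in the wiki rendering;
# these are the shapes it was reaching for: prefix, digits, alphanumerics.
LT_RE = re.compile(r"LT-[0-9]+-[A-Za-z0-9]+")
TGC_RE = re.compile(r"CASTGC=(TGC-[0-9]+-[A-Za-z0-9]+)")


def extract_login_ticket(html):
    """Return the LT embedded in the login form, or None if absent."""
    m = LT_RE.search(html)
    return m.group(0) if m else None


def extract_tgc(raw_headers):
    """Return the TGC value from the Set-Cookie header, or None if absent."""
    m = TGC_RE.search(raw_headers)
    return m.group(1) if m else None


def build_validate_url(cas_server, ticket, service):
    """serviceValidate URL with both parameters URL-encoded; the CF script
    concatenates them raw, which breaks on a service URL containing '&'."""
    query = urlencode({"ticket": ticket, "service": service})
    return cas_server.rstrip("/") + "/serviceValidate?" + query


def parse_service_validate(xml_text):
    """Return (user, None) on authenticationSuccess, else (None, failure_code).

    A failure response never yields a user, which is the check the CF script
    skipped when it read selectedElements[1] unconditionally."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text:
        return user.text.strip(), None
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
    return None, code


if __name__ == "__main__":
    print("LT :", extract_login_ticket(LOGIN_PAGE))
    print("TGC:", extract_tgc(LOGIN_RESPONSE_HEADERS))
    print(build_validate_url("https://cas.example.org/cas/", "ST-1-abc",
                             "https://app.example.org/login.cfm"))
    print("ok  :", parse_service_validate(VALIDATE_OK))
    print("fail:", parse_service_validate(VALIDATE_FAIL))
```

The value returned by parse_service_validate is what belongs in the session variable (MM_UserName or MM_ULuserID in the scripts above); the failure code is what the application should log and act on instead of falling through to the redirect.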