Protect an Apache resource with SecurePass
Protecting an Apache web site or resource with SecurePass' strong authentication is quick and easy. Probably the best technology is to leverage CAS, the protocol that enables your web application to use SecurePass' single sign-on system.
The mod_auth_cas Apache module allows an Apache web server to interact with an authentication server that conforms to the CAS version 1 or 2 protocol as specified by Yale/JA-SIG.
What is SecurePass
SecurePass is a strong authentication and identity management service from GARL Bank.
Established in 2008, with offices in Switzerland and United Kingdom, GARL is an independent and neutral bank of digital data. Like traditional banks deal with storing and protecting money, our core business is storing and protecting customers' data.
Unlike other software-as-a-service (SaaS) that are maintained by IT companies, SecurePass is managed by our bank and adopts the same high security standards traditionally used in banks and by government institutions. It is designed to be easy to use and easy to integrate. It verifies your users' identity for you, giving you peace of mind when you grant them access to applications and data. It gives users the peace of mind that their identity cannot be stolen or abused.
Any company can use SecurePass. Small and medium business, for example, will benefit from a lower total cost of ownership compared to maintain a similar infrastructure in-house.
Find more about SecurePass on http://www.secure-pass.net
On Debian and Ubuntu
Both Debian and Ubuntu have mod_auth_cas in their repositories, therefore it's enough to install the apache module with the following command:
# apt-get install libapache2-mod-auth-cas
On RedHat Enterprise Linux (RHEL), CentOS or Scientific Linux
You have to enable EPEL as an additional repository in your system. For more information on how to enable EPEL, please refer to the section "How can I use these extra packages?" of the http://fedoraproject.org/wiki/EPEL web site.
Once EPEL is enabled, proceed by installing the mod_auth_cas module with the following command:
yum install mod_auth_cas
From sources (including Solaris, etc..)
Download the mod_auth_cas sources from the JASIG official repository. Use the APache eXtenSion tool (APXS) to compile and install this object as a dynamically shared object (DSO), by either:
apxs -i -lssl -lcurl -c mod_auth_cas.c
apxs2 -i -lssl -lcurl -c mod_auth_cas.c
depending on your apache distribution. Note that you must use GNU Make - other Make implementations may work, but are untested and not recommended. Use the standard commands below to compile and install:
./configure; make; make install
configure can take an optional --with-apxs=/path/to/apxs argument to specify the path to your APXS binary.
We recommend to read the README file included with the sources for further details.
mod_auth_cas need to be configured in the Apache main configuration file with the SecurePass parameters. On Debian and Ubuntu the module has a special configuration file named /etc/apache2/mods-enabled/auth_cas.conf, while on RHEL, CentOS and Scientific Linux is /etc/httpd/conf.d/auth_cas.conf. Copy and paste the following lines:
CASCookiePath /var/cache/apache2/mod_auth_cas/ CASValidateServer Off CASLoginURL https://login.secure-pass.net/cas/login CASValidateURL https://login.secure-pass.net/cas/serviceValidate CASAllowWildcardCert On
Afterwards, we need to define a resource to be protected. The example below refers to an Apache location, but it can be placed in a directory statement or .htaccess.
<Location /> Order allow,deny allow from all AuthType CAS AuthName "private area" Require valid-user <Location>
Please note in the above example that EVERY authenticated user with CAS is allowed to enter the resource. It is strongly recommended that the resource has a limited list of users that has the permission to access, ex: with the require user or require group directives.