From SecurePass

Protect an Apache resource with SecurePass

Basics

Protecting an Apache web site or resource with SecurePass' strong authentication is quick and easy. Probably the best technology is to leverage CAS, the protocol that enables your web application to use SecurePass' single sign-on system.

The mod_auth_cas Apache module allows an Apache web server to interact with an authentication server that conforms to the CAS version 1 or 2 protocol as specified by Yale/JA-SIG.

What is SecurePass

SecurePass is a strong authentication and identity management service from GARL Bank.

Established in 2008, with offices in Switzerland and United Kingdom, GARL is an independent and neutral bank of digital data. Like traditional banks deal with storing and protecting money, our core business is storing and protecting customers' data.

Unlike other software-as-a-service (SaaS) that are maintained by IT companies, SecurePass is managed by our bank and adopts the same high security standards traditionally used in banks and by government institutions. It is designed to be easy to use and easy to integrate. It verifies your users' identity for you, giving you peace of mind when you grant them access to applications and data. It gives users the peace of mind that their identity cannot be stolen or abused.

Any company can use SecurePass. Small and medium business, for example, will benefit from a lower total cost of ownership compared to maintain a similar infrastructure in-house.

Find more about SecurePass on http://www.secure-pass.net

On Debian and Ubuntu

Both Debian and Ubuntu have mod_auth_cas in their repositories, therefore it's enough to install the apache module with the following command:

# apt-get install libapache2-mod-auth-cas

On RedHat Enterprise Linux (RHEL), CentOS or Scientific Linux

You have to enable EPEL as an additional repository in your system. For more information on how to enable EPEL, please refer to the section "How can I use these extra packages?" of the http://fedoraproject.org/wiki/EPEL web site.

Once EPEL is enabled, proceed by installing the mod_auth_cas module with the following command:

yum install mod_auth_cas

From sources (including Solaris, etc..)

Download the mod_auth_cas sources from the JASIG official repository. Use the APache eXtenSion tool (APXS) to compile and install this object as a dynamically shared object (DSO), by either:

apxs -i -lssl -lcurl -c mod_auth_cas.c

or

apxs2 -i -lssl -lcurl -c mod_auth_cas.c

depending on your apache distribution. Note that you must use GNU Make - other Make implementations may work, but are untested and not recommended. Use the standard commands below to compile and install:

./configure; make; make install

configure can take an optional --with-apxs=/path/to/apxs argument to specify the path to your APXS binary.

We recommend to read the README file included with the sources for further details.

Configuring mod_auth_cas

mod_auth_cas need to be configured in the Apache main configuration file with the SecurePass parameters. On Debian and Ubuntu the module has a special configuration file named /etc/apache2/mods-enabled/auth_cas.conf, while on RHEL, CentOS and Scientific Linux is /etc/httpd/conf.d/auth_cas.conf. Copy and paste the following lines:

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASValidateServer Off
CASLoginURL https://login.secure-pass.net/cas/login
CASValidateURL https://login.secure-pass.net/cas/serviceValidate
CASAllowWildcardCert On

Afterwards, we need to define a resource to be protected. The example below refers to an Apache location, but it can be placed in a directory statement or .htaccess.

<Location />
    Order allow,deny
    allow from all
    AuthType CAS
    AuthName "private area"
    Require valid-user
<Location>

Please note in the above example that EVERY authenticated user with CAS is allowed to enter the resource. It is strongly recommended that the resource has a limited list of users that has the permission to access, ex: with the require user or require group directives.

Apache