mirror of https://github.com/ACSPRI/queXS (synced 2024-04-02 12:12:16 +00:00)
New version of PHPCAS
include/phpCAS/docs/Upgrading (new file, 145 lines)
@@ -0,0 +1,145 @@
################################
### Upgrading 1.5.0 -> 1.6.0 ###
################################

phpCAS now requires an additional service base URL argument when constructing
the client class, similar to other CAS client's serverName config. It accepts
any argument of:

1. A service base URL string. The service URL discovery will always use this
server name (protocol, hostname and port number) without using any external
host names.
2. An array of service base URL strings. The service URL discovery will check
against this list before using the auto discovered base URL. If there is no
match, the first base URL in the array will be used as the default. This
option is helpful if your PHP website is accessible through multiple domains
without a canonical name, or through both HTTP and HTTPS.
3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to
customize the base URL discovery behavior, you can pass in a class that
implements the interface.

For option 1 and 2, protocol, hostname and port should all appear without a
trailing slash, e.g. http://example.org:8080. You can omit the default port for
the protocol, which means use https://example.org instead of
https://example.org:443 (if you use HTTPS).

For security reasons, we no longer allow service base URL discovery without an
allowed list check by default. For more information, refer to the security
advisory.

This version also changed the CURL User Agent string that phpCAS uses when
sending validation requests to the CAS server. It will appear as phpCAS/1.6.0
with the version number reflecting the library version.


################################
### Upgrading 1.3.3 -> 1.3.4 ###
################################

For security hardening purposes the verbose error messages to the web browsers
are now masked. If you want to have the verbose messages you need to use:
phpCAS::setVerbose(true);
This will set the configuration to the old verbose mode that helps during
development and debugging.


################################
### Upgrading 1.3.1 -> 1.3.2 ###
################################

Due to the missing validation of the CN of the SSL certifcate it may be that
phpcas fails validation of CAS server certicates that do not match the IP/DNS
name you use in the phpcas client() or proxy() setup.
If this happens a quick workaround to change the setup to the old but unsecure
behaviour. This can be seen in the no_ssl_cn_validation example.
This is not a recommended setting and is no a secure setup!

################################
### Upgrading 1.2.x -> 1.3.0 ###
################################


------------------------------------------------------------------
1. Changing of the default debug.log permissions:
------------------------------------------------------------------

The default debug log is now created with 0600 permissions to be only readable
by the webserver

-------------------------------------------------------
2. Changing of the behaviour of proxied applications:
-------------------------------------------------------

If your application is being proxied (Another casified application is using
proxy tickets to access your service you need to change your configuration. The
new default configuration is now to deny any proxied use of your service unless
it is exlicitly allowed:

If you want your service to be proxied you have to enable it (default disabled)
and define an accepable list of proxies that are allowed to proxy your service.

Add each allowed proxy definition object. For the normal CAS_ProxyChain
class, the constructor takes an array of proxies to match. The list is in
reverse just as seen from the service. Proxies have to be defined in reverse
from the service to the user. If a user hits service A and gets proxied via
B to service C the list of acceptable on C would be array(B,A). The definition
of an individual proxy can be either a string or a regexp (preg_match is used)
that will be matched against the proxy list supplied by the cas server
when validating the proxy tickets. The strings are compared starting from
the beginning and must fully match with the proxies in the list.

Examples:
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
'https://app.example.com/'
)));
or
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
'/^https:\/\/app[0-9]\.example\.com\/rest\//',
'http://client.example.com/'
)));

For quick testing or in certain production screnarios you might want to
allow allow any other valid service to proxy your service. To do so, add
the "Any" chain:

phpCAS::allowProxyChain(new CAS_ProxyChain_Any);

THIS SETTING IS HOWEVER NOT RECOMMENDED FOR PRODUCTION AND HAS SECURITY
IMPLICATIONS: YOU ARE ALLOWING ANY SERVICE TO ACT ON BEHALF OF A USER
ON THIS SERVICE.


----------------------------------------------------------------
3. Changing of the default PGT file storage location in proxy mode:
----------------------------------------------------------------

The default storage of the sensitive PGT session files is the
session_save_path() now. This is a php environment dependent dir which is also
used for storing your php session data. The default permissions are also changed
to 0600 to be only readable by the webserver.




------------------------------------------------------------------
4. The setPGTStorageFile() function has changed it parameters.
------------------------------------------------------------------

The setPGTStorageFile() function no longer needs an storage "format" argument.
Since the format functionality was never implemented it has now been dropped
and only the path argument is necessary.

------------------------------------------------------------------
5. The startSession boolean in the constructor has been changed to
changeSessionID
------------------------------------------------------------------

The last parameter of the constructor for has been changed from "start session"
to "change session ID". This has no negative effects on existion integrations
but will allow integration with other frameworks to take advantage of single
sign-out if they switch to "true". phpCAS will then rename the session id
(keeping all vars) and be able to single sign-out users.
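Review bot: the "Upgrading 1.5.0 -> 1.6.0" section closes with "For more information, refer to the security advisory." without naming or linking the advisory, so an integrator reading this file from the repository has no way to find it; put the advisory URL or identifier next to that sentence, and say in the same paragraph what the unrestricted discovery used to trust (the text only states that an "allowed list check" is now mandatory, not what input was being checked against it), because that is what tells an operator whether an existing client() call built with auto-discovery was exposed and which of options 1-3 they should pick. Two further points in the same file. In "Upgrading 1.3.1 -> 1.3.2" the sentence "If this happens a quick workaround to change the setup to the old but unsecure behaviour." is missing its verb ("a quick workaround is to change ...") and leads with the insecure path; the correct fix, passing the hostname that matches the CAS server certificate's CN to client()/proxy(), should be stated first, with the no_ssl_cn_validation example mentioned only as the last resort the following line already warns about. In the proxy-chain section, "The strings are compared starting from the beginning and must fully match with the proxies in the list." does not say whether a proxy URL carrying a longer path than the configured string is accepted, and that decides how much an allow-list entry such as 'https://app.example.com/' actually permits; state explicitly whether string entries are prefix or exact matches. Typos to fix before merge: "certifcate", "certicates", "unsecure", "is no a secure", "exlicitly", "accepable", "screnarios", "allow allow", "existion", "an storage", "it parameters", and "the constructor for has been changed" (a word is missing after "for").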