Where should I put CAS session checking code in a CakePHP application?

Question

I work for a department of a university that uses CAS to provide single-sign-on authentication, and am writing a CakePHP application that needs to use this CAS service. I need to write code that:

• Checks with the CAS server to see if the user is logged in
• Pulls some credentials from the server if so
• Checks the credentials against an internal ACL, as the set of people who can access the application is a subset of the set that can log into the CAS service.
• Provides some mechanism for admin users, either by creating special admin users outside the CAS system (with all the headaches that would entail) or by promoting certain CAS users (with the different headaches that would entail).

As a relative newcomer to CakePHP, I frequently struggle with where to stick code that "doesn't belong". The best I can figure is that this code ought to go in the beforeFilter method of the App Controller, but I wonder, is this the best place for it? Also, is it too low in the stack to take advantage of admin routing?

Lastly, I know that CakePHP provides both Auth and ACL components, but when I looked into using them they did not appear amenable to interfacing with outside authentication services. Am I wrong, and would either of these be a good fit for what I need to do?

Thanks!

Answer 1

If you take a look at the Cake's core components you can see that your CAS requirement fits with the type of things components are typically used for (ie. auth/session).

I would recommend creating a CasAuthComponent. There is some information on extending AuthComponent, in a previous answer of mine, which may prove useful if you wish to build on top of the existing core AuthComponent.

A component (essentially reusable controller code) can interact with models, use other components (such as Session) and control user flow (redirects for example)

Note that, the core AuthComponent actually retrieves information from a model (the User model by default), so you could do something similar.

The CasAuthComponent you create could $use an external user model (CasUser maybe) which is responsible for CRUD operations on the data (retrieving users mainly).

You could take this one step further and abstract CAS interactions into a datasource used by this model, but it isn't strictly neccessary if you don't plan on reusing the code in other models.

The end result could be packaged into a plugin:

• CasAuthComponent (app/plugins/cas/controllers/components/cas_auth.php)
• CasUser (app/plugins/cas/models/cas_user.php)
• CasSource (app/plugins/cas/models/datasources/cas_source.php) [optional]

And used in your application by putting the following in your app_controller:

public $components = array('Cas.CasAuthComponent');

If you wish to be able to administer the users from Cake, you can also include a controller and views in your plugin, which allow the user to interact with the CasUser model (ie. $this->CasUser->save()).