What Source Code is Available?
Effective November 21, 2003, the Identity Management team is making
source code to certain authentication components available to the
campus community. The source code will consist of Linux versions
of CASAPI and a Mozilla component which does authentication similar
to SideCar.
Read CIT/Identity Management's Position on Authentication Solutions for UNIX/Linux.
What is CASAPI?
CASAPI is a small cross-platform library which defines
an API for doing client-side authentication here at Cornell. The
API calls may be made from C/C++ or Java. Under MacOS X and Windows,
this library is a simple abstraction layer on top of the Kerberos
libraries. Under Linux and UNIX, CASAPI also implements the graphical
dialog used to prompt for NetID and Password.
What Uses CASAPI?
- The infrastructure used by most Java-based administrative applications (Just The Facts, Colts II, PEDL, SES, etc.) is in the process of adopting CASAPI as a method through which authentication can occur.
- Any new client-side authentication software will likely be based on CASAPI.
- Our reference implementation of the Mozilla web authentication component uses CASAPI.
What is the Mozilla Web Authentication Component?
This component is used to interact with a web server in
the Cornell namespace running CUWebAuth. When an end user attempts
to access any web site in the .cornell.edu domain, the component
will first make a HEAD request with a special header which asks
the server if CUWebAuth is running and if authentication is needed.
If the web server isn't running CUWebAuth or if authentication is
not needed, the component takes no further action (and the
page is requested normally). However, if the response to the HEAD
request carries a special header indicating that authentication is necessary
(and which Kerberos principal/realm the web server is running under),
the component calls into CASAPI to acquire the necessary Kerberos
service ticket and then includes that ticket, encoded in an HTTP
header, when making the normal GET request for the original URL.
In general, the special HEAD request is made only for hosts in the
.cornell.edu domain, but that can be overridden by a special include/exclude
file if desired.
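The exchange described above, sketched as an added example (not CIT's code), including the label-boundary domain check that keeps a ticket from being prepared for a look-alike host. The header names, the include/exclude rule format (suffix lists, exclude wins), the realm and `getTicket` (a stand-in for the CASAPI call) are assumptions, since the page does not give them.

```javascript
// Added illustration; header names, rule format and getTicket() are hypothetical.
const PROBE_HDR = "X-Example-WebAuth-Probe";      // sent on the HEAD request
const NEEDED_HDR = "X-Example-WebAuth-Required";  // reply value: "service/host@REALM"
const TICKET_HDR = "X-Example-WebAuth-Ticket";    // carries the encoded service ticket

// True when host equals suffix or ends with "." + suffix (label boundary),
// so "evilcornell.edu" and "cornell.edu.example.net" do not match "cornell.edu".
function inDomain(host, suffix) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const s = suffix.toLowerCase().replace(/^\./, "");
  return h === s || h.endsWith("." + s);
}

// Default scope is cornell.edu. Assumed rule format: lists of host suffixes,
// with exclude taking precedence over include.
function shouldProbe(host, rules = { include: [], exclude: [] }) {
  if (rules.exclude.some((s) => inDomain(host, s))) return false;
  return inDomain(host, "cornell.edu") || rules.include.some((s) => inDomain(host, s));
}

// Returns the requests the client would send for `url`, in order.
// `server(req)` returns response headers; `getTicket(principal)` stands in for CASAPI.
function planRequests(url, server, getTicket, rules) {
  const host = new URL(url).hostname;
  const plainGet = { method: "GET", url, headers: {} };
  if (!shouldProbe(host, rules)) return [plainGet];   // out of scope: no probe at all
  const head = { method: "HEAD", url, headers: { [PROBE_HDR]: "1" } };
  const principal = server(head)[NEEDED_HDR];
  if (!principal) return [head, plainGet];            // no CUWebAuth, or no auth needed
  const ticket = Buffer.from(getTicket(principal)).toString("base64");
  return [head, { method: "GET", url, headers: { [TICKET_HDR]: ticket } }];
}

// Constructed test doubles: a protected server and a fake ticket source.
const protectedServer = (req) =>
  req.headers[PROBE_HDR] ? { [NEEDED_HDR]: "HTTP/app.cornell.edu@EXAMPLE.REALM" } : {};
const fakeTicket = (principal) => "ticket-for:" + principal;
```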
Why are we Publishing Source Code?
Over the years, there has been much criticism that CIT
needs to have more open development practices, especially in the
realm of our authentication software. There has been much frustration
within the UNIX/Linux community that without an open source environment
they are unable to implement authentication themselves and therefore
they cannot use their preferred platform with many central administrative
applications. CIT's position (with respect to authentication software)
has been that we need to make certain guarantees about how the central
authentication system behaves. While we agree that a very determined
individual could find a way to alter that behavior without having
access to source code, making source code available dramatically
increases the number of people who could alter the behavior. In
an effort to "test" whether or not this is a valid concern
or just paranoia, the Identity Management team decided to "test
the open source waters" by releasing the CASAPI and Mozilla
component source code. For a more complete discussion of this decision,
read CIT/Identity Management's Position
on Authentication Solutions for UNIX/Linux.
How Do I Obtain Source?
Before downloading source code, you must agree to guidelines for
handling the source code. The guidelines are basic rules which help
address the concerns we have regarding the release of source code.
We hope the rules will be self-enforced. The only consequence for
breaking the rules is the possible discontinuation of any open source
efforts. If the rules are adhered to and the open source experience
is generally positive, we will consider releasing more source code
in the future.
To obtain source code, please begin by reading and agreeing to the Guidelines for Handling Source Code distributed by the Identity Management group at CIT.
