Thursday, November 8, 2012

Jasig CAS

In most cases the login code of your application does not require much thought. Simply use the standard module your framework provides; that is all you need.

But sometimes you need to integrate third-party applications with your own: a CMS, forums, a ticketing system, etc. Your users will put up with entering their user/password twice for a couple of months (in the best case), but you know it is something you need to change.

At the beginning you may be tempted to implement your own solution, because it seems very simple: read a cookie here, set it there, redirect over there and back... In the end you will find yourself hacking every third-party application and learning new concepts such as man-in-the-middle attacks, spoofing, and so on. That is good, of course. But it would be even better to learn them with a bit less pressure than you will have after being so optimistic when you scheduled this feature.

What I use in those cases is an SSO server. This lets me add SSO functionality to my application in a fraction of the time it would take to implement it myself.
Jasig CAS (Central Authentication Service) integrates easily with your Java web applications, but also with other platforms such as PHP, .NET and others. The protocol is well documented and can be implemented on any platform for which a client is not yet available. On the other side, there are lots of "CASified" applications, which is how they name the clients that have been integrated with CAS.

Here we will see how we can use CAS in our JBoss 6 applications. But first of all you should start by reading https://wiki.jasig.org/display/CASUM/Demo and become familiar with how CAS is used.

Then, when you feel ready to try it out with your JBoss/JAAS application, follow the steps below. Remember you need to have a CAS server already up and running and reachable at http://yourcasserver/cas. (In anything but a local test that URL should be https://: the client validates tickets by calling the server back-channel, and the response that says who the user is travels in clear and can be tampered with over plain HTTP.) So, let's go:
  • Copy the cas-client-core-<version>.jar and cas-client-integration-jboss-<version>.jar to the server/default/lib dir.
  • Configure the JAAS application policy in server/default/conf/login-config.xml as follows:
    <application-policy name="cas">
       <authentication>
          <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
             <module-option name="ticketValidatorClass">
               org.jasig.cas.client.validation.Cas20ServiceTicketValidator
             </module-option>
             <module-option name="casServerUrlPrefix">
                http://yourcasserver/cas
             </module-option>
             <module-option name="tolerance">20000</module-option>
             <module-option name="defaultRoles">admin,user</module-option>
             <module-option name="roleAttributeNames">role,list</module-option>
             <module-option name="principalGroupName">CallerPrincipal</module-option>
             <module-option name="roleGroupName">Roles</module-option>
             <module-option name="cacheAssertions">true</module-option>
             <module-option name="cacheTimeout">480</module-option>
          </login-module>
       </authentication>
    </application-policy>
    Two options deserve a second look before you copy this. defaultRoles is granted to every principal CAS authenticates, so with admin in that list every CAS user becomes an admin of your application; keep only the roles everyone really should have and let the attributes named in roleAttributeNames (here role and list, taken from the validated ticket) carry the privileged ones. cacheTimeout is expressed in minutes, so 480 keeps a cached assertion for eight hours.
  • Modify the deploy/jbossweb.sar/server.xml and uncomment:
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  • Finally, in the web.xml of your web application, configure the listener and the servlet filters. AuthenticationFilter refuses to start without a serverName (or service) init-param, which the original listing omitted, so it is added here; its value is an assumed host and must be replaced with your application's own. Make sure casServerLoginUrl points at the same CAS server you configured as casServerUrlPrefix in login-config.xml.
    <!-- Facilitates CAS single sign-out -->
    <listener>
       <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <!-- Following is needed only if CAS single-sign out is desired -->
    <filter>
       <filter-name>CAS Single Sign Out Filter</filter-name>
       <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <!-- Only 2 CAS filters are required for JAAS support -->
    <filter>
       <filter-name>CASWebAuthenticationFilter</filter-name>
       <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
    </filter>
    <filter>
       <filter-name>CASAuthenticationFilter</filter-name>
       <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
       <init-param>
          <param-name>casServerLoginUrl</param-name>
          <param-value>https://cas.example.com/cas/login</param-value>
       </init-param>
       <!-- serverName (or service) is mandatory; assumed value, use your application's host -->
       <init-param>
          <param-name>serverName</param-name>
          <param-value>https://app.example.com</param-value>
       </init-param>
    </filter>
    <!-- Other filters as needed -->
    <!-- CAS client filter mappings -->
    <!-- The order of the following filters is vitally important -->
    <filter-mapping>
       <filter-name>CAS Single Sign Out Filter</filter-name>
       <url-pattern>*.do</url-pattern>
    </filter-mapping>
    <filter-mapping>
       <filter-name>CASWebAuthenticationFilter</filter-name>
       <url-pattern>*.do</url-pattern>
    </filter-mapping>
    <filter-mapping>
       <filter-name>CASAuthenticationFilter</filter-name>
       <url-pattern>*.do</url-pattern>
    </filter-mapping>

    In your WEB-INF/jboss-web.xml select the appropriate security domain:
    <jboss-web>
       <security-domain>java:/jaas/cas</security-domain>
    </jboss-web>
  • The first time, you may want to enable trace logging to inspect any error you get in your JBoss app. In server/default/deploy/jboss-logging.xml do it by adding:
    <logger category="org.jasig">
       <level name="TRACE" />
    </logger>
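    To see what the pieces above actually do together (the redirect to /login issued by CASAuthenticationFilter, the back-channel call to /serviceValidate made by Cas20ServiceTicketValidator, and the defaultRoles/roleAttributeNames mapping performed by CasLoginModule), here is a small walk-through of the CAS 2.0 protocol in Python. It is an added example written for this page, not code from the post or from the Jasig client; the host names and the two serviceValidate responses are constructed, it performs no real HTTP call, and it deliberately ignores proxy tickets and single-use enforcement. It also shows the two checks worth building in: refusing a plain-HTTP CAS server, and how an admin entry in defaultRoles reaches every authenticated user.

```python
"""CAS 2.0 service-ticket validation and JAAS-style role mapping (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of every CAS 2.0 response
# Assumed values: the post uses http://yourcasserver/cas and cas.example.com.
CAS_SERVER_URL_PREFIX = "https://cas.example.com/cas"
SERVICE_URL = "https://app.example.com/app/index.do"

# Constructed /serviceValidate responses, one success and one failure.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:role>editor</cas:role>
      <cas:list>reviewers</cas:list>
      <cas:mail>jdoe@example.com</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def login_redirect_url(cas_prefix, service):
    """Where AuthenticationFilter sends a browser that has no session yet."""
    return f"{cas_prefix}/login?{urlencode({'service': service})}"


def service_validate_url(cas_prefix, service, ticket):
    """Back-channel URL the ticket validator fetches. The answer carries the
    user's identity, so a plain-HTTP CAS server is refused outright."""
    if urlparse(cas_prefix).scheme != "https":
        raise ValueError("casServerUrlPrefix must use https")
    return f"{cas_prefix}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_service_response(xml_text):
    """Turn a serviceValidate body into {'user': ..., 'attributes': {name: [values]}}.
    Raises PermissionError on authenticationFailure, ValueError on malformed XML."""
    root = ET.fromstring(xml_text)
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        raise PermissionError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        raise ValueError("malformed CAS response: no success or failure element")
    user = (success.findtext(f"{{{CAS_NS}}}user") or "").strip()
    if not user:
        raise ValueError("malformed CAS response: missing cas:user")
    attributes = {}
    attrs = success.find(f"{{{CAS_NS}}}attributes")
    if attrs is not None:
        for child in attrs:  # tags look like {ns}role; keep the local name
            name = child.tag.rsplit("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attributes}


def map_roles(assertion, default_roles, role_attribute_names):
    """Mirror the CasLoginModule options: defaultRoles go to every principal,
    roleAttributeNames pick the attributes whose values become roles."""
    roles = set(default_roles)
    for name in role_attribute_names:
        roles.update(v for v in assertion["attributes"].get(name, []) if v)
    return roles


def authenticate(xml_text, default_roles=("user",), role_attribute_names=("role", "list")):
    """Validate a response and return (user, roles) the way the JAAS module would."""
    assertion = parse_service_response(xml_text)
    return assertion["user"], map_roles(assertion, default_roles, role_attribute_names)


if __name__ == "__main__":
    print(login_redirect_url(CAS_SERVER_URL_PREFIX, SERVICE_URL))
    print(service_validate_url(CAS_SERVER_URL_PREFIX, SERVICE_URL, "ST-1-constructed"))
    print(authenticate(SAMPLE_SUCCESS))
    print(authenticate(SAMPLE_SUCCESS, default_roles=("admin", "user")))  # everyone is admin
    try:
        authenticate(SAMPLE_FAILURE)
    except PermissionError as err:
        print("rejected:", err)
```

    Run it and compare the second authenticate call with the first: the only difference is the defaultRoles tuple, and jdoe, who carries no admin attribute at all, comes back as an admin. That is exactly what the admin,user value in the login-config.xml above does for every user your CAS server knows.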
That is all. Start the server and run some tests. All of this is described in more detail in: