On my latest project I got the opportunity to use a CAS server in combination with Acegi Security. With this setup it is possible to have real single sign-on authentication across multiple contexts and servers.
On the Acegi Security site and the CAS site I could not find a tutorial to get this setup up and running correctly. It took me several days to get a hello-world setup working. The biggest problem I came across was outdated Acegi Security documentation; it seems they did some refactoring in their code base. Additionally I had some problems getting Tomcat (HTTPS) configured correctly. This article will guide you through getting this hello-world setup up and running from scratch.
My setup is based on Tomcat; I used Tomcat version 5.5.23 as my servlet engine. CAS needs to run on HTTPS. For HTTPS you generate an RSA key pair and a self-signed certificate for Tomcat with keytool, export the certificate, and import it into the JDK's cacerts truststore: the Acegi client validates every service ticket by opening an HTTPS connection from inside the JVM to the CAS server, and that connection only succeeds if the JVM trusts the CAS certificate. WARNING: when generating the certificate use 'localhost' as the first and last name (the certificate's common name), because Java's HTTPS client rejects a certificate whose CN does not match the host name it connected to, and ticket validation then fails. The commands below use Unix path syntax; on Windows use %JAVA_HOME%\bin\keytool and %JAVA_HOME%\jre\lib\security\cacerts.
# remove a previous 'tomcat' entry from ~/.keystore (errors out if none exists, which is fine)
$JAVA_HOME/bin/keytool -delete -alias tomcat -storepass changeit
# generate the RSA key pair and self-signed certificate; the CN must be the host name clients connect to
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -dname "CN=localhost" -keypass changeit -storepass changeit
# export the certificate so it can be placed in a truststore
$JAVA_HOME/bin/keytool -export -alias tomcat -storepass changeit -file server.crt
# import it into the JDK truststore (default password 'changeit') so the Acegi ticket validator trusts the CAS server;
# note that every Java program on this JDK will now trust this certificate, so on a shared machine prefer a dedicated truststore
$JAVA_HOME/bin/keytool -import -alias tomcat -file server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
For Tomcat to accept HTTPS requests, add the following Connector to conf/server.xml. keytool writes to the .keystore file in your home folder by default; point keystoreFile at it.
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/.keystore"
keystorePass="changeit"/>
To get CAS going, download the latest 3.x release (I used 3.1) and drop cas.war into Tomcat's webapps folder, so that it is served under context path /cas. For a simple hello-world application CAS doesn't need any more configuration: out of the box it uses SimpleTestUsernamePasswordAuthenticationHandler, which authenticates any user whose password equals the username. This is a test handler only; replace it with a real authentication handler before exposing the server to anything but a local test.
Acegi Security was, for me, a lot more difficult to set up correctly. This article only walks you through the basics; for more details I refer to the source code (download links below).
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
marissa=marissa,ROLE_USER,ROLE_SUPERVISOR
dianne=dianne,ROLE_USER
scott=scott,ROLE_USER
peter=peter,ROLE_USER
</value>
</property>
</bean>
<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
<property name="casAuthoritiesPopulator"><ref local="casAuthoritiesPopulator"/></property>
<property name="casProxyDecider"><ref local="casProxyDecider"/></property>
<property name="ticketValidator"><ref local="casProxyTicketValidator"/></property>
<property name="statelessTicketCache"><ref local="statelessTicketCache"/></property>
<property name="key"><value>my_password_for_this_auth_provider_only</value></property>
</bean>
Acegi is set up around the inMemoryDaoImpl; four users are defined: marissa, dianne, scott and peter. CAS only tells the application that a user has authenticated and who that user is; it knows nothing about roles. The DAO is therefore used by the casAuthoritiesPopulator to load the roles (granted authorities) of a user CAS has authenticated; the passwords in the userMap are never checked in this flow and merely mirror CAS's test handler. The CasAuthenticationProvider has a special field 'key' that should be set to a phrase unique to this provider. The key never leaves the application and is not known to CAS: the provider stores a hash of it in every CasAuthenticationToken it creates and later uses it to recognise tokens that it, and not some other provider, issued. If an application needs CAS to re-check the user's credentials instead of reusing the single sign-on session, that is done with the sendRenew flag on the ServiceProperties bean, which sends renew=true to CAS.
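The provider above references four collaborators (casAuthoritiesPopulator, casProxyDecider, casProxyTicketValidator, statelessTicketCache) and needs a filter and entry point that the post does not show. The following is an added example of how they are wired in Acegi Security 1.0.x, reconstructed from the Acegi CAS sample application rather than taken from this post or from the caswithageci download; check the property names against the Acegi version on your classpath. The URLs assume CAS and the client both run on the same Tomcat at https://localhost:8443 under /cas and /caswithageci, and the bean names ticketCacheBackend and authenticationManager are assumed to be defined elsewhere in the context.

```xml
<!-- Added example, not part of the original post: the beans referenced by casAuthenticationProvider. -->

<!-- The URL this application is registered as at CAS. It must match exactly (scheme, host, port, path)
     the URL the browser is sent back to, or ticket validation fails. -->
<bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">
  <property name="service"><value>https://localhost:8443/caswithageci/j_acegi_cas_security_check</value></property>
  <!-- true forces CAS to re-prompt for credentials instead of reusing the SSO session -->
  <property name="sendRenew"><value>false</value></property>
</bean>

<!-- Unauthenticated requests are redirected here; CAS must be reachable over HTTPS on this URL. -->
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
  <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
  <property name="serviceProperties"><ref local="serviceProperties"/></property>
</bean>

<!-- Receives the redirect back from CAS carrying ?ticket=ST-... and hands it to the authentication manager.
     A failed validation (for example an untrusted CAS certificate) lands on casfailed.jsp. -->
<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
  <property name="defaultTargetUrl"><value>/</value></property>
  <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
</bean>

<!-- Validates the ticket by opening an HTTPS connection from the JVM to CAS; this is why the CAS
     certificate must be in a truststore the JVM uses (cacerts, or the optional trustStore property). -->
<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">
  <property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property>
  <property name="serviceProperties"><ref local="serviceProperties"/></property>
  <!-- alternative to importing into cacerts (assumed path): -->
  <!-- <property name="trustStore"><value>/path/to/cas.truststore</value></property> -->
</bean>

<!-- Proxy tickets are not needed for a hello world, so refuse them outright. -->
<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>

<!-- Roles come from the in-memory DAO, looked up by the username CAS returns. -->
<bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">
  <property name="userDetailsService"><ref local="inMemoryDaoImpl"/></property>
</bean>

<!-- Cache of validated stateless tickets, backed by an ehcache region (bean assumed to be defined elsewhere). -->
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
  <property name="cache"><ref bean="ticketCacheBackend"/></property>
</bean>
```

The two settings worth double-checking after a failed login are the service URL in serviceProperties and the casValidate URL: the first must be the exact URL CAS redirected the browser back to, and the second must be reachable over HTTPS from the JVM with a trusted certificate, otherwise every login ends on casfailed.jsp.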
To see all the CAS magic in action for you self, you can download the source or binary with the following links
caswithageci-bin-1.0.zip
caswithageci-src-1.0.zip
The release notes can be found here
Additional info about this article
I see a casfailed.jsp page
Wednesday, July 25, 2007
CAS with ageci security
Labels: Ageci security, CAS, Security, Spring, Tomcat
10 comments:
Mark,
thanks for your post.
I setup your example app and cas.
When I try to access the secured page, I'm redirected to the CAS server's login page.
After I enter the logon data, tomcat presents an error page:
HTTP Status 404 - /caswithageci/casfailed.jsp
The cas debug log output states:
2007-09-05 17:54:29,269 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: marissa
2007-09-05 17:54:29,289 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-BjPSg3qSkyA9fSBaxP0cCWBWi9awDjctBFj-20] for service [https://localhost:8443/caswithageci/j_acegi_cas_security_check] for user [marissa]
Do you know what's wrong with it?
Thanks,
Robert
see http://code.google.com/p/caswithageci/issues/detail?id=1
Your problem probably has to do with an invalid HTTPS/SSL config.
thanks for the interest,
Mark Bakker
I am trying to integrate CAS with Acegi. My CAS server is configured and ready. Please let me know how to integrate my client (Spring/Acegi). Do I have to change web.xml and applicationContext.xml? Please let me know.
If you look in the source code (see download link) or look into svn
http://caswithageci.googlecode.com/svn/trunk/caswithageci/www/console/WEB-INF/web.xml
Thanks for your response. I did download and went through the code. As I am a beginner, I couldn't get a clear picture of web.xml, because in the document in chapter 18 of http://www.acegisecurity.org/guide/springsecurity.html#cas of Acegi Security I could find a different picture, and also I couldn't see something called applicationContext.xml. Please explain a bit more. Thanks
Hi
First of all thanks for putting up this useful doc.
I was really struggling with this CAS integration.
I just followed your instructions; I put the caswithacegi.war in my tomcat/webapps.
Then I created the certificate also. I feel everything is proper, but when I go to http://localhost:8080/caswithageci/
I get the front page that shows the username and password.
When I click on login I'm getting
HTTP Status 404 - /cas/login
type Status report
message /cas/login
description The requested resource (/cas/login) is not available.
What could be the reason behind this? Where am I going wrong?
I'm seriously out of clues.
Please help. Your reply will be very valuable to me.
Ambika.
I think you need to deploy the cas.war in your Tomcat environment under context /cas (CAS is a separate web application).
Hi Mark,
As specified in the blog, I put the caswithacgei.war which is there in the caswithageci-bin-1[1].0.zip.
I did the same.
Then what should I do?
Could you give me some idea regarding this?
Ambika
A 404 on /cas/login means you don't have anything deployed on Tomcat on context path '/cas'.
Please make sure that if you point to
http://localhost:8080/cas
you see the CAS login screen. Otherwise install CAS on your Tomcat environment (see my blog). Make sure you deployed your CAS server on context path '/cas'.
Thanks a lot mark,
Please, if you don't mind, could you please tell what you exactly meant by "install CAS on your tomcat environment" or "make sure you deployed your CAS server on context path '/cas'".
I'm really confused, please give me an idea where I should deploy the CAS server.
Does deploying the CAS server mean this or something else: "To get CAS going download the latest 3.x release, I used 3.1 and drop the cas.war in tomcat" as mentioned in the blog?
Please Mark, help me out with this.
Ambika