Implementing SSO using JASIG CAS

Principles

This module contains the CAS authentication handler that uses the JASIG CAS client in proxy authentication mode to authenticate the user while processing block or template includes.

Configuring CAS on the aggregator or master application

You will have to define all the URLs that have to be behind CAS authentication. WARN: CAS has to be configured in proxy mode, which means configuring proxyCallbackUrl and proxyReceptorUrl. Unless you disable security on the CAS server, both CAS AND the aggregator application MUST be served over HTTPS!

<filter>
	<filter-name>CAS Authentication Filter</filter-name>
	<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
	<init-param>
		<param-name>casServerLoginUrl</param-name>
		<param-value>http://cas-server/cas/login</param-value>
	</init-param>
	<init-param>
		<param-name>serverName</param-name>
		<param-value>http://localhost:8080</param-value>
	</init-param>
</filter>
<filter>
	<filter-name>CAS Validation Filter</filter-name>
	<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
	<init-param>
		<param-name>casServerUrlPrefix</param-name>
		<param-value>http://cas-server/cas</param-value>
	</init-param>
	<init-param>
		<param-name>serverName</param-name>
		<param-value>http://localhost:8080</param-value>
	</init-param>
	<init-param>
		<param-name>proxyCallbackUrl</param-name>
		<param-value>http://localhost:8080/esigate-app-casified-aggregator/proxy/receptor</param-value>
	</init-param>
	<init-param>
		<param-name>proxyReceptorUrl</param-name>
		<param-value>/proxy/receptor</param-value>
	</init-param>
	<init-param>
		<param-name>redirectAfterValidation</param-name>
		<param-value>true</param-value>
	</init-param>
</filter>
<filter>
	<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
	<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
	<filter-name>CAS Assertion Thread Local Filter</filter-name>
	<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
	<filter-name>CAS Validation Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>CAS Authentication Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>CAS Assertion Thread Local Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
In addition, you must configure the authenticationHandler and the CAS login URL in the esigate.properties file for each provider that needs CAS authentication:
#Global configuration (for each provider) :
casLoginUrl=http://cas-server/cas/login
authenticationHandler=org.esigate.cas.CasAuthenticationHandler

#or configuration by provider
aggregated1.casLoginUrl=http://cas-server/cas/login
aggregated1.authenticationHandler=org.esigate.cas.CasAuthenticationHandler

aggregated2.casLoginUrl=http://cas-server/cas/login
aggregated2.authenticationHandler=org.esigate.cas.CasAuthenticationHandler


Configuring CAS on the aggregated or provider applications

Aggregated applications can use any CAS client but must be configured to accept proxy chains.

<filter>
	<filter-name>CAS Authentication Filter</filter-name>
	<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
	<init-param>
		<param-name>casServerLoginUrl</param-name>
		<param-value>http://cas-server/cas/login</param-value>
	</init-param>
	<init-param>
		<param-name>serverName</param-name>
		<param-value>http://localhost:8080</param-value>
	</init-param>
</filter>
<filter>
	<filter-name>CAS Validation Filter</filter-name>
	<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
	<init-param>
		<param-name>casServerUrlPrefix</param-name>
		<param-value>http://cas-server/cas</param-value>
	</init-param>
	<init-param>
		<param-name>serverName</param-name>
		<param-value>http://localhost:8080</param-value>
	</init-param>
	<init-param>
		<param-name>redirectAfterValidation</param-name>
		<param-value>true</param-value>
	</init-param>
	<init-param>
		<param-name>acceptAnyProxy</param-name>
		<param-value>true</param-value>
	</init-param>
</filter>
<filter>
	<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
	<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
	<filter-name>CAS Assertion Thread Local Filter</filter-name>
	<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
	<filter-name>CAS Validation Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>CAS Authentication Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>CAS Assertion Thread Local Filter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
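As an added example (not ESIGate's or the JASIG client's own code), the following Python shows what the provider side does with the CAS 2.0 /proxyValidate response it gets back when it validates the proxy ticket the aggregator sends: it extracts the user and the proxy chain, then applies either the acceptAnyProxy policy configured above or an explicit allowed-chains list, the stricter alternative. The two responses are constructed samples; the proxy URL in them is the aggregator's proxyCallbackUrl from this page.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: successful /proxyValidate response received by a provider.
# The cas:proxies list names the proxyCallbackUrl of each proxy in the chain.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>http://localhost:8080/esigate-app-casified-aggregator/proxy/receptor</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the CAS server rejecting a ticket.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_proxy_validate(xml_text):
    """Return (user, proxy_chain) from a CAS 2.0 /proxyValidate response.

    Raises ValueError when the server reports an authenticationFailure.
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code") if failure is not None else "UNKNOWN"
        raise ValueError("ticket validation failed: " + code)
    user = success.findtext("cas:user", namespaces=CAS_NS)
    proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    return user, proxies


def proxy_chain_allowed(proxies, accept_any_proxy=False, allowed_chains=()):
    """Decide whether the provider trusts the proxy chain that issued the ticket.

    An empty chain is a plain service ticket (the user came directly).
    accept_any_proxy=True mirrors acceptAnyProxy=true in the filter config;
    allowed_chains is the stricter alternative: a list of exact chains to accept.
    """
    if not proxies:
        return True
    if accept_any_proxy:
        return True
    return tuple(proxies) in {tuple(chain) for chain in allowed_chains}
```

With acceptAnyProxy the provider trusts every proxy the CAS server knows about; listing the aggregator's callback URL as the only allowed chain limits that trust to this aggregator.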

Spring security

If you want to use CAS authentication via Spring security, there are 2 additional parameters to configure in the configuration file:

isSpringSecurity=true
springSecurityUrl=...