CAS Authentication

Version 11 by Olivier Fabre
on Jun 04, 2010 15:22.

<< Changes from 10 to 11

compared with

Version 12 by Olivier Fabre
on Jun 04, 2010 15:40.

Changes from 12 to 13 >>

Key

This line was removed.

This word was removed. This word was added.

This line was added.

Changes (3)

View Page History

...

JA-SIG produces an enterprise-wide single sign on system known as CAS. Unlike other initiatives, JA-SIG's Central Authentication Service is open source, widely used, simple to understand, platform independent, and supports proxy capabilities. Petals View could be connected to a CAS server to provide single sign on.

{color:#333333}Somewhere in your enterprise you will need to setup a CAS server. The CAS server is simply a standard WAR file, so there isn't anything difficult about setting up your server. Inside the WAR file you will customise the login and other single sign on pages displayed to users.{color}

You can learn more about CAS at [http://www.ja-sig.org/cas]. You will also need to visit this site to download the CAS Server files.

...

By default, Petals View is configured to works with an embedded User Management system that allows to manage application users directly from the Petals View GUI. So, if you want to delegate authentication to a CAS system, the first thing you have to do is to disable the default authentication service and enable the CAS one.

{warning}Be careful, if you enable CAS authentication, the User Management system embedded in Petals View will be completly disabled. So the User Management section in the Petals View GUI will becaome useless. Authentication will be managed by the CAS server and user roles management will be externalised (see : {color:#ff0000}TODO{color}){warning} [User details service|petalsview:CAS Authentication#userdetailsserv] ){warning}

Go to the Petals View web application directory in your application server web app repository. We call this directory *PETALSVIEW_ROOT*.

...

Then edit the file located in : *PETALSVIEW_ROOT{*}*/WEB-INF/spring/petals-view-security.xml*

Comment the "Classical authent" section and uncomment the "CAS authent" section. An exemple *petals-view-security.xml* is provided here : 
{code:lang=xml}
<beans xmlns:security="http://www.springframework.org/schema/security"
xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">



<security:http entry-point-ref="casEntryPoint">
<security:intercept-url pattern="/petals-view/pg/pages/Welcome"
access="ROLE_AUTH" />
<security:intercept-url pattern="/petals-view/**"
access="ROLE_AUTH" />
<security:anonymous />
<security:logout logout-success-url="${cas.server.url}${cas.logout.path}" />
<security:custom-filter ref="casAuthenticationFilter"
after="CAS_FILTER" />
</security:http>
<bean id="casAuthenticationFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="${cas.server.url}${cas.login.path}" />
<property name="serviceProperties" ref="serviceProperties" />
</bean>

<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">

<property name="service" value="${webapp.url}/j_spring_cas_security_check" />
<property name="sendRenew" value="false" />
</bean>

<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="casAuthenticationProvider" />
</security:authentication-manager>
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService" ref="myUserDetailsService" />
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="${cas.server.url}" />
</bean>
</property>
<property name="key" value="an_id_for_this_auth_provider_only" />
</bean>

<bean id="myUserDetailsService"
class="com.ebmwebsourcing.petalsview.util.FullAccessRightsUserDetailsService">
<property name="rolesResource">
<value>${role.list.file.url}</value>
</property>
</bean>



</beans>{code}

You also need to activate a CAS filter in the *PETALSVIEW_ROOT{*}*/WEB-INF/*{*}web.xml* file. Just uncomment the section :

{code:lang=xml}

<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
{code}

h2. Configure CAS properties

Now you have to configure CAS properties in the *PETALSVIEW_ROOT{*}*/WEB-INF/*{*}petalsview.properties* file. Here is a sample configuration for a CAS server available at "https://localhost:8443/cas" and a Petals View instance available at{color:#000000} "{color}{color:#000000}http:{color}{color:#000000}//localhost:9080/petals-view-ui" :{color}
{code}## CAS properties
cas.server.url = https://localhost:8443/cas
cas.logout.path = /logout
cas.login.path = /login
webapp.url = http://localhost:9080/petals-view-ui{code}
*cas.server.url* : your CAS server URL.

*cas.logout.path* : the path to the CAS server logout page. In the above example, the full path to the logout page is : {color:#000000}https:{color}{color:#000000}//localhost:8443/cas/logout.{color}

{color:#333333}{*}cas.login.path{*}{color} {color:#333333}: the path to the CAS server login page. In the above example, the full path to the login page is : {color}{color:#000000}https:{color}{color:#000000}//localhost:8443/cas/login.{color}

{color:#000000}{*}webapp.url{*}{color} {color:#000000}:{color} the URL to your Petals View webapp. This URL must be accessible from the CAS server as it will redicrect to this URL after authentication.

h1. How to customize user access rights with a CAS authentication enabled ? ? {anchor:userdetailsserv}

This section is intended to Petals View administrator who would like to customize users access rights. If you only need to provided "yes/no" access rights to Petals View users, the default configuration is sufficient.

...

h2. Spring configuration

By default, Petals View CAS authentication manager is plugged with a user rights manager that provides all rights to all authenticated users. If you would like to customize this behavior, you need to configure an other user rights manager. This could be done in the *PETALSVIEW_ROOT{*}*/WEB-INF/spring/petals-view-security.xml* file. You have to change the bean called {color:#000000}"{color}{color:#000000}myUserDetailsService{color}{color:#000000}"{color} to point to your custom user detail service. Here is the code snippet showing the default user details service configuration provided by Petals View.

{code:lang=xml}
<bean id="myUserDetailsService"
class="com.ebmwebsourcing.petalsview.util.FullAccessRightsUserDetailsService">
<property name="rolesResource">
<value>${role.list.file.url}</value>
</property>
</bean>
{code}

Spring provides a lot of user details service implementations for different types of user rights repositories like LDAP, JDBC, etc. For more information about user details services see [http://static.springsource.org/spring-security/site/docs/3.0.x/reference/technical-overview.html#d4e758] .

Your CAS server is also based on a Spring framework, so if you want to use the same user details service as the one configured in your CAS server, you could find it in the */WEB-INF/deployerConfigContext.xml* avalaible in the CAS server webapp directory.
{warning}Be careful, the Spring framework version used in CAS server is 2.5 which is different from the one used in Petals Master. Some packages have changed, but you could easily retrieve equivalent classes.{warning}
Here is a simple In Memory user details service for Spring 2.5.x :
{code:lang=xml}<bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
admin=dummy,ROLE_AUTH,ROLE_FLOWMANAGER,ROLE_FLOWREFMANAGER,ROLE_USERMANAGER
refmanager=dummy,ROLE_AUTH,ROLE_FLOWREFMANAGER
fluxmanager=dummy,ROLE_AUTH,ROLE_FLOWMANAGER
</value>
</property>
</bean> {code}
Here is the same user details service, but for Spring 3.0.x :
{code:lang=xml}<bean id="userDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
admin=dummy,ROLE_AUTH,ROLE_FLOWMANAGER,ROLE_FLOWREFMANAGER,ROLE_USERMANAGER
refmanager=dummy,ROLE_AUTH,ROLE_FLOWREFMANAGER
fluxmanager=dummy,ROLE_AUTH,ROLE_FLOWMANAGER
</value>
</property>
</bean> {code}
{info}The password is set to "dummy" for the three user defined because it isn't used (password based authentication is done by the CAS server). Only role list for each users is useful.

In Memory user details service isn't for production purposes. Use LDAP, JDBC or something else to connect to your user repository in production environment.{info}

h2. Available roles 

Once you have customized the user details service to connect to your enterprise user repository, you need to add some specific roles to the users to customized their Petals View access right. Here is a list of available roles: 

*ROLE_FLOWREFMANAGER* : allows the user to access to the Flow Referential management section.

*ROLE_FLOWMANAGER* : allows the user to access to the Flow instances management section.
{warning}You must add the role "*ROLE_AUTH*" to all users authorized to access to the Petals View web application.{warning}

Quick access

Petals View Snapshot

Petals View 1.2

CAS Authentication

Changes (3)