E-mail
Overview
CAS is an enterprise Single Sign-On solution for web services. Single Sign-On (SSO) means a better user experience when running a multitude of web services, each with it's own means of authentication. With a SSO solution, different web services may authenticate to one authorative source of trust, that the user needs to log in to, instead of requiring the end-user to log in into each separate service.
JA-SIG produces an enterprise-wide single sign on system known as CAS. Unlike other initiatives, JA-SIG's Central Authentication Service is open source, widely used, simple to understand, platform independent, and supports proxy capabilities. Petals View could be connected to a CAS server to provide single sign on.
Somewhere in your enterprise you will need to setup a CAS server. The CAS server is simply a standard WAR file, so there isn't anything difficult about setting up your server. Inside the WAR file you will customise the login and other single sign on pages displayed to users.
You can learn more about CAS at http://www.ja-sig.org/cas. You will also need to visit this site to download the CAS Server files.
How to customise Petals View to work with CAS ?
This section assumes that you have installed a CAS server.
Enable CAS authentication
By default, Petals View is configured to works with an embedded User Management system that allows to manage application users directly from the Petals View GUI. So, if you want to delegate authentication to a CAS system, the first thing you have to do is to disable the default authentication service and enable the CAS one.
 | Be careful, if you enable CAS authentication, the User Management system embedded in Petals View will be completly disabled. So the User Management section in the Petals View GUI will became useless. Authentication will be managed by the CAS server and user roles management will be externalised (see : TODO) |
Go to the Petals View web application directory in your application server web app repository. We call this directory PETALSVIEW_ROOT.
Then edit the file located in : PETALSVIEW_ROOT/WEB-INF/spring/petals-view-security.xml
Comment the "Classical authent" section and uncomment the "CAS authent" section. An exemple petals-view-security.xml is provided here :
<beans xmlns:security="http://www.springframework.org/schema/security" xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <!-- ########################## CAS authent ########################## --> <security:http entry-point-ref="casEntryPoint"> <security:intercept-url pattern="/petals-view/pg/pages/Welcome" access="ROLE_AUTH" /> <security:intercept-url pattern="/petals-view/**" access="ROLE_AUTH" /> <security:anonymous /> <security:logout logout-success-url="${cas.server.url}${cas.logout.path}" /> <security:custom-filter ref="casAuthenticationFilter" after="CAS_FILTER" /> </security:http> <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"> <property name="authenticationManager" ref="authenticationManager" /> </bean> <bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"> <property name="loginUrl" value="${cas.server.url}${cas.login.path}" /> <property name="serviceProperties" ref="serviceProperties" /> </bean> <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"> <!-- <property name="service" value="${webapp.url}/j_spring_cas_security_check" /> --> <property name="service" value="${webapp.url}/j_spring_cas_security_check" /> <property name="sendRenew" value="false" /> </bean> <security:authentication-manager alias="authenticationManager"> <security:authentication-provider ref="casAuthenticationProvider" /> </security:authentication-manager> <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> <property name="authenticationUserDetailsService" ref="myUserDetailsService" /> <property name="serviceProperties" ref="serviceProperties" /> <property name="ticketValidator"> <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <constructor-arg index="0" value="${cas.server.url}" /> </bean> </property> <property name="key" value="an_id_for_this_auth_provider_only" /> </bean> <bean id="myUserDetailsService" class="com.ebmwebsourcing.petalsview.util.FullAccessRightsUserDetailsService"> <property name="rolesResource"> <value>${role.list.file.url}</value> </property> </bean> <!-- ########################## End of CAS authent ########################## --> </beans>
You also need to activate a CAS filter in the PETALSVIEW_ROOT/WEB-INF/web.xml file. Just uncomment the section :
<!-- Filter for Security --> <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
Configure CAS properties
Now you have to configure CAS properties in the PETALSVIEW_ROOT/WEB-INF/petalsview.properties file. Here is a sample configuration for a CAS server available at "https://localhost:8443/cas" and a Petals View instance available at "http://localhost:9080/petals-view-ui" :
## CAS properties cas.server.url = https://localhost:8443/cas cas.logout.path = /logout cas.login.path = /login webapp.url = http://localhost:9080/petals-view-ui
cas.server.url : your CAS server URL.
cas.logout.path : the path to the CAS server logout page. In the above example, the full path to the logout page is : https://localhost:8443/cas/logout.
cas.login.path : the path to the CAS server login page. In the above example, the full path to the login page is : https://localhost:8443/cas/login.
webapp.url : the URL to your Petals View webapp. This URL must be accessible from the CAS server as it will redicrect to this URL after authentication.
How to customize user access rights with a CAS authentication enabled ?
By default, Petals View CAS authentication manager is plugged with a user rights manager that provides all rights to all authenticated users. If you would like to customize this behavior, you need to configure an other user rights manager. This could be done in the PETALSVIEW_ROOT/WEB-INF/spring/petals-view-security.xml file. You have to change the bean called "myUserDetailsService" to point to your custom user detail service. Spring provides a lot of user details service implementations for different types of user rights repositories like LDAP, JDBC, etc.
Your CAS server is also based on a Spring framework, so if you want to use the same user details service as the one configured in the CAS server, you could find it in the /WEB-INF/deployerConfigContext.xml avalaible in the CAS server
## CAS properties
cas.server.url = https://localhost:8443/cas
cas.logout.path = /logout
cas.login.path = /login
webapp.url = http://localhost:9080/petals-view-ui