h1. Overview
CAS is an enterprise Single Sign-On solution for web services. _Single Sign-On_ (SSO) means a better user experience when running a multitude of web services, each with its own means of authentication. With an SSO solution, different web services may authenticate against one authoritative source of trust that the user needs to log in to, instead of requiring the end-user to log in to each separate service.
JA-SIG produces an enterprise-wide single sign on system known as CAS. Unlike other initiatives, JA-SIG's Central Authentication Service is open source, widely used, simple to understand, platform independent, and supports proxy capabilities. Petals View could be connected to a CAS server to provide single sign on.
{color:#333333}Somewhere in your enterprise you will need to set up a CAS server. The CAS server is simply a standard WAR file, so there isn't anything difficult about setting up your server. Inside the WAR file you will customise the login and other single sign-on pages displayed to users.{color}
You can learn more about CAS at [http://www.ja-sig.org/cas]. You will also need to visit this site to download the CAS Server files.
h1. How to customise Petals View to work with CAS?
This section assumes that you have installed a CAS server accessible at the following URL: [https://myHost:8443/cas]
h2. Enable CAS authentication
By default, Petals View is set up to work with an embedded User Management system that allows you to manage application users directly from the Petals View GUI. So, if you want to delegate authentication to a CAS system, the first thing you have to do is to disable the default authentication service and enable the CAS one.
Go to the Petals View web application directory in your application server web app repository. We call this directory *PETALSVIEW_ROOT*.
Then edit the file located at: *PETALSVIEW_ROOT{*}*/WEB-INF/spring/petals-view-security.xml*
Comment out the "Classical authent" section and uncomment the "CAS authent" section. An example *petals-view-security.xml* is provided here:
{code:lang=xml}<?xml version="1.0" encoding="UTF-8"?>
<!--
Petals View - Functional Supervision. Copyright (c) 2010 EBM
Websourcing, http://www.ebmwebsourcing.com/ This library is free
software; you can redistribute it and/or modify it under the terms of
the GNU Lesser General Public License as published by the Free
Software Foundation; either version 2.1 of the License, or (at your
option) any later version. This library is distributed in the hope
that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
-->
<beans xmlns:security="http://www.springframework.org/schema/security"
xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!--
Spring Security 3.0 configuration for Petals View, CAS variant.
The "Classical authent" section (embedded user management) is commented
out and the "CAS authent" section is active. The ${...} placeholders
(cas.server.url, cas.login.path, cas.logout.path, webapp.url,
role.list.file.url) are presumably resolved by a property placeholder
configurer declared elsewhere; it is not visible in this file.
-->
<!-- Method-level security (@Secured annotations) is left disabled. -->
<!--
<security:global-method-security secured-annotations="enabled" />
-->
<!--
########################## Classical authent
##########################
-->
<!--
Kept only for reference. NOTE(review): this section used
password-encoder hash="md5", an unsalted fast hash; if it is ever
re-enabled, a salted or adaptive password encoder would be preferable.
-->
<!-- <bean name="myUserDetailsService"
class="com.ebmwebsourcing.webcommons.user.auth.MyUserDetailsService">
<property name="userManager">
<ref bean="userManager" />
</property>
</bean>
<security:http>
<security:intercept-url pattern="/petals-view/pg/pages/Welcome"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/petals-view/**"
access="ROLE_AUTH" />
<security:form-login default-target-url="/petals-view/pg/pages/Welcome"
login-page="/petals-view/pg/pages/Welcome"
authentication-failure-url="/petals-view/pg/pages/Welcome?login_error=1" />
<security:anonymous />
<security:logout logout-success-url="/petals-view/pg/pages/Welcome" />
<security:remember-me />
</security:http>
<security:authentication-manager>
<security:authentication-provider
user-service-ref="myUserDetailsService">
<security:password-encoder hash="md5" />
</security:authentication-provider>
</security:authentication-manager> -->
<!--
########################## End of Classical authent
##########################
-->
<!--
########################## CAS authent
##########################
-->
<!--
Web security for the CAS setup. Requests that are not yet
authenticated are sent to casEntryPoint, which redirects the browser
to the CAS login page.
-->
<security:http entry-point-ref="casEntryPoint">
<!--
Access rules are evaluated in declaration order, first match wins.
Unlike the classical section, the Welcome page also requires ROLE_AUTH
here, so no page of the application is reachable anonymously.
-->
<security:intercept-url pattern="/petals-view/pg/pages/Welcome"
access="ROLE_AUTH" />
<security:intercept-url pattern="/petals-view/**"
access="ROLE_AUTH" />
<!-- Anonymous filter stays in the chain; with every URL requiring ROLE_AUTH an anonymous user is still sent to the entry point. -->
<security:anonymous />
<!--
Logout redirects to the CAS server logout URL so the SSO session is
ended as well, not only the local session.
-->
<security:logout logout-success-url="${cas.server.url}${cas.logout.path}" />
<!-- Inserts the CAS ticket-processing filter at the CAS_FILTER slot of the standard chain. -->
<security:custom-filter ref="casAuthenticationFilter"
after="CAS_FILTER" />
</security:http>
<!--
Receives the service ticket the CAS server appends when it redirects
back to the application (by default on /j_spring_cas_security_check,
which must match serviceProperties.service below) and passes it to
authenticationManager for validation.
-->
<bean id="casAuthenticationFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!--
Entry point: redirects unauthenticated users to the CAS login page,
adding the service URL from serviceProperties as the return address.
-->
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="${cas.server.url}${cas.login.path}" />
<property name="serviceProperties" ref="serviceProperties" />
</bean>
<!--
service: the public URL of this application as seen by the browser and
the CAS server; tickets are validated against exactly this value, so
webapp.url must match the externally visible scheme, host and port.
sendRenew=false: an existing CAS SSO session is accepted, the user is
not forced to re-enter credentials for this application.
-->
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<!-- The commented-out property below duplicates the active one that follows and could be removed. -->
<!--
<property name="service"
value="${webapp.url}/j_spring_cas_security_check" />
-->
<property name="service" value="${webapp.url}/j_spring_cas_security_check" />
<property name="sendRenew" value="false" />
</bean>
<!-- The alias is the name casAuthenticationFilter refers to. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="casAuthenticationProvider" />
</security:authentication-manager>
<!--
Validates the received service ticket against the CAS server using the
CAS 2.0 protocol, then loads the user's authorities through
myUserDetailsService.
-->
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService" ref="myUserDetailsService" />
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<!-- cas.server.url is the HTTPS base URL of the CAS server (https://myHost:8443/cas in the example above); the validator calls it server-side, so the application must trust that server's certificate. -->
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="${cas.server.url}" />
</bean>
</property>
<!--
key identifies authentication tokens created by this provider.
NOTE(review): replace this example string with a value unique to each
deployment; a shared, published value should not be kept in production.
-->
<property name="key" value="an_id_for_this_auth_provider_only" />
</bean>
<!--
Maps a CAS-authenticated principal to Petals View roles read from the
file at role.list.file.url. The class name suggests every CAS user
receives the full role list (i.e. authorization is decided by CAS
authentication plus this file alone); verify against the class before
relying on it for access control.
-->
<bean id="myUserDetailsService"
class="com.ebmwebsourcing.petalsview.util.FullAccessRightsUserDetailsService">
<property name="rolesResource">
<value>${role.list.file.url}</value>
</property>
</bean>
<!--
########################## End of CAS authent
##########################
-->
</beans>{code}
CAS is an enterprise Single Sign-On solution for web services. _Single Sign-On_ (SSO) means a better user experience when running a multitude of web services, each with its own means of authentication. With an SSO solution, different web services may authenticate against one authoritative source of trust that the user needs to log in to, instead of requiring the end-user to log in to each separate service.
JA-SIG produces an enterprise-wide single sign on system known as CAS. Unlike other initiatives, JA-SIG's Central Authentication Service is open source, widely used, simple to understand, platform independent, and supports proxy capabilities. Petals View could be connected to a CAS server to provide single sign on.
{color:#333333}Somewhere in your enterprise you will need to set up a CAS server. The CAS server is simply a standard WAR file, so there isn't anything difficult about setting up your server. Inside the WAR file you will customise the login and other single sign-on pages displayed to users.{color}
You can learn more about CAS at [http://www.ja-sig.org/cas]. You will also need to visit this site to download the CAS Server files.
h1. How to customise Petals View to work with CAS?
This section assumes that you have installed a CAS server accessible at the following URL: [https://myHost:8443/cas]
h2. Enable CAS authentication
By default, Petals View is set up to work with an embedded User Management system that allows you to manage application users directly from the Petals View GUI. So, if you want to delegate authentication to a CAS system, the first thing you have to do is to disable the default authentication service and enable the CAS one.
Go to the Petals View web application directory in your application server web app repository. We call this directory *PETALSVIEW_ROOT*.
Then edit the file located at: *PETALSVIEW_ROOT{*}*/WEB-INF/spring/petals-view-security.xml*
Comment out the "Classical authent" section and uncomment the "CAS authent" section. An example *petals-view-security.xml* is provided here:
{code:lang=xml}<?xml version="1.0" encoding="UTF-8"?>
<!--
Petals View - Functional Supervision. Copyright (c) 2010 EBM
Websourcing, http://www.ebmwebsourcing.com/ This library is free
software; you can redistribute it and/or modify it under the terms of
the GNU Lesser General Public License as published by the Free
Software Foundation; either version 2.1 of the License, or (at your
option) any later version. This library is distributed in the hope
that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
-->
<beans xmlns:security="http://www.springframework.org/schema/security"
xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!--
Spring Security 3.0 configuration for Petals View, CAS variant.
The "Classical authent" section (embedded user management) is commented
out and the "CAS authent" section is active. The ${...} placeholders
(cas.server.url, cas.login.path, cas.logout.path, webapp.url,
role.list.file.url) are presumably resolved by a property placeholder
configurer declared elsewhere; it is not visible in this file.
-->
<!-- Method-level security (@Secured annotations) is left disabled. -->
<!--
<security:global-method-security secured-annotations="enabled" />
-->
<!--
########################## Classical authent
##########################
-->
<!--
Kept only for reference. NOTE(review): this section used
password-encoder hash="md5", an unsalted fast hash; if it is ever
re-enabled, a salted or adaptive password encoder would be preferable.
-->
<!-- <bean name="myUserDetailsService"
class="com.ebmwebsourcing.webcommons.user.auth.MyUserDetailsService">
<property name="userManager">
<ref bean="userManager" />
</property>
</bean>
<security:http>
<security:intercept-url pattern="/petals-view/pg/pages/Welcome"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/petals-view/**"
access="ROLE_AUTH" />
<security:form-login default-target-url="/petals-view/pg/pages/Welcome"
login-page="/petals-view/pg/pages/Welcome"
authentication-failure-url="/petals-view/pg/pages/Welcome?login_error=1" />
<security:anonymous />
<security:logout logout-success-url="/petals-view/pg/pages/Welcome" />
<security:remember-me />
</security:http>
<security:authentication-manager>
<security:authentication-provider
user-service-ref="myUserDetailsService">
<security:password-encoder hash="md5" />
</security:authentication-provider>
</security:authentication-manager> -->
<!--
########################## End of Classical authent
##########################
-->
<!--
########################## CAS authent
##########################
-->
<!--
Web security for the CAS setup. Requests that are not yet
authenticated are sent to casEntryPoint, which redirects the browser
to the CAS login page.
-->
<security:http entry-point-ref="casEntryPoint">
<!--
Access rules are evaluated in declaration order, first match wins.
Unlike the classical section, the Welcome page also requires ROLE_AUTH
here, so no page of the application is reachable anonymously.
-->
<security:intercept-url pattern="/petals-view/pg/pages/Welcome"
access="ROLE_AUTH" />
<security:intercept-url pattern="/petals-view/**"
access="ROLE_AUTH" />
<!-- Anonymous filter stays in the chain; with every URL requiring ROLE_AUTH an anonymous user is still sent to the entry point. -->
<security:anonymous />
<!--
Logout redirects to the CAS server logout URL so the SSO session is
ended as well, not only the local session.
-->
<security:logout logout-success-url="${cas.server.url}${cas.logout.path}" />
<!-- Inserts the CAS ticket-processing filter at the CAS_FILTER slot of the standard chain. -->
<security:custom-filter ref="casAuthenticationFilter"
after="CAS_FILTER" />
</security:http>
<!--
Receives the service ticket the CAS server appends when it redirects
back to the application (by default on /j_spring_cas_security_check,
which must match serviceProperties.service below) and passes it to
authenticationManager for validation.
-->
<bean id="casAuthenticationFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!--
Entry point: redirects unauthenticated users to the CAS login page,
adding the service URL from serviceProperties as the return address.
-->
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="${cas.server.url}${cas.login.path}" />
<property name="serviceProperties" ref="serviceProperties" />
</bean>
<!--
service: the public URL of this application as seen by the browser and
the CAS server; tickets are validated against exactly this value, so
webapp.url must match the externally visible scheme, host and port.
sendRenew=false: an existing CAS SSO session is accepted, the user is
not forced to re-enter credentials for this application.
-->
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<!-- The commented-out property below duplicates the active one that follows and could be removed. -->
<!--
<property name="service"
value="${webapp.url}/j_spring_cas_security_check" />
-->
<property name="service" value="${webapp.url}/j_spring_cas_security_check" />
<property name="sendRenew" value="false" />
</bean>
<!-- The alias is the name casAuthenticationFilter refers to. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="casAuthenticationProvider" />
</security:authentication-manager>
<!--
Validates the received service ticket against the CAS server using the
CAS 2.0 protocol, then loads the user's authorities through
myUserDetailsService.
-->
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService" ref="myUserDetailsService" />
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<!-- cas.server.url is the HTTPS base URL of the CAS server (https://myHost:8443/cas in the example above); the validator calls it server-side, so the application must trust that server's certificate. -->
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="${cas.server.url}" />
</bean>
</property>
<!--
key identifies authentication tokens created by this provider.
NOTE(review): replace this example string with a value unique to each
deployment; a shared, published value should not be kept in production.
-->
<property name="key" value="an_id_for_this_auth_provider_only" />
</bean>
<!--
Maps a CAS-authenticated principal to Petals View roles read from the
file at role.list.file.url. The class name suggests every CAS user
receives the full role list (i.e. authorization is decided by CAS
authentication plus this file alone); verify against the class before
relying on it for access control.
-->
<bean id="myUserDetailsService"
class="com.ebmwebsourcing.petalsview.util.FullAccessRightsUserDetailsService">
<property name="rolesResource">
<value>${role.list.file.url}</value>
</property>
</bean>
<!--
########################## End of CAS authent
##########################
-->
</beans>{code}