The Java CAS Client >=3.1.12 supports the Java Authentication and Authorization Service (JAAS) framework, which provides authentication and authorization facilities to CAS-enabled JEE applications.
A general JAAS authentication module, CasLoginModule, was added in version 3.1.11 with the specific purpose of providing authentication and authorization services to CAS-enabled JEE applications. The design of the module is simple: given a service URL and a service ticket in a NameCallback and a PasswordCallback, respectively, the module contacts the CAS server and attempts to validate the ticket against that service URL (a ticket issued for one service URL does not validate for another, so the URL supplied through the callback must match the one the ticket was issued for). As with other CAS integrations for Java applications, a JEE container-specific servlet filter is needed to protect JEE Web applications. The JBoss WebAuthentication component provides a convenient integration piece between a servlet filter and the JAAS framework, so a complete integration solution is available only for JBoss AS versions that provide the WebAuthentication class (4.2.3 and 5.x). The JAAS support should be extensible to any JEE container with additional development.
The configuration instructions below assume:
- Jasig Java CAS client 3.1.12 or later
- JBoss AS container supporting the WebAuthentication class
- Ability to configure JAAS authentication modules for entire container or deployment descriptor of JEE application
The following Jasig Java CAS Client modules are needed for JAAS support in JBoss:
Note that the above modules have their own dependencies, as seen in the output of the mvn dependency:tree command:
Most if not all of the JBoss dependencies above should be available to a JEE application deployed to JBoss AS.
It is expected that for JEE applications both authentication and authorization services will be required for CAS integration. The following JAAS module configuration file excerpt demonstrates how to leverage SAML 1.1 attribute release in CAS to provide authorization data in addition to authentication:
For JBoss it is vitally important to use the JBoss-specific values for principalGroupName and roleGroupName (CallerPrincipal and Roles, the defaults described below). Additionally, cacheAssertions and cacheTimeout are required, since JBoss by default attempts to reauthenticate the JAAS principal with a fairly aggressive default timeout. Because CAS service tickets are single-use by default, a second validation of the same ticket against the CAS server fails; assertion caching lets the module answer the container's periodic reauthentication from the cached assertion instead. Keep cacheTimeout as short as the container's reauthentication interval allows, since for that many minutes the cached assertion, not the CAS server, vouches for the principal. A full description of the CasLoginModule configuration attributes follows.
- ticketValidatorClass - Fully-qualified class name of CAS ticket validator class.
- casServerUrlPrefix - URL to root of CAS Web application context.
- service (optional) - CAS service parameter; a value supplied by the callback handler (in the NameCallback) overrides it. NOTE: the service must be specified by at least one component so that it is available at service-ticket validation time.
- defaultRoles (optional) - Comma-delimited list of static roles applied to all authenticated principals.
- roleAttributeNames (optional) - Comma-delimited list of names of attributes, returned by CAS in the service-ticket validation response, whose values are applied as roles to the current authenticated principal.
- principalGroupName (optional) - The name of a group principal containing the primary principal name of the current JAAS subject. The default value is "CallerPrincipal", which is suitable for JBoss.
- roleGroupName (optional) - The name of a group principal containing all role data. The default value is "Roles", which is suitable for JBoss.
- cacheAssertions (optional) - Flag to enable assertion caching. This may be required for JAAS providers that periodically reauthenticate to renew the principal. Since CAS tickets are one-time-use, a cached assertion must be provided on reauthentication.
- cacheTimeout (optional) - Assertion cache timeout in minutes.
Configuration attributes of the configured ticket validator, such as the tolerance (clock-skew allowance) setting of the SAML 1.1 ticket validator, are also accepted as module options.
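The following is an added example of a complete CasLoginModule configuration in the JBoss AS 4.2/5 conf/login-config.xml form; it is not the excerpt from the original page nor the CAS client project's own sample. The policy name "cas", the host names, the role attribute names and the role and timeout values are assumptions chosen for illustration; the ticket validator class name is that of the client's SAML 1.1 validator, and tolerance is its clock-skew setting in milliseconds.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the CAS client project): JBoss AS 4.2/5 conf/login-config.xml -->
<policy>
  <!-- Policy name is an assumption; the web application refers to it as java:/jaas/cas -->
  <application-policy name="cas">
    <authentication>
      <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
        <!-- SAML 1.1 validation so that CAS attribute release can feed authorization -->
        <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
        <!-- Root of the CAS web application (host name assumed) -->
        <module-option name="casServerUrlPrefix">https://cas.example.com/cas</module-option>
        <!-- Validator attribute: allowed clock skew between client and CAS, in milliseconds -->
        <module-option name="tolerance">20000</module-option>
        <!-- Default service URL; the value passed in the NameCallback by the filter overrides it -->
        <module-option name="service">https://webapp.example.com/webapp</module-option>
        <!-- Static role granted to every authenticated principal (assumed role name) -->
        <module-option name="defaultRoles">authenticated</module-option>
        <!-- Attribute names released by CAS whose values become roles (assumed attribute names) -->
        <module-option name="roleAttributeNames">memberOf,eduPersonAffiliation</module-option>
        <!-- JBoss expects exactly these two group principal names -->
        <module-option name="principalGroupName">CallerPrincipal</module-option>
        <module-option name="roleGroupName">Roles</module-option>
        <!-- Required on JBoss: the container reauthenticates periodically, but the
             service ticket is single-use, so reauthentication is served from the cache -->
        <module-option name="cacheAssertions">true</module-option>
        <!-- Cache lifetime in minutes; keep it as short as the reauthentication interval allows -->
        <module-option name="cacheTimeout">480</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

The web application is bound to this policy through its WEB-INF/jboss-web.xml with a security-domain element of java:/jaas/cas (the "cas" name being the assumed policy name above). Roles that the application's security-constraint elements in web.xml refer to must appear either in defaultRoles or as values of one of the roleAttributeNames attributes released by CAS for that service, otherwise the container authenticates the user but denies access.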
Configure Servlet Filters
Integration with the servlet pipeline is required for a number of purposes:
- Examine servlet request for an authenticated session
- Redirect to CAS server for unauthenticated sessions
- Provide service URL and CAS ticket to JAAS pipeline for validation
WebAuthenticationFilter performs these operations for the JBoss AS container. It is important to note that this filter simply collects the service URL and CAS ticket from the request and passes them to the JAAS pipeline; it does not validate the ticket itself. It is assumed that CasLoginModule is present in the JAAS pipeline to consume the data and perform ticket validation. The following web.xml excerpts demonstrate how to integrate WebAuthenticationFilter into a JEE Web application.
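The following is an added example of such a web.xml, not the excerpt from the original page or the CAS client project's own sample. It assumes that the client's standard AuthenticationFilter (org.jasig.cas.client.authentication.AuthenticationFilter) handles the redirect of unauthenticated sessions to the CAS login page while WebAuthenticationFilter hands the returned ticket to JAAS; the filter names, the serverName and casServerLoginUrl parameters, the host names and the protected-resource paths are assumptions and should be checked against the client version in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the CAS client project): WEB-INF/web.xml excerpt -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Host/port the client uses to build the service URL (assumed; must match
       what CAS sees, because the service URL is part of ticket validation) -->
  <context-param>
    <param-name>serverName</param-name>
    <param-value>https://webapp.example.com</param-value>
  </context-param>

  <!-- Collects ?ticket=... plus the service URL and calls the JBoss WebAuthentication
       login, which drives CasLoginModule; performs no validation itself -->
  <filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.jaas.WebAuthenticationFilter</filter-class>
  </filter>

  <!-- Redirects sessions without an authenticated principal to the CAS login page (assumed companion filter) -->
  <filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://cas.example.com/cas/login</param-value>
    </init-param>
  </filter>

  <!-- Order matters: the ticket must reach JAAS before the redirect filter decides
       whether the request is authenticated -->
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Container-managed authorization: the role name must be one produced by
       defaultRoles or roleAttributeNames in the CasLoginModule configuration -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>authenticated</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>authenticated</role-name>
  </security-role>

</web-app>
```

Mapping both filters to /* keeps the whole application behind CAS; narrowing the url-pattern to the protected paths is possible, but the path that CAS redirects back to with the ticket must still be covered by CASWebAuthenticationFilter, or the ticket is never handed to the JAAS pipeline and the request loops back to the login page.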