In installations using Jasig CAS for authentication, WebProxy portlet can be configured to obtain its own proxy tickets. These tickets cannot themselves be used to authenticate to CAS-enabled Web sites. Instead, WebProxy portlet can validate its proxy ticket, ask for its own Proxy Granting Ticket, and then ask for a proxy ticket for the service it needs to access. The rest of this document outlines how to configure WebProxy portlet to do this.
This implementation adds a dependency on Jasig Java CAS Client. This dependency was added to WebProxy portlet's pom.xml in SVN.
Enabling CAS authentication
To turn on WebProxy portlet's support for authentication, set the value of the "edu.wisc.my.webproxy.webproxy.httpclient.authEnable" portlet preference to "true". To select the authentication method, set the value of the "edu.wisc.my.webproxy.webproxy.httpclient.sAuthType" portlet preference to "CAS". Portlet preferences can be set using uPortal's Portlet Manager or using the .channel file import.
Obtaining a CAS proxy ticket
uPortal passes CAS proxy tickets to portlets when a portlet is configured to request a user attribute named "casProxyTicket". This is configured in portlet.xml by adding a user attribute like in the following example:
Enabling the CAS Authentication Handler
CAS authentication is implemented by a new handler, the Java class edu.wisc.my.webproxy.beans.security.CasAuthenticationHandler. This is a Spring bean that is configured in WebProxy portlet's applicationContext.xml. The updated distribution of this file contains a section near the top that is commented out by default. Enable that section to look like this:
Enabling the Proxy Granting Ticket Receptor
Jasig Java CAS Client contains a Web filter that can receive Proxy Granting Tickets. WebProxy portlet is configured to retrieve these at an endpoint "/CasProxyReceptor" in the above example. To configure that endpoint, add the following section to WebProxy portlet's web.xml:
You will notice that the new endpoint, "/CasProxyReceptor", is mapped to an existing ProxyServlet. This is OK because the Jasig Java CAS Client will actually intercept the CAS callbacks with the PGT and the servlet will not be invoked.
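The ticket exchange outlined in the introduction, together with the receptor callback described above, as an added Python sketch of the CAS 2.0 protocol messages. It is not WebProxy portlet or Jasig Java CAS Client code; the host names, ticket values and the proxy-chain allowlist are assumptions, and the XML responses are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {"cas": "http://www.yale.edu/tp/cas"}   # CAS 2.0 response namespace
CAS = "https://cas.example.edu/cas"          # assumed CAS server prefix
RECEPTOR = "https://portal.example.edu/WebProxyPortlet/CasProxyReceptor"  # assumed URL
PORTAL_CALLBACK = "https://portal.example.edu/uPortal/CasProxyServlet"    # assumed URL
# Constructed sample responses (not captured from a real server).
VALIDATE_OK = f"""<cas:serviceResponse xmlns:cas="{NS['cas']}"><cas:authenticationSuccess>
<cas:user>jdoe</cas:user><cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
<cas:proxies><cas:proxy>{PORTAL_CALLBACK}</cas:proxy></cas:proxies>
</cas:authenticationSuccess></cas:serviceResponse>"""
PROXY_OK = f"""<cas:serviceResponse xmlns:cas="{NS['cas']}"><cas:proxySuccess>
<cas:proxyTicket>PT-2-constructed</cas:proxyTicket></cas:proxySuccess></cas:serviceResponse>"""

class CasError(Exception): pass

def validate_url(ticket, service):
    """Step 1: validate the portlet's own proxy ticket and request a PGT callback."""
    query = {"service": service, "ticket": ticket, "pgtUrl": RECEPTOR}
    return f"{CAS}/proxyValidate?{urlencode(query)}"

def parse_validation(xml_text, allowed_proxies):
    """Return (user, pgtIou); fail closed on failure or an unexpected proxy chain."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        raise CasError("ticket validation failed")
    chain = [(p.text or "").strip() for p in ok.findall("cas:proxies/cas:proxy", NS)]
    if not chain or any(p not in allowed_proxies for p in chain):
        raise CasError("unexpected proxy chain")  # added check, an assumption
    iou = ok.findtext("cas:proxyGrantingTicket", "", NS).strip()
    if not iou:
        raise CasError("no PGTIOU returned; the receptor callback did not succeed")
    return ok.findtext("cas:user", "", NS).strip(), iou

def claim_pgt(receptor_store, pgt_iou):
    """Step 2: swap the PGTIOU for the PGT the receptor stored; each IOU is single use."""
    if pgt_iou not in receptor_store:
        raise CasError("receptor has no PGT for this PGTIOU")
    return receptor_store.pop(pgt_iou)

def proxy_url(pgt, target_service):
    """Step 3: ask CAS for a proxy ticket scoped to the service to be accessed."""
    return f"{CAS}/proxy?" + urlencode({"pgt": pgt, "targetService": target_service})

def parse_proxy(xml_text):
    pt = ET.fromstring(xml_text).findtext("cas:proxySuccess/cas:proxyTicket", "", NS).strip()
    if not pt:
        raise CasError("CAS did not issue a proxy ticket")
    return pt
```

The dictionary passed to `claim_pgt` stands in for what the receptor endpoint records when CAS calls back with the `pgtIou` and `pgtId` parameters.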