Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3
Warning
titleWarning

Users looking for a CAS Client for Java should be using the CAS Client for Java 3.1

Configure the CAS Client for Standalone Applications

Add the Dependencies

To configure the JA-SIG CAS Client for Java, the first thing you need to do is gather the dependencies. If your project is using Maven2, you can include the client by adding the following to your pom.xml:

Code Block
xml
xml
<dependency>
     <groupId>org.jasig.cas</groupId>
     <artifactId>cas-client-core</artifactId>
     <version>3.0</version>
</dependency>

If you are not using Maven2, you should download the CAS distribution and manually copy in the required dependencies.

Configure the web.xml

You need to add the following XML filter and Spring configuration code to the web.xml

Code Block
xml
xml
<context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>

            /WEB-INF/simpleFilter.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetBeanName</param-name>

            <param-value>casAuthenticationFilter</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>

            <param-name>targetBeanName</param-name>
            <param-value>casValidationFilter</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>CAS Authorization Filter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

        <init-param>
            <param-name>targetBeanName</param-name>
            <param-value>casAuthorizationFilter</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>

        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS Authorization Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!--
      - Loads the root application context of this web app at startup.
      - The application context is then available via
      - WebApplicationContextUtils.getWebApplicationContext(servletContext).
    -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

If you need Proxy support, add the following to your web.xml

Code Block
xml
xml
<servlet>
	<servlet-name>casclient</servlet-name>
	<servlet-class>org.jasig.cas.client.proxy.SpringConfiguredProxyReceptorServlet</servlet-class>
	<load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
	<servlet-name>casclient</servlet-name>
	<url-pattern>/proxy/Receptor</url-pattern>
</servlet-mapping>

Configure the Spring Bean Factory

Include the following simpleFilter.xml file:

Code Block
xml
xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

    <bean id="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location" value="/WEB-INF/cas-client.properties"/>
    </bean>

    <bean id="authorizedDecider" class="org.jasig.cas.client.authorization.DefaultAuthorizedDeciderImpl">
        <constructor-arg index="0">
            <list>
                <value>scott</value>
                <value>velpi</value>
                <value>apetro</value>
            </list>
        </constructor-arg>
    </bean>

    <bean id="httpClient" class="org.jasig.cas.util.HttpClient3FactoryBean"/>

    <bean id="proxyRetriever" class="org.jasig.cas.client.proxy.Cas20ProxyRetriever">
        <constructor-arg index="0" value="${cas.server.url}"/>
        <constructor-arg index="1" ref="httpClient"/>
    </bean>

    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

    <bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
        <constructor-arg index="0" value="${cas.server.url}"/>
        <constructor-arg index="1" value="${cas.server.renew}"/>
        <constructor-arg index="2" ref="httpClient"/>
        <constructor-arg index="3"><list></list></constructor-arg>
        <constructor-arg index="4" value="true"/>
    </bean>

    <bean id="casHttpServletRequestWrapperFilter" class="org.jasig.cas.client.web.filter.HttpServletRequestWrapperFilter"/>

    <bean id="casValidationFilter" class="org.jasig.cas.client.web.filter.TicketValidationFilter">
        <constructor-arg index="0" value="${cas.client.serverName}"/>
        <constructor-arg index="1"><null/></constructor-arg>
        <constructor-arg index="2" ref="ticketValidator"/>
    </bean>

    <bean id="casAuthenticationFilter" class="org.jasig.cas.client.web.filter.AuthenticationFilter">
        <constructor-arg index="0" value="${cas.client.serverName}"/>
        <constructor-arg index="1"><null/></constructor-arg>
        <constructor-arg index="2" value="${cas.server.url}login"/>
        <constructor-arg index="3" value="${cas.server.renew}"/>
        <constructor-arg index="4" value="${cas.server.gateway}"/>
    </bean>

    <bean id="casAuthorizationFilter" class="org.jasig.cas.client.web.filter.AuthorizationFilter">
        <constructor-arg index="0" ref="authorizedDecider" />
    </bean>
</beans>

Configure Your application specific properties.

You'll need to create a file called cas-client.properties:

Code Block
cas.server.gateway=false
cas.server.renew=false
cas.server.url=https://localhost:8443/cas/
cas.client.serverName=localhost:8443
cas.client.proxyCallbackUrl=https://localhost:8443/myClientApp/casProxyReceptor

uPortal Integration Support

The JA-SIG CAS Client for Java provides out the box support for the uPortal 2.x framework.

Warning
titleGotchas and alternatives

uPortal in recent releases (later 2.5.x releases and all 2.6 releases) provides out of the box CAS integration support, including example configuration, all necessary libraries, and integration APIs, by means of the Yale Java CAS Client. You do not need to use the JA-SIG Java CAS Client or to follow these instructions to achieve basic CAS integration in uPortal. See instead the uPortal Manual page on this topic, which exists with the purpose of making this as simple and as un-frustrating as possible for you, the uPortal deployer. (It's even named "for the impatient"!)

What is documented here is an alternative to the default approach. However, this alternative will only work with version 3.0.x of the JA-SIG Java CAS Client. It will not work with version 3.1 of the JA-SIG Java CAS Client, in which this uPortal-specific integration code was removed for various reasons. (It's not clear that uPortal-specific code belongs here, and this integration code did not make use of the CAS integration APIs shipping in uPortal, instead introducing new APIs, and so it did not transparently integrate with e.g. the CasConnecionContext shipping with uPortal 2.6).

In short, you're entirely welcome to this this JA-SIG Java CAS Client version 3.0.x and these instructions to accomplish your uPortal-CAS integration, but if you do, you're doing something different than the CAS integration that most uPortal-CAS-integrators are doing.

Add the Dependencies

To configure the JA-SIG CAS Client for Java, the first thing you need to do is gather the dependencies. If your project is using Maven2, you can include the client by adding the following to your pom.xml:

Code Block
xml
xml
<dependency>
     <groupId>org.jasig.cas</groupId>
     <artifactId>cas-client-uportal</artifactId>
     <version>3.0</version>
</dependency>

If you are not using Maven2, you should download the CAS distribution and manually copy in the required dependencies.

Edit the uPortal security.properties

First, you'll need to edit the security.properties file and set your "root" security context:

Code Block
root=org.jasig.cas.client.integration.uportal.CasSecurityContextFactory

Next, set the credentials token for the root context:

Code Block
credentialToken.root=ticket

Add the uPortal-specific configuration

Add the following file to your uPortal configuration files:

Code Block
xml
xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC  "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
    <bean id="propertyPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location" value="/WEB-INF/properties/cas-client.properties"/>
    </bean>

    <bean id="casTicketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="${cas.server.url}"/>
        <constructor-arg index="1" value="false"/>
        <constructor-arg index="2" ref="httpClient"/>
        <constructor-arg index="3">
            <bean class="org.jasig.cas.authentication.principal.SimpleService">
                <constructor-arg value="${cas.server.proxyCallbackUrl}"/>
            </bean>
        </constructor-arg>
        <constructor-arg index="4" ref="casProxyGrantingTicketStorage"/>
        <constructor-arg index="5" ref="casProxyRetriever" />
    </bean>

    <bean id="casProxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

    <bean id="casProxyRetriever" class="org.jasig.cas.client.proxy.Cas20ProxyRetriever">
        <constructor-arg value="${cas.server.url}"/>
        <constructor-arg ref="httpClient"/>
    </bean>

    <bean id="httpClient" class="org.jasig.cas.util.HttpClient3FactoryBean">
        <property name="soTimeout" value="5000"/>
        <property name="connectionTimeout" value="5000"/>
        <property name="connectionManagerTimeout" value="5000"/>
        <property name="defaultMaxConnectionsPerHost" value="10"/>
        <property name="maxTotalConnections" value="10"/>
    </bean>

    <bean id="casService" class="org.jasig.cas.authentication.principal.SimpleService">
        <constructor-arg value="https://localhost:8443/portal/Authentication"/>
    </bean>
</beans>

Configure the cas-client.properties file

You'll also need a cas-client.properties file:

Code Block
cas.server.gateway=false
cas.server.renew=false
cas.server.url=https://localhost:8443/cas/
cas.client.serverName=localhost:8443
cas.client.proxyCallbackUrl=https://localhost:8443/myClientApp/casProxyReceptor

Configure the uPortal Spring Bean Factory

You'll need to add the CAS Spring Bean Factory to the uPortal Spring Bean Factory so it can find it. Modify the properties/beanRefFactory.xml to include the file you created above containing the Spring Beans that the CAS client needs.

Accessing the URL:

You should now be able to go to https://my.cas.server/cas/login?service=https://my.uportal.server/portal/Authentication and authenticate via CAS.

Removing service tickets from URLs after validation:

After users have logged into CAS and access a protected service/resource, they are redirected back to the requested service/resource with a CAS service ticket.  The CAS client uses this ticket to determine whether the user has been authenticated by CAS and request the user's username.  However, the service ticket is still on the query string for the request service.  This is a problem whenever the user attempts to refresh the page or return to the page after a later time because the ticket is no longer valid!

 In order for this service ticket to be removed from the URL of the requested service/resource, an alternative configuration of the TicketValidationFilter bean must be used.

Code Block
<bean id="casValidationFilter" class="org.jasig.cas.client.web.filter.TicketValidationFilter">
	<!-- serverName of client to construct serviceURL eg:"thisServer.myDomain.net" -->
        <constructor-arg index="0" value="${cas.client.serverName}"/>
        <!-- serviceUrl of client: either provide serverName or serviceUrl -->
        <constructor-arg index="1">
            <null/>
        </constructor-arg>
        <!-- use sessions -->
        <constructor-arg index="2" value="true"/>
        <!-- ticketValidator implementation (defines protocol version to be used) -->
        <constructor-arg index="3" ref="ticketValidator"/>
        <!-- redirect users to the service after validation to remove service ticket -->
        <constructor-arg index="4" value="true"/>
</bean>