This document explains how to integrate CAS and WebSphere to enable transparent Single Sign On using the Trust Association Interceptor interface.
Compatible with WebSphere version 5.0.2 and above, JDK 1.3 and above
As mentioned above, this implementation of a CAS Client is based on the Trust Association Interceptor (TAI) interface.
This interface has been designed specifically to handle third-party security mechanisms.
It handles unauthenticated requests to protected resources and tries to validate each request against a third party.
If validation succeeds, it allows the WebSphere application server to create a Subject using the information retrieved from the third party.
Figure: Authentication customization points
Installing the package
In the following, <WPSInstallDirectory> is assumed to be your WebSphere install path.
- Copy CasClientWebsphere-x.x.x.jar and casclient-2.1.1.jar into
Deploying and configuring TAI
- Open the WebSphere admin console
- Navigate to Security > Authentication Mechanisms > LTPA > Trust Associations > Interceptors
- Delete the unused ones
- Click on
Interceptor Classname: for WAS version 5.1.1 and above use com.octo.cas.client.websphere.CasTAI511; for WAS versions above 5.0.2 and under 5.1.1 use
Custom Properties: required properties:
CAS_VALIDATION_URL= the validation URL of your CAS server, e.g. 'https://myCasServer/cas/serviceValidate'
PRINCIPAL_PREFIX= prefix added to the principal in order to allow group mapping, e.g. 'uid='; default is ""
PRINCIPAL_SUFFIX= suffix added to the principal in order to allow group mapping, e.g. ',OU=myOu, O=myCompany'; default is ""
CAS_CALLBACK_PROXY_URL= the address that your CAS server will call to send a Proxy Granting Ticket, e.g. 'https://myWebsphereServer:port'; required only if STORE_PROXY_TICKET='true'; default is ""
CAS_CALLBACK_PROXY_SERVLET= the servlet that your CAS server will call to send a Proxy Granting Ticket, e.g. '/CasProxyServlet'; required only if STORE_PROXY_TICKET='true'; default is "/CasProxyServlet"
- optional properties:
DEBUG= enable debug output to stdout, 'true' or 'false'; default is false
STORE_PROXY_TICKET= 'true' to enable WAS to act as a proxy for CAS credentials; default is false
CAS_REALM_NAME= the realm of this TAI; default is "CAS_REALM"
- Navigate to Security > Authentication Mechanisms > LTPA > Trust Associations
- Enable "Trust Associations" in the console
- Navigate to Security > Authentication Mechanisms > LTPA > SSO
- Enable SSO with your domain name
- Save the configuration and restart the WebSphere server
Validate the installation
- You should see something like this in
- Try to log in automatically through the TAI:
- Assuming you have an application with a URL protected by a web.xml security constraint, say https://myWebsphereServer:9444/myApp/secured.jsp
- Try the following URL: https://myCasServer/cas/login?service=https://myWebsphereServer:9444/myApp/secured.jsp
- You should see the following in <WPSInstallDirectory>/AppServer/logs/server1/SystemOut.log
Deploy the Proxy Ticket Receptor Servlet in the targeted web applications
(only required if you need proxy tickets, i.e. you specify
Add the following to your web.xml:
- Note that there is only one TAI configuration per WebSphere server.
This means that every application running in this application server must declare the Proxy Ticket Receptor Servlet if you use it.
- First configure the TAI without proxy tickets enabled and with debug on.
- Enable proxy tickets if needed; if the CAS validation process now fails:
- Try to call your proxy receptor servlet at CAS_CALLBACK_PROXY_URL + contextPathOfYourApplication + CAS_CALLBACK_PROXY_SERVLET
- You should obtain a blank page with a 200 status
- Otherwise, your servlet is not properly configured
- If the servlet responds correctly, the failure could come from a bad WebSphere certificate (the default one is self-signed and thus not trusted by the CAS server when it calls back)
- Turn debug off
- If you get an invalid service exception, this is certainly due to your login redirection: be sure to URL-encode the target redirection URL that you pass as the
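To make the property semantics and the "invalid service" caveat above concrete, here is an added Python example (not code from this page or from the CAS client itself) that does offline what the interceptor does once a request arrives with a ticket: it builds the serviceValidate URL from CAS_VALIDATION_URL with the service percent-encoded, adds pgtUrl from CAS_CALLBACK_PROXY_URL, the application context path and CAS_CALLBACK_PROXY_SERVLET when STORE_PROXY_TICKET is 'true', and turns the CAS 2.0 XML reply into a principal wrapped with PRINCIPAL_PREFIX/PRINCIPAL_SUFFIX. The property values and the XML replies are constructed samples; the HTTP call itself is left out.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used by CAS 2.0 serviceValidate replies
# TAI custom properties as they would be entered in the admin console (constructed sample values)
PROPS = {
    "CAS_VALIDATION_URL": "https://myCasServer/cas/serviceValidate",
    "PRINCIPAL_PREFIX": "uid=",
    "PRINCIPAL_SUFFIX": ",OU=myOu, O=myCompany",
    "STORE_PROXY_TICKET": "true",
    "CAS_CALLBACK_PROXY_URL": "https://myWebsphereServer:9444",
    "CAS_CALLBACK_PROXY_SERVLET": "/CasProxyServlet",
}

def validation_url(props, service, ticket, context_path):
    """Build the serviceValidate URL for a request that arrived with a ticket.
    urlencode() percent-encodes the service, so CAS compares the exact service
    the ticket was issued for (an un-encoded service is a typical INVALID_SERVICE cause)."""
    params = {"service": service, "ticket": ticket}
    if props.get("STORE_PROXY_TICKET", "false") == "true":
        # pgtUrl is where CAS sends the PGT: callback host + application context + receptor servlet
        params["pgtUrl"] = (props["CAS_CALLBACK_PROXY_URL"] + context_path
                            + props["CAS_CALLBACK_PROXY_SERVLET"])
    return props["CAS_VALIDATION_URL"] + "?" + urlencode(params)

def parse_validation_response(props, xml_text):
    """Parse the CAS 2.0 reply. Returns (status, principal, pgt_iou): status is "SUCCESS"
    with PRINCIPAL_PREFIX/SUFFIX applied to the principal, or status is the CAS failure code."""
    root = ET.fromstring(xml_text)
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return failure.get("code", "UNKNOWN"), None, None
    success = root.find(CAS_NS + "authenticationSuccess")
    user = success.findtext(CAS_NS + "user", "").strip() if success is not None else ""
    if not user:
        return "MALFORMED_RESPONSE", None, None  # never build a Subject from an empty user
    pgt_iou = success.findtext(CAS_NS + "proxyGrantingTicket")
    # prefix/suffix turn the bare CAS user id into the DN form WebSphere uses for group mapping
    principal = props.get("PRINCIPAL_PREFIX", "") + user + props.get("PRINCIPAL_SUFFIX", "")
    return "SUCCESS", principal, (pgt_iou.strip() if pgt_iou else None)

# Constructed sample replies in the CAS 2.0 format
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user>
  <cas:proxyGrantingTicket>PGTIOU-sample</cas:proxyGrantingTicket></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>service mismatch</cas:authenticationFailure>
</cas:serviceResponse>"""
```

With DEBUG on, the URL returned by validation_url is the request you should expect to see logged in SystemOut.log, and the failure code is what the interceptor reports when validation is rejected.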