The Java CAS Client >=3.1.12 supports the Java Authentication and Authorization Service (JAAS) framework, which provides authnz facilities to CAS-enabled JEE applications.

The Jasig Java CAS client added support for JAAS in version 3.1.11 with specific support for JBoss Application Server version 4.2.3 and higher. After release we discovered a problem on JBoss that required additional features that appear in version 3.1.12. It is strongly recommended that version 3.1.12 be used in production applications. The JAAS integration should be generalizable to any JEE container such as WebSphere, but additional development would be required. If you are interested in collaborating to adapt the JAAS support for other JEE containers, please post a note to the cas-dev mailing list.

Overview

A general JAAS authentication module, CasLoginModule, was added in version 3.1.11 with the specific purpose of providing authentication and authorization services to CAS-enabled JEE applications. The design of the module is simple: given a service URL and a service ticket in a NameCallback and PasswordCallback, respectively, the module contacts the CAS server and attempts to validate the ticket. In keeping with CAS integration for Java applications, a JEE container-specific servlet filter is needed to protect JEE Web applications. The JBoss WebAuthentication component provided a convenient integration piece between a servlet filter and the JAAS framework, so a complete integration solution is available only for JBoss AS versions that provide the WebAuthentication class (4.2.3 and 5.x). The JAAS support should be extensible to any JEE container with additional development.

Configuration

The following configuration instructions make the following assumptions:

  1. Jasig Java CAS client 3.1.12 or later
  2. JBoss AS container supporting the WebAuthentication class
  3. Ability to configure JAAS authentication modules for entire container or deployment descriptor of JEE application

Dependencies

The following Jasig Java CAS Client modules are needed for JAAS support in JBoss:

Note that the above modules have their own dependencies as seen from the output of the mvn dependency:tree command:

[INFO] ------------------------------------------------------------------------
[INFO] Building JA-SIG CAS Client for Java - Core
[INFO]    task-segment: [dependency:tree]
[INFO] ------------------------------------------------------------------------
[INFO] [dependency:tree {execution: default-cli}]
[INFO] org.jasig.cas.client:cas-client-core:jar:3.1.12-SNAPSHOT
[INFO] +- xml-security:xmlsec:jar:1.3.0:runtime
[INFO] +- org.opensaml:opensaml:jar:1.1:provided
[INFO] +- org.springframework:spring-beans:jar:2.5.6.SEC01:provided
[INFO] +- org.springframework:spring-test:jar:2.5.6.SEC01:test
[INFO] +- org.springframework:spring-core:jar:2.5.6.SEC01:test
[INFO] +- org.springframework:spring-context:jar:2.5.6.SEC01:test
[INFO] |  \- aopalliance:aopalliance:jar:1.0:test
[INFO] +- log4j:log4j:jar:1.2.15:test
[INFO] |  \- javax.mail:mail:jar:1.4:test
[INFO] |     \- javax.activation:activation:jar:1.1:test
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- commons-logging:commons-logging:jar:1.1:compile
[INFO] \- javax.servlet:servlet-api:jar:2.4:provided (scope not updated to compile)
[INFO] ------------------------------------------------------------------------
[INFO] Building JA-SIG CAS Client for Java - JBoss Integration
[INFO]    task-segment: [dependency:tree]
[INFO] ------------------------------------------------------------------------
[INFO] [dependency:tree {execution: default-cli}]
[INFO] org.jasig.cas.client:cas-client-integration-jboss:jar:3.1.12-SNAPSHOT
[INFO] +- org.jasig.cas.client:cas-client-core:jar:3.1.12-SNAPSHOT:compile
[INFO] +- org.jboss.jbossas:jboss-as-tomcat:jar:5.1.0.GA:provided
[INFO] |  +- apache-xerces:xml-apis:jar:2.9.1:provided
[INFO] |  +- javax.faces:jsf-impl:jar:1.2_12:provided
[INFO] |  +- jacorb:jacorb:jar:2.3.0jboss.patch6-brew:provided
[INFO] |  +- javax.security:jaas:jar:1.0.01:provided
[INFO] |  +- javax.transaction:jta:jar:1.1:provided
[INFO] |  +- org.jboss.logging:jboss-logging-spi:jar:2.1.0.GA:provided
[INFO] |  +- org.jboss.security:jboss-security-spi:jar:2.0.3.SP1:provided
[INFO] |  +- jboss:jboss-serialization:jar:1.0.3.GA:provided
[INFO] |  +- org.jboss.integration:jboss-deployment-spi:jar:5.1.0.GA:provided
[INFO] |  +- org.jboss.security:jbosssx-client:jar:2.0.3.SP1:provided
[INFO] |  +- jboss.web:jbossweb:jar:2.1.3.GA:provided
[INFO] |  +- org.jboss.ws.native:jbossws-native-jaxws:jar:3.1.2.GA:provided
[INFO] |  |  \- org.jboss.ws.native:jbossws-native-saaj:jar:3.1.2.GA:provided
[INFO] |  +- jgroups:jgroups:jar:2.6.10.GA:provided
[INFO] |  +- log4j:log4j:jar:1.2.14:provided
[INFO] |  +- org.jboss:jboss-common-core:jar:2.2.14.GA:provided
[INFO] |  +- org.jboss.metadata:jboss-metadata:jar:1.0.1.GA:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-ext-api:jar:1.0.0:provided
[INFO] |  |  +- org.jboss.javaee:jboss-jms-api:jar:1.1.0.GA:provided
[INFO] |  |  +- org.jboss.javaee:jboss-transaction-api:jar:1.0.1.GA:provided
[INFO] |  |  +- jboss.jbossws:jboss-jaxws:jar:3.0.1-native-2.0.4.GA:provided
[INFO] |  |  +- org.jboss:jboss-mdr:jar:2.0.0.GA:provided
[INFO] |  |  \- sun-jaxb:jaxb-api:jar:2.1.4:provided
[INFO] |  +- org.jboss:jboss-vfs:jar:2.1.2.GA:provided
[INFO] |  +- org.jboss.ws:jbossws-spi:jar:1.1.2.GA:provided
[INFO] |  |  +- org.apache.ant:ant:jar:1.7.0:provided
[INFO] |  |  |  \- org.apache.ant:ant-launcher:jar:1.7.0:provided
[INFO] |  |  +- dom4j:dom4j:jar:1.6.1:provided
[INFO] |  |  |  \- xml-apis:xml-apis:jar:1.0.b2:provided
[INFO] |  |  \- gnu-getopt:getopt:jar:1.0.13:provided
[INFO] |  +- org.jboss:jbossxb:jar:2.0.1.GA:provided
[INFO] |  |  +- org.jboss:jboss-reflect:jar:2.0.2.GA:provided
[INFO] |  |  +- apache-xerces:xercesImpl:jar:2.9.1:provided
[INFO] |  |  +- wutka-dtdparser:dtdparser121:jar:1.2.1:provided
[INFO] |  |  \- javax.activation:activation:jar:1.1.1:provided
[INFO] |  +- org.jboss.aop:jboss-aop:jar:2.1.1.GA:provided
[INFO] |  |  +- javassist:javassist:jar:3.10.0.GA:provided
[INFO] |  |  +- qdox:qdox:jar:1.6.1:provided
[INFO] |  |  +- trove:trove:jar:2.1.1:provided
[INFO] |  |  \- org.jboss.logging:jboss-logging-log4j:jar:2.0.5.GA:provided
[INFO] |  +- org.jboss.javaee:jboss-jaspi-api:jar:1.0.0.GA:provided
[INFO] |  +- org.jboss.jbossas:jboss-as-connector:jar:5.1.0.GA:provided
[INFO] |  |  +- org.jboss.jbossas:jboss-as-profileservice:jar:5.1.0.GA:provided
[INFO] |  |  |  +- org.jboss.jbossas:jboss-as-aspects:jar:5.1.0.GA:provided
[INFO] |  |  |  |  +- org.jboss.aop:jboss-aop-aspects:jar:2.1.1.GA:provided
[INFO] |  |  |  |  |  \- org.beanshell:bsh:jar:1.3.0:provided
[INFO] |  |  |  |  +- org.jboss.aop:jboss-aop-asintegration-core:jar:2.1.1.GA:provided
[INFO] |  |  |  |  |  \- org.jboss.aop:pluggable-instrumentor:jar:2.1.1.GA:provided
[INFO] |  |  |  |  +- org.jboss.aop:jboss-aop-asintegration-jmx:jar:2.1.1.GA:provided
[INFO] |  |  |  |  +- org.jboss.aop:jboss-aop-asintegration-mc:jar:2.1.1.GA:provided
[INFO] |  |  |  |  \- org.jboss.test:jboss-test:jar:1.1.4.GA:provided
[INFO] |  |  |  |     +- org.apache.ant:ant-junit:jar:1.7.0:provided
[INFO] |  |  |  |     +- jboss.profiler.jvmti:jboss-profiler-jvmti:jar:1.0.0.CR5:provided
[INFO] |  |  |  |     \- org.jboss.jbossas:jboss-server-manager:jar:1.0.2.GA:provided
[INFO] |  |  |  \- org.jboss.integration:jboss-profileservice-spi:jar:5.1.0.GA:provided
[INFO] |  |  +- quartz:quartz:jar:1.5.2:provided
[INFO] |  |  +- javax.mail:mail:jar:1.4:provided
[INFO] |  |  +- org.jboss.microcontainer:jboss-aop-mc-int:jar:2.0.6.GA:provided
[INFO] |  |  +- org.jboss.jbossas:jboss-as-system:jar:5.1.0.GA:provided
[INFO] |  |  +- org.jboss.integration:jboss-transaction-spi:jar:5.1.0.GA:provided
[INFO] |  |  +- org.jboss.integration:jboss-integration:jar:5.1.0.GA:provided
[INFO] |  |  +- org.jboss.jbossas:jboss-as-main:jar:5.1.0.GA:provided
[INFO] |  |  |  \- org.jboss.logbridge:jboss-logbridge:jar:1.0.0.GA:provided
[INFO] |  |  |     \- org.jboss.logmanager:jboss-logmanager:jar:1.0.0.GA:provided
[INFO] |  |  +- org.jboss.man:jboss-metatype:jar:2.1.0.SP1:provided
[INFO] |  |  \- org.jboss.man:jboss-managed:jar:2.1.0.SP1:provided
[INFO] |  +- org.jboss.jbossas:jboss-as-ejb3:jar:5.1.0.GA:provided
[INFO] |  |  +- cglib:cglib:jar:2.1.3:provided
[INFO] |  |  +- org.hibernate:hibernate-core:jar:3.3.1.GA:provided
[INFO] |  |  |  +- antlr:antlr:jar:2.7.6:provided
[INFO] |  |  |  \- commons-collections:commons-collections:jar:3.1:provided
[INFO] |  |  +- org.hibernate:hibernate-annotations:jar:3.4.0.GA:provided
[INFO] |  |  |  +- org.hibernate:hibernate-commons-annotations:jar:3.1.0.GA:provided
[INFO] |  |  |  \- org.slf4j:slf4j-api:jar:1.4.2:provided
[INFO] |  |  +- org.jboss.remoting:jboss-remoting:jar:2.5.1:provided
[INFO] |  |  +- org.hibernate:hibernate-entitymanager:jar:3.4.0.GA:provided
[INFO] |  |  +- org.jboss.cluster:jboss-ha-client:jar:1.1.1.GA:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-as-int:jar:1.1.5:provided
[INFO] |  |  |  +- org.jboss.ejb3:jboss-ejb3:pom:1.1.5:provided
[INFO] |  |  |  |  +- org.jboss.ejb3:jboss-ejb3-core:jar:1.1.5:provided
[INFO] |  |  |  |  \- org.jboss.ejb3:jboss-ejb3-deployers:jar:1.0.0:provided
[INFO] |  |  |  \- org.jboss.ejb3:jboss-ejb3-mc-int:jar:1.0.1:provided
[INFO] |  |  +- org.jboss.naming:jnp-client:jar:5.0.3.GA:provided
[INFO] |  |  +- org.jboss.microcontainer:jboss-kernel:jar:2.0.6.GA:provided
[INFO] |  |  \- org.jboss.integration:jboss-corba-ots-spi:jar:5.1.0.GA:provided
[INFO] |  +- org.jboss.ejb3:jboss-ejb3-core:jar:client:1.1.5:provided
[INFO] |  |  +- org.jboss.integration:jboss-jca-spi:jar:5.0.3.GA:provided
[INFO] |  |  +- org.jboss.cache:jbosscache-core:jar:3.1.0.GA:provided
[INFO] |  |  +- org.jboss.aspects:jboss-remoting-aspects:jar:1.0.2:provided
[INFO] |  |  |  +- org.jboss.aspects:jboss-transaction-aspects:jar:1.0.0.GA:provided
[INFO] |  |  |  \- org.jboss.aspects:jboss-security-aspects:jar:1.0.0.GA:provided
[INFO] |  |  |     \- javax.security:jacc:jar:1.0:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-cache:jar:1.0.0:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-common:jar:1.0.0:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-endpoint:jar:0.1.0:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-security:jar:1.0.0:provided
[INFO] |  |  |  \- org.jboss.aspects:jboss-current-invocation-aspects:jar:1.0.0.CR1:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-timerservice-spi:jar:1.0.0:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-ext-api-impl:jar:1.0.0:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-interceptors:jar:1.0.2:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-metadata:jar:1.0.0:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-proxy-impl:jar:1.0.2:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-proxy-clustered:jar:1.0.1:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-proxy-spi:jar:1.0.0:provided
[INFO] |  |  +- org.jboss.ejb3:jboss-ejb3-transactions:jar:1.0.0:provided
[INFO] |  |  +- org.jboss.jpa:jboss-jpa-deployers:jar:1.0.0-CR1:provided
[INFO] |  |  +- org.jboss.security:jbosssx:jar:2.0.2.SP2:provided
[INFO] |  |  +- sun-jaxws:jaxws-api:jar:2.1.1:provided
[INFO] |  |  \- sun-jaxws:jsr181-api:jar:2.1.1:provided
[INFO] |  +- org.jboss.javaee:jboss-jacc-api:jar:1.1.0.GA_SP1:provided
[INFO] |  |  \- jboss.web:servlet-api:jar:2.1.1.GA:provided
[INFO] |  +- org.jboss.javaee:jboss-jca-api:jar:1.5.0.GA:provided
[INFO] |  +- org.jboss.javaee:jboss-ejb-api:jar:3.0.0.GA:provided
[INFO] |  |  \- org.jboss.ws.native:jbossws-native-jaxrpc:jar:3.0.4.GA:provided
[INFO] |  +- org.hibernate:ejb3-persistence:jar:1.0.2.GA:provided
[INFO] |  +- org.jboss.cluster:jboss-ha-server-api:jar:1.1.1.GA:provided
[INFO] |  +- org.jboss.cluster:jboss-ha-server-cache-spi:jar:2.0.0.GA:provided
[INFO] |  +- org.jboss.cluster:jboss-ha-server-cache-jbc:jar:2.0.0.GA:provided
[INFO] |  +- org.jboss.jbossas:jboss-as-iiop:jar:5.1.0.GA:provided
[INFO] |  |  +- apache-avalon:avalon-framework:jar:4.1.5:provided
[INFO] |  |  \- org.jboss.integration:jboss-classloading-spi:jar:5.1.0.GA:provided
[INFO] |  +- org.jboss.jbossas:jboss-as-j2se:jar:5.1.0.GA:provided
[INFO] |  +- org.jboss.jbossas:jboss-as-security:jar:5.1.0.GA:provided
[INFO] |  |  +- org.jboss.security:jbossxacml:jar:2.0.3:provided
[INFO] |  |  \- org.apache:xmlsec:jar:1.4.2:provided
[INFO] |  +- org.jboss.jbossas:jboss-as-server:jar:5.1.0.GA:provided
[INFO] |  |  +- org.jboss.jbossas:jboss-as-deployment:jar:5.1.0.GA:provided
[INFO] |  |  |  \- org.jboss.javaee:jboss-jad-api:jar:1.2.0.GA:provided
[INFO] |  |  +- org.jboss.bootstrap:jboss-bootstrap:jar:1.0.0-Beta-3:provided
[INFO] |  |  +- org.jboss.jbossas:jboss-as-jmx:jar:5.1.0.GA:provided
[INFO] |  |  |  +- org.jboss.jbossas:jboss-as-j2se:test-jar:tests:5.1.0.GA:provided
[INFO] |  |  |  \- org.jboss.jbossas:jboss-as-mbeans:jar:5.1.0.GA:provided
[INFO] |  |  +- bcel:bcel:jar:5.1:provided
[INFO] |  |  +- jpl-util:jpl-util:jar:1.0:provided
[INFO] |  |  +- jpl-pattern:jpl-pattern:jar:1.0:provided
[INFO] |  |  \- org.jboss.naming:jnpserver:jar:5.0.3.GA:provided
[INFO] |  +- org.jboss.jbossas:jboss-as-system-jmx:jar:5.1.0.GA:provided
[INFO] |  |  \- org.jboss.microcontainer:jboss-dependency:jar:2.0.6.GA:provided
[INFO] |  +- org.jboss.cl:jboss-classloader:jar:2.0.6.GA:provided
[INFO] |  +- org.jboss.deployers:jboss-deployers-core-spi:jar:2.0.7.GA:provided
[INFO] |  +- org.jboss.deployers:jboss-deployers-impl:jar:2.0.7.GA:provided
[INFO] |  |  \- org.jboss.cl:jboss-classloading:jar:2.0.6.GA:provided
[INFO] |  +- org.jboss.deployers:jboss-deployers-spi:jar:2.0.7.GA:provided
[INFO] |  +- org.jboss.deployers:jboss-deployers-structure-spi:jar:2.0.7.GA:provided
[INFO] |  |  \- org.jboss.deployers:jboss-deployers-client-spi:jar:2.0.7.GA:provided
[INFO] |  +- org.jboss.deployers:jboss-deployers-vfs:jar:2.0.7.GA:provided
[INFO] |  |  +- org.jboss.cl:jboss-classloading-vfs:jar:2.0.6.GA:provided
[INFO] |  |  +- org.jboss.deployers:jboss-deployers-core:jar:2.0.7.GA:provided
[INFO] |  |  \- org.jboss.deployers:jboss-deployers-client:jar:2.0.7.GA:provided
[INFO] |  +- org.jboss.deployers:jboss-deployers-vfs-spi:jar:2.0.7.GA:provided
[INFO] |  |  \- stax:stax-api:jar:1.0:provided
[INFO] |  +- oswego-concurrent:concurrent:jar:1.3.4-jboss-update1:provided
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:provided
[INFO] |  \- javax.faces:jsf-api:jar:1.2_12:provided
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- commons-logging:commons-logging:jar:1.1:compile
[INFO] \- javax.servlet:servlet-api:jar:2.4:provided (scope not updated to compile)

Most if not all of the JBoss dependencies above should be available to a JEE application deployed to JBoss AS.

Configure CasLoginModule

It is expected that for JEE applications both authentication and authorization services will be required for CAS integration. The following JAAS module configuration file excerpt demonstrates how to leverage SAML 1.1 attribute release in CAS to provide authorization data in addition to authentication:

cas {
  org.jasig.cas.client.jaas.CasLoginModule required
    ticketValidatorClass="org.jasig.cas.client.validation.Saml11TicketValidator"
    casServerUrlPrefix="https://cas.example.com/cas"
    tolerance="20000"
    service="https://webapp.example.com/webapp"
    defaultRoles="admin,operator"
    roleAttributeNames="memberOf,eduPersonAffiliation"
    principalGroupName="CallerPrincipal"
    roleGroupName="Roles"
    cacheAssertions="true"
    cacheTimeout="480";
}

For JBoss it is vitally important to use the above values for principalGroupName and roleGroupName. Additionally, the cacheAssertions and cacheTimeout are required since JBoss by default attempts to reauthenticate the JAAS principal with a fairly aggressive default timeout. Since CAS tickets are single-use authentication tokens by default, assertion caching is required to support periodic reauthentication. A full description of CasLoginModule configuration attributes follows.

Ticket validator configuration attributes, such as tolerance in the example above, are also supported.

Configure Servlet Filters

Integration with the servlet pipeline is required for a number of purposes:

The WebAuthenticationFilter performs these operations for the JBoss AS container. It is important to note that this filter simply collects the service URL and CAS ticket from the request and passes it to the JAAS pipeline. It is assumed that the CasLoginModule will be present in the JAAS pipeline to consume the data and perform ticket validation. The following web.xml excerpts demonstrate how to integrate WebAuthenticationFilter into a JEE Web application.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
  xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <!-- Facilitates CAS single sign-out -->
  <listener>
    <listener-class>
      org.jasig.cas.client.session.SingleSignOutHttpSessionListener
    </listener-class>
  </listener>

  <!-- Following is needed only if CAS single-sign out is desired -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>
      org.jasig.cas.client.session.SingleSignOutFilter
    </filter-class>
  </filter>

  <!-- Only 2 CAS filters are required for JAAS support -->
  <filter>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CASAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://cas.example.com/cas/login</param-value>
    </init-param>
  </filter>
  <!-- Other filters as needed -->

  <!-- CAS client filter mappings -->
  <!-- The order of the following filters is vitally important -->
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>*.do</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASWebAuthenticationFilter</filter-name>
    <url-pattern>*.do</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CASAuthenticationFilter</filter-name>
    <url-pattern>*.do</url-pattern>
  </filter-mapping>


  <!-- Other configuration as needed -->
</web-app>