CAS Enhancement

Albert Guo [email protected]

Post on 19-Jun-2015

TRANSCRIPT

Page 1: CAS Enhancement

Albert [email protected]

Page 2: CAS Enhancement

• Why SSO (Single-Sign On)?
• Central Authentication Service (CAS)
• CAS Installation
• As-Is and To-be Process
• Modification Process

Page 3: CAS Enhancement
Page 4: CAS Enhancement
Page 5: CAS Enhancement

[Diagram: a web browser and app. #1, app. #2, app. #3 with an authentication service, shown first without SSO and then with SSO.]

Page 6: CAS Enhancement

One authentication server

• From applications to the authentication server (when not authenticated)
• From the authentication server to applications (when authenticated)

Cookies, CGI parameters

Page 7: CAS Enhancement
Page 8: CAS Enhancement

Security
◦ Password is never transmitted to applications
◦ Opaque tickets are used

N-tier installations
◦ Without transmitting any password!

Portability (client libraries)
◦ Java, Perl, JSP, ASP, PHP, PL/SQL, Apache and PAM modules

Permanence
◦ Developed by Yale University
◦ World-wide used (mainly Universities)
◦ Adopted by all the French educational community

Page 9: CAS Enhancement

J2EE platform
◦ Very light code (about 1000 lines)

Open source

Integrated into uPortal

Page 10: CAS Enhancement
Page 11: CAS Enhancement

CAS 3 offers…
◦ CAS 2 compliance out of the box
◦ Unit/Integration Tests and Compliance Tests
◦ Proper domain model
◦ Revamped architecture
◦ Support for well-known modifications

Page 12: CAS Enhancement

Built on popular open-source frameworks
◦ Spring Framework
◦ Quartz
◦ xFire
◦ Jakarta Commons
◦ Log4j
◦ Maven

Design Philosophy: don’t reinvent the wheel

Page 13: CAS Enhancement

Loose coupling of components
◦ Via Dependency Injection
◦ Declarative configuration via XML files

Coding to interfaces
◦ Swap implementations to suit needs
◦ Implementations adhere to contract
◦ Example: TicketRegistry

Uses Design Patterns
◦ Patterns allow for a common understanding
◦ Example: Template Design Pattern

Page 14: CAS Enhancement

Layered Architecture
◦ Separation of UI concerns from business concerns
◦ Allows for better re-use of code
◦ Example: Web Tier vs. Web Service

Use of AOP to separate cross-cutting concerns for business logic
◦ Allows for major additions to functionality without modifying core code
◦ Example: auditing

Use of Spring Workflow allows for declarative reconfiguration of Login process

Page 15: CAS Enhancement

SSO solution from Yale University

◦ http://www.ja-sig.org/products/cas/index.html

Authentication once to access multiple applications

An open and well-documented protocol

A library of clients for Java, PHP, Perl, Apache and …

Page 16: CAS Enhancement

[Diagram: Service 1 and Service 2 (each with a Resource), CAS (Login, Validate); the user's PW is entered once at CAS and an encrypted cookie is set in the browser.]

1. Initial request
2. Authentication (send serviceId)
3. Ticket transfer (send ticket)
4. Validate Ticket
5. Access resource

SSO makes it possible for users to log in once and access different services.

Page 17: CAS Enhancement

[Diagram: Service 1 and Service 2 (each with a Resource), CAS (Login, Validate), encrypted cookie in the browser.]

1. Initial request
2. Authentication (send serviceId)
2a. User does NOT need to provide id/password again (an SSO cookie exists)
3. Ticket transfer (send ticket)
4. Validate Ticket
5. Access resource

Page 18: CAS Enhancement

[Diagram: without SSO, Service 1 and Service 2 each have their own login and Resource, and the user enters a PW at each.]

Service 1:
1. Initial request
2. Authentication
3. Access resource

Service 2:
1. Initial request
2. Authentication again
3. Access resource

Multiple user databases, multiple logins

Page 19: CAS Enhancement

[Diagram: Service 1 and Service 2 (each with a Resource), CAS (Login, Validate); the user's PW is entered once at CAS and an encrypted cookie is set in the browser.]

1. Initial request
2. Authentication (send serviceId)
3. Ticket transfer (send ticket)
4. Validate Ticket
5. Access resource

SSO makes it possible for users to log in once and access different services.

Page 20: CAS Enhancement

[Diagram: Service 1 and Service 2 (each with a Resource), CAS (Login, Validate), encrypted cookie in the browser.]

1. Initial request
2. Authentication (send serviceId)
2a. User does NOT need to provide id/password again (an SSO cookie exists)
3. Ticket transfer (send ticket)
4. Validate Ticket
5. Access resource

Page 21: CAS Enhancement

[Flowchart with two lanes, Service and CAS:]

Service: Initial request → Login state?
◦ Y → Use resource
◦ N → Redirect to CAS (send serviceId)

CAS: ID and password correct?
◦ N → Login again (Id and password)
◦ Y → Ticket transfer (send ticket and set SSO cookie)

Service: Ticket validation (validation url) → CAS: Ticket validation
◦ Y → Save login state → Use resource
◦ N → no access
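As an added example (not from the slides or the CAS project), a small in-memory model in Python of the flow drawn above: redirect with serviceId, login or SSO-cookie reuse, ticket transfer, and validation. The CasServer and Service classes, the demo user and the "TGT-"/"ST-" ticket prefixes are constructed for illustration; the point it shows is that the application only ever handles an opaque, single-use ticket bound to its own serviceId, never the password.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed, in-memory model of the CAS 2.0 flow (illustration, not CAS code).
class CasServer:
    def __init__(self, users, ticket_ttl=10.0):
        self.users = users            # username -> password (demo store only)
        self.tgts = {}                # SSO cookie value -> username (login state)
        self.service_tickets = {}     # service ticket -> (username, serviceId, issued)
        self.ticket_ttl = ticket_ttl

    def login(self, username, password, service, sso_cookie=None):
        """Step 2: check id/password, or reuse the SSO cookie (step 2a)."""
        if sso_cookie in self.tgts:
            username = self.tgts[sso_cookie]            # 2a: no password needed
        elif username in self.users and self.users[username] == password:
            sso_cookie = "TGT-" + secrets.token_urlsafe(16)
            self.tgts[sso_cookie] = username            # save login state
        else:
            return None, None                           # N: login again
        ticket = "ST-" + secrets.token_urlsafe(16)      # opaque, random ticket
        self.service_tickets[ticket] = (username, service, time.time())
        return sso_cookie, ticket                       # step 3: ticket transfer

    def validate(self, ticket, service):
        """Step 4: single-use, bound to the serviceId it was issued for, time-limited."""
        entry = self.service_tickets.pop(ticket, None)  # pop: a replayed ticket fails
        if entry is None:
            return None
        username, bound_service, issued = entry
        if bound_service != service or time.time() - issued > self.ticket_ttl:
            return None
        return username

class Service:
    def __init__(self, cas, url):
        self.cas, self.url, self.sessions = cas, url, {}

    def request(self, session):
        """Step 1: logged-in sessions get the resource, others are sent to CAS."""
        if session in self.sessions:
            return "resource"
        return "redirect:/cas/login?" + urlencode({"service": self.url})

    def receive_ticket(self, ticket, session):
        """Step 5: the app sees only the opaque ticket, never the password."""
        user = self.cas.validate(ticket, self.url)
        if user:
            self.sessions[session] = user
        return user
```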

Page 22: CAS Enhancement
Page 23: CAS Enhancement
Page 24: CAS Enhancement
Page 25: CAS Enhancement

You will get this kind of error message as you access the CAS login page:

    org.apache.jasper.JasperException: /WEB-INF/view/jsp/default/ui/casLoginView.jsp(48,35) Attribute value request.getQueryString() == null ? "" : request.getQueryString().replaceAll("&locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]|^locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]", "") is quoted with " which must be escaped when used within the value

◦ Apparently Tomcat changed the way it handles quotation marks in JSP pages to use strict checking: https://issues.apache.org/bugzilla/show_bug.cgi?id=45015

Page 26: CAS Enhancement

Temporary solution: go to Tomcat 5.5\webapps\cas-server-webapp-3.2\WEB-INF\view\jsp\default\ui, modify casLoginView.jsp, and delete line 48:

Page 27: CAS Enhancement

Just provide the same user name and password, then you can pass the validation.

Page 28: CAS Enhancement
Page 29: CAS Enhancement
Page 30: CAS Enhancement
Page 31: CAS Enhancement
Page 32: CAS Enhancement
Page 33: CAS Enhancement
Page 34: CAS Enhancement

Modify this return page

Page 35: CAS Enhancement

Find the mapping servlet controller in applicationContext.xml

Create a new login successful page

Modification principle
◦ Modify the server-side API instead of the client side, so clients will not need any modification.
◦ Just use a new URL pattern, e.g. serviceValidateByMail, to let the servlet controller do the validation and return the new successful login page.

Page 36: CAS Enhancement
Page 37: CAS Enhancement
Page 38: CAS Enhancement
Page 39: CAS Enhancement
Page 40: CAS Enhancement

Add one more view property
◦ casServiceSuccessViewByMail.(class)=org.springframework.web.servlet.view.JstlView
◦ casServiceSuccessViewByMail.url=/WEB-INF/view/jsp/protocol/2.0/casServiceValidationByMailSuccess.jsp

Page 41: CAS Enhancement

In org.jasig.cas.web package

Page 42: CAS Enhancement