Total Pageviews

Monday, December 13, 2010

CAS with ageci security

At my latest project I got the opportunity to use CAS server in combination with acegi security. With this setup it is possible to have a real single sign-on authentication over multiple contexts and servers.


On the acegi security site and the CAS site I could not find a tutorial to get this setup up and running correctly. It took me several days to get a hello world setup up and running. The biggest problem came across was outdated ageci security documentation. It seems that they did some refactoring in there code base! Additional I had some problem to get tomcat (https) configured correctly. This article will give you a guide on how to get this hello world setup up and running from scratch.

My setup is based on tomcat I used tomcat version 5.5.23 as my servlet engine. CAS needs to run on https, for https you need to sign your JDK by generating a certificate and add this to the jks keychain. WARNING generating the certificate use ‘localhost ’ as your name or common name, otherwise tomcat will not except this certificate.

$JAVA_HOME\bin\keytool -delete -alias tomcat -keypass changeit
    $JAVA_HOME\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
    $JAVA_HOME\bin\keytool -export -alias tomcat -keypass changeit -file server.crt
    $JAVA_HOME\bin\keytool -import -file server.crt -keypass changeit -keystore %JAVA_HOME\jre\lib\security\cacerts
    $JAVA_HOME\bin\keytool -import -file server.crt -keypass changeit

For tomcat to accept https request the next few lines should be added to the server.xml. The .keystore file can be found in your home folder.

<Connector port="8443" maxHttpHeaderSize="8192"
       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
       enableLookups="false" disableUploadTimeout="true"
       acceptCount="100" scheme="https" secure="true"
       clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/.keystore"
       keystorePass="changeit"/>

To get CAS going download the latest 3.x release, I used 3.1 and drop the cas.war in tomcat. For a simple hello world application CAS doesn't need any more configuration. CAS will aunthenticate all user who have the same username as password, I will come back to this later on

Ageci security was for me alot more difficult to setup correctly. The article will only walk you through the basics, for more details I refer to the source code.
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
   <property name="userMap">
     <value>
       marissa=marissa,ROLE_USER,ROLE_SUPERVISOR
       dianne=dianne,ROLE_USER
       scott=scott,ROLE_USER
       peter=peter,ROLE_USER
     </value>
   </property>
 </bean>

 <bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">
  <property name="casAuthoritiesPopulator"><ref local="casAuthoritiesPopulator"/></property>
  <property name="casProxyDecider"><ref local="casProxyDecider"/></property>
  <property name="ticketValidator"><ref local="casProxyTicketValidator"/></property>
  <property name="statelessTicketCache"><ref local="statelessTicketCache"/></property>
  <property name="key"><value>my_password_for_this_auth_provider_only</value></property>
 </bean>

Ageci is set up around the inMemoryDaoImpl, four users are defined marissa, dianne, scott, and peter. This DAO is used to get the credentials for the users who are authenticated by CAS, CAS can only check if a user is authenticated. The CasAuthenticationProvider has a special field 'key' what should be set to some special phrase. This phrase is used with-in CAS to distinguish the different client applications. This is necessary for applications what need extra security for instance for some applications CAS needs to re-check the credentials of the user to match the security requirements.

1 comment: