[cas-dev] Decoupling CAS' AuthN and Ticketing (Was Re: SPNEGO)
Stephen A. Cochran
stephen.a.cochran at Dartmouth.EDU
Wed Jun 14 13:05:09 EDT 2006
On Jun 13, 2006, at 3:54 PM, Scott Battaglia wrote:
> 1. You'll need to configure
> org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler
> as an authentication handler (no properties)
>
> 2. You'll need to configure
> org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver
> as a CredentialsToPrincipalResolver (no properties)
>
> And then depending on whether you expect the user to be in the remote
> user or the UserPrincipal part of the request, you would need to enable
> one of the web.flow classes in your cas-servlet.xml (there are examples
> in there) and then add it to the login-flow.xml (you can probably follow
> the X.509 example).
>
>
For the list's benefit, and since it took me a while to find the
PBCAction file, here are the detailed steps to get SPNEGO working.
First, get mod_auth_kerb working in apache for some test directory
(see the sample kerberos apache config below). Also get mod_jk working
correctly for cas.
To modify cas to trust the remote_user env var set by mod_auth_kerb:
Download PrincipalBearingCredentialsAuthenticationHandler.java,
PrincipalBearingCredentialsToPrincipalResolver.java,
PrincipalBearingCredentials.java, and
PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction.java
from the source into localPlugins. I searched on the filenames in the
fisheye source viewer and used wget to get the raw files.
Add the AuthenticationHandler and PrincipalResolver to the
deployerConfigContext.xml file (the AuthenticationHandler should
probably be the first one, since they are handled in order):
<bean class="edu.dartmouth.cas.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" />
<bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler" />
Modify the cas-servlet.xml file adding the following:
<bean id="spnegoCheck"
      parent="abstractCasLoginAction"
      class="org.jasig.cas.adaptors.trusted.web.flow.PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction" />
Modify the login-flow.xml file adding the following:
<action-state id="startAuthenticate">
    <action bean="spnegoCheck" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="viewLoginForm" />
</action-state>
The above could be chained with the x509 changes to check for
remote_user, then check for pki, and then fall back to the login
form. That's currently how we're set up:
<action-state id="startAuthenticate">
    <action bean="spnegoCheck" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="x509Check" />
</action-state>
<action-state id="x509Check">
    <action bean="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="viewLoginForm" />
</action-state>
Rebuild (make sure you have servlet.jar either in your classpath or
the localPlugin/lib directory) and redeploy. Configure apache to use
kerberos on the cas URL (mod_auth_kerb happens before mod_jk so no
problem there):
# The module must be loaded before any of its directives are parsed,
# otherwise httpd rejects Krb5Keytab as an invalid command.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
Krb5Keytab /etc/httpd/conf/keytab
<Location "/cas/login">
    AuthType Kerberos
    AuthName "Kerberos Login"
    Require valid-user
    # Negotiate (SPNEGO) only; do not fall back to Basic-auth password prompts
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbAuthRealms DARTMOUTH.EDU
    # Service principal for the keytab below (the list archive rewrote the "@" as " at ")
    KrbServiceName HTTP/login.dartmouth.edu@DARTMOUTH.EDU
    Krb5Keytab /etc/httpd/conf/keytab
</Location>
Restart and it all should work. I'm in the process of cleaning up all
our documentation, once I have it presentable I'll put it up on the
wiki as well.
Steve Cochran
Dartmouth College
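The chained flow in the post (spnegoCheck, then x509Check, then the login form) is a decision procedure over what the front-end web server vouches for. The following is an added, stand-alone Python simulation of that chain; it is not CAS code and not part of the original message. It assumes REMOTE_USER arrives as `user@REALM` (mod_auth_kerb's default when KrbLocalUserMapping is off), that the client certificate check reads mod_ssl's `SSL_CLIENT_VERIFY` / `SSL_CLIENT_S_DN` variables, and the constructed sample environments at the bottom stand in for real requests. It goes slightly beyond the post by refusing principals from realms other than the ones listed in KrbAuthRealms, a check worth having if the KDC ever gains cross-realm trusts.

```python
"""Simulation of the CAS login-flow chain described in the post:
spnegoCheck (REMOTE_USER set by mod_auth_kerb) -> x509Check (client
certificate) -> viewLoginForm.  Added example, not CAS's own code.
A plain dict stands in for the servlet request the CAS actions read.
"""
import re

# Realms the deployer lets mod_auth_kerb authenticate (KrbAuthRealms).
# Assumption: REMOTE_USER is the full principal "user@REALM".
TRUSTED_REALMS = {"DARTMOUTH.EDU"}


def principal_from_remote_user(environ, trusted_realms=TRUSTED_REALMS):
    """Stand-in for PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction.

    Returns the principal id when the container vouches for a remote user,
    otherwise None.  Unlike the stock action it also rejects principals
    whose realm is not in the deployer's trusted set (constructed check).
    """
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        return None
    if "@" in remote_user:
        user, realm = remote_user.rsplit("@", 1)
        if realm not in trusted_realms or not user:
            return None
        return user
    return remote_user


# Matches the CN attribute in either "/C=US/CN=alice" or "C=US,CN=alice" form.
_CN_RE = re.compile(r"(?:^|[/,])CN=([^/,]+)")


def principal_from_client_cert(environ):
    """Stand-in for x509Check: use the CN of the client certificate, but only
    if mod_ssl reports that the certificate chain actually verified."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    match = _CN_RE.search(environ.get("SSL_CLIENT_S_DN", ""))
    return match.group(1) if match else None


def start_authenticate(environ):
    """The action-state chain from login-flow.xml: the first action that
    yields a principal wins and the flow goes to sendTicketGrantingTicket;
    every 'error' transition falls through to the next check, and the
    login form is the final fallback."""
    checks = (
        ("spnegoCheck", principal_from_remote_user),
        ("x509Check", principal_from_client_cert),
    )
    for state, action in checks:
        principal = action(environ)
        if principal:
            return ("sendTicketGrantingTicket", state, principal)
    return ("viewLoginForm", None, None)


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "kerberos user": {"REMOTE_USER": "scochran@DARTMOUTH.EDU"},
    "foreign realm, valid cert": {
        "REMOTE_USER": "eve@OTHER.EXAMPLE",
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_S_DN": "/C=US/O=Dartmouth College/CN=alice",
    },
    "unverified cert only": {
        "SSL_CLIENT_VERIFY": "NONE",
        "SSL_CLIENT_S_DN": "/CN=mallory",
    },
    "anonymous": {},
}

if __name__ == "__main__":
    for label, env in SAMPLE_REQUESTS.items():
        print(f"{label:28s} -> {start_authenticate(env)}")
```

Note that with mod_jk the web server's REMOTE_USER only reaches `request.getRemoteUser()` in Tomcat if the AJP connector is configured with `tomcatAuthentication="false"`; with the default the container ignores what Apache sends and the spnegoCheck step will always fall through.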