[cas-dev] Decoupling CAS' AuthN and Ticketing (Was Re: SPNEGO)

Scott Battaglia scott_battaglia at rutgers.edu
Wed Jun 14 13:38:37 EDT 2006


Steve,

Thanks for those detailed instructions!  Just a note that as of CAS 
3.0.5 RC1, the jar file for the adaptor-trusted should be included in 
the Maven repository.

CAS 3.0.6 will also include SPNEGO support (it was contributed by 
someone who modified the code I had).  As soon as 3.0.5 is out the door, 
I'll start working on supporting SPNEGO natively.

-Scott

Stephen A. Cochran wrote:
> On Jun 13, 2006, at 3:54 PM, Scott Battaglia wrote:
>
>
>   
>> 1.  You'll need to configure
>> org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler
>> as an authentication handler (no properties)
>>
>> 2.  You'll need to configure
>> org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver
>> as a CredentialsToPrincipalResolver (no properties)
>>
>> And then depending on whether you expect the user to be in the remote
>> user or the UserPrincipal part of the request, you would need to enable
>> one of the web.flow classes in your cas-servlet.xml (there are examples
>> in there) and then add it to the login-flow.xml (you can probably follow
>> the X.509 example).
>>
>>     
>
> For the list's benefit and since it took me a while to find the  
> PBCAction file, here's the detailed steps to get SPNEGO working.
>
> First, get mod_auth_kerb working in apache for some test directory  
> (see sample kerberos apache config below). Also get mod_jk working  
> correctly for cas.
>
> To modify cas to trust the remote_user env var set by mod_auth_kerb:
>
> Download PrincipalBearingCredentialsAuthenticationHandler.java,    
> PrincipalBearingCredentialsToPrincipalResolver.java,  
> PrincipalBearingCredentials.java, and  
> PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction.java  
> from the source into localPlugins. I searched on the filenames in the  
> fisheye source viewer and used wget to get the raw files.
>
> Add the AuthenticationHandler and PrincipalResolver to the  
> deployerConfigContext.xml file (The AuthenticationHandler should  
> probably be the first one since they are handled in order):
>
> <bean class="edu.dartmouth.cas.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" />
>
> <bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler" />
>
> Modify the cas-servlet.xml file adding the following:
>
>          <bean
>                  id="spnegoCheck"
>                  parent="abstractCasLoginAction"
>                  class="org.jasig.cas.adaptors.trusted.web.flow.PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction" />
>
> Modify the login-flow.xml file adding the following:
>
>          <action-state id="startAuthenticate">
>                  <action bean="spnegoCheck" />
>                  <transition on="success" to="sendTicketGrantingTicket" />
>                  <transition on="error" to="viewLoginForm" />
>          </action-state>
>
> The above could be chained with the x509 changes to check for  
> remote_user, then check for pki, and then fall back to the login  
> form. That's currently how we're set up:
>
>          <action-state id="startAuthenticate">
>                  <action bean="spnegoCheck" />
>                  <transition on="success" to="sendTicketGrantingTicket" />
>                  <transition on="error" to="x509Check" />
>          </action-state>
>
>          <action-state id="x509Check">
>                  <action bean="x509Check" />
>                  <transition on="success" to="sendTicketGrantingTicket" />
>                  <transition on="error" to="viewLoginForm" />
>          </action-state>
>
>
> Rebuild (make sure you have servlet.jar either in your classpath or  
> the localPlugin/lib directory) and redeploy. Configure apache to use  
> kerberos on the cas URL (mod_auth_kerb happens before mod_jk so no  
> problem there):
>
> Krb5Keytab /etc/httpd/conf/keytab
> LoadModule      auth_kerb_module        modules/mod_auth_kerb.so
>
> <Location "/cas/login">
>          AuthType Kerberos
>          AuthName "Kerberos Login"
>          Require valid-user
>          KrbMethodNegotiate on
>          KrbMethodK5Passwd off
>          KrbAuthRealms   DARTMOUTH.EDU
>          KrbServiceName  HTTP/login.dartmouth.edu@DARTMOUTH.EDU
>          Krb5Keytab /etc/httpd/conf/keytab
> </Location>
>
> Restart and it all should work. I'm in the process of cleaning up all  
> our documentation, once I have it presentable I'll put it up on the  
> wiki as well.
>
> Steve Cochran
> Dartmouth College
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>   
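The fallback chain Steve describes (spnegoCheck first, then x509Check, then the interactive login form) can be traced by hand, but a small simulation makes the ordering concrete. The script below is an added example, not part of this thread or of the CAS code base: it parses the login-flow.xml fragment quoted above and walks it for a request that carries a Kerberos REMOTE_USER, a client certificate only, or neither. The ACTIONS table is an assumption of this example standing in for the two non-interactive action beans; the real spnegoCheck succeeds on any non-empty REMOTE_USER, which is why the setup depends on mod_auth_kerb being the only component able to set it (it runs before mod_jk, as noted above).

```python
"""Walk the CAS login-flow fallback chain (spnegoCheck -> x509Check -> login form).

Added example, not part of the original thread or of CAS itself. It parses the
login-flow.xml fragment quoted in the mail and reports which path a request
takes depending on which credentials the Apache front end supplied.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the action-state fragment from the mail, wrapped in a
# root element so it parses as a document (the real file has more states).
LOGIN_FLOW_XML = """
<flow>
  <action-state id="startAuthenticate">
    <action bean="spnegoCheck" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="x509Check" />
  </action-state>
  <action-state id="x509Check">
    <action bean="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="viewLoginForm" />
  </action-state>
</flow>
"""


def parse_flow(xml_text):
    """Return {state_id: (bean, {event: next_state})} for every action-state."""
    root = ET.fromstring(xml_text)
    states = {}
    for st in root.findall("action-state"):
        bean = st.find("action").get("bean")
        transitions = {t.get("on"): t.get("to") for t in st.findall("transition")}
        states[st.get("id")] = (bean, transitions)
    return states


# Hypothetical stand-ins for the two non-interactive actions (assumption of this
# example): each reports "success" only when the credential it looks for is
# present and non-empty, mirroring the trust placed in REMOTE_USER.
ACTIONS = {
    "spnegoCheck": lambda req: "success" if req.get("remote_user") else "error",
    "x509Check": lambda req: "success" if req.get("client_cert_dn") else "error",
}


def run_flow(states, request, start="startAuthenticate"):
    """Follow transitions from `start` until a state with no action is reached.

    Returns the list of visited state ids, ending in the terminal state
    (sendTicketGrantingTicket or viewLoginForm for this fragment).
    """
    path = [start]
    current = start
    while current in states:
        bean, transitions = states[current]
        outcome = ACTIONS[bean](request)
        current = transitions[outcome]
        path.append(current)
        if len(path) > len(states) + 1:  # guard against a cyclic flow definition
            raise RuntimeError("login flow does not terminate")
    return path


if __name__ == "__main__":
    flow = parse_flow(LOGIN_FLOW_XML)
    # mod_auth_kerb populated REMOTE_USER: ticket granted, no login form shown
    print(run_flow(flow, {"remote_user": "alice@DARTMOUTH.EDU"}))
    # no Kerberos ticket but a client certificate: x509Check takes over
    print(run_flow(flow, {"client_cert_dn": "CN=alice"}))
    # neither credential: fall through to the interactive form
    print(run_flow(flow, {}))
```

Running the script prints the three paths; the empty-string case in the test below shows that a blank REMOTE_USER is treated the same as an absent one and falls through to x509Check rather than granting a ticket.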