Hello everyone,
I've been recently struggling with the CasLoginModule, WebAuthentication,
WebAuthenticationFilter and JBoss 5.1.0.GA quartet. My aim is to create a
centralized authentication and authorization server using CAS and LDAP as
its backend and CAS-ify several different client systems. In order to
satisfy the "authorization" part, permissions (based on group membership in
LDAP) are returned as an attribute. The server part turned out to be pretty
easy, so did the Spring Security client. Excellent work, guys!
Then I moved to JEE-based clients. My requirement is to secure both business
layer (EJBs) and presentation layer (servlets) by accessing authentication
and authorization info via JAAS and Servlet API (@RolesAllowed in EJBs,
request.isUserInRole() and so on in servlets). The CasLoginModule along with
WebAuthentication seemed a nice solution, unfortunately, I couldn't force it
to work.
This is what I've done so far:
1. I've uncommented the org.apache.catalina.authenticator.SingleSignOn valve
in server/default/deploy/jbossweb.sar/server.xml (together with the "access
log" valve, the latter works for sure)
2. I've copied cas-client-core-3.1.12.jar and
cas-client-integration-jboss-3.1.12.jar into server/default/lib/ so the
server is able to instantiate the login module
3. I've created an application policy in server/default/login-config.xml:
<application-policy name="cas">
  <authentication>
    <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required">
      <module-option name="ticketValidatorClass">org.jasig.cas.client.validation.Saml11TicketValidator</module-option>
      <module-option name="casServerUrlPrefix">https://localhost:9443/cas</module-option>
      <module-option name="tolerance">20000</module-option>
      <module-option name="service">https://localhost:8443/test-jaas</module-option>
      <module-option name="defaultRoles">admin,operator</module-option>
      <module-option name="roleAttributeNames">memberOf,eduPersonAffiliation,authorities</module-option>
      <module-option name="principalGroupName">CallerPrincipal</module-option>
      <module-option name="roleGroupName">Roles</module-option>
      <module-option name="cacheAssertions">true</module-option>
      <module-option name="cacheTimeout">480</module-option>
    </login-module>
  </authentication>
</application-policy>
4. This application policy is referenced in both WEB-INF/jboss-web.xml in
the WAR and META-INF/jboss.xml in the EJB-JAR:
<jboss-web>
  <security-domain>java:/jaas/cas</security-domain>
</jboss-web>
<jboss>
  <security-domain>java:/jaas/cas</security-domain>
</jboss>
5. The context-param called "service" is specified in the web.xml and points
to the CAS installation, with the same value as the "service" login module
property; it is simply required by AbstractCasFilter.
6. org.jasig.cas.client.session.SingleSignOutHttpSessionListener is present
in the web.xml; org.jasig.cas.client.session.SingleSignOutFilter and
org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter are
provided and bound to /*.
7. Methods of the stateless EJB are protected via the @RolesAllowed annotation,
pages of the webapp are protected via security-constraint(s).
(Please note that if a different login module (e.g. the properties-based
org.jboss.security.auth.spi.UsersRolesLoginModule) is specified in the "cas"
application-policy together with e.g. BASIC authentication, the EJB and
webapp work as desired.)
Now, I'm a bit confused about how it should work.
1. Should the WebAuthenticationFilter (or any other member of this quartet)
redirect me to the CAS login site if I'm not logged in? This is the behavior I
would expect (and this is what I get when using the Spring Security client), but
I haven't noticed anything which would trigger the redirect. My requests
always fall into the branch which says "User principal not found. Removing
CAS assertion from session to force reauthentication." and I get 403. If
not, how am I supposed to provide the ticket value? Should I just write
another filter that would redirect to CAS in the absence of a ticket parameter or
a valid user principal in the request? Is this really so simple? How do I detect
the fact that I need (or do not need) the authentication at all (some pages
are public, no need to visit the CAS login page)? Perhaps there exists a filter
which would accomplish this task?
2. As part of my investigation I've manually entered a URL like
https://localhost:8443/test-jaas/?ticket=ST-6-yfvbdHzzzlLUyoLvjcve-cas in
the address bar of the browser in order to enter the first if-branch of the
WebAuthenticationFilter (as the "ticket" request parameter was present). The
WebAuthentication.login(String, String) returned false, but no activity on
the CAS server has been logged, nor a single log message originating from
the CasLoginModule on the service provider side. It seems to me that the
CasLoginModule hasn't been used at all. The classes provide almost no
logging and I couldn't figure out what's going on. What could have gone wrong?
How do I check if the login module has been invoked at all?
3. How should the web.xml descriptor be defined in terms of login-config?
Which auth-method should be used, if any? BASIC, DIGEST? None of them seems
appropriate - I would just expect a redirect. How about the "realm" - should
its name be the same as the name of the application-policy and security-domain?
I've noticed that this term is used later by the WebAuthentication class.
Nevertheless, I cannot specify the realm without an auth-method - JBoss
reports a deployment error.
Is there anything I've forgotten to do or simply misunderstood?
I will appreciate any help or clarification, best regards, Maciek
PS: I attach the following files:
- web.xml of my webapp: http://jasig.275507.n4.nabble.com/file/n3044438/web.xml
- its neighbour jboss-web.xml: http://jasig.275507.n4.nabble.com/file/n3044438/jboss-web.xml
- META-INF/jboss.xml of the EJB-JAR: http://jasig.275507.n4.nabble.com/file/n3044438/jboss.xml
- server/default/conf/login-config.xml: http://jasig.275507.n4.nabble.com/file/n3044438/login-config.xml
- server/default/deploy/jbossweb.sar/server.xml: http://jasig.275507.n4.nabble.com/file/n3044438/server.xml
I also apologize if this message has been reposted.
--
View this message in context:
http://jasig.275507.n4.nabble.com/Problems-with-CAS-ifying-a-JEE-application-using-JAAS-tp3044438p3044438.html
Sent from the CAS Users mailing list archive at Nabble.com.
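The redirect-to-CAS filter asked about in question 1 above, as an added example that is not from this thread and not the Jasig client's own code (the client does ship org.jasig.cas.client.authentication.AuthenticationFilter for this purpose; the class below is a hypothetical minimal equivalent). The class name and the init parameters casServerLoginUrl, service and publicPaths are assumptions of this example; the paths and URLs mirror the ones in the post.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, not part of the Jasig CAS client. Mount it before
// WebAuthenticationFilter: requests with no container principal and no CAS
// ticket are sent to the CAS login page; everything else falls through to the
// CAS client filters, which validate the ?ticket=ST-... that CAS returns with.
public class CasLoginRedirectFilter implements Filter {
    private String casLoginUrl;          // e.g. https://localhost:9443/cas/login
    private String serviceUrl;           // must equal the "service" module option
    private List<String> publicPrefixes; // context-relative paths that stay public
    public void init(FilterConfig cfg) {
        casLoginUrl = cfg.getInitParameter("casServerLoginUrl");
        serviceUrl = cfg.getInitParameter("service");
        String pub = cfg.getInitParameter("publicPaths"); // comma-separated prefixes
        publicPrefixes = pub == null ? Collections.<String>emptyList()
                                     : Arrays.asList(pub.split(","));
    }

    // True only when a CAS login round trip is needed for this request.
    static boolean needsRedirect(String path, String ticket, boolean hasPrincipal,
                                 List<String> publicPrefixes) {
        if (hasPrincipal) return false;                          // already authenticated
        if (ticket != null && ticket.length() > 0) return false; // let the CAS client validate it
        for (String prefix : publicPrefixes) {
            if (path.startsWith(prefix.trim())) return false;    // public page, no login needed
        }
        return true;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (needsRedirect(path, request.getParameter("ticket"),
                          request.getUserPrincipal() != null, publicPrefixes)) {
            // service is the configured value, never the request URL, so this is not an open redirect
            response.sendRedirect(casLoginUrl + "?service=" + URLEncoder.encode(serviceUrl, "UTF-8"));
            return;
        }
        chain.doFilter(req, res);
    }
    public void destroy() { }
}
```

The filter-mapping for this class must appear before the WebAuthenticationFilter mapping in web.xml, and the service init parameter must be byte-for-byte the value of the "service" module option, since the CAS server only validates a ticket against the exact service it was issued for.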