Harry,

I'd recommend managing your CAS instance using the Maven2 WAR Overlay
method.  It cleanly separates your configuration and also manages your
dependencies.

https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method

Cheers,
Scott


On Tue, Mar 29, 2011 at 3:22 PM, Harry Hoffman <[email protected]> wrote:

> Hi All,
>
> I'm hoping for some feedback (and to help other poor souls like myself who
> stumbled around trying to setup CAS).
>
> Below are all of the steps plus an example deployerConfigContext.xml that
> will get CAS up and running and allow authentication to either LDAP or AD
> (via LDAP).
>
> There's still a ton to configure for the actual CAS setup but I'm hoping
> that this is a bit more straightforward than some of what's in the wiki:
>
>
> Cheers,
> Harry
>
> # How to setup cas-server-3.4.7 under Linux and tomcat auth'ing via LDAP or AD
> # credentials
> # A couple of assumptions:
> # Apache and Tomcat are already configured
> #  You have created a user in AD for binding via LDAP
> #  Your SunOne LDAP server allows anonymous binds for password comparison
> #  You have downloaded spring-ldap-<VERSION>.jar to /tmp
> #  You have downloaded commons-pool-<VERSION>.jar to /tmp
> #
> #
> cd /tmp && wget http://downloads.jasig.org/cas/cas-server-3.4.7-release.tar.gz
> tar xzpf cas-server-3.4.7-release.tar.gz
> mkdir /app/tomcat/webapps/cas && chown root.tomcat /app/tomcat/webapps/cas
> cd /app/tomcat/webapps/cas && unzip /tmp/cas-server-3.4.7/modules/cas-server-webapp-3.4.7.war
> vim /app/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml
> cp /tmp/cas-server-3.4.7/modules/cas-server-support-ldap-3.4.7.jar /app/tomcat/webapps/cas/WEB-INF/lib/
> cp /tmp/spring-ldap-1.3.0.RELEASE-all.jar /app/tomcat/webapps/cas/WEB-INF/lib/
> cp /tmp/commons-pool-1.5.5.jar /app/tomcat/webapps/cas/WEB-INF/lib/
>
>
>
> cat /app/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>        | deployerConfigContext.xml centralizes into one file some of the
> declarative configuration that
>        | all CAS deployers will need to modify.
>        |
>        | This file declares some of the Spring-managed JavaBeans that make
> up a CAS deployment.
>        | The beans declared in this file are instantiated at context
> initialization time by the Spring
>        | ContextLoaderListener declared in web.xml.  It finds this file
> because this
>        | file is among those declared in the context parameter
> "contextConfigLocation".
>        |
>        | By far the most common change you will need to make in this file
> is to change the last bean
>        | declaration to replace the default
> SimpleTestUsernamePasswordAuthenticationHandler with
>        | one implementing your approach for authenticating usernames and
> passwords.
>        +-->
> <beans xmlns="http://www.springframework.org/schema/beans"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xmlns:p="http://www.springframework.org/schema/p"
>       xmlns:sec="http://www.springframework.org/schema/security"
>       xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>       http://www.springframework.org/schema/security
> http://www.springframework.org/schema/security/spring-security-3.0.xsd">
>        <!--
>                | This bean declares our AuthenticationManager.  The
> CentralAuthenticationService service bean
>                | declared in applicationContext.xml picks up this
> AuthenticationManager by reference to its id,
>                | "authenticationManager".  Most deployers will be able to
> use the default AuthenticationManager
>                | implementation and so do not need to change the class of
> this bean.  We include the whole
>                | AuthenticationManager here in the userConfigContext.xml so
> that you can see the things you will
>                | need to change in context.
>                +-->
>        <bean id="authenticationManager"
> class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>                <!--
>                        | This is the List of CredentialToPrincipalResolvers
> that identify what Principal is trying to authenticate.
>                        | The AuthenticationManagerImpl considers them in
> order, finding a CredentialToPrincipalResolver which
>                        | supports the presented credentials.
>                        |
>                        | AuthenticationManagerImpl uses these resolvers for
> two purposes.  First, it uses them to identify the Principal
>                        | attempting to authenticate to CAS /login .  In the
> default configuration, it is the DefaultCredentialsToPrincipalResolver
>                        | that fills this role.  If you are using some other
> kind of credentials than UsernamePasswordCredentials, you will need to
> replace
>                        | DefaultCredentialsToPrincipalResolver with a
> CredentialsToPrincipalResolver that supports the credentials you are
>                        | using.
>                        |
>                        | Second, AuthenticationManagerImpl uses these
> resolvers to identify a service requesting a proxy granting ticket.
>                        | In the default configuration, it is the
> HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
>                        | You will need to change this list if you are
> identifying services by something more or other than their callback URL.
>                        +-->
>                <property name="credentialsToPrincipalResolvers">
>                        <list>
>                                <!--
>                                        |
> UsernamePasswordCredentialsToPrincipalResolver supports the
> UsernamePasswordCredentials that we use for /login
>                                        | by default and produces
> SimplePrincipal instances conveying the username from the credentials.
>                                        |
>                                        | If you've changed your
> LoginFormAction to use credentials other than UsernamePasswordCredentials
> then you will also
>                                        | need to change this bean
> declaration (or add additional declarations) to declare a
> CredentialsToPrincipalResolver that supports the
>                                        | Credentials you are using.
>                                        +-->
>                                <bean
> class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                                <!--
>                                        |
> HttpBasedServiceCredentialsToPrincipalResolver supports
> HttpBasedCredentials.  It supports the CAS 2.0 approach of
>                                        | authenticating services by SSL
> callback, extracting the callback URL from the Credentials and representing
> it as a
>                                        | SimpleService identified by that
> callback URL.
>                                        |
>                                        | If you are representing services
> by something more or other than an HTTPS URL whereat they are able to
>                                        | receive a proxy callback, you will
> need to change this bean declaration (or add additional declarations).
>                                        +-->
>                                <bean
> class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>                        </list>
>                </property>
>
>                <!--
>                        | Whereas CredentialsToPrincipalResolvers identify
> who it is some Credentials might authenticate,
>                        | AuthenticationHandlers actually authenticate
> credentials.  Here we declare the AuthenticationHandlers that
>                        | authenticate the Principals that the
> CredentialsToPrincipalResolvers identified.  CAS will try these handlers in
> turn
>                        | until it finds one that both supports the
> Credentials presented and succeeds in authenticating.
>                        +-->
>                <property name="authenticationHandlers">
>                        <list>
>                                <!--
>                                        | This is the authentication handler
> that authenticates services by means of callback via SSL, thereby
> validating
>                                        | a server side SSL certificate.
>                                        +-->
>                                <bean
> class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>                                        p:httpClient-ref="httpClient" />
>                                <!--
>                                        | This is the authentication handler
> declaration that every CAS deployer will need to change before deploying
> CAS
>
>                                        | into production.  The default
> SimpleTestUsernamePasswordAuthenticationHandler authenticates
> UsernamePasswordCredentials
>                                        | where the username equals the
> password.  You will need to replace this with an AuthenticationHandler that
> implements your
>                                        | local authentication strategy.
> You might accomplish this by coding a new such handler and declaring
>                                        |
> edu.someschool.its.cas.MySpecialHandler here, or you might use one of the
> handlers provided in the adaptors modules.
>                                <bean
> class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
>                                +-->
>
>
>                                <!-- YOUR specific authentication sources.
> Initially we wanted RADIUS via JRADIUS client but there seems to be bugs
>                                        | in the implementation (first logon
> works all other logins have the user password munged).
>                                        | So, we'll configure authentication
> via LDAP for both AD and our Sun LDAP servers.
>                                -->
>                                <!-- LDAP -->
>                                <bean
> class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
>                    <property name="filter"
> value="uid=%u,ou=people,dc=CHANGE,dc=ME,o=internet" />
>                    <property name="contextSource" ref="contextSource" />
>                </bean>
>                                <!-- AD -->
>                                <bean
> class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
>                    <property name="filter" value="samAccountName=%u" />
>                    <property name="searchBase" value="dc=CHANGE,dc=ME" />
>                    <property name="contextSource" ref="contextSourceAD" />
>                                        <property name="ignorePartialResultException" value="yes" />
>                </bean>
>
>
>
>                        </list>
>                </property>
>        </bean>
>
>        <!-- YOUR specific authentication sources. Initially we wanted
> RADIUS via JRADIUS client but there seems to be bugs
>                | in the implementation (first logon works all other logins
> have the user password munged).
>                | So, we'll configure authentication via LDAP for both AD
> and our Sun LDAP servers.
>        -->
>        <!-- LDAP -->
>        <bean id="contextSource"
> class="org.springframework.ldap.core.support.LdapContextSource">
>                <property name="pooled" value="false"/>
>                <property name="urls">
>                        <list>
>                                <value>ldaps://ldap.CHANGE.ME/</value>
>                        </list>
>                </property>
>        </bean>
>        <!-- AD -->
>        <bean id="contextSourceAD"
> class="org.springframework.ldap.core.support.LdapContextSource">
>                <property name="pooled" value="true"/>
>                <property name="urls">
>                        <list>
>                                <value>ldaps://AD1.change.me/</value>
>                                <value>ldaps://AD2.change.me/</value>
>                                <value>ldaps://AD3.change.me/</value>
>                                <value>ldaps://AD4.change.me/</value>
>                                <value>ldaps://AD5.change.me/</value>
>                        </list>
>                </property>
>                <property name="userDn" value="[email protected]"/>
>                <property name="password" value="CHANGEME"/>
>                <property name="baseEnvironmentProperties">
>                        <map>
>                                <entry>
>                                        <key>
>
> <value>java.naming.security.authentication</value>
>                                        </key>
>                                                <value>simple</value>
>                                </entry>
>                        </map>
>                </property>
>        </bean>
>
>
>        <!--
>        This bean defines the security roles for the Services Management
> application.  Simple deployments can use the in-memory version.
>        More robust deployments will want to use another option, such as the
> Jdbc version.
>
>        The name of this should remain "userDetailsService" in order for
> Spring Security to find it.
>         -->
>    <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused"
> authorities="ROLE_ADMIN" />-->
>
>    <sec:user-service id="userDetailsService">
>        <sec:user name="securityadmin" password="notused"
> authorities="ROLE_ADMIN" />
>    </sec:user-service>
>
>        <!--
>        Bean that defines the attributes that a service may return.  This
> example uses the Stub/Mock version.  A real implementation
>        may go against a database or LDAP server.  The id should remain
> "attributeRepository" though.
>         -->
>        <bean id="attributeRepository"
> class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>                <property name="backingMap">
>                        <map>
>                                <entry key="uid" value="uid" />
>                                <entry key="eduPersonAffiliation"
> value="eduPersonAffiliation" />
>                                <entry key="groupMembership"
> value="groupMembership" />
>                        </map>
>                </property>
>        </bean>
>
>        <!--
>        Sample, in-memory data store for the ServiceRegistry. A real
> implementation
>        would probably want to replace this with the JPA-backed
> ServiceRegistry DAO
>        The name of this bean should remain "serviceRegistryDao".
>         -->
>        <bean
>                id="serviceRegistryDao"
>        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
>            <property name="registeredServices">
>                <list>
>                    <bean
> class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="0" />
>                        <property name="name" value="HTTP" />
>                        <property name="description" value="Only Allows HTTP
> Urls" />
>                        <property name="serviceId" value="http://**" />
>                    </bean>
>
>                    <bean
> class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="1" />
>                        <property name="name" value="HTTPS" />
>                        <property name="description" value="Only Allows
> HTTPS Urls" />
>                        <property name="serviceId" value="https://**" />
>                    </bean>
>
>                    <bean
> class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="2" />
>                        <property name="name" value="IMAPS" />
>                        <property name="description" value="Only Allows
> IMAPS Urls" />
>                        <property name="serviceId" value="imaps://**" />
>                    </bean>
>
>                    <bean
> class="org.jasig.cas.services.RegisteredServiceImpl">
>                        <property name="id" value="3" />
>                        <property name="name" value="IMAP" />
>                        <property name="description" value="Only Allows IMAP
> Urls" />
>                        <property name="serviceId" value="imap://**" />
>                    </bean>
>                </list>
>            </property>
>        </bean>
>
>    <bean id="auditTrailManager"
> class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
> </beans>
>
>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

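The two LDAP handlers in Harry's deployerConfigContext.xml treat the `%u` placeholder differently: FastBindLdapAuthenticationHandler drops the username into a DN template (`uid=%u,ou=people,...`) and binds as that DN, while BindLdapAuthenticationHandler drops it into a search filter (`samAccountName=%u`), searches under `searchBase` using the `userDn`/`password` service account from the contextSource, and then binds as the DN it found. The Python below is an added example, not CAS code and not from either poster, that models both flows against a constructed in-memory directory so the difference can be run and inspected offline. It escapes the username per RFC 4515 (filter) and RFC 4514 (DN) before substitution so that a username such as `*` or `a)(b` cannot change the meaning of the filter or DN, rejects empty passwords (an LDAP simple bind with an empty password is an anonymous bind, which a server may answer with success), and fails closed when the search returns zero or more than one entry. The DNs, attribute values and passwords are made up; whether a given CAS release performs this escaping itself is not claimed here.

```python
"""
Direct bind (DN template) versus search-then-bind (filter template) for a
CAS-style LDAP login, with the username escaped before it replaces %u.
Added example with an in-memory stand-in for the directory; the entries,
DNs and passwords below are constructed, not taken from any deployment.
"""
import re


def escape_filter_value(value):
    """RFC 4515: escape a value that is placed inside a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def escape_dn_value(value):
    """RFC 4514: escape an attribute value that is placed inside a DN."""
    out = "".join(
        "\\00" if ch == "\x00" else ("\\" + ch if ch in ',+"\\<>;' else ch)
        for ch in value
    )
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def _unescape(piece):
    """Decode \\XX hex escapes inside one filter-value segment."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)


class FakeDirectory:
    """Tiny in-memory LDAP stand-in: equality filters with '*' wildcards only."""

    def __init__(self):
        self.entries = {}  # lower-cased DN -> (attributes, password)

    def add(self, dn, password, **attrs):
        self.entries[dn.lower()] = (
            {k.lower(): v for k, v in attrs.items()}, password)

    def bind(self, dn, password):
        """Simple bind. An empty password would be an anonymous bind on a
        real server, so it is rejected here instead of counting as success."""
        entry = self.entries.get(dn.lower())
        return entry is not None and password != "" and entry[1] == password

    def search(self, base, filter_str):
        f = filter_str.strip()
        if f.startswith("(") and f.endswith(")"):
            f = f[1:-1]
        attr, _, raw = f.partition("=")
        # Split on unescaped '*' first, then decode \XX escapes inside each
        # segment, so an escaped \2a stays a literal asterisk.
        rx = re.compile(
            "^" + ".*".join(re.escape(_unescape(p)) for p in raw.split("*")) + "$",
            re.IGNORECASE | re.DOTALL)
        return [dn for dn, (attrs, _pw) in self.entries.items()
                if dn.endswith(base.lower())
                and attrs.get(attr.lower()) is not None
                and rx.match(attrs[attr.lower()])]


def fast_bind_auth(directory, dn_template, username, password):
    """FastBind style: build the user's DN from the template and bind as it."""
    if not password:
        return False
    dn = dn_template.replace("%u", escape_dn_value(username))
    return directory.bind(dn, password)


def search_bind_auth(directory, search_base, filter_template, username, password):
    """Search-then-bind style: find the user's DN with the filter (the real
    handler runs this search as the configured service account), then bind."""
    if not password:
        return False
    flt = filter_template.replace("%u", escape_filter_value(username))
    hits = directory.search(search_base, flt)
    if len(hits) != 1:                 # none or ambiguous: fail closed
        return False
    return directory.bind(hits[0], password)


def build_directory():
    """Constructed sample directory (hypothetical names and passwords)."""
    d = FakeDirectory()
    d.add("uid=hhoffman,ou=people,dc=example,dc=org", "s3cret", uid="hhoffman")
    d.add("CN=Harry Hoffman,OU=Staff,DC=example,DC=org", "s3cret",
          samAccountName="hhoffman")
    d.add("CN=Svc Bind,OU=Service,DC=example,DC=org", "bindpw",
          samAccountName="svc-cas")
    return d


LDAP_DN_TEMPLATE = "uid=%u,ou=people,dc=example,dc=org"   # FastBind 'filter'
AD_BASE, AD_FILTER = "DC=example,DC=org", "samAccountName=%u"


def demo():
    d = build_directory()
    return {
        "ldap_ok": fast_bind_auth(d, LDAP_DN_TEMPLATE, "hhoffman", "s3cret"),
        "ldap_badpw": fast_bind_auth(d, LDAP_DN_TEMPLATE, "hhoffman", "nope"),
        "ad_ok": search_bind_auth(d, AD_BASE, AD_FILTER, "hhoffman", "s3cret"),
        "ad_emptypw": search_bind_auth(d, AD_BASE, AD_FILTER, "hhoffman", ""),
        # '*' would match every account if it reached the filter raw;
        # escaped as \2a it matches nothing and the login fails.
        "ad_wildcard": search_bind_auth(d, AD_BASE, AD_FILTER, "*", "s3cret"),
        "wildcard_hits": len(d.search(AD_BASE, "samAccountName=*")),
        "escaped_hits": len(d.search(AD_BASE,
                                     "samAccountName=" + escape_filter_value("*"))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `wildcard_hits`/`escaped_hits` pair is the point to look at: the raw filter `samAccountName=*` matches every account that has the attribute, while the escaped form matches only a literal asterisk, which is why the username must be escaped before it is spliced into the `filter` property. The empty-password check matters for the AD contextSource in the posted config, which uses `java.naming.security.authentication=simple`.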