Hello,

Just wanted to follow up on this thread that Scott started for us a few weeks back. We were able to CAS-ify GroupWise with an alternate strategy that is a bit safer for our users and all server-side.
Our first strategy was the form fill page, as mentioned before, but it required JavaScript on the client side. If JavaScript was off, the credentials would be rendered in the resulting JSP page. Obviously this is/was undesirable -- someone with knowledge of this process could grab a password by interrupting the normal flow of execution. It's difficult to guarantee security at the physical level in public areas, so this wasn't an acceptable strategy for the long term. As a proof-of-concept for ClearPass utilization it worked fine.

The second strategy we've been pursuing is/was passing BASIC credentials via the Authorization header. Novell/NetIQ supports this with their Access Manager product via the Linux Access Gateway (LAG) that we're using right now for SSO. To activate BASIC for all clients, we just added a wildcard to the "permitted BASIC authentication addresses" variable in webacc.cfg, which enabled us to pass a header from anywhere to the webacc servlet.

To make BASIC happen between the gwCAS servlet and the webacc servlet, we implemented this strategy:

1) Create a servlet called gwCAS that proxies for the user to access ClearPass credentials.
2) Front the gwCAS servlet with the CAS Client for authentication/proxying.
3) Front the webacc servlet with a custom filter called GWSSOFilter that customizes the request sent to webacc.

The GWSSOFilter intervenes on access of the webacc servlet, then modifies the request for that servlet by adding an Authorization header on behalf of the user using a request wrapper. The header data is received from gwCAS. After this, the filter proceeds to the webacc servlet with the modified request that contains the added header. The user is then logged in to GroupWise WebAccess. It's all transparent to the user; the end result is no form fill or client-side scripting to log in, and it is secured over HTTPS.

The only thing left is to work out Single Log Out and keep testing the code.
-Ken
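For readers who want to see what the request-wrapper step of the GWSSOFilter approach looks like, here is an added illustration in servlet Java; it is not Ken's code. It assumes (hypothetically) that the gwCAS step has already left the user's credentials in the HTTP session under the attributes "gwcas.user" and "gwcas.password", and that Basic credentials only ever travel inside the server over HTTPS as described above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration of the GWSSOFilter approach, not the author's code. Assumption: the gwCAS
// step has stored the user's credentials in the session under the hypothetical attributes
// "gwcas.user" and "gwcas.password"; the real filter obtains them from gwCAS differently.
public class GWSSOFilter implements Filter {

    /** Request wrapper that presents one extra header, Authorization: Basic ..., to webacc. */
    static final class BasicAuthRequest extends HttpServletRequestWrapper {
        private final String authValue;

        BasicAuthRequest(HttpServletRequest req, String user, String password) {
            super(req);
            byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
            this.authValue = "Basic " + Base64.getEncoder().encodeToString(pair);
        }
        @Override public String getHeader(String name) {
            return "Authorization".equalsIgnoreCase(name) ? authValue : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            return "Authorization".equalsIgnoreCase(name)
                    ? Collections.enumeration(Collections.singletonList(authValue))
                    : super.getHeaders(name);
        }
        @Override public Enumeration<String> getHeaderNames() {
            Set<String> names = new LinkedHashSet<>(Collections.list(super.getHeaderNames()));
            names.add("Authorization"); // advertise the injected header as well
            return Collections.enumeration(names);
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("gwcas.user");
        String pass = session == null ? null : (String) session.getAttribute("gwcas.password");
        if (user == null || pass == null) { // nothing from gwCAS: hand the request on untouched
            chain.doFilter(req, res);
            return;
        }
        chain.doFilter(new BasicAuthRequest(http, user, pass), res); // webacc sees Basic auth
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The filter is mapped in web.xml ahead of the webacc servlet so the wrapper is what webacc receives; overriding getHeaderNames as well as getHeader keeps containers that enumerate headers from missing the injected one.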
