web.xml Method
The current Java CAS client can be found here: https://github.com/apereo/java-cas-client
To use the web.xml method, the Java CAS client .jars (built from source with Maven, or taken from a release) must be placed either in the application's WEB-INF/lib directory or in Tomcat's lib directory.
To use the CAS 2.0 protocol, place the following filter declarations in the web.xml of your application. Give serverName its scheme (https://server.name.uconn.edu); when the scheme is omitted the client infers http or https from the incoming request, which behind a TLS-terminating proxy yields an http:// service URL and makes CAS send the user (and the ticket) back over plain HTTP. renew=true makes CAS ask for credentials again for every new session with this service instead of honouring an existing single sign-on session; remove it if you want SSO. The validation filter calls casServerUrlPrefix over HTTPS, so the JVM's trust store must trust the CAS server's certificate. Cas20ProxyReceivingTicketValidationFilter can also accept proxy tickets once configured to do so; if the application will never be a proxy target, Cas20ServiceTicketValidationFilter is the narrower choice.

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://login.uconn.edu/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://server.name.uconn.edu</param-value>
    </init-param>
    <init-param>
        <param-name>renew</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://login.uconn.edu/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://server.name.uconn.edu</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
To use the SAML 1.1 protocol, place the following in the web.xml of your application. The CAS 2.0 protocol response carries only the username, so SAML 1.1 is the choice when the application needs released attributes such as group membership. The SAML 1.1 filters return the ticket in the SAMLart parameter rather than ticket, and they need the xmlsec, OpenSAML and commons-codec jars listed in the valve section below on the classpath.

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://login.uconn.edu/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://server.name.uconn.edu</param-value>
    </init-param>
    <init-param>
        <param-name>renew</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://login.uconn.edu/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://server.name.uconn.edu</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
Filter mappings determine which part of the application is placed behind CAS and vary with the layout of your application; anything outside the mapped url-pattern stays reachable without authentication. The container runs filters in the order their filter-mapping elements appear, so keep the order shown: the authentication filter first (redirects unauthenticated users to CAS), the validation filter second (validates the returned ticket and stores the assertion in the session), and the request wrapper last (exposes the authenticated user through request.getRemoteUser() and request.getUserPrincipal()). Example mappings for an application whose protected content lives under /example:

<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/example/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/example/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/example/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
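To see what the filters above do with the configured values, here is an added example in Python (not code from the Java CAS client or from this page) that models the two steps the web.xml filters perform: building the redirect to casServerLoginUrl with the service URL derived from serverName and the renew flag, and parsing the CAS 2.0 /serviceValidate reply that the validation filter receives. The hostnames, the ticket string and the two XML replies are constructed for the example; the URL rules follow the client's documented behaviour (scheme inferred from the request only when serverName has none, ticket parameter stripped from the service URL).

```python
"""Model of what the CAS web.xml filters above do with a request.

Added example, not code from the Java CAS client or from this page. It
re-implements two steps in Python so they can be inspected offline:
  1. the authentication filter's redirect to casServerLoginUrl, carrying the
     service URL built from serverName and the renew flag; and
  2. the validation filter's handling of the CAS 2.0 /serviceValidate reply.
Hostnames, the ticket string and the two XML replies are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

CAS_NS = "http://www.yale.edu/tp/cas"


def service_url(request_url: str, server_name: str, request_is_secure: bool,
                artifact_param: str = "ticket") -> str:
    """Rebuild the request URL on the configured serverName.

    The artifact parameter ("ticket" for CAS 2.0, "SAMLart" for SAML 1.1)
    is dropped so the value sent as 'service' at login equals the one
    presented at validation. Like the Java client, the scheme is inferred
    from the request only when serverName has none; behind a
    TLS-terminating proxy request_is_secure is typically False, which is
    why serverName should carry https:// explicitly.
    """
    if "://" not in server_name:
        server_name = ("https://" if request_is_secure else "http://") + server_name
    base, req = urlsplit(server_name), urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(req.query, keep_blank_values=True)
             if k != artifact_param]
    return urlunsplit((base.scheme, base.netloc, req.path, urlencode(query), ""))


def login_redirect(cas_login_url: str, service: str, renew: bool = False,
                   gateway: bool = False) -> str:
    """Location the authentication filter redirects an unauthenticated user to.
    renew=true tells CAS to demand credentials even if an SSO session exists."""
    sep = "&" if "?" in cas_login_url else "?"
    url = f"{cas_login_url}{sep}service={quote(service, safe='')}"
    if renew:
        url += "&renew=true"
    if gateway:
        url += "&gateway=true"
    return url


def parse_service_validate(body: str) -> dict:
    """Parse a CAS 2.0 /serviceValidate body.

    Returns {'user': name} on success or {'error': CODE, 'message': text}
    on an authenticationFailure; anything else raises, so a malformed reply
    is never mistaken for success. The body comes from the CAS server over
    TLS; parse XML from untrusted sources with defusedxml instead.
    """
    root = ET.fromstring(body)
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValueError(f"unexpected root element {root.tag}")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        user = success.findtext(f"{{{CAS_NS}}}user")
        if not user or not user.strip():
            raise ValueError("authenticationSuccess without cas:user")
        return {"user": user.strip()}
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        return {"error": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    raise ValueError("neither authenticationSuccess nor authenticationFailure")


# Constructed replies in the shape defined by the CAS 2.0 protocol.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-0000-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    svc = service_url("http://app.internal:8080/example/page?x=1&ticket=ST-0000-example",
                      "https://server.name.uconn.edu", request_is_secure=False)
    print(login_redirect("https://login.uconn.edu/cas/login", svc, renew=True))
    print(parse_service_validate(SUCCESS_XML))
    print(parse_service_validate(FAILURE_XML))
```

Run it as a script to see the redirect an unauthenticated request to /example/page would receive and how a valid and an invalid ticket reply are parsed. Passing "server.name.uconn.edu" without a scheme and request_is_secure=False reproduces the plain-http service URL described above.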
Tomcat Container Authentication (Valve)
This method was contributed by Marvin Addison (Jasig). It performs CAS authentication in the Tomcat container, as a Valve and Realm, rather than inside the Java application, so the application sees the CAS user through the standard container security API (request.getRemoteUser(), request.isUserInRole() and security-constraint elements in web.xml).
Before modifying any configuration, obtain the following .jar files and place them in your $TOMCAT_HOME/lib directory.
Found under modules in the CAS client distribution (downloadable from Jasig):
- cas-client-core-$VERSION.jar
- cas-client-integration-tomcat-common-$VERSION.jar
- cas-client-integration-tomcat-v6-$VERSION.jar (for Tomcat 6; use the artifact and org.jasig.cas.client.tomcat.vN class names that match your Tomcat major version)
- commons-logging-$VERSION.jar
- xmlsec-$VERSION.jar
- commons-codec-$VERSION.jar
Obtainable from Apache (log4j) and OpenSAML:
- log4j-$VERSION.jar
- opensaml-1.1b.jar
Add the following to the application's context file ($TOMCAT_HOME/conf/Catalina/localhost/<appname>.xml, inside its <Context> element); placing it in $TOMCAT_HOME/conf/context.xml instead applies it to every web application on the server. The Realm supplies roles from the attribute named by roleAttributeName, the Saml11Authenticator valve performs the redirect to CAS and validates the ticket with the SAML 1.1 protocol, and SingleSignOutValve handles CAS single sign-out; artifactParameterName is SAMLart because the SAML 1.1 protocol returns the ticket in that parameter rather than in ticket. As with the web.xml method, give serverName its scheme.

<!-- The following configuration uses the SAML 1.1 protocol and role data provided by the
     assertion to enable dynamic server-driven role data. The attribute used for role data
     is "memberOf". -->
<Realm className="org.jasig.cas.client.tomcat.v6.AssertionCasRealm"
       roleAttributeName="memberOf" />
<Valve className="org.jasig.cas.client.tomcat.v6.Saml11Authenticator"
       encoding="UTF-8"
       casServerLoginUrl="https://login.example.com/cas/login"
       casServerUrlPrefix="https://login.example.com/cas/"
       serverName="https://your.server.example.com" />
<!-- Single sign-out support -->
<Valve className="org.jasig.cas.client.tomcat.v6.SingleSignOutValve"
       artifactParameterName="SAMLart" />
The role attribute does not have to be memberOf; any attribute released by CAS can be named in roleAttributeName in context.xml, and its values become the user's container roles.
Note that if the released attributes are to drive authorization, the application's own security configuration must be changed as well (for PSI-Probe, its security.xml and web.xml). The configuration is specific to the application; an example for PSI-Probe follows.
Example security.xml
<sec:filter-invocation-definition-source>
    <sec:intercept-url pattern="/adm/**" access="ROLE_ATTRIBUTE"/>
    <sec:intercept-url pattern="/sql/**,/adm/restartvm.ajax" access="ROLE_ATTRIBUTE"/>
    <sec:intercept-url pattern="/app/**" access="ROLE_ATTRIBUTE"/>
    <sec:intercept-url pattern="/**" access="ROLE_ATTRIBUTE"/>
</sec:filter-invocation-definition-source>

ROLE_ATTRIBUTE is a placeholder. With AssertionCasRealm the granted roles are the values of the configured attribute (for memberOf, group names), so substitute the group value that should be allowed to reach each URL pattern.
Example web.xml
<context-param>
    <description>Role that can view session attribute values</description>
    <param-name>attribute.value.roles</param-name>
    <param-value>ROLE_ATTRIBUTE</param-value>
</context-param>

<auth-constraint>
    <role-name>$attribute_name</role-name>
</auth-constraint>

<security-role>
    <role-name>$attribute_name</role-name>
</security-role>

This is a fragment: the <auth-constraint> belongs inside a <security-constraint> together with the <web-resource-collection> it protects. $attribute_name stands for one value of the role attribute (a group name when roleAttributeName is memberOf), because that value is what AssertionCasRealm exposes as the role name; the same value must appear in <security-role>.
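The following is an added example in Python, not code from the Java CAS client or from this page. It models what the Realm and valve configured above, and the role-name constraints just shown, do with a SAML 1.1 response: check the status and validity window, take the NameIdentifier as the user, and turn the values of the roleAttributeName attribute (memberOf here) into the container roles that request.isUserInRole() and a <role-name> in web.xml are matched against. The response, its user, group values and timestamps are constructed to follow the SAML 1.1 shape CAS returns from /samlValidate; the one-second clock-skew tolerance is an assumption of this example.

```python
"""Model of the Saml11Authenticator valve plus AssertionCasRealm.

Added example, not code from the Java CAS client or from this page. SAMPLE,
its user, group values and timestamps are constructed; the tolerance value
is an assumption of this example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}


def _ts(value: str) -> datetime:
    """Parse a SAML 1.1 UTC timestamp such as 2024-03-01T12:00:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_saml11(body: str, role_attribute: str, now: datetime,
                 tolerance: timedelta = timedelta(seconds=1)) -> dict:
    """Return {'user': ..., 'roles': set(...)} or raise ValueError.

    Status and the Conditions window are checked (allowing a little clock
    skew) before any attribute is trusted. The body arrives from the CAS
    server over TLS; for XML from untrusted sources use defusedxml.
    """
    resp = ET.fromstring(body).find(".//samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response in body")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("SAML status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before) - tolerance:
            raise ValueError("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after) + tolerance:
            raise ValueError("assertion expired")
    user = assertion.findtext(
        "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", None, NS)
    if not user or not user.strip():
        raise ValueError("no NameIdentifier in assertion")
    roles = set()  # every value of the role attribute becomes a container role
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeName") == role_attribute:
            roles.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                         if v.text and v.text.strip())
    return {"user": user.strip(), "roles": roles}


def is_user_in_role(principal: dict, role: str) -> bool:
    """The container's answer to isUserInRole(role), and to a <role-name> in a
    security-constraint, once AssertionCasRealm supplies the roles."""
    return role in principal["roles"]


def validate_sample_at(iso_now: str, role_attribute: str = "memberOf") -> Optional[dict]:
    """Validate SAMPLE as of the given UTC time; None if it is rejected."""
    try:
        return parse_saml11(SAMPLE, role_attribute, _ts(iso_now))
    except ValueError:
        return None


# Constructed SAML 1.1 response in the shape CAS returns from /samlValidate.
SAMPLE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol"
      ResponseID="_constructed-response" IssueInstant="2024-03-01T12:00:00.000Z"
      MajorVersion="1" MinorVersion="1">
   <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
   <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
       AssertionID="_constructed-assertion" Issuer="login.example.com"
       IssueInstant="2024-03-01T12:00:00.000Z" MajorVersion="1" MinorVersion="1">
    <saml1:Conditions NotBefore="2024-03-01T12:00:00.000Z" NotOnOrAfter="2024-03-01T12:00:30.000Z">
     <saml1:AudienceRestrictionCondition>
      <saml1:Audience>https://your.server.example.com/</saml1:Audience>
     </saml1:AudienceRestrictionCondition>
    </saml1:Conditions>
    <saml1:AuthenticationStatement AuthenticationInstant="2024-03-01T11:59:59.000Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
     <saml1:Subject><saml1:NameIdentifier>jdoe</saml1:NameIdentifier></saml1:Subject>
    </saml1:AuthenticationStatement>
    <saml1:AttributeStatement>
     <saml1:Subject><saml1:NameIdentifier>jdoe</saml1:NameIdentifier></saml1:Subject>
     <saml1:Attribute AttributeName="memberOf" AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <saml1:AttributeValue>cn=tomcat-admins,ou=groups,dc=example,dc=com</saml1:AttributeValue>
      <saml1:AttributeValue>cn=staff,ou=groups,dc=example,dc=com</saml1:AttributeValue>
     </saml1:Attribute>
    </saml1:AttributeStatement>
   </saml1:Assertion>
  </saml1p:Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
```

Calling validate_sample_at("2024-03-01T12:00:10.000Z") yields user jdoe with both group DNs as roles, so a <role-name> of cn=tomcat-admins,ou=groups,dc=example,dc=com would admit the user while any other value would not; the same response evaluated five minutes later is rejected because the assertion's NotOnOrAfter has passed, and naming an attribute the assertion does not carry yields a principal with no roles at all.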