Cas and Spring Security

Spring Security supports many different authentication systems. One of them is the Central Authentication Service (CAS), which lets users authenticate to a web application (or to several web applications) through a single central service.

In this article, I'll show the integration of CAS with the Spring Security framework. As usual, by means of an example.

First of all, a bit of preface. CAS is a system released by the Jasig consortium, which took over the project from Yale University about ten years ago. More information about Jasig is at the official web page http://www.jasig.org/cas.

CAS is commonly used to provide single sign-on to applications that are allowed to use a specific CAS server to authenticate the same users across different web applications. I'll use CAS deployed as a web application.

The basic concept of this authentication system is the sharing of a “ticket” issued by CAS once an application needs an authenticated user and the user has sent his credentials. Let me explain the idea using this wonderful sequence diagram made by David Ohsie.

The diagram is like this:

[Figure: CAS authentication sequence diagram]

As the diagram shows, the user's request for a protected resource is forwarded to the CAS service. The authentication service checks the user's credentials, or his ticket if he is already authenticated, and redirects the request back to the protected resource. In a word, it works like a proxy.
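To make the ticket flow concrete, here is an in-memory model of it in Python, added as an example (it is not code from the article or from the CAS project): the application redirects to CAS, CAS checks the credentials and sends back a service ticket, and the application validates that ticket with CAS before serving the resource. The users, the application URL https://localhost:8443/album/ and the ticket lifetime are constructed values.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# In-memory model of the CAS ticket exchange (added example, not code from the
# article or from Jasig CAS). Real CAS talks HTTP; here a "redirect" is a URL string.
SERVICE_TICKET_TTL = 10                                     # seconds an ST stays valid
CREDENTIALS = {"mom@album.com": "mom", "matt@album.com": "matt"}  # constructed sample users

class CasServer:
    def __init__(self):
        self.tgts = {}   # ticket-granting ticket (the SSO cookie value) -> username
        self.sts = {}    # service ticket -> (username, service it was issued for, issued_at)

    def login(self, username, password, service):
        """/login: check credentials, mint a TGT and a one-time ST bound to `service`."""
        if CREDENTIALS.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = username
        st = self.grant_service_ticket(tgt, service)
        return tgt, f"{service}?{urlencode({'ticket': st})}"  # redirect back to the app

    def grant_service_ticket(self, tgt, service):
        """A second application reuses the TGT (single sign-on): new ST, no password prompt."""
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (self.tgts[tgt], service, time.time())
        return st

    def service_validate(self, ticket, service):
        """/serviceValidate: the ST must exist, be unused, unexpired and bound to `service`."""
        entry = self.sts.pop(ticket, None)                  # pop: a ticket validates once
        if entry is None:
            return {"status": "failure", "code": "INVALID_TICKET"}
        user, bound_service, issued_at = entry
        if bound_service != service:
            return {"status": "failure", "code": "INVALID_SERVICE"}
        if time.time() - issued_at > SERVICE_TICKET_TTL:
            return {"status": "failure", "code": "INVALID_TICKET"}
        return {"status": "success", "user": user}

def client_consume(cas, service_url, redirect_url):
    """The protected application: read ?ticket=... from the redirect and validate it with CAS."""
    ticket = parse_qs(urlparse(redirect_url).query)["ticket"][0]
    return cas.service_validate(ticket, service_url)
```

Validating the same redirect a second time fails with INVALID_TICKET, and a ticket minted for another service fails with INVALID_SERVICE, which is what stops a captured ticket from being reused.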

It's now time to work on the example to explain how it works.

My example is a photo album with protected access. Every user (each with a different role) can access some photos and is denied access to the others. I have two albums: the first is about my first bicycle ride and the second about my Ibiza holidays.

The users are stored in an LDAP directory exported to an LDIF file (the passwords are base64-encoded, which is what the double colon after userPassword means; they are not hashed). I generated it with the OpenDJ LDAP service with only two users and two roles.

The first user is mom@album.com with the ROLE_PARENTS role. She can see only the first album (I don't think showing her my Ibiza holidays is a good idea...).

The second user is matt@album.com with the ROLE_FRIENDS role. He's much more interested in my holidays than in my first bike ride.

I added a third user, admin@album.com, to access the Service Management Console.

The exported file looks like this:


version: 1

dn: dc=photoalbum
objectClass: extensibleObject
objectClass: domain
objectClass: top
dc: photoalbum

dn: ou=Groups,dc=photoalbum
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: ou=Users,dc=photoalbum
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: uid=mom@album.com,ou=Users,dc=photoalbum
objectClass: organizationalPerson
objectClass: person
objectClass: uidObject
objectClass: top
cn: LDAP User
sn: User
uid: mom@album.com
description: ROLE_PARENTS
userPassword:: bW9t

dn: uid=matt@album.com,ou=Users,dc=photoalbum
objectClass: organizationalPerson
objectClass: person
objectClass: uidObject
objectClass: top
cn: LDAP User
sn: User
uid: matt@album.com
description: ROLE_FRIENDS
userPassword:: bWF0dA==

dn: uid=admin@album.com,ou=Administrators,ou=Users,dc=photoalbum
objectClass: organizationalPerson
objectClass: person
objectClass: uidObject
objectClass: top
cn: LDAP Admin
sn: Admin
uid: admin@album.com
description: ROLE_ADMIN
userPassword:: YWRtaW4=

dn: cn=User,ou=Groups,dc=photoalbum
objectClass: groupOfUniqueNames
objectClass: top
cn: User
uniqueMember: uid=mom@album.com,ou=Users,dc=photoalbum
uniqueMember: uid=matt@album.com,ou=Users,dc=photoalbum
uniqueMember: uid=admin@album.com,ou=Users,dc=photoalbum
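A small checker for the export above, added here as an example (not the article's own code; the LDIF inside it is a constructed subset of the one shown): it decodes the `::` base64 values, which turn out to be the plain passwords rather than hashes, collects the uid-to-role mapping kept in the description attribute, and flags entries whose parent entry is absent from the export. The admin entry sits under ou=Administrators,ou=Users, a branch that has no entry in the file (the group lists admin directly under ou=Users), so an LDAP import of this file as shown would reject it.

```python
import base64

# Constructed LDIF fragment mirroring the article's export (added example, not the article's file).
LDIF = """\
dn: dc=photoalbum
objectClass: domain
dc: photoalbum

dn: ou=Users,dc=photoalbum
objectClass: organizationalUnit
ou: Users

dn: uid=mom@album.com,ou=Users,dc=photoalbum
uid: mom@album.com
description: ROLE_PARENTS
userPassword:: bW9t

dn: uid=admin@album.com,ou=Administrators,ou=Users,dc=photoalbum
uid: admin@album.com
description: ROLE_ADMIN
userPassword:: YWRtaW4=
"""
def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. No line folding or change records."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line:                            # a blank line terminates the entry
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: value' means base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries

def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def orphaned_entries(entries):
    """DNs whose parent entry is not in the export; an LDAP import would reject them."""
    return [dn for dn in entries if parent_dn(dn) and parent_dn(dn) not in entries]

def role_map(entries):
    """uid -> role, as the article keeps roles in the 'description' attribute."""
    return {e["uid"][0]: e["description"][0] for e in entries.values() if "uid" in e}
```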

Having illustrated the application, I can focus on the configuration of the CAS server and of the photo album client application.

I started my example from the Spring Security book example (code chapter09.06-cas-server), but you don't really need to download it; you can just as well start from the code on the Jasig web site.

Another step is needed before starting with the code. Communication between the client and the server goes over an SSL connection, so we need to configure the application server to accept SSL connections. In a development environment it is common to use a self-signed certificate. The steps are:


C:\Program Files\Java\jdk1.7.0_04\bin>keytool.exe -genkey -alias cas -keyalg RSA -keystore C:\ssl\cas.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  localhost
What is the name of your organization?
  [Unknown]:  localhost
What is the name of your City or Locality?
  [Unknown]:  Milan
What is the name of your State or Province?
  [Unknown]:  Italy
What is the two-letter country code for this unit?
  [Unknown]:  IT
Is CN=localhost, OU=localhost, O=localhost, L=Milan, ST=Italy, C=IT correct?
  [no]:  yes

Enter key password for <cas>
        (RETURN if same as keystore password):

C:\Program Files\Java\jdk1.7.0_04\bin>keytool.exe -export -alias cas -keypass changeit -file C:\ssl\cas.crt -keystore C:\ssl\cas.keystore
Enter keystore password:
Certificate stored in file <C:\ssl\cas.crt>

Once you have the keystore and the certificate, it's time to configure the Tomcat SSL connector by editing the server.xml file.


    <Connector SSLEnabled="true"
            maxThreads="150"
            port="8444"
            protocol="HTTP/1.1"
            scheme="https"
            secure="true"
            sslProtocol="TLS"
            keystoreFile="${catalina.home}/ssl/cas.keystore"
            keystorePass="changeit"/>

Then double-click on cas.crt and install the certificate in your browser. The result should be something like this.

[Figure: the imported cas certificate as shown by the browser]

Before running the server application, it's necessary to configure some files. The first is cas.properties:

server.prefix=https://localhost:8444/chapter09.06-cas-server
...
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
...
host.name=chapter09.06-cas-server
...

The first property defines the HTTPS address used to reach the CAS server. The “cas.securityContext.serviceProperties.adminRoles” property defines the role that is allowed to access the CAS Service Manager. The last one is the host name.

I also edited the file cas-servlet.xml:


<bean id="logoutController" class="org.jasig.cas.web.LogoutController"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:logoutView="casLogoutView"
  p:warnCookieGenerator-ref="warnCookieGenerator"
  p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
  p:followServiceRedirects="true" />

With the added p:followServiceRedirects="true" attribute, the CAS logout page will no longer be the default one but the page defined by the client (I'll show this further on in the client code).

Finally, it's time to start Tomcat and go to the home page (the login page). The CAS server needs a secure connection, so use an https URL in your browser to connect over SSL (https://localhost:8444/chapter09.06-cas-server/services/manage.html).

[Figure: CAS login page]

Now put the admin credentials in the boxes (admin@album.com / admin) and you'll get into the management console.

[Figure: CAS services management console]

The console lets you register new services and view connection and session statistics. Keep in mind that the CAS server doesn't hold any credential information itself: it is not an LDAP server or a credential repository, it only delegates authentication to one.

In the next part, I'll show the client side of this integration, as soon as the article is ready.
