Overview
In installations using Jasig CAS for authentication, WebProxy Portlet can be configured to obtain its own proxy tickets. These tickets are not usable to authenticate to CAS-enabled Web sites. Instead, WebProxy Portlet can validate its proxy ticket, ask for its own Proxy Granting Ticket, and then ask for a proxy ticket for the service it needs to access. The rest of this document outlines how to configure WebProxy Portlet to do this.
...
<!--
  The following 4 beans are needed for proxy CAS authentication. The first 3 are from the
  Jasig Java CAS Client.

  proxyStorage is a common storage that the ticket validator and filter use to keep a PGT
  for a Principal.

  ticketValidator is used to validate WebProxy Portlet's proxy ticket and request its own PGT.
  In this example, it is configured to accept any proxy. Its constructor argument must be set
  to the CAS URL. proxyCallbackUrl must be set to the WebProxy Portlet's proxy ticket
  receptor (configured in web.xml).

  proxyFilter is a filter that will receive the proxy tickets requested by ticketValidator.
  Its proxyReceptorUrl shown in this example should be sufficient and must be relative to
  WebProxy Portlet's own "base" URL. The service property is not used by this filter as it
  does not perform ticket validation.

  casAuthenticationHandler is WebProxy Portlet's own bean that handles the CAS proxy
  authentication as per the CAS protocol specification. The myService property must be set
  to the fully-qualified "base" URL of the portlet itself. It is passed to CAS for ticket
  validation, and it must match what uPortal used when it obtained the proxy ticket for the
  portlet.
-->
<!--
<bean name="proxyStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />

<bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator">
    <constructor-arg index="0" value="https://cas.university.edu/cas" />
    <property name="proxyCallbackUrl" value="https://portal.university.edu/WebProxyPortlet/CasProxyReceptor" />
    <property name="acceptAnyProxy" value="true" />
    <property name="proxyGrantingTicketStorage" ref="proxyStorage" />
</bean>

<bean name="proxyFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
    <property name="service" value="https://my.local.service.com/cas-client" />
    <property name="proxyReceptorUrl" value="/CasProxyReceptor" />
    <property name="ticketValidator" ref="ticketValidator" />
    <property name="proxyGrantingTicketStorage" ref="proxyStorage" />
</bean>

<bean name="casAuthenticationHandler" class="edu.wisc.my.webproxy.beans.security.CasAuthenticationHandler">
    <property name="ticketValidator" ref="ticketValidator" />
    <property name="myService" value="http://portal.university.edu/WebProxyPortlet" />
</bean>
-->
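The acceptAnyProxy setting on ticketValidator decides whether the proxy chain that CAS returns from /proxyValidate is checked at all. As an added example (not code from WebProxy Portlet or the Jasig Java CAS Client), the Python below parses a CAS 2.0 validation response and compares its proxy chain against an allow-list; the sample response, the uPortal callback URL, the allow-list, the function names and the exact-match policy are all assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

# Constructed sample of a CAS 2.0 /proxyValidate success body (not captured traffic).
# The uPortal callback URL inside <cas:proxy> is a hypothetical value.
SAMPLE_RESPONSE = """\
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
    <cas:proxies>
      <cas:proxy>https://portal.university.edu/uPortal/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Hypothetical allow-list: each entry is one complete, ordered proxy chain.
ALLOWED_CHAINS = [["https://portal.university.edu/uPortal/CasProxyServlet"]]


def parse_proxy_validate(xml_text):
    """Return (user, pgt_iou, proxy_chain); raise ValueError unless CAS reports success."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", NS)
        code = fail.get("code", "UNKNOWN") if fail is not None else "MALFORMED"
        raise ValueError("CAS validation failed: " + code)
    user = (ok.findtext("cas:user", default="", namespaces=NS) or "").strip()
    if not user:
        raise ValueError("success response without a user")
    # PGTIOU: the handle later matched to the PGT delivered at the proxy callback URL.
    pgt_iou = ok.findtext("cas:proxyGrantingTicket", default=None, namespaces=NS)
    chain = [(p.text or "").strip() for p in ok.findall("cas:proxies/cas:proxy", NS)]
    return user, pgt_iou, chain


def chain_allowed(chain, allowed_chains, accept_any_proxy=False):
    """Exact, ordered match of the whole chain; accept_any_proxy skips the check."""
    if accept_any_proxy:
        return True  # equivalent of acceptAnyProxy=true: every proxying service is trusted
    return any(chain == list(allowed) for allowed in allowed_chains)


if __name__ == "__main__":
    user, pgt_iou, chain = parse_proxy_validate(SAMPLE_RESPONSE)
    print(user, pgt_iou, chain, chain_allowed(chain, ALLOWED_CHAINS))
```

With the allow-list in force, a ticket proxied by any service other than the listed uPortal callback is rejected, which is the check that acceptAnyProxy set to true leaves out.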
Enabling the Proxy Granting Ticket Receptor
Jasig Java CAS Client contains a Web filter that can receive Proxy Granting Tickets. In the above example, WebProxy Portlet is configured to retrieve these at the endpoint "/CasProxyReceptor". To configure that endpoint, add the following section to WebProxy Portlet's web.xml:
<!-- The following section should be enabled to add support for proxy CAS authentication.
     The servlet mapping is completely fake and uses the ProxyServlet definition. The Jasig
     Java CAS client filter intercepts a call to this endpoint and grabs the proxy ticket
     received from CAS.
-->
<servlet-mapping>
    <servlet-name>ProxyServlet</servlet-name>
    <url-pattern>/CasProxyReceptor/*</url-pattern>
</servlet-mapping>
<filter>
    <filter-name>CAS Proxy Filter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>proxyFilter</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Proxy Filter</filter-name>
    <url-pattern>/CasProxyReceptor/*</url-pattern>
</filter-mapping>
You will notice that the new endpoint, "/CasProxyReceptor", is mapped to an existing ProxyServlet. This is OK because the Jasig Java CAS Client will actually intercept the CAS callbacks with the PGT, and the servlet will not be invoked.