
The filter's main configuration must be added to WebAdvisor's web.xml file. Start by extracting this file from the original WebAdvisor WAR file (DEVSSOPO.war in this project) and placing it in src/main/webapp/WEB-INF. Next, open the file "doc/addition to web.xml" and make sure that all of the configuration options are set correctly for your environment. The contents of this file are below:

   <!-- Added by arybicki@unicon.net -->

  <!-- Jasig CAS client filter: a request that carries no CAS assertion or ticket is
       redirected to casServerLoginUrl. It is mapped to /Login only (see the filter-mapping
       elements further down). Host names are this example site's values. -->
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://login.esc.edu/cas/login</param-value>
    </init-param>
    <!-- serverName is the scheme and host the client uses when it builds the service URL
         sent to CAS. Keep it https and identical to the serverName of the CAS Validation
         Filter: the service presented at ticket validation has to match the one used at login. -->
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://webadvsrv.esc.edu</param-value>
    </init-param>
  </filter>
  
  <!-- Jasig CAS client filter that validates the ticket returned by CAS against
       casServerUrlPrefix and also receives the proxy callback from the CAS server. -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <!-- Tickets are validated by calling this server; keep it https so the validation
         response is received over an authenticated TLS connection. -->
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://login.esc.edu/cas</param-value>
    </init-param>
    <!-- Same value as in the CAS Authentication Filter. -->
    <init-param>
      <param-name>serverName</param-name>
      <param-value>https://webadvsrv.esc.edu</param-value>
    </init-param>
    <!-- Absolute URL the CAS server calls back to deliver the proxy-granting ticket.
         It must be https, reachable from the CAS server, and served with a certificate
         the CAS server trusts. -->
    <init-param>
      <param-name>proxyCallbackUrl</param-name>
      <param-value>https://webadvsrv.esc.edu/DEVSSOPO/CasProxyServlet</param-value>
    </init-param>
    <!-- Local path on which this filter accepts that callback. It has to be the path part
         of proxyCallbackUrl relative to the web application; /DEVSSOPO is presumably the
         context path of DEVSSOPO.war (confirm for your deployment). -->
    <init-param>
      <param-name>proxyReceptorUrl</param-name>
      <param-value>/CasProxyServlet</param-value>
    </init-param>
  </filter>
  
  <!-- Project-specific filter that performs the WebAdvisor login once CAS authentication
       has completed. Every URL and path below is specific to the example site. -->
  <filter>
    <filter-name>WebAdvisor Authentication Filter</filter-name>
    <filter-class>edu.esc.cas.client.webadvisor.filter.WebAdvisorLoginFilter</filter-class>
    <init-param>
      <param-name>log4jLocation</param-name>
      <param-value>classpath:log4j.xml</param-value>
    </init-param>
    <!-- CAS ClearPass endpoint. ClearPass releases the user's clear-text credential to an
         authorised proxying service; presumably the filter uses it for the WebAdvisor login
         (confirm in the filter source). Keep this https and treat whatever is returned as a
         secret that must never reach logs or error pages. -->
    <init-param>
      <param-name>clearPassURL</param-name>
      <param-value>https://login.esc.edu/cas/clearPass</param-value>
    </init-param>
    <init-param>
      <param-name>loginPattern</param-name>
      <param-value>SS=LGRQ</param-value>  <!-- This is what the filter uses to trigger redirect to CAS authentication -->
    </init-param>
    <init-param>
      <param-name>logoutPattern</param-name>
      <param-value>pid=UT-LORQ</param-value>  <!-- This is what the filter uses to trigger removal of CAS assertion -->
    </init-param>
    <init-param>
      <param-name>loginURI</param-name>
      <param-value>/DEVSSOPO/Login</param-value>  <!-- This is where the filter redirects to to perform authentication -->
    </init-param>
    <!-- The next two values are stored percent-encoded. Both decode to https URLs on
         webadvsrv.esc.edu under /DEVSSOPO; keep them https because the SSO token travels
         over these requests. -->
    <init-param>
      <param-name>webadvisorSSOURL</param-name>
      <param-value>https%3A%2F%2Fwebadvsrv.esc.edu%2FDEVSSOPO%2Fsso%3FCONSTITUENCY%3DWBST%26type%3DP%26pid%3DST-XWESTGRADE</param-value>  <!-- This is the endpoint to which the request for user's SSO token will be sent -->
    </init-param>
    <init-param>
      <param-name>webadvisorLoginURL</param-name>
      <param-value>https%3A%2F%2Fwebadvsrv.esc.edu%2FDEVSSOPO%2Fst%3FCONSTITUENCY%3DWBST%26type%3DP%26pid%3DST-XWESTGRADE</param-value>  <!-- This is where the SSO token will be sent for authentication -->
    </init-param>
    <init-param>
      <param-name>mainMenuURI</param-name>
      <param-value>/DEVSSOPO/</param-value>  <!-- This is where the filter redirects to after WebAdvisor login -->
    </init-param>
    <!-- Space-separated allow-lists of header names. The first list includes cookie and
         host, which come from the browser; the second returns Set-Cookie to it. Keep both
         lists as short as the login exchange requires. -->
    <init-param>
      <param-name>browserHeadersToForward</param-name>  <!-- Forward these HTTP headers with the WebAdvisor login -->
      <param-value>cookie host user-agent accept accept-language accept-encoding accept-charset</param-value>
    </init-param>
    <init-param>
      <param-name>webAdvisorHeadersToForward</param-name>  <!-- Return these WebAdvisor HTTP headers after authentication -->
      <param-value>Set-Cookie Content-Type Content-Length</param-value>
    </init-param>
  </filter>
  
  <!-- Filters that match a request by URL pattern run in the order their filter-mapping
       elements appear here, so do not reorder this section.
       /CasProxyServlet : CAS Validation Filter, then WebAdvisor Authentication Filter
       /Login           : CAS Authentication Filter, CAS Validation Filter, then
                          WebAdvisor Authentication Filter
       everything else  : WebAdvisor Authentication Filter only -->
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/CasProxyServlet</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/Login</url-pattern>
  </filter-mapping>
  
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/Login</url-pattern>
  </filter-mapping>
  
  <!-- The two Jasig filters are mapped to /Login and /CasProxyServlet only. Any other
       path is guarded solely by the filter below, which decides from loginPattern and
       logoutPattern when to involve CAS. -->
  <filter-mapping>
    <filter-name>WebAdvisor Authentication Filter</filter-name>  <!-- This filter must come AFTER the Jasig CAS Client filters above -->
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- End of the addition by arybicki@unicon.net -->

...

The only other place to configure the filter is the filter's logging. This also configures logging of the Jasig CAS Client for Java. The configuration file is src/main/webapp/WEB-INF/classes/log4j.xml and it looks like this:


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<!-- log4j 1.x configuration, loaded by the WebAdvisor filter through its log4jLocation
     parameter (classpath:log4j.xml). It covers both the filter (edu.esc.cas) and the
     Jasig CAS client (org.jasig). -->

<log4j:configuration debug="false" xmlns:log4j="http://jakarta.apache.org/log4j/">
  <!--
      This default ConsoleAppender is used to log all NON perf4j messages
      to System.out
    -->
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %p [%c] - &lt;%m&gt;%n" />
    </layout>
  </appender>

  <!-- Rolling file in Tomcat's logs directory: 512KB per file with 3 backups, so roughly
       2 MB of history is kept. At DEBUG that window is short; size it for the period you
       need to be able to investigate, and restrict read access to the file. -->
  <appender name="casclient" class="org.apache.log4j.RollingFileAppender">
    <param name="File" value="${catalina.base}/logs/casclient.log" />
    <param name="MaxFileSize" value="512KB" />
    <param name="MaxBackupIndex" value="3" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %p [%c] - %m%n" />
    </layout>
  </appender>

  <!-- DEBUG is meant for installation and troubleshooting. DEBUG output of the CAS client
       may include ticket values and validation responses, so use INFO in production.
       additivity is true: every event accepted here is also written by the root logger's
       console appender, whatever level the root logger itself has. -->
  <logger name="org.jasig" additivity="true">
    <level value="DEBUG" />
    <appender-ref ref="casclient" />
  </logger>

  <!-- Logger of the WebAdvisor filter. The same DEBUG and additivity caveats apply; this
       filter is configured with a ClearPass URL and handles SSO tokens, so check what it
       writes at DEBUG before enabling that level outside a test system. -->
  <logger name="edu.esc.cas" additivity="true">
    <level value="DEBUG" />
    <appender-ref ref="casclient" />
  </logger>

  <!--
      The root logger sends all log statements to System.out.
    -->
  <root>
    <level value="ERROR" />
    <appender-ref ref="console" />
  </root>
</log4j:configuration>

The example above writes the filter's log to the file casclient.log in Tomcat's logs sub-directory. For production installations, Unicon recommends changing the log levels that are set to DEBUG in the example above to INFO.

Attachments

Eclipse Project

You may be able to use this Eclipse project as a starting point.

 

Error Reporting

In case of unrecoverable errors, the filter displays a fairly generic error message. Unicon encourages implementers to improve the looks of this message because it will be displayed to end users in cases of unrecoverable errors. The error page does not and should not include details about the error's cause. Since this is a security-sensitive application, adding details to error messages could aid adversaries. Instead, errors are added to the log file.