JAAS Authentication Handler

Briefly, JAAS is a standard API provided by Java 1.4 and higher which provides PAM-like authentication and authorization. An external file is used to configure JAAS. Using JAAS with CAS allows modification of the authentication process without having to rebuild and redeploy CAS, and allows for PAM-style multi-module "stacked" authentication.

Core Classes

JaasAuthenticationHandler

The JaasAuthenticationHandler is a hook into the Java Authentication and Authorization Service and delegates all authentication to the underlying runtime and its configured JAAS file. Therefore it only has one property:

  • realm - the realm within the JAAS configuration file we are going to use. Defaults to CAS.

Configuration

Like other handlers, the JAAS Authentication Handler is simply configured in the deployerConfigContext.xml. Within the AuthenticationManager's "authenticationHandlers" property, place the following configuration (replacing the example Test handler):

{code:xml}
<bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />
{code}

Example jaas.conf File

Below, you'll find an example jaas.conf file which would contain your JAAS configuration information. The path to the JAAS Configuration file is specified for this JVM as a system property, i.e. -Djava.security.krb5.conf=/etc/krb5.conf, or a default can be specified for an entire Java Runtime Environment by changing the {jre-home}/lib/security/java.security properties file to add a "Default login configuration file" under the property "login.config.url.1=file:..." (find the comment example in the current file).

{code}
/**
 * Login Configuration for JAAS.   First try Kerberos, then LDAP, then AD
 * Note that a valid krb5.conf must be supplied to the JVM for Kerberos auth
 *   -Djava.security.krb5.conf=/etc/krb5.conf
 */
CAS {
  com.ibm.security.auth.module.Krb5LoginModule sufficient
    debug=FALSE;

  edu.uconn.netid.jaas.LDAPLoginModule sufficient
    java.naming.provider.url="ldap://ldap.my.org:389/dc=my,dc=org"
    java.naming.security.principal="uid=cas,dc=my,dc=org"
    java.naming.security.credentials="password"
    Attribute="uid"
    startTLS="true";

  edu.uconn.netid.jaas.LDAPLoginModule sufficient
    java.naming.provider.url="ldaps://ad.my.org:636/dc=ad,dc=my,dc=org"
    java.naming.security.principal="cas@ad.my.org"
    java.naming.security.credentials="password"
    Attribute="sAMAccountName";
};
{code}

If you enable the Krb5LoginModule and authenticate the userid and password against a Kerberos KDC, then Java must be told the name of the Kerberos Realm and the network name of the KDC. Again, this can be done with system properties (java.security.krb5.realm and java.security.krb5.kdc) or by copying a Unix krb5.conf file into the {jre-home}/lib/security directory. Note that SPNEGO also uses Kerberos and sets the same system properties. So if you are planning to use both JAAS and SPNEGO with Kerberos, read about SPNEGO configuration when planning JAAS.