Warning | ||
---|---|---|
| ||
CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link. |
Trusted Authentication Handler
Including the Handler
In the pom.xml file for your CAS webapp (the default is ${project.home}/cas-server-webapp/pom.xml) Maven2 WAR Overlay, add the following dependency:
Code Block | ||||
---|---|---|---|---|
| ||||
<dependency> <groupId>${project.groupId}<<groupId>org.jasig.cas</groupId> <artifactId>cas-server-support-spnego</artifactId> <artifactId>cas-server-support-trusted</artifactId> <version>${projectcas.version}</version> </dependency> |
...
The CAS 3 Login Webflow needs to be modified. This webflow is located in /WEB-INF/login-webflow.xml. There are 2 is one new action states which are placed state to place before the state viewLoginForm.
Code Block | ||||
---|---|---|---|---|
| ||||
<action-state id="remoteAuthenticate">
<action bean="principalFromRemoteAction" />
<transition on="success" to="sendTicketGrantingTicket" />
<transition on="error" to="viewLoginForm" />
</action-state>
|
In 3.4.2 and later, change <action bean="principalFromRemoteAction" /> to <evaluate expression="principalFromRemoteAction" />.
And 2 3 existing transitions need to be update:
- In the decision-state gatewayRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
- In the decision-state renewRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
- In the action-state generateServiceTicket, replace reference to viewLoginForm by remoteAuthenticate
In 3.4.12 (before?) ignore the above 3 transition declarations. Update the "generateLoginTicket" action-state to have the following transition.
<transition on="generated" to="remoteAuthenticate" />
/WEB-INF/cas-servlet.xml
Add the bean needed for the login flow :
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="principalFromRemoteAction" class="org.jasig.cas.adaptors.trusted.web.flow.PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction"
p:centralAuthenticationService-ref="centralAuthenticationService" />
|
...
- org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver as credentialsToPrincipalResolvers
org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler as authenticationHandlers
Code Block xml xml <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="credentialsToPrincipalResolvers"> <list> <!-- ... the others credentialsToPrincipalResolvers ... --> <bean class="org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" /> </list> </property> <property name="authenticationHandlers"> <list> <bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler" /> <!-- ... the others authenticationHandlers... --> </list> </property> </bean>
...
Inside the ${project.home}/cas-server-webapp/ folder, run the command :
No Format |
---|
mvn package
|
You may now deploy the new webapp.
...
If you are using, a frontal Apache with mod_jk and Apache is handling the REMOTE_USER, you have to check the AJP connector in your Tomcat server.xml file. You should add the parameter tomcatAuthentication to false
Code Block | ||||
---|---|---|---|---|
| ||||
Connector port="8009"
enableLookups="false" redirectPort="8443" debug="0"
protocol="AJP/1.3"
tomcatAuthentication="false" />
|