Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleNew CAS documentation site

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

Trusted Authentication Handler

Including the Handler

In the pom.xml file for your CAS webapp (the default is ${project.home}/cas-server-webapp/pom.xml) Maven2 WAR Overlay, add the following dependency:

Code Block
xml
xml

<dependency>
     <groupId>${project.groupId}<<groupId>org.jasig.cas</groupId>
     <artifactId>cas-server-support-spnego</artifactId>
     <artifactId>cas-server-support-trusted</artifactId>
     <version>${projectcas.version}</version>
</dependency>

...

The CAS 3 Login Webflow needs to be modified. This webflow is located in /WEB-INF/login-webflow.xml. There are 2 is one new action states which are placed state to place before the state viewLoginForm.

Code Block
xml
xml

<action-state id="remoteAuthenticate">
  <action bean="principalFromRemoteAction" />
  <transition on="success" to="sendTicketGrantingTicket" />
  <transition on="error" to="viewLoginForm" />
</action-state>

In 3.4.2 and later, change <action bean="principalFromRemoteAction" /> to <evaluate expression="principalFromRemoteAction" />.

And 2 3 existing transitions need to be update:

  • In the decision-state gatewayRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
  • In the decision-state renewRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
  • In the action-state generateServiceTicket, replace reference to viewLoginForm by remoteAuthenticate

In 3.4.12 (before?) ignore the above 3 transition declarations. Update the "generateLoginTicket" action-state to have the following transition.

<transition on="generated" to="remoteAuthenticate" />

/WEB-INF/cas-servlet.xml

Add the bean needed for the login flow :

Code Block
xml
xml

<bean id="principalFromRemoteAction" class="org.jasig.cas.adaptors.trusted.web.flow.PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction"
p:centralAuthenticationService-ref="centralAuthenticationService" />

...

  • org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver as credentialsToPrincipalResolvers
  • org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler as authenticationHandlers

    Code Block
    xml
    xml
    
    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
      <property name="credentialsToPrincipalResolvers">
        <list>
          <!--  ... the others credentialsToPrincipalResolvers ... -->
          <bean class="org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" />
        </list>
      </property>
      <property name="authenticationHandlers">
        <list>
          <bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler" />
          <!--  ... the others authenticationHandlers... -->
        </list>
      </property>
    </bean>
    

...

Inside the ${project.home}/cas-server-webapp/ folder, run the command :

No Format

mvn package

You may now deploy the new webapp.

...

If you are using, a frontal Apache with mod_jk and Apache is handling the REMOTE_USER, you have to check the AJP connector in your Tomcat server.xml file. You should add the parameter tomcatAuthentication to false

Code Block
xml
xml

Connector port="8009"
  enableLookups="false" redirectPort="8443" debug="0"
  protocol="AJP/1.3"
  tomcatAuthentication="false" />