Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

Yale CAS Server implementation notes

Deploying Yale CAS Server

...

Obtain the Yale CAS Server 2.x zip distribution from the link above. Unzip.

Other resources

There are articles which may also help you getting started deploying CAS Server. The ESUP-Portail Quick start distribution may also be a better way to get started with CAS Server. You could always read the README distributed with CAS Server.

Getting started

Configuring Tomcat to vend CAS via SSL

...

Code Block
xml
xml
 <Connector port="443" 
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="C:\j2sdk1.4.2_04\jre\lib\security\cacerts" keystorePass="changeit"/>

That keystoreFile path should point to your JRE's cacerts keystore. The default keystore password is "changeit" though you may have changed it.

Of course, this requires that your cacerts contains a key, self-signed or otherwise, for your server. There's more documentation on SSL certificate issues here.

Installing the .war into Tomcat

  1. Stop your Tomcat.
  2. Place the cas.war into your Tomcat's /webapps/ directory. A default cas.war is distributed in the /lib/ directory of the CAS server distrbtion. This default .war will work fine for trying CAS out for the first time.
  3. Start your Tomcat.

Trying it out

Open your web browser. Point it at your Tomcat instance. In the case of a self-signed certificate for localhost and a Tomcat configured to expose the CAS webapp on port 8080, point it at "https://localhost:8080/cas/".

Admire the default login screen. Make a mental note to change it to use your institution's colors and branding.

By default, any username and password pair such that the username equals the password will successfully authenticate. Try some pairs that don't match each other, and observe CAS coldly rejecting you. Then use the same word for both username and password, and observe yourself to be authenticated.

Open a new browser window. Go to "https://localhost:8080/cas/login?service=foo". Give it a username matching a password. It will try to redirect you to the service "foo", which does not exist. Notice the ticket request parameter in your web browser's address bar. Copy this ticket. Go to "https://localhost:8080/cas?serviceValidate?ticket=TICKETSTRING&service=foo", where TICKETSTRING is that String you copied. Notice CAS's validation success response. Congtratulations! You've just successfully validated a ticket.

Now try reloading the URL. Notice that ticket validation now fails. Service Tickets are one-time use.

Configuring and Customizing CAS

...