Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleNew CAS documentation site

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

JAAS Authentication Handler

Briefly, JAAS is a standard API provided by Java 1.4 and higher which provides PAM-like authentication and authorization. An external file is used to configure JAAS. Using JAAS with CAS allows modification of the authentication process without having to rebuild and redeploy CAS, and allows for PAM-style multi-module "stacked" authentication.

...

Like other handlers, the JAAS Authentication Handler is simply configured in the deployerConfigContext.xml. Within the AuthenticationManager's "authenticationHandlers" property, place the following configuration (replacing the example Test handler):

Code Block
xml
xml

<bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />

...

The path to the JAAS Configuration file is specified for this JVM as a system property, i.e. -Djava.security.auth.krb5login.conf=/etc/krb5config=jaas.conf , or a default can be specified for an entire Java Runtime Environment by changing the {jre-home}/lib/security/java.security properties file to add a "Default login configuration file" under the property "login.config.url.1=file:..." (find the comment example in the current file).

Code Block

/**
* Login Configuration for JAAS. First try Kerberos, then LDAP, then AD
* Note that a valid krb5.conf must be supplied to the JVM for Kerberos auth
* -Djava.security.krb5.conf=/etc/krb5.conf
*/
CAS {
com.ibm.security.auth.module.Krb5LoginModule sufficient
debug=FALSE;
edu.uconn.netid.jaas.LDAPLoginModule sufficient
java.naming.provider.url="ldap://ldap.my.org:389/dc=my,dc=org"
java.naming.security.principal="uid=cas,dc=my,dc=org"
java.naming.security.credentials="password"
Attribute="uid"
startTLS="true";
edu.uconn.netid.jaas.LDAPLoginModule sufficient
java.naming.provider.url="ldaps://ad.my.org:636/dc=ad,dc=my,dc=org"
java.naming.security.principal="cas@ad.my.org"
java.naming.security.credentials="password"
Attribute="sAMAccountName";
};

If you enable the Krb5LoginModule and authenticate the userid and password against a Kerberos KDC, then Java must be told the name of the Kerberos Realm and the network name of the KDC. Again, this can be done with system properties (java.security.krb5.realm and java.security.krb5.kdc) or by copying a Unix krb5.conf file into the {jre-home}/lib/security directory. Note that SPEGNO SPNEGO also uses Kerberos and sets the same system properties. So if you are planning to use both JAAS and SPEGNO SPNEGO with Kerberos, read about SPEGNO configuration SPNEGO configuration when planning JAAS.

NOTE

If using jre 1.6, you will need to use "com.sun.security.auth.module.Krb5LoginModule sufficient" for Kerberos V5 to work correctly.