New CAS documentation site
CAS documentation has moved over to jasig.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.
Trusted Authentication Handler
Including the Handler
In the pom.xml file for your CAS Maven2 WAR Overlay, add the following dependency:
<dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-support-trusted</artifactId> <version>${cas.version}</version> </dependency>
Set Up CAS
Set up the login webflow
The CAS 3 Login Webflow needs to be modified. This webflow is located in /WEB-INF/login-webflow.xml. There is one new action state to place before the state viewLoginForm.
<action-state id="remoteAuthenticate"> <action bean="principalFromRemoteAction" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="viewLoginForm" /> </action-state>
In 3.4.2 and later, change <action bean="principalFromRemoteAction" /> to <evaluate expression="principalFromRemoteAction" />.
And 3 existing transitions need to be update:
- In the decision-state gatewayRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
- In the decision-state renewRequestCheck, replace reference to viewLoginForm by remoteAuthenticate
- In the action-state generateServiceTicket, replace reference to viewLoginForm by remoteAuthenticate
In 3.4.12 (before?) ignore the above 3 transition declarations. Update the "generateLoginTicket" action-state to have the following transition.
<transition on="generated" to="remoteAuthenticate" />
/WEB-INF/cas-servlet.xml
Add the bean needed for the login flow :
<bean id="principalFromRemoteAction" class="org.jasig.cas.adaptors.trusted.web.flow.PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction" p:centralAuthenticationService-ref="centralAuthenticationService" />
/WEB-INF/deployerConfigContext.xml
In the bean authenticationManager, add:
- org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver as credentialsToPrincipalResolvers
org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler as authenticationHandlers
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="credentialsToPrincipalResolvers"> <list> <!-- ... the others credentialsToPrincipalResolvers ... --> <bean class="org.jasig.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredentialsToPrincipalResolver" /> </list> </property> <property name="authenticationHandlers"> <list> <bean class="org.jasig.cas.adaptors.trusted.authentication.handler.support.PrincipalBearingCredentialsAuthenticationHandler" /> <!-- ... the others authenticationHandlers... --> </list> </property> </bean>
Build the cas-webapp
Inside the ${project.home}/cas-server-webapp/ folder, run the command :
mvn package
You may now deploy the new webapp.
Tomcat & Apache integration issue
If you are using, a frontal Apache with mod_jk and Apache is handling the REMOTE_USER, you have to check the AJP connector in your Tomcat server.xml file. You should add the parameter tomcatAuthentication to false
Connector port="8009" enableLookups="false" redirectPort="8443" debug="0" protocol="AJP/1.3" tomcatAuthentication="false" />