Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

JAAS Authentication Handler

Briefly, JAAS is a standard API provided by Java 1.4 and higher which provides PAM-like authentication and authorization. An external file is used to configure JAAS. Using JAAS with CAS allows modification of the authentication process without having to rebuild and redeploy CAS, and allows for PAM-style multi-module "stacked" authentication.

Core Classes

JaasAuthenticationHandler

The JaasAuthenticationHandler is a hook into the Java Authentication and Authorization Service and delegates all authentication to the underlying runtime and its configured JAAS file. Therefore it only has one property:

  • realm - the realm within the JAAS configuration file we are going to use. Defaults to CAS.

Configuration

Like other handlers, the JAAS Authentication Handler is simply configured in the deployerConfigContext.xml. Within the AuthenticationManager's "authenticationHandlers" property, place the following configuration (replacing the example Test handler):

<bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" />

Example jaas.conf File

Below, you'll find an example jaas.conf file which would contain your JAAS configuration information.

A JAAS Configuration file is configured as a system property, i.e. -Djava.security.krb5.conf=/etc/krb5.conf

/** 
 * Login Configuration for JAAS.   First try Kerberos, then LDAP, then AD
 * Note that a valid krb5.conf must be supplied to the JVM for Kerberos auth
 *   -Djava.security.krb5.conf=/etc/krb5.conf
 */
CAS {
  com.ibm.security.auth.module.Krb5LoginModule sufficient
	debug=FALSE;
  edu.uconn.netid.jaas.LDAPLoginModule sufficient
	java.naming.provider.url="ldap://ldap.my.org:389/dc=my,dc=org"
	java.naming.security.principal="uid=cas,dc=my,dc=org"
	java.naming.security.credentials="password"
	Attribute="uid"
	startTLS="true";
  edu.uconn.netid.jaas.LDAPLoginModule sufficient
	java.naming.provider.url="ldaps://ad.my.org:636/dc=ad,dc=my,dc=org"
	java.naming.security.principal="cas@ad.my.org"
	java.naming.security.credentials="password"
	Attribute="sAMAccountName";
};
  • No labels