This document explains how to integrate CAS and WebSphere to enable transparent Single Sign On using the Trust Association Interceptor interface.
Compatible with WebSphere version 5.0.2 and above, JDK 1.3 and above
As mentioned above, this implementation of a CAS client is based on the Trust Association Interceptor (TAI) interface.
This interface has been designed specifically to plug third-party security mechanisms into WebSphere.
It intercepts unauthenticated requests to protected resources and tries to validate the request against a third party.
If validation succeeds, it lets the WebSphere application server create a Subject using the information retrieved from the third party.
Figure: Authentication customization points (image not included)
See: IBM WebSphere Developer Technical Journal: Advanced authentication in WebSphere Application Server
In the following, <WPSInstallDirectory> is assumed to be your WebSphere install path.
Library directory (where the CAS client jar is placed): <WPSInstallDirectory>/AppServer/lib/ext
WebSphere admin console: Security > Authentication Mechanisms > LTPA > Trust Associations > Interceptors > New
Interceptor Classname:
  - For WAS version 5.1.1 and above, use com.octo.cas.client.websphere.CasTAI511
  - For WAS version above 5.0.2 and under 5.1.1, use com.octo.cas.client.websphere.CasTAI502
Custom Properties (CAS_VALIDATION_URL is required; the others have the defaults noted):
  CAS_VALIDATION_URL = your CAS server validation URL, ex: 'https://myCasServer/cas/serviceValidate'
  PRINCIPAL_PREFIX = prefix added to the principal, in order to allow mapping to groups, ex: 'uid='; default is ""
  PRINCIPAL_SUFFIX = suffix added to the principal, in order to allow mapping to groups, ex: ',OU=myOu, O=myCompany'; default is ""
  CAS_CALLBACK_PROXY_URL = the address that your CAS server will call to send a Proxy Granting Ticket, ex: 'https://myWebsphereServer:port'; required only if STORE_PROXY_TICKET='true'; default is ""
  CAS_CALLBACK_PROXY_SERVLET = the servlet that your CAS server will call to send a Proxy Granting Ticket, ex: '/CasProxyServlet'; required only if STORE_PROXY_TICKET='true'; default is "/CasProxyServlet"
  DEBUG = enable debug output to stdout, 'true' or 'false'; default is false
  STORE_PROXY_TICKET = 'true' to enable WAS to act as a proxy for CAS credentials; default is false
  CAS_REALM_NAME = the realm of this TAI; default is "CAS_REALM"
Log file to check: <WPSInstallDirectory>/AppServer/logs/server1/SystemOut.log
Startup log (the TAI is loaded and its configuration is echoed):
************* End Display Current Environment *************
[9/26/05 11:28:50:969 CEST] 70a6da14 ManagerAdmin I TRAS0017I: The startup trace state is SystemOut=all=enabled.
[9/26/05 11:28:53:906 CEST] 70a6da14 AdminInitiali A ADMN0015I: AdminService initialized
[9/26/05 11:28:56:969 CEST] 70a6da14 Configuration A SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.security.auth.login.Configuration.
[9/26/05 11:28:57:156 CEST] 70a6da14 Parser E SECJ4046E: Duplicate login config name system.WEB_INBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser E SECJ4046E: Duplicate login config name system.RMI_OUTBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser E SECJ4046E: Duplicate login config name system.RMI_INBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser E SECJ4046E: Duplicate login config name system.DEFAULT. Will over write.
[9/26/05 11:28:57:203 CEST] 70a6da14 SecurityDM I SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM registered successfully: true.
[9/26/05 11:28:57:656 CEST] 70a6da14 SecurityCompo I SECJ0309I: Java 2 Security is disabled.
[9/26/05 11:28:57:672 CEST] 70a6da14 SecurityCompo I SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
[9/26/05 11:28:57:688 CEST] 70a6da14 TrustAssociat A SECJ0121I: Trust Association Init class com.octo.cas.client.websphere.CasTAI511 loaded successfully
[9/26/05 11:28:57:703 CEST] 70a6da14 SystemOut O CasTAIHelper configuration : CAS_REALM_NAME='CAS_REALM' CAS_VALIDATION_URL='https://myCasServer/cas/serviceValidate' STORE_PROXY_TICKET='true' CAS_CALLBACK_PROXY_URL='https://myWebsphereServer:9444' CAS_CALLBACK_PROXY_SERVLET='/CasProxyServlet' PRINCIPAL_PREFIX='uid=' PRINCIPAL_SUFFIX=',OU=myOu, O=myCompany' DEBUG='true'
[9/26/05 11:28:57:703 CEST] 70a6da14 TrustAssociat A SECJ0122I: Trust Association Init Interceptor signature: 1.0.0
[9/26/05 11:28:57:719 CEST] 70a6da14 SecurityCompo I SECJ0240I: Security service initialization completed successfully
[9/26/05 11:28:59:375 CEST] 70a6da14 SchedulerServ I SCHD0036I: The Scheduler Service is initializing.
[9/26/05 11:28:59:406 CEST] 70a6da14 SchedulerServ I SCHD0037I: The Scheduler Service has been initialized.
Request log with DEBUG='true' (a service ticket is found on the request and validated against the CAS server):
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O has ticket? =true
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O request url=[https://myWebsphereServer:9444/myApp/secured.jsp]
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O try to get ticket
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O ticket not null : ST-1060-EjPuGnlzP3oXax7TsdKg
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O new ticket validator
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O serviceUrl generated: https%3A//myWebsphereServer%3A9444/myApp/secured.jsp
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O set validation url : [https://myCasServer/cas/serviceValidate]
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O set service : https%3A//myWebsphereServer%3A9444/myApp/secured.jsp
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O set ticket : ST-1060-EjPuGnlzP3oXax7TsdKg
[20/10/06 11:56:34:690 CEST] 5dfe484b SystemOut O validation done
[20/10/06 11:56:34:690 CEST] 5dfe484b SystemOut O got xml response : <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>MyCasUserId</cas:user> </cas:authenticationSuccess> </cas:serviceResponse>
Proxy Ticket Receptor Servlet (only required if you need Proxy Tickets, i.e. you specify STORE_PROXY_TICKET='true')
Add the following code to your web.xml:
    <context-param>
        <param-name>edu.yale.its.tp.cas.proxyUrl</param-name>
        <param-value>https://myWebsphereServer/cas/proxy</param-value>
    </context-param>
    <!-- CAS proxy ticket receptor servlet -->
    <servlet>
        <servlet-name>CasProxyServlet</servlet-name>
        <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
        <load-on-startup>0</load-on-startup>
    </servlet>
    <!-- CAS proxy ticket receptor mapping -->
    <servlet-mapping>
        <servlet-name>CasProxyServlet</servlet-name>
        <url-pattern>/CasProxyServlet</url-pattern>
    </servlet-mapping>
Because the TAI (and its CAS_CALLBACK_PROXY_SERVLET property) is configured at the application server level, every application running in this application server must declare the Proxy Ticket Receptor Servlet if you use proxy tickets.
Troubleshooting: if you get an "invalid service" exception, it is almost certainly due to your login redirection: make sure the target redirection URL that you pass as the service parameter is URL-encoded.
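The validation flow visible in the debug log above, and the URL-encoding point of the troubleshooting note, modelled in Python as an added example (this is not the CasTAI Java code). It assumes the TAI builds pgtUrl from CAS_CALLBACK_PROXY_URL + CAS_CALLBACK_PROXY_SERVLET, and uses a constructed configuration and constructed CAS responses:

```python
from urllib.parse import quote
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of cas:serviceResponse

# Constructed configuration mirroring the TAI custom properties listed above.
CONFIG = {
    "CAS_VALIDATION_URL": "https://myCasServer/cas/serviceValidate",
    "PRINCIPAL_PREFIX": "uid=",
    "PRINCIPAL_SUFFIX": ",OU=myOu, O=myCompany",
    "STORE_PROXY_TICKET": "true",
    "CAS_CALLBACK_PROXY_URL": "https://myWebsphereServer:9444",
    "CAS_CALLBACK_PROXY_SERVLET": "/CasProxyServlet",
}

# Constructed responses: success copies the log above; failure models an 'invalid service' answer.
SUCCESS_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
               "<cas:user>MyCasUserId</cas:user></cas:authenticationSuccess></cas:serviceResponse>")
FAILURE_XML = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationFailure "
               "code='INVALID_SERVICE'>service mismatch</cas:authenticationFailure></cas:serviceResponse>")

class CasValidationError(Exception):
    """CAS answered with cas:authenticationFailure; args[0] is the failure code."""

def encode_service(request_url):
    # The service parameter must be URL-encoded: ':' becomes %3A, '/' stays (as in the log).
    return quote(request_url, safe="/")

def build_validation_url(request_url, ticket, config=CONFIG):
    """serviceValidate request. Assumption: pgtUrl = CAS_CALLBACK_PROXY_URL +
    CAS_CALLBACK_PROXY_SERVLET, sent only when STORE_PROXY_TICKET is 'true'."""
    url = "%s?service=%s&ticket=%s" % (
        config["CAS_VALIDATION_URL"], encode_service(request_url), quote(ticket, safe=""))
    if config.get("STORE_PROXY_TICKET") == "true":
        pgt_url = config["CAS_CALLBACK_PROXY_URL"] + config["CAS_CALLBACK_PROXY_SERVLET"]
        url += "&pgtUrl=" + quote(pgt_url, safe="")
    return url

def parse_service_response(xml_text):
    """Return (user, pgt_iou) on success, else raise CasValidationError(code)."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        return success.findtext(CAS_NS + "user"), success.findtext(CAS_NS + "proxyGrantingTicket")
    failure = root.find(CAS_NS + "authenticationFailure")
    raise CasValidationError(failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN")

def map_principal(cas_user, config=CONFIG):
    # Prefix and suffix turn the bare CAS user id into a DN WebSphere can map to groups.
    return config["PRINCIPAL_PREFIX"] + cas_user + config["PRINCIPAL_SUFFIX"]
```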