CAS token manager (addon)
This documentation shows how to install esup-cas-tokenmanager (view Github repo)
Cas addon Ticket Manager
Project introduction
CAS Addon Ticket Manager aims to integrate into the CAS server. It exposes some of the TicketRegistry's data through a web service, so that an external webapp can manage user tickets. The addon also records authentication metadata built on top of the CAS credentials.
Requirements
Some requirements are optional.
- CAS 4.0.0+
- LDAP authentication
- Long-term session (optional)
- Authentication through the REST API (optional)
Install
CAS: pom.xml

```xml
<modules>
    ...
    <module>cas-addon-ticket-management</module>
    ...
</modules>
```
cas-server-webapp: pom.xml

```xml
<dependency>
    <groupId>org.esupportail.cas.addon</groupId>
    <artifactId>cas-addon-ticket-management</artifactId>
    <version>${cas-addon-ticket-management.version}</version>
</dependency>
```
cas-server-webapp: web.xml

Please replace the wildcard cors.allowOrigin value below with the origin(s) of the webapp that is allowed to call the token-service REST API, so that unauthorized apps cannot access it.
```xml
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/rest/*</url-pattern>
</filter-mapping>
...
<servlet>
    <servlet-name>token-service</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>token-service</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <!-- filter init-params belong to the <filter> definition, not to the <filter-mapping> -->
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, DELETE</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <servlet-name>token-service</servlet-name>
</filter-mapping>
```
cas-server-webapp: securityContext.xml
```xml
<sec:http auto-config="true" entry-point-ref="notAuthorizedEntryPoint"
          pattern="/rest/**" use-expressions="true">
    <sec:intercept-url access="hasIpAddress('${cas.securityContext.status.allowedSubnet}')"
                       pattern="/rest/**"/>
</sec:http>
```
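The CORS origin list in web.xml and the hasIpAddress() rule in securityContext.xml are the two settings that stand between the token-service REST API and arbitrary callers. The following audit script is an added example, not code from esup-cas-tokenmanager: it parses constructed copies of both files and reports a wildcard cors.allowOrigin, a missing hasIpAddress() guard on /rest/**, an unresolved ${...} property placeholder, or a subnet that admits every address. It assumes the CORS filter is registered under the name CORS, as above.

```python
# Added example, not part of esup-cas-tokenmanager: audit the two settings that gate the
# token-service REST API (cors.allowOrigin in web.xml, hasIpAddress() on /rest/** in
# securityContext.xml). The file contents below are constructed samples.
import ipaddress
import re
import xml.etree.ElementTree as ET

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter><filter-name>CORS</filter-name>
 <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
 <init-param><param-name>cors.allowOrigin</param-name><param-value>{origins}</param-value></init-param>
</filter></web-app>"""
SECURITY_XML = """<beans xmlns:sec="http://www.springframework.org/schema/security">
<sec:http pattern="/rest/**" use-expressions="true">
 <sec:intercept-url pattern="/rest/**" access="hasIpAddress('{subnet}')"/>
</sec:http></beans>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace that web.xml declares

def _texts(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}  # child tag -> text

def cors_allow_origins(web_xml, filter_name="CORS"):
    """Whitespace-separated cors.allowOrigin list of the named <filter>; ['*'] when absent (CORSFilter's default)."""
    for f in ET.fromstring(web_xml).iter():
        if _local(f.tag) == "filter" and _texts(f).get("filter-name") == filter_name:
            for p in f:
                params = _texts(p)
                if _local(p.tag) == "init-param" and params.get("param-name") == "cors.allowOrigin":
                    return params.get("param-value", "").split()
    return ["*"]

def rest_allowed_subnets(security_xml):
    """Argument of every hasIpAddress() on an intercept-url whose pattern covers /rest/."""
    return [s for el in ET.fromstring(security_xml).iter()
            if _local(el.tag) == "intercept-url" and el.get("pattern", "").startswith("/rest/")
            for s in re.findall(r"hasIpAddress\('([^']*)'\)", el.get("access", ""))]

def audit(web_xml, security_xml):
    """Findings for both gates; an empty list means the REST API is restricted by origin and subnet."""
    findings = []
    if "*" in cors_allow_origins(web_xml):
        findings.append("web.xml: cors.allowOrigin lets any origin call the token service")
    subnets = rest_allowed_subnets(security_xml)
    if not subnets:
        findings.append("securityContext.xml: /rest/** is not guarded by hasIpAddress()")
    for s in subnets:
        try:
            if ipaddress.ip_network(s, strict=False).prefixlen == 0:
                findings.append(f"securityContext.xml: {s} admits every source address")
        except ValueError:  # also catches an unresolved ${...} property placeholder
            findings.append(f"securityContext.xml: {s!r} is not a valid subnet")
    return findings
```

Run it against the real WEB-INF/web.xml and securityContext.xml after property substitution; a deployment whose securityContext.xml still carries the literal placeholder is reported as an invalid subnet.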
cas-server-webapp: token-service-servlet.xml

This file does not exist yet; it holds all of the addon's configuration. Copy the following content into a new file: cas/cas-server-webapp/src/main/webapp/WEB-INF/token-service-servlet.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/mvc
                           http://www.springframework.org/schema/mvc/spring-mvc.xsd">
    <context:annotation-config />
    <context:component-scan base-package="org.esupportail.cas.addon.service"/>
    <mvc:annotation-driven/>
    <bean class="org.esupportail.cas.addon.utils.TicketRegistryUtils"/>
</beans>
```
Config for optional features

cas-server-webapp: login-webflow.xml

```xml
<!-- the var[name=credential] tag already exists; you only need to update its class attribute -->
<var name="credential"
     class="org.esupportail.cas.addon.authentication.ExtrasInfosRememberMeUsernamePasswordCredential" />
...
<view-state id="viewLoginForm" view="casLoginView" model="credential">
    <binder>
        ...
        <binding property="userAgent" />
        <binding property="ipAddress" />
    </binder>
    ...
</view-state>
```
cas-server-webapp: deployerConfigContext.xml
```xml
<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    ...
    <property name="authenticationMetaDataPopulators">
        <util:list>
            ...
            <bean class="org.esupportail.cas.addon.authentication.principal.ExtrasInfosAuthenticationMetaDataPopulator" />
        </util:list>
    </property>
    ...
</bean>
```
cas-server-webapp: casLoginView.jsp
```jsp
<input type="hidden" name="ipAddress" value="${pageContext.request.remoteAddr}"/>
<input type="hidden" name="userAgent" value="${header['user-agent']}" />
```

Both values are submitted by the browser as ordinary form fields, so the stored metadata reflects what the client posted; treat it as informational rather than as a trusted record of the client's address.
Support new Credentials in CAS REST API
If you want to access the authentication metadata through the CAS REST API, update the obtainCredentials method in src/main/java/org/jasig/cas/integration/restlet/TicketResource.java so that it instantiates the addon's credential class:

```java
final ExtrasInfosRememberMeUsernamePasswordCredential c = new ExtrasInfosRememberMeUsernamePasswordCredential();
```
Ticket management webapp
Configuration
Open config.properties and update it with your own values:

- ldap.authn.baseDn: root LDAP branch
- ldap.baseSearch: LDAP branch where users are stored
- ldap.group.base: LDAP branch where groups are stored
- ldap.group.attributeName: LDAP attribute containing the group name
- security.adminRole: must correspond to an LDAP group

For example, with a group named admin, users who belong to this group are given the security role ROLE_ADMIN (case sensitive).
Build
Simply run:

```shell
mvn clean package install
```
Deploy
Copy target/cas-ticket-management.war into your Tomcat's webapp folder.
Integration as a portlet in uPortal
This servlet can easily be integrated into uPortal inside an iframe.
The user interface is built on top of Twitter Bootstrap 3.1 and is therefore responsive.
This servlet includes a JavaScript snippet written by Pascal Rigaux that resizes an iframe to fit its content. For this feature to work, you also need to include the corresponding JavaScript snippet in the portal (view the Github repo: https://github.com/EsupPortail/iframe-autoheight-using-postMessage).