CAS token manager (addon)
This documentation shows how to install esup-cas-tokenmanager (view Github repo)
Cas addon Ticket Manager
Project introduction
CAS Addon Ticket Manager integrates into the CAS server. It exposes some of the TicketRegistry's data through a web service, so that an external webapp can manage user tickets. The addon also adds authentication metadata built on top of CAS credentials.
Requirements
Some requirements are optional
CAS 4.0.0+
LDAP Authentication
Long term session (optional)
Authentication through REST API (optional)
Install
CAS : pom.xml
pom.xml
<modules>
    ...
    <module>cas-addon-ticket-management</module>
    ...
</modules>
cas-server-webapp : pom.xml
pom.xml
<dependency>
    <groupId>org.esupportail.cas.addon</groupId>
    <artifactId>cas-addon-ticket-management</artifactId>
    <version>${cas-addon-ticket-management.version}</version>
</dependency>
cas-server-webapp : web.xml
Please update cors.allowOrigin so that non-authorized apps cannot access the token-service REST API.
web.xml
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/rest/*</url-pattern>
</filter-mapping>
...
<servlet>
    <servlet-name>token-service</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>token-service</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <!-- init-param elements are children of <filter>, not of <filter-mapping> -->
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <!-- Replace * with the origin(s) allowed to call the token-service REST API -->
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, DELETE</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <servlet-name>token-service</servlet-name>
</filter-mapping>
cas-server-webapp: securityContext.xml
securityContext.xml
<sec:http auto-config="true" entry-point-ref="notAuthorizedEntryPoint" pattern="/rest/**" use-expressions="true">
    <sec:intercept-url access="hasIpAddress('${cas.securityContext.status.allowedSubnet}')" pattern="/rest/**"/>
</sec:http>
cas-server-webapp : token-service-servlet.xml
This file does not exist yet and holds all the configuration for the addon. Create cas/cas-server-webapp/src/main/webapp/WEB-INF/token-service-servlet.xml with the following content:
token-service-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
    <context:annotation-config />
    <context:component-scan base-package="org.esupportail.cas.addon.service"/>
    <mvc:annotation-driven/>
    <bean class="org.esupportail.cas.addon.utils.TicketRegistryUtils"/>
</beans>
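A check for the CORS part of the web.xml step above, as an added example that is not part of esup-cas-tokenmanager: it flags a wildcard or unlisted cors.allowOrigin, and init-param elements placed under filter-mapping, where the deployment descriptor does not define them. The helper names, the sample descriptor and the origin https://tickets.example.org are constructed; the check assumes cors.allowOrigin holds a whitespace-separated list of origins.

```python
import xml.etree.ElementTree as ET

CORS_CLASS = "com.thetransactioncompany.cors.CORSFilter"

# Added example: helper names and this sample are constructed for illustration.
# Here the init-param sits under <filter-mapping> and the origin is '*'.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CORS</filter-name>
    <servlet-name>token-service</servlet-name>
    <init-param>
      <param-name>cors.allowOrigin</param-name>
      <param-value>*</param-value>
    </init-param>
  </filter-mapping>
</web-app>"""

def local(tag):
    """Strip the XML namespace that web.xml descriptors usually declare."""
    return tag.rsplit("}", 1)[-1]

def text_of(elem, name):
    """Text of the first direct child called `name`, or None."""
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), None)

def audit_cors(web_xml, trusted_origins):
    """Return findings about the CORS filter protecting the token-service servlet."""
    root = ET.fromstring(web_xml)
    findings = []
    for elem in root:
        kind = local(elem.tag)
        has_params = any(local(c.tag) == "init-param" for c in elem)
        if kind == "filter-mapping" and has_params:
            findings.append("init-param under filter-mapping: move it into <filter>")
        if kind != "filter" or text_of(elem, "filter-class") != CORS_CLASS:
            continue
        params = {text_of(p, "param-name"): text_of(p, "param-value")
                  for p in elem if local(p.tag) == "init-param"}
        origins = (params.get("cors.allowOrigin") or "").split()
        if not origins:
            findings.append("cors.allowOrigin not set on the CORS filter")
        for origin in origins:
            if origin == "*" or origin not in trusted_origins:
                findings.append("origin not on the allow-list: " + origin)
    return findings
```

Pass the deployed WEB-INF/web.xml content as web_xml and the origin that serves the ticket management webapp as trusted_origins; an empty list means the CORS declaration matches the allow-list.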
Config for optional features
cas-server-webapp : login-webflow.xml
login-webflow.xml
<!-- var[name=credential] tag already exists and you just need to update the class attribute -->
<var name="credential" class="org.esupportail.cas.addon.authentication.ExtrasInfosRememberMeUsernamePasswordCredential" />
...
<view-state id="viewLoginForm" view="casLoginView" model="credential">
    <binder>
        ...
        <binding property="userAgent" />
        <binding property="ipAddress" />
    </binder>
    ...
</view-state>
cas-server-webapp: deployerConfigContext.xml
deployerConfigContext.xml
<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    ...
    <property name="authenticationMetaDataPopulators">
        <util:list>
            ...
            <bean class="org.esupportail.cas.addon.authentication.principal.ExtrasInfosAuthenticationMetaDataPopulator" />
        </util:list>
    </property>
    ...
</bean>
cas-server-webapp: casLoginView.jsp
casLoginView.jsp
<input type="hidden" name="ipAddress" value="${pageContext.request.remoteAddr}"/>
<input type="hidden" name="userAgent" value="${header['user-agent']}" />
Support new Credentials in CAS REST API
If you want authentication metadata to be available through the CAS REST API, update the obtainCredentials method in the following file: src/main/java/org/jasig/cas/integration/restlet/TicketResource.java.
TicketResource.java
final ExtrasInfosRememberMeUsernamePasswordCredential c = new ExtrasInfosRememberMeUsernamePasswordCredential();
Ticket management webapp
Configuration
Open config.properties and update it with your own settings:
ldap.authn.baseDn : root LDAP branch
ldap.baseSearch : LDAP branch where users are stored
ldap.group.base : LDAP branch where groups are stored
ldap.group.attributeName : LDAP attribute containing group name
security.adminRole : adminRole must correspond to an LDAP group.
For example, take a group named admin. Users that belong to this group will be given the security role ROLE_ADMIN (case sensitive).
Build
Simply run
$ mvn clean package install
Deploy
Copy target/cas-ticket-management.war into your Tomcat's webapp folder.
Integration as a portlet in uPortal
This servlet can easily be integrated into uPortal in an iframe.
The user interface is built on top of Twitter Bootstrap 3.1 and is therefore responsive.
This servlet integrates a JavaScript snippet made by @Pascal Rigaux to resize an iframe depending on its content. If you want this feature to work you will need to include a JavaScript snippet in the portal too (view Github repo : https://github.com/EsupPortail/iframe-autoheight-using-postMessage).