CASifying IBM WebSphere (WAS), WebSphere Portal Server (WPS) or WebSphere Content Management (WCM) using the Trust Association Interceptor API (TAI)

Introduction

This document explains how to integrate CAS and WebSphere to enable transparent Single Sign On using the Trust Association Interceptor interface.
Compatible with WebSphere version 5.0.2 and above, JDK 1.3 and above.

As mentioned above, this implementation of a CAS client is based on the Trust Association Interceptor (TAI) interface.

This interface has been designed specifically to plug third-party security mechanisms into WebSphere.

It handles unauthenticated requests to protected resources and tries to validate each request against the third party.

If validation succeeds, it allows the WebSphere application server to create a Subject using the information retrieved from the third party.

Figure: Authentication customization points

See: IBM WebSphere Developer Technical Journal: Advanced authentication in WebSphere Application Server

Installing the package

In the following, <WPSInstallDirectory> is assumed to be your WebSphere install path.

Installing components

Deploying and configuring TAI

  • Open the WebSphere admin console
  • Navigate to Security > Authentication Mechanisms > LTPA > Trust Associations > Interceptors
  • Delete unused interceptors
  • Click on New
  • Interceptor Classname:
    • for WAS version 5.1.1 and above, use com.octo.cas.client.websphere.CasTAI511
    • for WAS versions above 5.0.2 and under 5.1.1, use com.octo.cas.client.websphere.CasTAI502
  • Add Custom Properties:
    • required properties:
      • CAS_VALIDATION_URL = your CAS server's validation URL, e.g. 'https://myCasServer/cas/serviceValidate'
      • PRINCIPAL_PREFIX = prefix added to the principal, to allow group mapping, e.g. 'uid='; default is ""
      • PRINCIPAL_SUFFIX = suffix added to the principal, to allow group mapping, e.g. ',OU=myOu, O=myCompany'; default is ""
      • CAS_CALLBACK_PROXY_URL = the address your CAS server will call to send a Proxy Granting Ticket, e.g. 'https://myWebsphereServer:port'; required only if STORE_PROXY_TICKET='true'; default is ""
      • CAS_CALLBACK_PROXY_SERVLET = the servlet your CAS server will call to send a Proxy Granting Ticket, e.g. '/CasProxyServlet'; required only if STORE_PROXY_TICKET='true'; default is "/CasProxyServlet"
    • optional properties:
      • DEBUG = 'true' or 'false' to enable debug output to stdout; default is false
      • STORE_PROXY_TICKET = 'true' to enable WAS to act as a proxy for CAS credentials; default is false
      • CAS_REALM_NAME = the realm of this TAI; default is "CAS_REALM"
  • Navigate to Security > Authentication Mechanisms > LTPA > Trust Associations
  • Enable "Trust Associations" in the console
  • Navigate to Security > Authentication Mechanisms > LTPA > SSO
  • Enable SSO, with your domain name
  • Save the configuration and restart the WebSphere server

Validate the installation

  • You should see something like this in <WPSInstallDirectory>/AppServer/logs/server1/SystemOut.log:
************* End Display Current Environment *************
[9/26/05 11:28:50:969 CEST] 70a6da14 ManagerAdmin  I TRAS0017I: The startup trace state is SystemOut=all=enabled.
[9/26/05 11:28:53:906 CEST] 70a6da14 AdminInitiali A ADMN0015I: AdminService initialized
[9/26/05 11:28:56:969 CEST] 70a6da14 Configuration A SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.security.auth.login.Configuration.
[9/26/05 11:28:57:156 CEST] 70a6da14 Parser        E SECJ4046E: Duplicate login config name system.WEB_INBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser        E SECJ4046E: Duplicate login config name system.RMI_OUTBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser        E SECJ4046E: Duplicate login config name system.RMI_INBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser        E SECJ4046E: Duplicate login config name system.DEFAULT. Will over write.
[9/26/05 11:28:57:203 CEST] 70a6da14 SecurityDM    I SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM registered successfully: true.
[9/26/05 11:28:57:656 CEST] 70a6da14 SecurityCompo I SECJ0309I: Java 2 Security is disabled.
[9/26/05 11:28:57:672 CEST] 70a6da14 SecurityCompo I SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
[9/26/05 11:28:57:688 CEST] 70a6da14 TrustAssociat A SECJ0121I: Trust Association Init class com.octo.cas.client.websphere.CasTAI511 loaded successfully
[9/26/05 11:28:57:703 CEST] 70a6da14 SystemOut     O

 CasTAIHelper configuration :
CAS_REALM_NAME='CAS_REALM'
CAS_VALIDATION_URL='https://myCasServer/cas/serviceValidate'
STORE_PROXY_TICKET='true'
CAS_CALLBACK_PROXY_URL='https://myWebsphereServer:9444'
CAS_CALLBACK_PROXY_SERVLET='/CasProxyServlet'
PRINCIPAL_PREFIX='uid='
PRINCIPAL_SUFFIX=',OU=myOu, O=myCompany'
DEBUG='true'

[9/26/05 11:28:57:703 CEST] 70a6da14 TrustAssociat A SECJ0122I: Trust Association Init Interceptor signature: 1.0.0
[9/26/05 11:28:57:719 CEST] 70a6da14 SecurityCompo I SECJ0240I: Security service initialization completed successfully
[9/26/05 11:28:59:375 CEST] 70a6da14 SchedulerServ I SCHD0036I: The Scheduler Service is initializing.
[9/26/05 11:28:59:406 CEST] 70a6da14 SchedulerServ I SCHD0037I: The Scheduler Service has been initialized.
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O has ticket? =true
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O request url=[https://myWebsphereServer:9444/myApp/secured.jsp]
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O  try to get ticket
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O ticket not null : ST-1060-EjPuGnlzP3oXax7TsdKg
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O new ticket validator
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O serviceUrl generated: https%3A//myWebsphereServer%3A9444/myApp/secured.jsp
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O set validation url : [https://myCasServer/cas/serviceValidate]
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O set service : https%3A//myWebsphereServer%3A9444/myApp/secured.jsp
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut     O set ticket : ST-1060-EjPuGnlzP3oXax7TsdKg
[20/10/06 11:56:34:690 CEST] 5dfe484b SystemOut     O validation done
[20/10/06 11:56:34:690 CEST] 5dfe484b SystemOut     O got xml response :
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess>
 <cas:user>MyCasUserId</cas:user>
 </cas:authenticationSuccess>
</cas:serviceResponse>
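The validation steps traced in the log above (extract the ticket, build the URL-encoded service value, call serviceValidate, map the returned user through PRINCIPAL_PREFIX/PRINCIPAL_SUFFIX), as an added example in Python that is not part of this page or of the com.octo TAI code. TAI_PROPS, the request URL and the failure response are constructed; the success response is the one shown in the log.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

CAS_NS = "{http://www.yale.edu/tp/cas}"

# Constructed stand-in for the TAI custom properties set in the admin console.
TAI_PROPS = {
    "CAS_VALIDATION_URL": "https://myCasServer/cas/serviceValidate",
    "PRINCIPAL_PREFIX": "uid=",
    "PRINCIPAL_SUFFIX": ",OU=myOu, O=myCompany",
}

def split_ticket(request_url):
    """Return (request URL without its ticket parameter, ticket or None):
    the 'has ticket?' / 'try to get ticket' steps of the log."""
    parts = urlsplit(request_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    ticket = next((v for k, v in params if k == "ticket"), None)
    rest = urlencode([(k, v) for k, v in params if k != "ticket"])
    return urlunsplit(parts._replace(query=rest)), ticket

def validation_request(props, request_url):
    """Build the GET sent to CAS_VALIDATION_URL. The service value is the
    URL-encoded request URL, as in 'serviceUrl generated: https%3A//...';
    an unencoded service is what triggers the invalid service error."""
    service, ticket = split_ticket(request_url)
    if ticket is None:
        return None  # nothing to validate; the TAI would redirect to CAS login
    return f"{props['CAS_VALIDATION_URL']}?service={quote(service, safe='/')}&ticket={ticket}"

def principal_from_response(props, xml_text):
    """Parse the cas:serviceResponse. On authenticationSuccess return the user
    wrapped in PRINCIPAL_PREFIX/PRINCIPAL_SUFFIX, i.e. the name WebSphere maps
    to its user registry; on authenticationFailure (or odd XML) return None."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{CAS_NS}authenticationSuccess/{CAS_NS}user")
    if user is None or not (user.text or "").strip():
        return None
    return props["PRINCIPAL_PREFIX"] + user.text.strip() + props["PRINCIPAL_SUFFIX"]

# Constructed inputs: the request and success response from the log above, plus a
# failure response (INVALID_TICKET is a standard CAS 2.0 failure code).
REQUEST = "https://myWebsphereServer:9444/myApp/secured.jsp?ticket=ST-1060-EjPuGnlzP3oXax7TsdKg"
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess><cas:user>MyCasUserId</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

With DEBUG='true' the values these functions produce are the ones you should see in the 'serviceUrl generated', 'set validation url' and 'got xml response' lines.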

Deploy the Proxy Ticket Receptor Servlet in the targeted web applications

(only required if you need proxy tickets, i.e. you specified STORE_PROXY_TICKET='true')
Add the following to your web.xml:

<context-param>
  <param-name>edu.yale.its.tp.cas.proxyUrl</param-name>
  <param-value>https://myWebsphereServer/cas/proxy</param-value>
</context-param>

<!-- CAS proxy ticket receptor servlet -->
<servlet>
  <servlet-name>CasProxyServlet</servlet-name>
  <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
  <load-on-startup>0</load-on-startup>
</servlet>

<!-- CAS proxy ticket receptor mapping -->
<servlet-mapping>
  <servlet-name>CasProxyServlet</servlet-name>
  <url-pattern>/CasProxyServlet</url-pattern>
</servlet-mapping>

Hints

  • Note that there is only one TAI configuration per WebSphere server.

This means that all applications running in this application server must declare the Proxy Ticket Receptor Servlet if you use it.

  • First configure the TAI without proxy tickets enabled, and with debug on.
  • Enable proxy tickets if needed. If the CAS validation process now fails:
    • try to call your proxy receptor servlet at CAS_CALLBACK_PROXY_URL + contextPathOfYourApplication + CAS_CALLBACK_PROXY_SERVLET
    • you should obtain a blank page with a 200 status
      • otherwise, your servlet is not properly configured
      • if the servlet does respond, the failure probably comes from a bad WebSphere certificate (the default one is self-signed and thus not trusted by CAS)
  • Turn debug off.
  • If you get an invalid service exception, this is almost certainly due to your login redirection: be sure to URL-encode the target redirection URL that you pass as the service parameter.

More hints