CASifying IBM WebSphere (WAS), WebSphere Portal Server (WPS) or WebSphere Content Management (WCM) using the Trust Association Interceptor (TAI) API
Introduction
This document explains how to integrate CAS and WebSphere to enable transparent Single Sign On using the Trust Association Interceptor interface.
Compatible with WebSphere version 5.0.2 and above, JDK 1.3 and above.
As mentioned above, this implementation of a CAS client is based on the Trust Association Interceptor (TAI) interface.
This interface was designed specifically to plug third-party security mechanisms into WebSphere.
It intercepts unauthenticated requests to protected resources and tries to validate each request against the third party (here, the CAS server).
If validation succeeds, it lets the WebSphere application server create a Subject from the information retrieved from the third party (here, the CAS user id). WebSphere trusts the TAI's answer without further checks, so the TAI must only ever report a user name that the CAS server has actually validated.
Figure: Authentication customization points
See: IBM WebSphere Developer Technical Journal: Advanced authentication in WebSphere Application Server
Installing the package
In the following, <WPSInstallDirectory> is assumed to be your WebSphere install path.
Installing components
Copy CasClientWebsphere-x.x.x.jar and casclient-2.1.1.jar into
<WPSInstallDirectory>/AppServer/lib/ext
Deploying and configuring TAI
Open the WebSphere admin console and navigate to
Security > Authentication Mechanisms > LTPA > Trust Associations > Interceptors
Delete the unused interceptors, then click on New.
Interceptor Classname:
For WAS version 5.1.1 and above use com.octo.cas.client.websphere.CasTAI511
For WAS version 5.0.2 and above, but under 5.1.1, use com.octo.cas.client.websphere.CasTAI502
Add the Custom Properties.
Required properties:
CAS_VALIDATION_URL = your CAS server's validation URL, ex: 'https://myCasServer/cas/serviceValidate'. Use https here: the TAI trusts whatever this endpoint answers.
PRINCIPAL_PREFIX = prefix added to the principal, in order to allow mapping for groups, ex: 'uid='; default is ""
PRINCIPAL_SUFFIX = suffix added to the principal, in order to allow mapping for groups, ex: ',OU=myOu, O=myCompany'; default is ""
CAS_CALLBACK_PROXY_URL = the address that your CAS server will call to send a Proxy Granting Ticket, ex: 'https://myWebsphereServer:port'; required only if STORE_PROXY_TICKET='true'; default is ""
CAS_CALLBACK_PROXY_SERVLET = the servlet that your CAS server will call to send a Proxy Granting Ticket, ex: '/CasProxyServlet'; required only if STORE_PROXY_TICKET='true'; default is "/CasProxyServlet"
Optional properties:
DEBUG = enable debug output to stdout, 'true' or 'false'; default is false. The debug output includes the service tickets being validated (see the SystemOut.log sample below), so leave it off in production.
STORE_PROXY_TICKET = 'true' to enable WAS to act as a proxy for CAS credentials; default is false
CAS_REALM_NAME = the realm of this TAI; default is "CAS_REALM"
Navigate to Security > Authentication Mechanisms > LTPA > Trust Associations
Enable "Trust Associations" in the console.
Navigate to Security > Authentication Mechanisms > LTPA > SSO
Enable SSO, with your domain name.
Save the configuration and restart the WebSphere server.
Validate the installation
You should see something like this in
<WPSInstallDirectory>/AppServer/logs/server1/SystemOut.log
************* End Display Current Environment *************
[9/26/05 11:28:50:969 CEST] 70a6da14 ManagerAdmin I TRAS0017I: The startup trace state is SystemOut=all=enabled.
[9/26/05 11:28:53:906 CEST] 70a6da14 AdminInitiali A ADMN0015I: AdminService initialized
[9/26/05 11:28:56:969 CEST] 70a6da14 Configuration A SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.security.auth.login.Configuration.
[9/26/05 11:28:57:156 CEST] 70a6da14 Parser E SECJ4046E: Duplicate login config name system.WEB_INBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser E SECJ4046E: Duplicate login config name system.RMI_OUTBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser E SECJ4046E: Duplicate login config name system.RMI_INBOUND. Will over write.
[9/26/05 11:28:57:188 CEST] 70a6da14 Parser E SECJ4046E: Duplicate login config name system.DEFAULT. Will over write.
[9/26/05 11:28:57:203 CEST] 70a6da14 SecurityDM I SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM registered successfully: true.
[9/26/05 11:28:57:656 CEST] 70a6da14 SecurityCompo I SECJ0309I: Java 2 Security is disabled.
[9/26/05 11:28:57:672 CEST] 70a6da14 SecurityCompo I SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
[9/26/05 11:28:57:688 CEST] 70a6da14 TrustAssociat A SECJ0121I: Trust Association Init class com.octo.cas.client.websphere.CasTAI511 loaded successfully
[9/26/05 11:28:57:703 CEST] 70a6da14 SystemOut O
CasTAIHelper configuration :
CAS_REALM_NAME='CAS_REALM'
CAS_VALIDATION_URL='https://myCasServer/cas/serviceValidate'
STORE_PROXY_TICKET='true'
CAS_CALLBACK_PROXY_URL='https://myWebsphereServer:9444'
CAS_CALLBACK_PROXY_SERVLET='/CasProxyServlet'
PRINCIPAL_PREFIX='uid='
PRINCIPAL_SUFFIX=',OU=myOu, O=myCompany'
DEBUG='true'
[9/26/05 11:28:57:703 CEST] 70a6da14 TrustAssociat A SECJ0122I: Trust Association Init Interceptor signature: 1.0.0
[9/26/05 11:28:57:719 CEST] 70a6da14 SecurityCompo I SECJ0240I: Security service initialization completed successfully
[9/26/05 11:28:59:375 CEST] 70a6da14 SchedulerServ I SCHD0036I: The Scheduler Service is initializing.
[9/26/05 11:28:59:406 CEST] 70a6da14 SchedulerServ I SCHD0037I: The Scheduler Service has been initialized.
Try to log in automatically using the TAI
Assuming you have an application with a protected URL (protected by the web.xml security configuration), say https://myWebsphereServer:9444/myApp/secured.jsp,
try the following URL: https://myCasServer/cas/login?service=https%3A%2F%2FmyWebsphereServer%3A9444%2FmyApp%2Fsecured.jsp
(the service parameter is URL-encoded; see the hint about "invalid service" below).
With DEBUG='true', you should see the following in <WPSInstallDirectory>/AppServer/logs/server1/SystemOut.log
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O has ticket? =true
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O request url=[https://myWebsphereServer:9444/myApp/secured.jsp]
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O try to get ticket
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O ticket not null : ST-1060-EjPuGnlzP3oXax7TsdKg
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O new ticket validator
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O serviceUrl generated: https%3A//myWebsphereServer%3A9444/myApp/secured.jsp
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O set validation url : [https://myCasServer/cas/serviceValidate]
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O set service : https%3A//myWebsphereServer%3A9444/myApp/secured.jsp
[20/10/06 11:56:34:675 CEST] 5dfe484b SystemOut O set ticket : ST-1060-EjPuGnlzP3oXax7TsdKg
[20/10/06 11:56:34:690 CEST] 5dfe484b SystemOut O validation done
[20/10/06 11:56:34:690 CEST] 5dfe484b SystemOut O got xml response :
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>MyCasUserId</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
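The exchange traced above, written out as an added example (Python, not part of the CasTAI package or the casclient jar): it pulls the ticket off the request URL, rebuilds the service the TAI must send to serviceValidate, parses the CAS 2.0 serviceResponse and applies PRINCIPAL_PREFIX/PRINCIPAL_SUFFIX. The property values are the ones from the SystemOut.log sample; the failure response is a constructed one, as the CAS server returns it for a bad ticket. Anything that is not an explicit cas:authenticationSuccess yields no principal, which is what keeps WebSphere from creating a Subject on a malformed or failed answer.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Assumed TAI properties, copied from the SystemOut.log sample on this page.
CONFIG = {
    "CAS_VALIDATION_URL": "https://myCasServer/cas/serviceValidate",
    "PRINCIPAL_PREFIX": "uid=",
    "PRINCIPAL_SUFFIX": ",OU=myOu, O=myCompany",
}

# Constructed responses: the first is the page's own successful answer,
# the second is a CAS 2.0 failure as returned for an unknown ticket.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>MyCasUserId</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
ticket 'ST-1060-EjPuGnlzP3oXax7TsdKg' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>"""


def build_login_url(cas_login_url, service):
    """Redirect target for an unauthenticated user; service encoded exactly once."""
    return cas_login_url + "?" + urllib.parse.urlencode({"service": service})


def extract_ticket(request_url):
    """Split the ticket off the request URL. What is left is the service the
    TAI sends to serviceValidate; it must match what was given to /login,
    otherwise CAS answers INVALID_SERVICE."""
    parts = urllib.parse.urlsplit(request_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    tickets = [v for k, v in query if k == "ticket"]
    if not tickets:
        return None, request_url
    rest = urllib.parse.urlencode([(k, v) for k, v in query if k != "ticket"])
    return tickets[-1], urllib.parse.urlunsplit(parts._replace(query=rest))


def build_validation_url(config, ticket, service):
    """CAS_VALIDATION_URL?service=...&ticket=..., service encoded once."""
    return config["CAS_VALIDATION_URL"] + "?" + urllib.parse.urlencode(
        {"service": service, "ticket": ticket})


def parse_service_response(xml_text):
    """Parse a CAS 2.0 serviceResponse into (ok, user_or_code, message)."""
    root = ET.fromstring(xml_text)
    success = root.find("{%s}authenticationSuccess" % CAS_NS)
    if success is not None:
        user = (success.findtext("{%s}user" % CAS_NS) or "").strip()
        if not user:
            return False, "EMPTY_USER", "authenticationSuccess without cas:user"
        return True, user, ""
    failure = root.find("{%s}authenticationFailure" % CAS_NS)
    if failure is not None:
        return False, failure.get("code", "UNKNOWN"), (failure.text or "").strip()
    return False, "MALFORMED", "neither authenticationSuccess nor authenticationFailure"


def map_principal(config, cas_user):
    """PRINCIPAL_PREFIX + user + PRINCIPAL_SUFFIX: the name WebSphere maps to groups."""
    return config["PRINCIPAL_PREFIX"] + cas_user + config["PRINCIPAL_SUFFIX"]


def validate_request(config, request_url, fetch=None):
    """One TAI pass over a request: returns (principal, diagnostic).
    principal is None whenever WebSphere must not create a Subject."""
    ticket, service = extract_ticket(request_url)
    if ticket is None:
        return None, "no ticket parameter: not a CAS callback, let WebSphere handle it"
    if not ticket.startswith("ST-"):
        # CAS 2.0 service tickets start with ST-; serviceValidate takes nothing else.
        return None, "not a service ticket: " + ticket
    if fetch is None:
        def fetch(url):
            # Default urlopen verifies the CAS server certificate against the
            # system CA store; a self-signed CAS cert fails here, as it should.
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8")
    ok, value, message = parse_service_response(
        fetch(build_validation_url(config, ticket, service)))
    if not ok:
        return None, ("validation failed: %s %s" % (value, message)).strip()
    return map_principal(config, value), "ok"


if __name__ == "__main__":
    url = "https://myWebsphereServer:9444/myApp/secured.jsp?ticket=ST-1060-EjPuGnlzP3oXax7TsdKg"
    print(validate_request(CONFIG, url, fetch=lambda u: SUCCESS_XML))
    print(validate_request(CONFIG, url, fetch=lambda u: FAILURE_XML))
```

The encoded service in the trace above keeps the slashes bare (https%3A//...); urlencode encodes them too. Both are valid percent-encodings and decode to the same service, so CAS matches them. What must not differ is the decoded value: scheme, host, port and path have to be byte-for-byte what was passed to /login.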
Deploy the Proxy Ticket Receptor Servlet in the targeted web applications
(only required if you need proxy tickets, i.e. you set STORE_PROXY_TICKET='true')
Add the following to your web.xml:
<!-- The CAS server's /proxy endpoint, which the receptor calls to obtain proxy tickets -->
<context-param>
<param-name>edu.yale.its.tp.cas.proxyUrl</param-name>
<param-value>https://myCasServer/cas/proxy</param-value>
</context-param>
<!--Cas proxy ticket receptor Servlet-->
<servlet>
<servlet-name>CasProxyServlet</servlet-name>
<servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<!--Cas proxy ticket receptor mapping-->
<servlet-mapping>
<servlet-name>CasProxyServlet</servlet-name>
<url-pattern>/CasProxyServlet</url-pattern>
</servlet-mapping>
Hints
Note that there is only one TAI configuration per WebSphere server.
This means that all applications running in this application server must declare the Proxy Ticket Receptor Servlet if you use it.
First configure the TAI without proxy tickets enabled, and with debug on.
Enable proxy tickets if needed. If the CAS validation process now fails:
Try to call your proxy receptor servlet at CAS_CALLBACK_PROXY_URL + contextPathOfYourApplication + CAS_CALLBACK_PROXY_SERVLET, for example https://myWebsphereServer:9444/myApp/CasProxyServlet
You should obtain a blank page with a 200 status.
Otherwise your servlet is not properly configured: check the servlet-mapping, and check that this URL is not itself covered by a security-constraint, or the CAS server's callback gets redirected to the login page instead of answering 200.
If the servlet answers correctly, the failure most likely comes from a bad WebSphere certificate (the default one is self-signed and thus not trusted by the CAS server, which calls the receptor over HTTPS).
Turn debug off once it works: the debug output writes service tickets to SystemOut.log.
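The callback check above, as an added diagnostic script (Python, not part of the TAI package): it joins the three configured values into the receptor URL, fetches it with certificate verification on, as the CAS server's JVM would, and does not follow redirects, so the three failure modes listed above come out as distinct results: the WebSphere certificate not being trusted, the servlet not being mapped (404), and the URL being behind a security-constraint (a 3xx to the login page). The hostnames, context path and the optional cafile are assumptions for illustration.

```python
import ssl
import urllib.error
import urllib.request


def build_callback_url(callback_base, context_path, servlet_path):
    """CAS_CALLBACK_PROXY_URL + context path + CAS_CALLBACK_PROXY_SERVLET,
    tolerating stray slashes in any of the three values."""
    base = callback_base.rstrip("/")
    ctx = context_path.strip("/")
    ctx = "/" + ctx if ctx else ""
    return base + ctx + "/" + servlet_path.lstrip("/")


def classify(status, body, tls_error):
    """Map a fetch outcome onto the failure modes the hints above describe."""
    if tls_error:
        return "TLS_NOT_TRUSTED"      # CAS's JVM would reject the self-signed cert
    if status in (301, 302, 303, 307):
        return "REDIRECTED"           # security-constraint or login page in the way
    if status == 404:
        return "SERVLET_NOT_MAPPED"   # no servlet-mapping for this path
    if status == 200 and body.strip() == b"":
        return "OK"                   # the blank 200 the receptor should return
    return "UNEXPECTED"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def check_callback(url, cafile=None, timeout=10):
    """Fetch the receptor URL with verification on. cafile is an optional PEM
    bundle containing the CA that issued the WebSphere certificate; without it
    the system store is used, which is what CAS effectively does."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        _NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(), False)
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read(), False)
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return classify(None, b"", True)
        raise


if __name__ == "__main__":
    # Assumed values; replace with your own TAI properties and context path.
    url = build_callback_url("https://myWebsphereServer:9444", "/myApp", "/CasProxyServlet")
    print(url, check_callback(url))
```

A TLS_NOT_TRUSTED result with a cafile that contains your own CA means the CAS server will fail the same way until that CA is imported into its trust store (see the SSL link under "More hints").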
If you get an "invalid service" exception, this is almost certainly due to your login redirection: be sure to URL-encode the target redirection URL that you pass as the service parameter, since CAS compares it with the service the TAI sends to serviceValidate.
More hints
Have a look at the CAS FAQ
SSL and certificate issues : solving SSL issues