YaleCasFilteredContext

Owned by Andrew Petro
Last updated: Feb 01, 2007 by ScottSVersion comment
3 min read

What is it

The YaleCasFilteredContext is an IYaleCasContext implementation which consumes the results of the CASValidateFilter having performed the actual authentication.

How does it work?

Maybe you would like to view the source code.

How do I configure it?

You'll need to configure the security context in your security.properties file and configure the CASValidateFilter in your web.xml.

Setting the security.properties

Note: this example is for using CAS authentication exclusively. A very common configuration is to use CAS alongside another authentication provider, such as local Simple authentication (MD5 passwords). If you're just getting things set up, you may wish to start with this simpler configuration and then add the complexity of the UnionSecurityContext.

You need to set the root security context factory to be the YaleCasFilteredContextFactory:

root=edu.yale.its.tp.portal.security.YaleCasFilteredContextFactory

You need to set the credential token "ticket":

# Answers what tokens are examined in the request for each context during authentication.
# A subcontext only needs to set it's tokens if it differs from those of the root context.
#principalToken.root=userName
#credentialToken.root=password
credentialToken.root=ticket

Mapping the filters

In your web.xml, you need to map and configure the CASValidateFilter and a helper filter which provides a static cache so that the YaleCasFilteredContext can obtain the CASReceipt bearing the results of the authentication.

hint

Hint: filter declarations come before servlet declarations in the web.xml. Personally, I find XMLBuddy's support for validating XML against its declared DTD / schema quite helpful in catching element ordering and XML validity problems...

<filter>
  <filter-name>CAS Validate Filter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASValidateFilter</filter-class>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
    <param-value>hkg2.cis.yale.edu:8080</param-value>
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.proxyCallbackUrl</param-name>
    <param-value>https://hkg2.cis.yale.edu/uPortal/CasProxyServlet</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS Receipt Cacher</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.StaticCasReceiptCacherFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>CAS Validate Filter</filter-name>
  <url-pattern>/Login</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Receipt Cacher</filter-name>
  <url-pattern>/Login</url-pattern>
</filter-mapping>

Where can I get it?

The YaleCasFilteredContext is part of the Yale uPortal CAS security provider package, available here.

Proxying authentication

The above instructions should get you to the point where users can authenticate to your uPortal itself using CAS. A killer feature for portals that CAS offers beyond this initial authentication is proxy authentication. In this section we describe the additional configuration you need to make to turn on proxy authentication. We highly recommend that you first verify that you are able to CAS authenticate to your uPortal istself before tackling the additional complexities of proxy authentication.

Receiving proxy tickets

You'll need to map the ProxyTicketReceptor servlet in your web.xml. This servlet must be available via https:

Mapping the ProxyTicketReceptor in web.xml
  <servlet>
    <servlet-name>CasProxyServlet</servlet-name>
    <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
    <load-on-startup>4</load-on-startup>
  </servlet>

  ...

  <servlet-mapping>
    <servlet-name>CasProxyServlet</servlet-name>
    <url-pattern>/CasProxyServlet</url-pattern>
  </servlet-mapping>

Asking for proxy tickets

Having mapped ProxyTicketReceptor, you're prepared to receive proxy tickets if the CAS server would send them to you. But you also need to configure the CASValidateFilter to ask for them.

You need to add the filter init-param "edu.yale.its.tp.cas.client.filter.proxyCallbackUrl" to your CASValidateFilter configuration.

Configuring CASValidateFilter to request proxy granting tickets
 
	<filter>
		<filter-name>CAS Validate Filter</filter-name>
		<filter-class>edu.yale.its.tp.cas.client.filter.CASValidateFilter</filter-class>
		<init-param>
			<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
			<param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
		</init-param>
		<init-param>
			<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
			<param-value>hkg2.cis.yale.edu:8080</param-value>
		</init-param>
		<init-param>
			<param-name>edu.yale.its.tp.cas.client.filter.proxyCallbackUrl</param-name>
			<param-value>https://hkg2.cis.yale.edu/uPortal/CasProxyServlet</param-value>
		</init-param>
	</filter>

The Proxy Callback MUST be over SSL

The proxy callback URL MUST be an https: URL.

Obtaining and using ProxyTickets in your IChannel implementations

Your IChannels obtain and use proxy tickets through the LocalConnectionContext abstraction, as implemented by a CasConnectionContext instance.