YaleCasContext

Owned by Andrew Petro
Last updated: Feb 01, 2007 by ScottSVersion comment
3 min read

YaleCasContext is a more traditional IYaleCasContext implementation.

Configuration

Setting the context factory

In your security.properties file, you'll need to assign the root context to the YaleCasContextFactory:

# This is the factory that supplies the concrete authentication class
#root=org.jasig.portal.security.provider.SimpleSecurityContextFactory
#root.cas=edu.columbia.ais.portal.security.provider.CasSecurityContextFactory
root=edu.yale.its.tp.portal.security.YaleCasContextFactory

Setting the credential token

Also in the security.properties file, you'll need to assign the "ticket" credential token to the root security context you just configured:

# Answers what tokens are examined in the request for each context during authentication.
# A subcontext only needs to set it's tokens if it differs from those of the root context.
#principalToken.root=userName
#credentialToken.root=password
credentialToken.root=ticket

Configuring the YaleCasContext properties

Also in the security.properties file, you'll need to configure the YaleCasSecurityContext with the properties it needs to successfully authenticate your users. It needs to know the uPortal service URL (the URL to which the tickets it will be validating are intended to authenticate users), the uPortal https: proxy callback URL if any, and the https: URL whereat CAS offers its ticket validation service.

The YaleCasContext must know the uPortal service URL. This is the URL to which the tickets that it is validating authenticate users. This may be an https: URL, but does not have to be. Do not URL-encode this URL here. The YaleCasContext will URL encode the value of this property to transport it to CAS as the request parameter "service" on the ticket validation.

org.jasig.portal.security.provider.YaleCasContext.PortalServiceUrl=https://yourschool.edu/uPortal/Login

The YaleCasContext must know the CAS server URL where CAS offers the service ticket validation service. This must be an HTTPS: address.

org.jasig.portal.security.provider.YaleCasContext.CasValidateUrl=https://yoursecureserver.edu/cas/serviceValidate

Proxying authentication

The above instructions should get you to the point where users can authenticate to your uPortal itself using CAS. A killer feature for portals that CAS offers beyond this initial authentication is proxy authentication. In this section we describe the additional configuration you need to make to turn on proxy authentication. We highly recommend that you first verify that you are able to CAS authenticate to your uPortal istself before tackling the additional complexities of proxy authentication.

Configuring CAS proxy authentication is required in order for your uPortal instance to use Proxy Tickets to proxy authentication to backend service providers (e.g., XML feeds or CWebProxy targets), but is by no means required to use CAS for authentication to your uPortal instance itself.

Receiving proxy tickets

You'll need to map the ProxyTicketReceptor servlet in your web.xml. This servlet must be available via https:

Mapping the ProxyTicketReceptor in web.xml
  <servlet>
    <servlet-name>CasProxyServlet</servlet-name>
    <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
    <load-on-startup>4</load-on-startup>
  </servlet>

  ...

  <servlet-mapping>
    <servlet-name>CasProxyServlet</servlet-name>
    <url-pattern>/CasProxyServlet</url-pattern>
  </servlet-mapping>

Asking for proxy tickets

Having mapped ProxyTicketReceptor, you're prepared to receive proxy tickets if the CAS server would send them to you. But you also need to configure the YaleCasContext to ask for them.

Configure the YaleCasContext with a CAS proxy callback URL whereat you have mapped the CASClient ProxyTicketReceptor servlet. The proxy callback URL must be https:. 

org.jasig.portal.security.provider.YaleCasContext.CasProxyCallbackUrl=https://yourschool.edu/uPortal/CasProxyServlet

The Proxy Callback MUST be over SSL

The proxy callback URL MUST be an https: URL.

Obtaining and using ProxyTickets in your IChannel implementations

Your IChannels obtain and use proxy tickets through the LocalConnectionContext abstraction, as implemented by a CasConnectionContext instance.