Seraph as CAS Client

Seraph is an open source web application security framework. It is developed and maintained primarily by Atlassian, who use it in their products, JIRA and Confluence.

As Confluence and JIRA users, we wanted them to be CASified as well.
Thanks to the well-structured nature of the underlying Seraph, this is not a big deal:

  1. Deploy the application using the CASFilter from the CAS Client package. Configure the filter in web.xml. This is documented in the CAS client docs.
  2. 'Create' and deploy a CAS-enabled CasSeraphAuthenticator in the application in question.
  3. Replace the default with the CASified authenticator in seraph-config.xml:
    e.g.
    <!--  <authenticator class="com.atlassian.seraph.auth.DefaultAuthenticator"/> -->
    <authenticator class="de.valtech.etc.jira.JiraCasAuthenticator"/>
    
  4. Add the CAS logout URL to seraph-config.xml:
         <init-param>
               <param-name>logout.url</param-name>
               <param-value>https://x.y.valtech.de/cas/logout</param-value>
         </init-param>
    
    (Remember, the login URL and all others are defined in web.xml in the filter config; see "Using CAS with Java".)
  5. One more thing: In order to validate the CAS ticket without fiddling with SSL libs and the like, you will presumably have to make the public key of the CAS server available to the client. Because I am a lazy person, I just added it to the JVM's keystore:
    keytool -import -storetype jks -keystore $JDK/jre/lib/security/cacerts -file $CAS_HOME/tmp/cert.pkcs7

    The default password for most JVMs' keystores is 'changeit'. The default password (which your security-aware admin will have changed by now (wink)) for the CAS certificates and keystore is 'security'.

That should be it.

(Disclaimer: I am writing this down off the top of my head. Please drop me a line if you run into trouble so I can try to remember a little harder. Ingomar Otter (smile))
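
For step 2, a sketch of what the CAS-enabled authenticator can look like. This is an added example, not the author's or Atlassian's code. It assumes the Yale CAS client's CASFilter, which stores the validated login name in the session under CASFilter.CAS_FILTER_USER, and a Seraph version whose DefaultAuthenticator can be subclassed directly and provides getUser(String); the class name is the one from step 3.

```java
package de.valtech.etc.jira; // package and class name as referenced in seraph-config.xml (step 3)

import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.atlassian.seraph.auth.DefaultAuthenticator;
import edu.yale.its.tp.cas.client.filter.CASFilter;

public class JiraCasAuthenticator extends DefaultAuthenticator {

    public Principal getUser(HttpServletRequest request, HttpServletResponse response) {
        // Do not create a session here: if none exists, the CASFilter has not
        // run for this client and there is nothing to trust yet.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }

        // Already resolved on an earlier request: reuse the principal Seraph cached.
        Object cached = session.getAttribute(DefaultAuthenticator.LOGGED_IN_KEY);
        if (cached instanceof Principal) {
            return (Principal) cached;
        }

        // CASFilter sets this attribute only after the ticket was validated
        // against the CAS server. Read it from the session only, never from a
        // request parameter or header, which the client controls.
        Object casUser = session.getAttribute(CASFilter.CAS_FILTER_USER);
        if (!(casUser instanceof String) || ((String) casUser).trim().length() == 0) {
            return null;
        }

        // Map the CAS login name to a local account (assumed inherited lookup).
        // A name CAS accepts but the application does not know stays anonymous.
        Principal user = getUser((String) casUser);
        if (user == null) {
            return null;
        }

        session.setAttribute(DefaultAuthenticator.LOGGED_IN_KEY, user);
        session.removeAttribute(DefaultAuthenticator.LOGGED_OUT_KEY);
        return user;
    }
}
```

The authenticator trusts the session attribute completely, so the CASFilter mapping in web.xml has to cover every URL that reaches Seraph.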