JAAS Integration
The Java CAS Client >=3.1.12 supports the Java Authentication and Authorization Service (JAAS) framework, which provides authnz facilities to CAS-enabled JEE applications.
Supported Software
The Jasig Java CAS client added support for JAAS in version 3.1.11 with specific support for JBoss Application Server version 4.2.3 and higher. After release we discovered a problem on JBoss that required additional features that appear in version 3.1.12. It is strongly recommended that version 3.1.12 be used in production applications. The JAAS integration should be generalizable to any JEE container such as WebSphere, but additional development would be required. If you are interested in collaborating to adapt the JAAS support for other JEE containers, please post a note to the cas-dev mailing list.
Overview
A general JAAS authentication module, CasLoginModule, was added in version 3.1.11 with the specific purpose of providing authentication and authorization services to CAS-enabled JEE applications. The design of the module is simple: given a service URL and a service ticket in a NameCallback and PasswordCallback, respectively, the module contacts the CAS server and attempts to validate the ticket. In keeping with CAS integration for Java applications, a JEE container-specific servlet filter is needed to protect JEE Web applications. The JBoss WebAuthentication component provided a convenient integration piece between a servlet filter and the JAAS framework, so a complete integration solution is available only for JBoss AS versions that provide the WebAuthentication class (4.2.3 and 5.x). The JAAS support should be extensible to any JEE container with additional development.
Configuration
The following configuration instructions make the following assumptions:
- Jasig Java CAS client 3.1.12 or later
- JBoss AS container supporting the WebAuthentication class
- Ability to configure JAAS authentication modules for entire container or deployment descriptor of JEE application
Dependencies
The following Jasig Java CAS Client modules are needed for JAAS support in JBoss:
- cas-client-core
- cas-client-integration-jboss
Note that the above modules have their own dependencies as seen from the output of the mvn dependency:tree command:
[INFO] ------------------------------------------------------------------------
[INFO] Building JA-SIG CAS Client for Java - Core
[INFO] task-segment: [dependency:tree]
[INFO] ------------------------------------------------------------------------
[INFO] [dependency:tree {execution: default-cli}]
[INFO] org.jasig.cas.client:cas-client-core:jar:3.1.12-SNAPSHOT
[INFO] +- xml-security:xmlsec:jar:1.3.0:runtime
[INFO] +- org.opensaml:opensaml:jar:1.1:provided
[INFO] +- org.springframework:spring-beans:jar:2.5.6.SEC01:provided
[INFO] +- org.springframework:spring-test:jar:2.5.6.SEC01:test
[INFO] +- org.springframework:spring-core:jar:2.5.6.SEC01:test
[INFO] +- org.springframework:spring-context:jar:2.5.6.SEC01:test
[INFO] | \- aopalliance:aopalliance:jar:1.0:test
[INFO] +- log4j:log4j:jar:1.2.15:test
[INFO] | \- javax.mail:mail:jar:1.4:test
[INFO] | \- javax.activation:activation:jar:1.1:test
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- commons-logging:commons-logging:jar:1.1:compile
[INFO] \- javax.servlet:servlet-api:jar:2.4:provided (scope not updated to compile)
[INFO] ------------------------------------------------------------------------
[INFO] Building JA-SIG CAS Client for Java - JBoss Integration
[INFO] task-segment: [dependency:tree]
[INFO] ------------------------------------------------------------------------
[INFO] [dependency:tree {execution: default-cli}]
[INFO] org.jasig.cas.client:cas-client-integration-jboss:jar:3.1.12-SNAPSHOT
[INFO] +- org.jasig.cas.client:cas-client-core:jar:3.1.12-SNAPSHOT:compile
[INFO] +- org.jboss.jbossas:jboss-as-tomcat:jar:5.1.0.GA:provided
[INFO] | +- apache-xerces:xml-apis:jar:2.9.1:provided
[INFO] | +- javax.faces:jsf-impl:jar:1.2_12:provided
[INFO] | +- jacorb:jacorb:jar:2.3.0jboss.patch6-brew:provided
[INFO] | +- javax.security:jaas:jar:1.0.01:provided
[INFO] | +- javax.transaction:jta:jar:1.1:provided
[INFO] | +- org.jboss.logging:jboss-logging-spi:jar:2.1.0.GA:provided
[INFO] | +- org.jboss.security:jboss-security-spi:jar:2.0.3.SP1:provided
[INFO] | +- jboss:jboss-serialization:jar:1.0.3.GA:provided
[INFO] | +- org.jboss.integration:jboss-deployment-spi:jar:5.1.0.GA:provided
[INFO] | +- org.jboss.security:jbosssx-client:jar:2.0.3.SP1:provided
[INFO] | +- jboss.web:jbossweb:jar:2.1.3.GA:provided
[INFO] | +- org.jboss.ws.native:jbossws-native-jaxws:jar:3.1.2.GA:provided
[INFO] | | \- org.jboss.ws.native:jbossws-native-saaj:jar:3.1.2.GA:provided
[INFO] | +- jgroups:jgroups:jar:2.6.10.GA:provided
[INFO] | +- log4j:log4j:jar:1.2.14:provided
[INFO] | +- org.jboss:jboss-common-core:jar:2.2.14.GA:provided
[INFO] | +- org.jboss.metadata:jboss-metadata:jar:1.0.1.GA:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-ext-api:jar:1.0.0:provided
[INFO] | | +- org.jboss.javaee:jboss-jms-api:jar:1.1.0.GA:provided
[INFO] | | +- org.jboss.javaee:jboss-transaction-api:jar:1.0.1.GA:provided
[INFO] | | +- jboss.jbossws:jboss-jaxws:jar:3.0.1-native-2.0.4.GA:provided
[INFO] | | +- org.jboss:jboss-mdr:jar:2.0.0.GA:provided
[INFO] | | \- sun-jaxb:jaxb-api:jar:2.1.4:provided
[INFO] | +- org.jboss:jboss-vfs:jar:2.1.2.GA:provided
[INFO] | +- org.jboss.ws:jbossws-spi:jar:1.1.2.GA:provided
[INFO] | | +- org.apache.ant:ant:jar:1.7.0:provided
[INFO] | | | \- org.apache.ant:ant-launcher:jar:1.7.0:provided
[INFO] | | +- dom4j:dom4j:jar:1.6.1:provided
[INFO] | | | \- xml-apis:xml-apis:jar:1.0.b2:provided
[INFO] | | \- gnu-getopt:getopt:jar:1.0.13:provided
[INFO] | +- org.jboss:jbossxb:jar:2.0.1.GA:provided
[INFO] | | +- org.jboss:jboss-reflect:jar:2.0.2.GA:provided
[INFO] | | +- apache-xerces:xercesImpl:jar:2.9.1:provided
[INFO] | | +- wutka-dtdparser:dtdparser121:jar:1.2.1:provided
[INFO] | | \- javax.activation:activation:jar:1.1.1:provided
[INFO] | +- org.jboss.aop:jboss-aop:jar:2.1.1.GA:provided
[INFO] | | +- javassist:javassist:jar:3.10.0.GA:provided
[INFO] | | +- qdox:qdox:jar:1.6.1:provided
[INFO] | | +- trove:trove:jar:2.1.1:provided
[INFO] | | \- org.jboss.logging:jboss-logging-log4j:jar:2.0.5.GA:provided
[INFO] | +- org.jboss.javaee:jboss-jaspi-api:jar:1.0.0.GA:provided
[INFO] | +- org.jboss.jbossas:jboss-as-connector:jar:5.1.0.GA:provided
[INFO] | | +- org.jboss.jbossas:jboss-as-profileservice:jar:5.1.0.GA:provided
[INFO] | | | +- org.jboss.jbossas:jboss-as-aspects:jar:5.1.0.GA:provided
[INFO] | | | | +- org.jboss.aop:jboss-aop-aspects:jar:2.1.1.GA:provided
[INFO] | | | | | \- org.beanshell:bsh:jar:1.3.0:provided
[INFO] | | | | +- org.jboss.aop:jboss-aop-asintegration-core:jar:2.1.1.GA:provided
[INFO] | | | | | \- org.jboss.aop:pluggable-instrumentor:jar:2.1.1.GA:provided
[INFO] | | | | +- org.jboss.aop:jboss-aop-asintegration-jmx:jar:2.1.1.GA:provided
[INFO] | | | | +- org.jboss.aop:jboss-aop-asintegration-mc:jar:2.1.1.GA:provided
[INFO] | | | | \- org.jboss.test:jboss-test:jar:1.1.4.GA:provided
[INFO] | | | | +- org.apache.ant:ant-junit:jar:1.7.0:provided
[INFO] | | | | +- jboss.profiler.jvmti:jboss-profiler-jvmti:jar:1.0.0.CR5:provided
[INFO] | | | | \- org.jboss.jbossas:jboss-server-manager:jar:1.0.2.GA:provided
[INFO] | | | \- org.jboss.integration:jboss-profileservice-spi:jar:5.1.0.GA:provided
[INFO] | | +- quartz:quartz:jar:1.5.2:provided
[INFO] | | +- javax.mail:mail:jar:1.4:provided
[INFO] | | +- org.jboss.microcontainer:jboss-aop-mc-int:jar:2.0.6.GA:provided
[INFO] | | +- org.jboss.jbossas:jboss-as-system:jar:5.1.0.GA:provided
[INFO] | | +- org.jboss.integration:jboss-transaction-spi:jar:5.1.0.GA:provided
[INFO] | | +- org.jboss.integration:jboss-integration:jar:5.1.0.GA:provided
[INFO] | | +- org.jboss.jbossas:jboss-as-main:jar:5.1.0.GA:provided
[INFO] | | | \- org.jboss.logbridge:jboss-logbridge:jar:1.0.0.GA:provided
[INFO] | | | \- org.jboss.logmanager:jboss-logmanager:jar:1.0.0.GA:provided
[INFO] | | +- org.jboss.man:jboss-metatype:jar:2.1.0.SP1:provided
[INFO] | | \- org.jboss.man:jboss-managed:jar:2.1.0.SP1:provided
[INFO] | +- org.jboss.jbossas:jboss-as-ejb3:jar:5.1.0.GA:provided
[INFO] | | +- cglib:cglib:jar:2.1.3:provided
[INFO] | | +- org.hibernate:hibernate-core:jar:3.3.1.GA:provided
[INFO] | | | +- antlr:antlr:jar:2.7.6:provided
[INFO] | | | \- commons-collections:commons-collections:jar:3.1:provided
[INFO] | | +- org.hibernate:hibernate-annotations:jar:3.4.0.GA:provided
[INFO] | | | +- org.hibernate:hibernate-commons-annotations:jar:3.1.0.GA:provided
[INFO] | | | \- org.slf4j:slf4j-api:jar:1.4.2:provided
[INFO] | | +- org.jboss.remoting:jboss-remoting:jar:2.5.1:provided
[INFO] | | +- org.hibernate:hibernate-entitymanager:jar:3.4.0.GA:provided
[INFO] | | +- org.jboss.cluster:jboss-ha-client:jar:1.1.1.GA:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-as-int:jar:1.1.5:provided
[INFO] | | | +- org.jboss.ejb3:jboss-ejb3:pom:1.1.5:provided
[INFO] | | | | +- org.jboss.ejb3:jboss-ejb3-core:jar:1.1.5:provided
[INFO] | | | | \- org.jboss.ejb3:jboss-ejb3-deployers:jar:1.0.0:provided
[INFO] | | | \- org.jboss.ejb3:jboss-ejb3-mc-int:jar:1.0.1:provided
[INFO] | | +- org.jboss.naming:jnp-client:jar:5.0.3.GA:provided
[INFO] | | +- org.jboss.microcontainer:jboss-kernel:jar:2.0.6.GA:provided
[INFO] | | \- org.jboss.integration:jboss-corba-ots-spi:jar:5.1.0.GA:provided
[INFO] | +- org.jboss.ejb3:jboss-ejb3-core:jar:client:1.1.5:provided
[INFO] | | +- org.jboss.integration:jboss-jca-spi:jar:5.0.3.GA:provided
[INFO] | | +- org.jboss.cache:jbosscache-core:jar:3.1.0.GA:provided
[INFO] | | +- org.jboss.aspects:jboss-remoting-aspects:jar:1.0.2:provided
[INFO] | | | +- org.jboss.aspects:jboss-transaction-aspects:jar:1.0.0.GA:provided
[INFO] | | | \- org.jboss.aspects:jboss-security-aspects:jar:1.0.0.GA:provided
[INFO] | | | \- javax.security:jacc:jar:1.0:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-cache:jar:1.0.0:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-common:jar:1.0.0:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-endpoint:jar:0.1.0:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-security:jar:1.0.0:provided
[INFO] | | | \- org.jboss.aspects:jboss-current-invocation-aspects:jar:1.0.0.CR1:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-timerservice-spi:jar:1.0.0:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-ext-api-impl:jar:1.0.0:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-interceptors:jar:1.0.2:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-metadata:jar:1.0.0:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-proxy-impl:jar:1.0.2:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-proxy-clustered:jar:1.0.1:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-proxy-spi:jar:1.0.0:provided
[INFO] | | +- org.jboss.ejb3:jboss-ejb3-transactions:jar:1.0.0:provided
[INFO] | | +- org.jboss.jpa:jboss-jpa-deployers:jar:1.0.0-CR1:provided
[INFO] | | +- org.jboss.security:jbosssx:jar:2.0.2.SP2:provided
[INFO] | | +- sun-jaxws:jaxws-api:jar:2.1.1:provided
[INFO] | | \- sun-jaxws:jsr181-api:jar:2.1.1:provided
[INFO] | +- org.jboss.javaee:jboss-jacc-api:jar:1.1.0.GA_SP1:provided
[INFO] | | \- jboss.web:servlet-api:jar:2.1.1.GA:provided
[INFO] | +- org.jboss.javaee:jboss-jca-api:jar:1.5.0.GA:provided
[INFO] | +- org.jboss.javaee:jboss-ejb-api:jar:3.0.0.GA:provided
[INFO] | | \- org.jboss.ws.native:jbossws-native-jaxrpc:jar:3.0.4.GA:provided
[INFO] | +- org.hibernate:ejb3-persistence:jar:1.0.2.GA:provided
[INFO] | +- org.jboss.cluster:jboss-ha-server-api:jar:1.1.1.GA:provided
[INFO] | +- org.jboss.cluster:jboss-ha-server-cache-spi:jar:2.0.0.GA:provided
[INFO] | +- org.jboss.cluster:jboss-ha-server-cache-jbc:jar:2.0.0.GA:provided
[INFO] | +- org.jboss.jbossas:jboss-as-iiop:jar:5.1.0.GA:provided
[INFO] | | +- apache-avalon:avalon-framework:jar:4.1.5:provided
[INFO] | | \- org.jboss.integration:jboss-classloading-spi:jar:5.1.0.GA:provided
[INFO] | +- org.jboss.jbossas:jboss-as-j2se:jar:5.1.0.GA:provided
[INFO] | +- org.jboss.jbossas:jboss-as-security:jar:5.1.0.GA:provided
[INFO] | | +- org.jboss.security:jbossxacml:jar:2.0.3:provided
[INFO] | | \- org.apache:xmlsec:jar:1.4.2:provided
[INFO] | +- org.jboss.jbossas:jboss-as-server:jar:5.1.0.GA:provided
[INFO] | | +- org.jboss.jbossas:jboss-as-deployment:jar:5.1.0.GA:provided
[INFO] | | | \- org.jboss.javaee:jboss-jad-api:jar:1.2.0.GA:provided
[INFO] | | +- org.jboss.bootstrap:jboss-bootstrap:jar:1.0.0-Beta-3:provided
[INFO] | | +- org.jboss.jbossas:jboss-as-jmx:jar:5.1.0.GA:provided
[INFO] | | | +- org.jboss.jbossas:jboss-as-j2se:test-jar:tests:5.1.0.GA:provided
[INFO] | | | \- org.jboss.jbossas:jboss-as-mbeans:jar:5.1.0.GA:provided
[INFO] | | +- bcel:bcel:jar:5.1:provided
[INFO] | | +- jpl-util:jpl-util:jar:1.0:provided
[INFO] | | +- jpl-pattern:jpl-pattern:jar:1.0:provided
[INFO] | | \- org.jboss.naming:jnpserver:jar:5.0.3.GA:provided
[INFO] | +- org.jboss.jbossas:jboss-as-system-jmx:jar:5.1.0.GA:provided
[INFO] | | \- org.jboss.microcontainer:jboss-dependency:jar:2.0.6.GA:provided
[INFO] | +- org.jboss.cl:jboss-classloader:jar:2.0.6.GA:provided
[INFO] | +- org.jboss.deployers:jboss-deployers-core-spi:jar:2.0.7.GA:provided
[INFO] | +- org.jboss.deployers:jboss-deployers-impl:jar:2.0.7.GA:provided
[INFO] | | \- org.jboss.cl:jboss-classloading:jar:2.0.6.GA:provided
[INFO] | +- org.jboss.deployers:jboss-deployers-spi:jar:2.0.7.GA:provided
[INFO] | +- org.jboss.deployers:jboss-deployers-structure-spi:jar:2.0.7.GA:provided
[INFO] | | \- org.jboss.deployers:jboss-deployers-client-spi:jar:2.0.7.GA:provided
[INFO] | +- org.jboss.deployers:jboss-deployers-vfs:jar:2.0.7.GA:provided
[INFO] | | +- org.jboss.cl:jboss-classloading-vfs:jar:2.0.6.GA:provided
[INFO] | | +- org.jboss.deployers:jboss-deployers-core:jar:2.0.7.GA:provided
[INFO] | | \- org.jboss.deployers:jboss-deployers-client:jar:2.0.7.GA:provided
[INFO] | +- org.jboss.deployers:jboss-deployers-vfs-spi:jar:2.0.7.GA:provided
[INFO] | | \- stax:stax-api:jar:1.0:provided
[INFO] | +- oswego-concurrent:concurrent:jar:1.3.4-jboss-update1:provided
[INFO] | +- net.jcip:jcip-annotations:jar:1.0:provided
[INFO] | \- javax.faces:jsf-api:jar:1.2_12:provided
[INFO] +- junit:junit:jar:3.8.1:test
[INFO] +- commons-logging:commons-logging:jar:1.1:compile
[INFO] \- javax.servlet:servlet-api:jar:2.4:provided (scope not updated to compile)
Most if not all of the JBoss dependencies above should be available to a JEE application deployed to JBoss AS.
Configure CasLoginModule
It is expected that for JEE applications both authentication and authorization services will be required for CAS integration. The following JAAS module configuration file excerpt demonstrates how to leverage SAML 1.1 attribute release in CAS to provide authorization data in addition to authentication:
Sample JAAS Module Configuration
cas {
org.jasig.cas.client.jaas.CasLoginModule required
ticketValidatorClass="org.jasig.cas.client.validation.Saml11TicketValidator"
casServerUrlPrefix="https://cas.example.com/cas"
tolerance="20000"
service="https://webapp.example.com/webapp"
defaultRoles="admin,operator"
roleAttributeNames="memberOf,eduPersonAffiliation"
principalGroupName="CallerPrincipal"
roleGroupName="Roles"
cacheAssertions="true"
cacheTimeout="480";
}
For JBoss it is vitally important to use the above values for principalGroupName and roleGroupName. Additionally, the cacheAssertions and cacheTimeout are required since JBoss by default attempts to reauthenticate the JAAS principal with a fairly aggressive default timeout. Since CAS tickets are single-use authentication tokens by default, assertion caching is required to support periodic reauthentication. A full description of CasLoginModule configuration attributes follows.
- ticketValidatorClass - Fully-qualified class name of CAS ticket validator class.
- casServerUrlPrefix - URL to root of CAS Web application context.
- service (optional) - CAS service parameter that may be overridden by callback handler. NOTE: service must be specified by at least one component such that it is available at service ticket validation time.
- defaultRoles (optional) - Comma-delimited list of static roles applied to all authenticated principals.
- roleAttributeNames (optional) - Comma-delimited list of attribute names that describe role data delivered to CAS in the service-ticket validation response that should be applied to the current authenticated principal.
- principalGroupName (optional) - The name of a group principal containing the primary principal name of the current JAAS subject. The default value is "CallerPrincipal", which is suitable for JBoss.
- roleGroupName (optional) - The name of a group principal containing all role data. The default value is "Roles", which is suitable for JBoss.
- cacheAssertions (optional) - Flag to enable assertion caching. This may be required for JAAS providers that attempt to periodically reauthenticate to renew principal. Since CAS tickets are one-time-use, a cached assertion must be provided on reauthentication.
- cacheTimeout (optional) - Assertion cache timeout in minutes.
Ticket validator configuration attributes, such as tolerance in the example above, are also supported.
Configure Servlet Filters
Integration with the servlet pipeline is required for a number of purposes:
- Examine servlet request for an authenticated session
- Redirect to CAS server for unauthenticated sessions
- Provide service URL and CAS ticket to JAAS pipeline for validation
The WebAuthenticationFilter performs these operations for the JBoss AS container. It is important to note that this filter simply collects the service URL and CAS ticket from the request and passes it to the JAAS pipeline. It is assumed that the CasLoginModule will be present in the JAAS pipeline to consume the data and perform ticket validation. The following web.xml excerpts demonstrate how to integrate WebAuthenticationFilter into a JEE Web application.
Sample Web Deployment Descriptor
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- Facilitates CAS single sign-out -->
<listener>
<listener-class>
org.jasig.cas.client.session.SingleSignOutHttpSessionListener
</listener-class>
</listener>
<!-- Following is needed only if CAS single-sign out is desired -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>
org.jasig.cas.client.session.SingleSignOutFilter
</filter-class>
</filter>
<!-- Only 2 CAS filters are required for JAAS support -->
<filter>
<filter-name>CASWebAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
</filter>
<filter>
<filter-name>CASAuthenticationFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas.example.com/cas/login</param-value>
</init-param>
</filter>
<!-- Other filters as needed -->
<!-- CAS client filter mappings -->
<!-- The order of the following filters is vitally important -->
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CASWebAuthenticationFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CASAuthenticationFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<!-- Other configuration as needed -->
</web-app>