HOWTO CASifying ASP.NET WebApp - ExampleWebsite
The purpose of this tutorial is to outline the steps required to set up the ExampleWebsite ASP.NET web application
Intro
The purpose of this tutorial is to outline the steps required to set up the ExampleWebsite ASP.NET web application.
System Environment
- Microsoft Visual Studio 2010 Professional Edition
- Windows 7 Professional
- Internet Information Services 6 [Full Pack] (May be installed in "Windows Features")
- A git client such as GitExtensions.
Set up the CAS Server
Follow the instructions at this link to setup an instance of the CAS server. Additional software may be required.
Set up ExampleWebsite in Visual Studio
- Using the Git client, download the source from here.
- Launch Microsoft Visual Studio with admin privileges. You can do so by right clicking on Visual Studio and selecting Run as Administrator. This is required for you to publish application artifacts to the local instance of IIS. Navigate to where you have the ExampleWebsite project and open it.
- Right click on the ExampleWebsite app and selecting Select as Startup Project.
- Right click on the DotNetCasClient app and select Build.
- Add a Web.config file to the ExampleWebsite. Copy the contents of web.config.sample file into Web.config and modify the following sections:
<casClientConfig casServerLoginUrl="https://your-full-machine-name:8443/cas/login" casServerUrlPrefix="https://your-full-machine-name:8443/cas/" serverName="https://<your-full-machine-name>" notAuthorizedUrl="~/NotAuthorized.aspx" cookiesRequiredUrl="~/CookiesRequired.aspx" redirectAfterValidation="true" gateway="false" renew="false" singleSignOut="true" ticketTimeTolerance="5000" ticketValidatorName="Cas20" proxyTicketManager="CacheProxyTicketManager" serviceTicketManager="CacheServiceTicketManager" gatewayStatusCookieName="CasGatewayStatus" /> <authentication mode="Forms"> <forms loginUrl="https://your-full-machine-name:8443/cas/login" timeout="90" defaultUrl="~/Default.aspx" cookieless="UseCookies" slidingExpiration="true" /> </authentication>
- Replace the your-full-machine-name with your full computer name.
Full Computer Name
- Right click on ExampleWebsite and select Publish Website. From the dialog, click the browse button and navigate to Local IIS group. Then, select Default Website.
Create IIS .NET SSL Certificate
- Inside the IIS Manager, open the Server Certificates module.
- From the Actions list on the right, select Create Self-Signed Certificate. Enter dotnet for the friendly name and click OK.
- Right click on the dotnet certificate in the list and select Export. In the new dialog, specify the export path and for the password, enter “changeit” without the quotation marks.
- Open Internet Explorer and bring up the Options Dialog. Then, navigate to the Content tab. Click on the Certificates and select the Trusted Root Certification Authorities.
- Click on the Import button and walkthrough the wizard. Specify the file name to be the <path-export-file> above. Finally, make sure the certificate is placed inside the Trusted Root Certification Authorities.
Import IIS .NET SSL Certificate to JVM
- Select the imported certificate above and click on Export.
- Select DER (*.cer file) as the export format, provide a file name (i.e client.cer) and export the certificate.
- Type CMD into the Start Menu, right click on CMD in the list and select Run as Administrator.
- Navigate to the directory where you exported the certificate CER file.
- Issue the following command to import the certificate to the Java keystore:
keytool -import -file client.cer -keystore "%JAVA_HOME%"\jre\lib\security\cacerts -alias dotnet
When prompted, enter “yes” to trust and import the certificate to the JVM keystore.
Import JVM SSL Certificate to IIS
- Open Internet Explorer and bring up the Options Dialog. Then, navigate to the Content tab. Click on the Certificates and select the Trusted Root Certification Authorities.
- Click on the Import button and walkthrough the wizard. Locate the server certificate that you created for the tomcat instance (i.e tomcat.crt). Finally, make sure the certificate is placed inside the Trusted Root Certification Authorities.
Assign SSL Certificates to Trusted Root CA
- Open the start menu and type MMC into the Run dialog. (You should have/allow admin access to in order to launch the Windows Management Console)
- From the File menu, select Add/Remove Snap-in and select Certificates from the Available Snap-ins list.
- Click the Add button and select My User Account. Finally, add the Snap in to the list.
- Click the Add button again and select Computer Account. Choose the Local Computer option and add the Snap in to the list. Finally, click OK to close the dialog.
- Expand the node Certificates – Current User,Trusted Root Certification Authorities and then Certificates.
- Make sure both certificates exist in the list. Also, copy all certificates and put them in Certificates – Local Computer - Trusted Root Certification Authorities. This is required for IIS to validate and authenticate requests.
Configure CAS Server Credentials
You should configure the CAS server credentials so they match the ExampleWebsite accounts, which are defined in App_Data\UserRoles.xml.
Locate the bean entry: $
CATALINA_HOME/webapps/cas/WEB-INF/deployerConfigContext.xml
- Locate the bean entry:
<
bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"
/>
- Replace it with the following:
<bean class="org.jasig.cas.adaptors.generic.AcceptUsersAuthenticationHandler"> <property name="users"> <map> <entry> <key><value>admin</value></key> <value>admin</value> </entry> <entry> <key><value>bob</value></key> <value>bob</value> </entry> </map> </property> </bean>
Maven Dependency
If you have not followed the WAR Overlay Method to deploy CAS, you need to make sure the following dependency is properly declared inside the cas pom.xml file.
<dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-support-generic</artifactId> <version>${cas.version}</version> <type>jar</type> <scope>runtime</scope> </dependency>
Run
First, make sure you have the CAS server up and running and you can log into CAS using the above credentials.
For the web application, (after you have published the artifacts) you can browse to "https://<full-machine-name>" and you should be presented with the default page of the Example Website.
HTTPS & IIS
You may have to configure IIS server bindings, so access to https://<full-machine-name> can be granted.
Use the links on the left-hand side (i.e “Administrators Role Only”) to test the authentication mechanism. You should be redirected to CAS and after authenticating successfully with (i.e. admin/admin), you should be returned to the website and section allowed for admins only.