Configuring

New CAS documentation site

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

CAS URLs

Open CAS_HOME/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties. It should look something like this:

cas.securityContext.serviceProperties.service=https://localhost:8443/cas/services/j_acegi_cas_security_check
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://localhost:8443/cas/login
cas.securityContext.casProxyTicketValidator.casValidate=https://localhost:8443/cas/proxyValidate

You will need to change those URLs (most likely only by changing the hostname and port) to your CAS application's URLs.

ServicesRegistry and Database Connection

In the default deployment, you'll see (volatile data, cleared upon application restart):

<bean
		id="serviceRegistryDao"
		class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />

If you want the data to be persistent, replace it by following a procedure such as the one below.

To have Hibernate automatically generate the database schema upon initial connection, the key parameter <prop key="hibernate.hbm2ddl.auto">update</prop> must be included, as it is in the configuration below.

  1. Change the bean serviceRegistryDao in deployerConfigContext.xml to something like this. This persists the services data to the database of your choice using Hibernate.

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
          p:entityManagerFactory-ref="entityManagerFactory" />

    <!-- This is the EntityManagerFactory configuration for Hibernate -->
    <bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
        <property name="dataSource" ref="dataSource"/>
        <property name="jpaVendorAdapter">
            <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
                <property name="generateDdl" value="true"/>
                <!-- showSql logs every SQL statement; turn it off once the setup is verified -->
                <property name="showSql" value="true" />
            </bean>
        </property>
        <property name="jpaProperties">
            <props>
                <prop key="hibernate.dialect">org.hibernate.dialect.HSQLDialect</prop>
                <!-- lets Hibernate create or alter the schema on first connection -->
                <prop key="hibernate.hbm2ddl.auto">update</prop>
            </props>
        </property>
    </bean>

    <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
        <property name="entityManagerFactory" ref="entityManagerFactory"/>
    </bean>

    <tx:annotation-driven transaction-manager="transactionManager"/>

    <!-- c3p0 pooled data source. Note the c3p0 property names (driverClass, jdbcUrl, user,
         password); jdbcUrl-ref points at a bean named "database" holding the JDBC URL. -->
    <bean
        id="dataSource"
        class="com.mchange.v2.c3p0.ComboPooledDataSource"
        p:driverClass="org.hsqldb.jdbcDriver"
        p:jdbcUrl-ref="database"
        p:password=""
        p:user="sa" />
    
    • The data source will need to be modified for your particular database (i.e. Oracle, MySQL, etc.), but the name "dataSource" should be preserved.
      MySQL example:

      <bean
      		id="dataSource"
      		class="org.apache.commons.dbcp.BasicDataSource"
      		p:driverClassName="com.mysql.jdbc.Driver"
      		p:url="jdbc:mysql://localhost:3306/test?autoReconnect=true"
      		p:password=""
      		p:username="sa" />
      
  2. Change the property hibernate.dialect to match your database in both cas.properties and deployerConfigContext.xml.
    MySQL example:
        In cas.properties

    database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
    

        In deployerConfigContext.xml

    <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
    
  3. Add the xml namespace "tx" to deployerConfigContext.xml

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:tx="http://www.springframework.org/schema/tx"
           xmlns:p="http://www.springframework.org/schema/p"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           						http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd" >
    
  4. Whatever dataSource you use, add the required dependencies to the pom.xml file for your CAS webapp (the default is cas-server-webapp/pom.xml), to include the relevant jars.
    Continuing the MySQL example:

    <!--
        Apache Commons DBCP
          for Java 6 (use version 1.3 for Java 5 or lower)
    -->
    <dependency>
        <groupId>commons-dbcp</groupId>
        <artifactId>commons-dbcp</artifactId>
        <version>1.4</version>
        <scope>runtime</scope>
    </dependency>
    
    <!--
    	Hibernate Core and Entity Manager
    	  for CAS 3.5.0 and higher
    -->
    <dependency>
        <groupId>org.hibernate</groupId>
        <artifactId>hibernate-core</artifactId>
        <scope>compile</scope>
    </dependency>
    
    <dependency>
        <groupId>org.hibernate</groupId>
        <artifactId>hibernate-entitymanager</artifactId>
    </dependency>
    
    <!--
        Hibernate Entity Manager
          for CAS 3.4.2.1
    -->
    <dependency>
        <groupId>org.hibernate</groupId>
        <artifactId>hibernate-entitymanager</artifactId>
        <version>3.5.0-CR-2</version>
    </dependency>
    
    <!-- 
        MySQL Connector
    -->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>5.1.20</version>
    </dependency>
     

    NB. The given artifact version is to be used with CAS 3.4.2.1

  5. Package your webapp and try it out.

Notes on the availability of Services Management Application Database

If the Services Management Application database happens to be unavailable you will still be able to perform service authorization.  CAS maintains an in-memory collection of services that is periodically refreshed from the database.  If the database is down, the periodic refresh process will fail.  But the in-memory data will continue to be available to support service authorization.

ServicesRegistry and MongoDb Integration

As an alternative to the traditional RDBMS implementations of the service registry, a MongoDb implementation is available. It is read-write and transactional, enabling fuller use of the CAS service registry management administrative UI web application, while being lower-ceremony and "lighter" than dealing with a traditional RDBMS.

See this link for additional instructions.

JSON ServicesRegistry

There exists a JSON-file based implementation of the service registry, where service definitions are defined in a flat JSON file and loaded by CAS. The registry can auto-reload ad-hoc changes made to the file without requiring a server restart. Variations of the registry allow full use of the services management interface, writing changes back out to the file.

See this link for additional instructions.

Securing the Services Management Application

In-Memory managed list of static users

The first step is to modify the cas.properties as above in order to actually authenticate via CAS (you can also replace the mechanism with another entry).
Once you've done that, you'll need to include the authorization information. The default securityContext.xml includes a hard-coded in-memory authorization DAO. For simple cases, this may be sufficient. You can add/remove entries by looking for the following in deployerConfigContext.xml:

<sec:user-service id="userDetailsService">
    <sec:user name="admin" password="notused" authorities="ROLE_ADMIN" />
</sec:user-service>

where the name attribute ("admin" above) is the user to whom you want to grant access. You can also replace the in-memory implementation with any of the provided Acegi choices. More information can be found on them at the Acegi Security web site.

Ldap-server managed list of users

If you wish to allow access to the services management application via an LDAP group/server, replace the above configuration with the following:

    <sec:ldap-server id="ldapServer" url="ldap://myserver:13060/"
                     manager-dn="cn=adminusername,cn=Users,dc=mycompany,dc=com"
                     manager-password="mypassword" />
    <sec:ldap-user-service id="userDetailsService" server-ref="ldapServer"
                group-search-base="cn=Groups,dc=mycompany,dc=com" group-role-attribute="cn"
                group-search-filter="(uniquemember={0})"
                user-search-base="cn=Users,dc=mycompany,dc=com"
                user-search-filter="(uid={0})"/>

Replace the sample attribute values with those that match your environment.

You will also need to ensure that the "spring-security-ldap" dependency is available to your build at runtime. Replace "spring.security.ldap.version" with the appropriate spring-security-ldap release version number.

<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-ldap</artifactId>
   <version>${spring.security.ldap.version}</version>
   <exclusions>
     <exclusion>
             <groupId>org.springframework</groupId>
             <artifactId>spring-aop</artifactId>
     </exclusion>
     <exclusion>
             <groupId>org.springframework</groupId>
             <artifactId>spring-tx</artifactId>
     </exclusion>
     <exclusion>
             <groupId>org.springframework</groupId>
             <artifactId>spring-beans</artifactId>
     </exclusion>
     <exclusion>
             <groupId>org.springframework</groupId>
             <artifactId>spring-context</artifactId>
     </exclusion>
     <exclusion>
             <groupId>org.springframework</groupId>
             <artifactId>spring-core</artifactId>
     </exclusion>
   </exclusions>
</dependency>
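
The settings this page walks through (the bean that must keep the id "dataSource", hibernate.hbm2ddl.auto=update, showSql, an empty data source password, a literal LDAP manager-password, and the https CAS URLs in cas.properties) can be checked mechanically before a webapp is packaged. The linter below is an added example and not part of the CAS project; it assumes the standard Spring Security namespace URI for the sec: prefix (the snippets above do not declare it) and runs over constructed sample input.

```python
import xml.etree.ElementTree as ET
NS_B = "http://www.springframework.org/schema/beans"
NS_P = "http://www.springframework.org/schema/p"
NS_SEC = "http://www.springframework.org/schema/security"  # assumed URI for the sec: prefix

def lint_context(xml_text):
    """Return a list of findings for a deployerConfigContext.xml string."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        # expat reports "unbound prefix" when tx:annotation-driven is used
        # but xmlns:tx was never declared (step 3 of the procedure above)
        return ["parse error, check namespace declarations: %s" % e]
    findings = []
    beans = list(root.iter("{%s}bean" % NS_B))
    if "dataSource" not in {b.get("id") for b in beans}:
        findings.append("no bean with id 'dataSource'; the JPA wiring expects that name")
    for b in beans:
        if b.get("{%s}password" % NS_P) == "":
            findings.append("bean '%s' connects with an empty password" % b.get("id"))
    for prop in root.iter("{%s}prop" % NS_B):
        if prop.get("key") == "hibernate.hbm2ddl.auto" and prop.text == "update":
            findings.append("hbm2ddl.auto=update lets the webapp alter the schema; review before production")
    for prop in root.iter("{%s}property" % NS_B):
        if prop.get("name") == "showSql" and prop.get("value") == "true":
            findings.append("showSql=true writes every SQL statement to the log")
    for srv in root.iter("{%s}ldap-server" % NS_SEC):
        pw = srv.get("manager-password", "")
        if pw and not pw.startswith("${"):
            findings.append("ldap-server '%s' has a literal manager-password; use a property placeholder" % srv.get("id"))
    return findings

def lint_properties(props_text):
    """Flag cas.securityContext.* URLs in cas.properties that are not https."""
    findings = []
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("cas.securityContext") and not value.strip().startswith("https://"):
            findings.append("%s is not https" % key.strip())
    return findings

# constructed sample inputs, not taken from any real deployment
SAMPLE_CONTEXT = """<beans xmlns="%s" xmlns:p="%s" xmlns:sec="%s">
  <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" p:user="sa" p:password=""/>
  <bean id="emf"><property name="jpaProperties"><props><prop key="hibernate.hbm2ddl.auto">update</prop></props></property></bean>
  <sec:ldap-server id="ldapServer" url="ldap://myserver:13060/" manager-password="mypassword"/>
</beans>""" % (NS_B, NS_P, NS_SEC)
SAMPLE_PROPS = "cas.securityContext.casProcessingFilterEntryPoint.loginUrl=http://localhost:8080/cas/login\n"
```

Run lint_context(SAMPLE_CONTEXT) and lint_properties(SAMPLE_PROPS) against your own files before step 5; an empty list from both means none of the checks above fired.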

 

Your First Entry

If you're using CAS to authenticate against the Services Management application (as opposed to using some form-based mechanism, etc.) then your first entry in the Services Management application needs to be the Services Management application itself!
