LPPE Module Integration Notes (CAS 3.4.x)

As of CAS 3.5, LPPE support is built into the CAS distribution. See this link for more info.

This work has migrated to the GitHub feature branch feature-lppe.

LPPE Module Integration Notes

Notes on what it took to get the LPPE module integrated into CAS 3.4.10. This work was done in the investigative feature branch cas-server-3.4.10-lppe. The motivation for the feature branch is to better understand the integration points and whether it is reasonable to consider this for a minor CAS release.

The feature branch was started from cas-server-3.4.10.

Java class files

  • created a new module directory for cas-server-support-ldap-ppolicy
  • updated the module and project pom files; jars build appropriately

Most of the Java code is in new files, with the exception of the following:

  • LdapAuthenticationViaFormAction
  • BindLdapAuthenticationHandler
  • LdapCASImpl

These are forks of existing code with the updates needed to plug in the LDAP error message capture/translation. The changes they require look like they might be acceptable for a minor release.

Webapp content

These files all have non-intrusive additions:

  • default_views.properties
  • protocol_views.properties
  • message_en.properties

spring-configuration

applicationContext.xml has a single change: it uses LdapCASImpl instead of CASImpl. This would go away if CASImpl provided the necessary support.

passwordWarningcheck.xml has bean definitions specific to this feature. These could be stubbed out in deployerConfigContext.xml instead.

webapp/WEB-INF/view/jsp/default/ui has a set of new views required for this feature:

  • casAccountDisabledView.jsp
  • casAccountLockedView.jsp
  • casBadWorkstationView.jsp
  • casExpiredPassView.jsp
  • casMustChangePassword.jsp
  • casWarnPassView.jsp

(However, not all of these are wired up in SWF, so it is not clear whether they are all functional.)

webapp/WEB-INF/view/jsp/protocol: added the new casWarnPassPostResponseView.jsp (should this be merged with casPostResponseView.jsp?)

WEB-INF/login-webflow.xml: additions for the LPPE UX plus a change to introduce LPPE into the flow. (How could this be introduced as a no-op when LPPE is not configured?)

<decision-state id="warn">
  <if test="flowScope.warnCookieValue" then="showWarningView" else="PasswordWarningCheck" />
</decision-state>

cas-servlet.xml: changes for LdapAuthenticationViaFormAction (this could go away if it were merged with AuthenticationViaFormAction).

deployerConfigContext.xml: the LPPE authentication handler and its bean dependencies (the LPPE configuration could be stubbed out here).

  • merge LdapPwdAuthenticationViaFormAction with AuthenticationViaFormAction?
  • merge BindLdapAuthenticationHandler?

To build using a Maven overlay:

1. Check out the feature branch and run mvn clean package install to place cas-server-3.4.10-LPPE-SNAPSHOT in your local Maven repo.
2. Update the CAS version in your Maven overlay to cas-server-3.4.10-LPPE-SNAPSHOT.
3. Add the LPPE module to the overlay pom.xml:

<!-- CAS LDAP Password Policy support  -->
        <dependency>
             <groupId>org.jasig.cas</groupId>
             <artifactId>cas-server-support-ldap-ppolicy</artifactId>
             <version>${cas.version}</version>
             <scope>runtime</scope>
        </dependency>

Add applicationContext.xml with a ref to LdapCASImpl:

<!-- CentralAuthenticationService with principal -->
    <bean id="centralAuthenticationService" class="org.jasig.cas.LdapPwdCentralAuthenticationServiceImpl"

Configure the authentication handler in deployerConfigContext.xml:

<bean class="org.jasig.cas.adaptors.ldappwd.BindLdapAuthenticationHandler" >
                    <property name="contextSource" ref="contextSource" />
                    <property name="searchContextSource" ref="pooledContextSource" />
                    <property name="searchBase" value="${ldap.searchBase}" />
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="ignorePartialResultException" value="true" />
                    <property name="errorProcessor"  ref="firstErrorProcessor" />
                </bean>

            </list>
        </property>
    </bean>

    <bean id="firstErrorProcessor" class="org.jasig.cas.adaptors.ldappwd.util.ExpiredPasswordErrorProcessor">
        <property name="nextItem">
        <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountLockedErrorProcessor">
            <property name="nextItem">
            <bean class="org.jasig.cas.adaptors.ldappwd.util.MustChangePasswordErrorProcessor">
                <property name="nextItem">
                <bean class="org.jasig.cas.adaptors.ldappwd.util.BadHoursErrorProcessor">
                    <property name="nextItem">
                    <bean class="org.jasig.cas.adaptors.ldappwd.util.BadWorkstationErrorProcessor">
                        <property name="nextItem">
                            <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountDisabledErrorProcessor" />
                        </property>
                    </bean>
                    </property>
                </bean>
                </property>
            </bean>
            </property>
        </bean>
        </property>
    </bean>
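An added example, not the module's Java code, that sketches in Python what the nextItem chain above does: each processor owns one Active Directory bind sub-status (the hex "data" code AD returns with a failed bind) and hands everything else to the next link, so the order of the chain is the order the conditions are checked. The class names and view names are the ones on this page; casBadHoursView is an assumed name because the page lists no view for BadHoursErrorProcessor, and the sample messages are constructed.

```python
import re

# Active Directory puts an NT sub-status in the diagnostic message of a failed
# simple bind, e.g. "... AcceptSecurityContext error, data 532, v1db1".
# The hex value after "data" says why the bind failed.
_DATA_CODE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")

class ErrorProcessor:
    """One link of the chain: owns one sub-status, defers the rest to next_item."""
    code = None   # AD sub-status this link recognises
    view = None   # CAS view the webflow should show for it

    def __init__(self, next_item=None):
        self.next_item = next_item   # same role as the nextItem property above

    def process(self, message):
        m = _DATA_CODE.search(message or "")
        if m and m.group(1).lower() == self.code:
            return self.view
        if self.next_item is not None:
            return self.next_item.process(message)
        return None   # no policy condition matched: plain authentication failure

# Same names and order as the bean chain; views are the ones listed on this page.
class ExpiredPasswordErrorProcessor(ErrorProcessor): code, view = "532", "casExpiredPassView"
class AccountLockedErrorProcessor(ErrorProcessor): code, view = "775", "casAccountLockedView"
class MustChangePasswordErrorProcessor(ErrorProcessor): code, view = "773", "casMustChangePassword"
class BadHoursErrorProcessor(ErrorProcessor): code, view = "530", "casBadHoursView"  # assumed view name
class BadWorkstationErrorProcessor(ErrorProcessor): code, view = "531", "casBadWorkstationView"
class AccountDisabledErrorProcessor(ErrorProcessor): code, view = "533", "casAccountDisabledView"

def build_chain():
    """Mirror the nested nextItem wiring of the firstErrorProcessor bean."""
    return ExpiredPasswordErrorProcessor(AccountLockedErrorProcessor(
        MustChangePasswordErrorProcessor(BadHoursErrorProcessor(
            BadWorkstationErrorProcessor(AccountDisabledErrorProcessor())))))

def view_for_bind_error(message):
    """Return the view to render for a failed bind, or None for a plain bad password."""
    return build_chain().process(message)

# Constructed sample diagnostics in AD's format (not captured from a real server).
SAMPLES = {
    "expired": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v1db1",
    "locked": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v1db1",
    "wrong_password": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v1db1",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "->", view_for_bind_error(msg))
```

Whatever the chain returns is rendered to a caller who has not yet authenticated, so the set of states the chain distinguishes is also the set of account states the login page reveals.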

Comment out the switch in login-webflow.xml:

<decision-state id="warn">
  <if test="flowScope.warnCookieValue" then="showWarningView" else="PasswordWarningCheck" />
</decision-state>

Possible approach for near-term adoption of this feature on 3.4.x: get a patch out for cas-server, then

1. apply the patch and do a local build and install
2. configure the overlay
3. good to go.
