JDBC

New CAS documentation site

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

JDBC Authentication Handler

Including the Handler

In the pom.xml file for your CAS Maven2 WAR Overlay, add the following dependency:

<dependency>
     <groupId>org.jasig.cas</groupId>
     <artifactId>cas-server-support-jdbc</artifactId>
     <version>${cas.version}</version>
</dependency>

Core Classes

Note that all JDBC AuthenticationHandlers require a DataSource. Each handler's section lists only the properties it needs in addition to the DataSource.

BindModeSearchDatabaseAuthenticationHandler

This authentication handler attempts to take the provided credentials and open a connection with them.

QueryDatabaseAuthenticationHandler

This authentication handler takes a database query whose result is a password and whose single parameter is a username. It then compares the password from the database with the password provided by the user (after encoding via the PasswordEncoder).

Properties:

  • sql - The SQL statement, in the following format: "Select password from table where username = ?"
  • passwordEncoder - The PasswordEncoder to use. The default is the PlainTextPasswordEncoder.

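The DefaultPasswordEncoder class supports use cases where a message digest function (hash) needs to be applied to the password for comparison with the stored value in the database. Storing a digest instead of the plaintext password is best security practice and the default on most modern database platforms. The following example demonstrates how to configure DefaultPasswordEncoder for the MD5 hash function. MD5 serves here as the illustration; a fast, unsalted digest gives little protection against offline guessing if the table is disclosed, so use the strongest algorithm your stored values allow.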

DefaultPasswordEncoder with MD5
<bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
  p:encodingAlgorithm="HmacMD5"
  p:characterEncoding="UTF-8"
/>

See the MAC section of http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA for a list of supported message digest functions in the default Sun cryptography provider (JCE).

(Note: on cas-3.4.8, I had to change the previous sample to the following:

DefaultPasswordEncoder with MD5 on cas 3.4.8
<bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" p:characterEncoding="UTF-8" >
    <constructor-arg index="0" value="MD5" />
</bean>

)
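The following wiring of QueryDatabaseAuthenticationHandler with an explicit password encoder is an added example, not configuration from the original page or the CAS project. It assumes the handler class lives in the org.jasig.cas.adaptors.jdbc package, that the Spring p namespace is declared in the surrounding beans file, and that Spring's DriverManagerDataSource is used; bean ids, driver, URL, credentials, table and column names are placeholders.

```xml
<!-- Added example: bean ids, driver class, JDBC URL, credentials,
     table and column names below are placeholders. -->

<!-- DataSource required by every JDBC handler. The handler only runs
     a select, so an account limited to SELECT on the users table
     is sufficient. -->
<bean id="casDataSource"
      class="org.springframework.jdbc.datasource.DriverManagerDataSource"
      p:driverClassName="org.example.jdbc.Driver"
      p:url="jdbc:example://db.example.org/cas"
      p:username="cas_readonly"
      p:password="CHANGE_ME" />

<!-- Encoder in the constructor-arg form of the cas 3.4.8 sample above.
     The stored column must hold values in the same encoded form. -->
<bean id="passwordEncoder"
      class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
      p:characterEncoding="UTF-8">
    <constructor-arg index="0" value="MD5" />
</bean>

<!-- The single ? is bound to the submitted username as a query
     parameter, so the username is never concatenated into the SQL.
     The returned column is compared with the encoded submitted
     password. Leaving out passwordEncoder falls back to the default
     PlainTextPasswordEncoder, i.e. plaintext passwords in the table. -->
<bean id="queryDatabaseAuthenticationHandler"
      class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"
      p:dataSource-ref="casDataSource"
      p:sql="select password from users where username = ?"
      p:passwordEncoder-ref="passwordEncoder" />
```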

SearchModeSearchDatabaseAuthenticationHandler

Given a table, username field and password field, this will query a database table with the provided encryption technique to see if the user exists.

Properties:

  • fieldUser - the name of the field containing the username
  • fieldPassword - the name of the field containing the password
  • tableUsers - the name of the table containing the users

Examples