01 CAS Authentication for the Impatient

This manual page is intended to be a quick guide for CASifying uPortal. It is current as of uPortal 3.x and tailored to 3.x. There are a number of ways to CASify a uPortal. You don't have to do it this way. This is, however, the standard way.

Binary dependencies

CASifying uPortal requires the Java CAS Client. The necessary dependencies are included with uPortal. You should not need to change the Java CAS Client version, however, if you do,edit the main pom.xml as follows

Editing the Java CAS Client Version if needed
<!-- Project Dependency Version Properties -->
<casclient.version>2.2.0-M2</casclient.version>

CAS Server dependencies

Of course, to CAS authenticate to your uPortal, you'll need a CAS server to use to do the authentication. uPortal 3.x comes with an embedded CAS 3.x server, these instructions are for using your own CAS server. If you'd like to use the embedded CAS server, please see 05 Exercise - Configuring CAS to use another authentication handler

The Java CAS Client library shipping with uPortal 3.x will work with any CAS server implementing CAS 3.X or below.

uportal-war/src/main/webapp/WEB-INF/web.xml configuration

CASifying uPortal is like CASifying other web applications. You need to declare the CasValidateFilter to detect and validate CAS tickets. Additionally, you need to declare the CAS Receipt Cacher filter as a bridge between the filter tier and the security provider API layer. These will already be declared for you. You'll just need to adjust them to your specific environment.

The filter is mapped over the /Login path because the CAS ticket is treated like other uPortal security credentials. You'd send your password to /Login if you were authenticating via password. You send your ticket to /Login to authenticate via CAS.

Declaring and mapping the necessary filters
<filter>
   <filter-name>CAS Validate Filter</filter-name>
   <filter-class>edu.yale.its.tp.cas.client.filter.CASValidateFilter</filter-class>
   <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>http://your.cas.server.com/cas/serviceValidate</param-value>
   </init-param>
   <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>yourportal.server.com</param-value>
   </init-param>
   <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.proxyCallbackUrl</param-name>
      <param-value>http://yourportal.server.com/uPortal/CasProxyServlet</param-value>
   </init-param>
</filter>

Warning!

It is VERY important that you remove the following init-param for production

Remove This!
<init-param>
  <param-name>BROKEN_SECURITY_ALLOW_NON_SSL</param-name>
  <param-value>NOT_SECURE_DO_NOT_USE_THIS_SETTING_IN_PRODUCTION</param-value>
</init-param>

uportal-impl/src/main/resources/properties/security.properties configuration

uPortal's /Login behavior is configurable via a pluggable security context API and a security.properties configuration file. Here's what you include to get it to use CAS. What we're saying here is that we'd like to use both (the "union" of) the CAS filter approach and the simple username,password approach, and impersonation approach to authenticating users. You shouldn't need to change these settings unless you'd not like to have the other authentication approaches.

root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.cas=org.jasig.portal.security.provider.cas.CasFilteredSecurityContextFactory
root.simple=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.impersonation=org.jasig.portal.security.provider.ImpersonationSecurityContext$Factory

Also in security.properties, you need to tell uPortal what tokens (request parameters) to recognize and use. You also shouldn't need to change these unless your request tokens differ from the standard CAS.

## Answers what tokens are examined in the request for each context during authentication.
## A subcontext only needs to set its tokens if it differs from those of the root context.
principalToken.root=userName
principalToken.root.impersonation=ticket
credentialToken.root=password
credentialToken.root.cas=ticket

Set the login URL for the portal (it's important that you use HTTP encoding)

## Login URL, if specified the CLogin channel will display a Login link with
## this URL instead of the standard userName/password form.
org.jasig.portal.channels.CLogin.CasLoginUrl=http://your.cas.server.com/cas/login?service=https%3A%2F%2Fyourportal.server.com%2FLogin

Set the logout URL for the portal (it's important that you use HTTP encoding if your URL contains spaces, etc)

## Answers where the user will be redirected when log out occurs. Each security context can have one.
## (See comments in the LogoutServlet class)
## It would be better to escape the value of the url parameter, but since there are no parameters on the
## unescaped URL and since there are no further parameters on the logout URL, this does work.
logoutRedirect.root=http://your.cas.server.com/cas/logout?url=https://yourportal.server.com/Login

Cleaning up

Remove the dependency for the embedded CAS server by deleting the uportal-portlets-overlay/cas directory.

Deploying your changes

ant clean deploy-war

Testing it

JA-SIG hosts a CAS server backed by Jira for user accounts. So you can create an account in JA-SIG Jira (you should be doing this anyway so you can comment on uPortal issues and post bugs and patches), create a user with the same name as your JA-SIG Jira account in your portal (or allow uPortal to auto-create accounts), and then you can try out using JA-SIG's CAS server to authenticate to your uPortal.