LPPE Module Integration Notes
Notes on what it took to get the LPPE (LDAP Password Policy Enforcement) module integrated into CAS 3.4.10. This work has been done in the investigative feature branch cas-server-3.4.10-lppe. The motivation for the feature branch is to better understand the integration points and whether it is reasonable to consider this for a minor CAS release.
The feature branch was started off of cas-server-3.4.10.
Java class files
- created a new module directory for cas-server-support-ldap-ppolicy
- updated the module and project pom files; the jars build correctly.
Most of the Java code is in new files, with the exception of the following:
- LdapAuthenticationViaFormAction
- BindLdapAuthenticationHandler
- LdapCASImpl
These are forks of existing code with the updates needed to plug in the LDAP error message capture/translation. The changes they require look like they might be acceptable for a minor release.
Webapp content
These files all have non-intrusive additions:
- default_views.properties
- protocol_views.properties
- messages_en.properties
spring-configuration
applicationContext.xml has a single change: it uses LdapCASImpl instead of CASImpl. This would go away if CASImpl provided the necessary support.
passwordWarningcheck.xml has bean definitions specific to this feature. These could be stubbed out in deployerConfigContext.xml instead.
webapp/WEB-INF/view/jsp/default/ui has a set of new views required for this feature:
- casAccountDisabledView.jsp
- casAccountLockedView.jsp
- casBadWorkstationView.jsp
- casExpiredPassView.jsp
- casMustChangePassword.jsp
- casWarnPassView.jsp
(however, not all of these are wired up in the SWF flow, so it is not clear that all of them are functional)
webapp/WEB-INF/view/jsp/protocol
added the new casWarnPassPostResponseView.jsp (should this be merged with casPostResponseView.jsp?)
WEB-INF/login-webflow.xml
additions for the LPPE UX, plus a change that introduces LPPE into the flow (open question: how to make this a no-op when LPPE is not configured?):
<decision-state id="warn">
    <if test="flowScope.warnCookieValue" then="showWarningView" else="PasswordWarningCheck" />
</decision-state>
cas-servlet.xml changes for LdapAuthenticationViaFormAction (this could go away if it were merged with AuthenticationViaFormAction)
deployerConfigContext.xml changes for the LPPE authentication handler and its bean dependencies (the LPPE configuration could be stubbed out here)
- merge LdapPwdAuthenticationViaFormAction with AuthenticationViaFormAction?
- merge the forked BindLdapAuthenticationHandler back into the stock one?
To build using the mvn overlay:
- Check out the feature branch and run mvn clean package install to place cas-server-3.4.10-LPPE-SNAPSHOT in your local mvn repo.
- Update the cas version in your mvn overlay to cas-server-3.4.10-LPPE-SNAPSHOT.
- Add the lppe module to the mvn overlay pom.xml:
<!-- CAS LDAP Password Policy support -->
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-ldap-ppolicy</artifactId>
    <version>${cas.version}</version>
    <scope>runtime</scope>
</dependency>
- Add an applicationContext.xml to the overlay whose centralAuthenticationService bean points at LdapCASImpl:
<!-- CentralAuthenticationService with principal -->
<bean id="centralAuthenticationService" class="org.jasig.cas.LdapPwdCentralAuthenticationServiceImpl"
- Configure the authentication handler in deployerConfigContext.xml, inside the authenticationHandlers list of the authenticationManager bean (the trailing closers below end that list), and wire the error-processor chain that translates LDAP bind failures into the account-state views:
<bean class="org.jasig.cas.adaptors.ldappwd.BindLdapAuthenticationHandler">
    <property name="contextSource" ref="contextSource" />
    <property name="searchContextSource" ref="pooledContextSource" />
    <property name="searchBase" value="${ldap.searchBase}" />
    <property name="filter" value="sAMAccountName=%u" />
    <property name="ignorePartialResultException" value="true" />
    <property name="errorProcessor" ref="firstErrorProcessor" />
</bean>
</list>
</property>
</bean>

<bean id="firstErrorProcessor" class="org.jasig.cas.adaptors.ldappwd.util.ExpiredPasswordErrorProcessor">
    <property name="nextItem">
        <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountLockedErrorProcessor">
            <property name="nextItem">
                <bean class="org.jasig.cas.adaptors.ldappwd.util.MustChangePasswordErrorProcessor">
                    <property name="nextItem">
                        <bean class="org.jasig.cas.adaptors.ldappwd.util.BadHoursErrorProcessor">
                            <property name="nextItem">
                                <bean class="org.jasig.cas.adaptors.ldappwd.util.BadWorkstationErrorProcessor">
                                    <property name="nextItem">
                                        <bean class="org.jasig.cas.adaptors.ldappwd.util.AccountDisabledErrorProcessor" />
                                    </property>
                                </bean>
                            </property>
                        </bean>
                    </property>
                </bean>
            </property>
        </bean>
    </property>
</bean>
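The error-processor chain above is a chain of responsibility: each processor recognises one kind of bind failure and otherwise hands the message to its nextItem, and whatever falls off the end is treated as an ordinary authentication failure. The following is an added, stand-alone illustration of that pattern, not code from the feature branch or the CAS project. It assumes an Active Directory server (the notes' filter uses sAMAccountName), whose failed simple binds carry a "data NNN" sub-code in the diagnostic message; the mapping of those sub-codes onto the six processors in the notes, and the class, enum and method names used here, are this example's own.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LdapErrorChainExample {

    /** Account states the LPPE views distinguish (enum names are this example's own). */
    public enum PolicyState {
        PASSWORD_EXPIRED, ACCOUNT_LOCKED, MUST_CHANGE_PASSWORD,
        BAD_HOURS, BAD_WORKSTATION, ACCOUNT_DISABLED
    }

    /**
     * One link of the chain. Each processor recognises a single AD "data NNN" sub-code
     * in the bind diagnostic message and otherwise defers to nextItem, mirroring the
     * nextItem property wiring of the bean chain in the notes.
     */
    public static class ErrorProcessor {
        // AD bind failures look like: "... AcceptSecurityContext error, data 532, v1db1"
        private static final Pattern DATA_CODE = Pattern.compile("\\bdata\\s+([0-9a-fA-F]{3})\\b");

        private final String dataCode;
        private final PolicyState state;
        private ErrorProcessor nextItem;

        public ErrorProcessor(String dataCode, PolicyState state) {
            this.dataCode = dataCode.toLowerCase();
            this.state = state;
        }

        /** Returns the link just set so that building the chain reads top to bottom. */
        public ErrorProcessor setNextItem(ErrorProcessor next) {
            this.nextItem = next;
            return next;
        }

        public Optional<PolicyState> process(String diagnosticMessage) {
            Matcher m = DATA_CODE.matcher(diagnosticMessage == null ? "" : diagnosticMessage);
            if (m.find() && m.group(1).toLowerCase().equals(dataCode)) {
                return Optional.of(state);
            }
            // Not ours: pass it on, or give up at the end of the chain.
            return nextItem == null ? Optional.empty() : nextItem.process(diagnosticMessage);
        }
    }

    /** Same ordering as the bean chain in the notes, keyed on AD sub-codes (assumed mapping). */
    public static ErrorProcessor buildChain() {
        ErrorProcessor first = new ErrorProcessor("532", PolicyState.PASSWORD_EXPIRED);
        first.setNextItem(new ErrorProcessor("775", PolicyState.ACCOUNT_LOCKED))
             .setNextItem(new ErrorProcessor("773", PolicyState.MUST_CHANGE_PASSWORD))
             .setNextItem(new ErrorProcessor("530", PolicyState.BAD_HOURS))
             .setNextItem(new ErrorProcessor("531", PolicyState.BAD_WORKSTATION))
             .setNextItem(new ErrorProcessor("533", PolicyState.ACCOUNT_DISABLED));
        return first;
    }

    public static void main(String[] args) {
        ErrorProcessor chain = buildChain();
        // Constructed sample messages in the shape AD returns on a failed simple bind.
        List<String> samples = Arrays.asList(
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1",
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1");
        for (String s : samples) {
            Optional<PolicyState> state = chain.process(s);
            // 52e (wrong password) matches no processor, so it is a plain authentication failure.
            System.out.println(state.map(Enum::name).orElse("AUTHENTICATION_FAILED") + " <- " + s);
        }
    }
}
```

Run as-is it prints PASSWORD_EXPIRED, ACCOUNT_LOCKED and AUTHENTICATION_FAILED for the three constructed messages. Two points follow from the structure: the order of the chain is the precedence order when a message could match more than one processor, and everything not explicitly recognised (wrong password, unknown user) collapses into the generic failure. That second property is worth preserving when adding processors, because the dedicated locked/disabled/expired views necessarily tell whoever submits the login form something about the account's state, which is the trade-off a deployer accepts for the better UX.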
- In login-webflow.xml the LPPE switch ships commented out, so the stock warn decision-state (which transitions to redirect) stays active; swap the two blocks to turn the password policy checks on:
<!--
To turn on LDAP Password Policy use this block instead of the one below.
<decision-state id="warn">
    <if test="flowScope.warnCookieValue" then="showWarningView" else="PasswordWarningCheck" />
</decision-state>
-->
<decision-state id="warn">
    <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
</decision-state>
Possible approach for near-term adoption of this feature on 3.4.x:
Get a patch out for cas-server, then:
1. apply the patch and do a local build and install
2. configure the overlay
3. good to go.
Possible approach for medium-term adoption of this feature in 3.5:
1. refactor for integration in core
2. enable the module with the maven overlay (should the sample config go in module/etc or in the files themselves?)