Using CAS with Java

Document Sample
Using CAS with Java Powered By Docstoc
					                                             Using CAS with Java
Drew Mazurek & Andrew Petro                                                                   August 27, 2004

1. CAS Filter

The CAS filter is the simplest way of CAS-protecting your application. Just a few lines of XML need to be
added to your web application’s deployment descriptor (web.xml):

<web-app>
  ...
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://secure.its.yale.edu/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://secure.its.yale.edu/cas/serviceValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>your server name and port (e.g., www.yale.edu:8080)</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/cas-protected/*</url-pattern>
  </filter-mapping>
  ...
</web-app>

In this case, any URL beneath /webapp/cas-protected would require a CAS login. If you want to protect
your entire web application, you can simply put /* for the URL pattern:

  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

The serverName initialization parameter does not require a port number if you are using the standard HTTP
port (80).

Other initialization parameters that may be specified:

edu.yale.its.tp.cas.client.filter.serviceUrl:            this parameter replaces the serverName parameter
above. It becomes the URL that CAS redirects to after login. If you have one specific point of entry to your
web application and you want all logins to proceed through that page, you would specify the full URL of that
page here.




ITS Technology & Planning                                -1-       http://www.yale.edu/tp/cas/caswithjava.html
                                             Using CAS with Java
Drew Mazurek & Andrew Petro                                                                       August 27, 2004

1. CAS Filter (continued)

edu.yale.its.tp.cas.client.filter.authorizedProxy:              to allow the filter to accept proxy tickets, you
need to specify valid proxies through which the authorization must have proceeded. This initialization
parameter accepts a whitespace-delimited list of valid proxy URLs. Only one URL needs to match for the login
to be successful. Note that if you do want to accept proxy tickets, you will have to change the validateUrl
above to proxyValidate rather than serviceValidate.

edu.yale.its.tp.cas.client.filter.renew:           if set to the string, true, this is the equivalent of
authenticating a ticket with renew=true passed as  a parameter. This should be used for high-security
applications where the user must enter his/her credentials again before accessing the site.


edu.yale.its.tp.cas.client.filter.wrapRequest:             if set to the string, true, the CASFilter will wrap the
request such that calls to getRemoteUser() return the authenticated username.


Once the user has logged into your application through the filter, the application may access the user’s name
through the session attribute, edu.yale.its.tp.cas.client.filter.user, or if you import
edu.yale.its.tp.cas.client.filter.* in your JSP or servlet, simply CASFilter.CAS_FILTER_USER.

Additionally, the client application may access a CASReceipt JavaBean-style object which
exposes the username as well as additional information about the successful
authentication, in the session attribute edu.yale.its.tp.cas.client.filter.receipt .




ITS Technology & Planning                              -2-           http://www.yale.edu/tp/cas/caswithjava.html
                                                Using CAS with Java
Drew Mazurek & Andrew Petro                                                                        August 27, 2004

2. CAS Tag Library

The CAS Tag Library is a another way to authenticate users’ access to JSP pages. JSP Tags cannot be used in
servlets, so if you need CAS protection within a servlet environment, you can use either the CAS Filter or the
CAS Java objects (see below); the former is recommended.

To use the tag library, once casclient.jar is installed in your web application’s /WEB-INF/lib directory, you
need to add the following to the top of a JSP page you wish to protect:

<%@ taglib uri=”http://www.yale.edu/its/tp/cas/version2” prefix=”cas” %>
<cas:auth var=”netID” scope=”session”>
  <cas:loginUrl>https://secure.its.yale.edu/cas/login</cas:loginUrl>
  <cas:validateUrl>https://secure.its.yale.edu/cas/proxyValidate</cas:validateUrl>
  <cas:authorizedProxy>https://authorized-proxy1</cas:authorizedProxy>
  <cas:authorizedProxy>https://authorized-proxy2</cas:authorizedProxy>
  ...
  <cas:service>http://service-url</cas:service>*
</cas:auth>
...
<html>
<body>
<p>Welcome, <%= session.getAttribute(“netID”); %>!</p>
</body>
</html>

The user will not see any part of the page past the <cas:auth /> tags until he/she has logged in. If the user hasn’t
logged in yet, a redirect to the CAS login page will be performed.

Also provided with the CAS Tag Library is a logout tag:

<%@ taglib uri=”http://www.yale.edu/its/tp/cas/version2” prefix=”cas” %>

<%-- first destroy the web application’s session --%>
<%   session.invalidate(); %>

<%-- then logout of CAS --%>
<cas:logout var=”netID” scope=”session”
    logoutUrl=”https://secure.its.yale.edu/cas/logout” />




*
    As with the filter, this tag is optional.
ITS Technology & Planning                               -3-           http://www.yale.edu/tp/cas/caswithjava.html
                                             Using CAS with Java
Drew Mazurek & Andrew Petro                                                                       August 27, 2004

3. CAS Java Objects

You may also authenticate users “manually” using the CAS Java objects. In this case, you would instantiate a
new ServiceTicketValidator or ProxyTicketValidator. Notice that in the example below, the page
already expects to receive a ticket parameter – this is the servlet that CAS returned to after the user logged in.
If this servlet was accessed directly by a user, it would need to check that the request parameter, ticket, was
not null. If it was null, the servlet would need to redirect to the CAS login page manually.

ServiceTicketValidator:

import edu.yale.its.tp.cas.client.*;

...

String   user = null;
String   errorCode = null;
String   errorMessage = null;
String   xmlResponse = null;

/* instantiate a new ServiceTicketValidator */
ServiceTicketValidator sv = new ServiceTicketValidator();

/* set its parameters */
sv.setCasValidateUrl(“https://secure.its.yale.edu/cas/serviceValidate”);
sv.setService(urlOfThisService);
sv.setServiceTicket(request.getParameter(“ticket”));

/*
 * If we want to be able to acquire proxy tickets (requires callback servlet to be set up
 * in web.xml –- see below)
 */
sv.setProxyCallbackUrl(urlOfProxyCallbackServlet);

/* contact CAS and validate */
sv.validate();

/* if we want to look at the raw response, we can use getResponse() */
xmlResponse = sv.getResponse();

/* read the response */
if(sv.isAuthenticationSuccessful()) {
    user = sv.getUser();
} else {
    errorCode = sv.getErrorCode();
    errorMessage = sv.getErrorMessage();
    /* handle the error */
}

/* The user is now authenticated. */

/* If we did set the proxy callback url, we can get proxy tickets with: */
String proxyTicket =
    edu.yale.its.tp.cas.proxy.ProxyTicketReceptor.getProxyTicket(
        sv.getPgtIou(),urlOfTargetService);



ITS Technology & Planning                              -4-           http://www.yale.edu/tp/cas/caswithjava.html
                                              Using CAS with Java
Drew Mazurek & Andrew Petro                                                                         August 27, 2004

3. CAS Java Objects (continued)

The proxy ticket validator is almost identical, except it allows you to validate service tickets or proxy tickets.
This class contains one additional method, getProxyList(), which accesses the list of URLs through which
the authentication was proxied.

ProxyTicketValidator:

import edu.yale.its.tp.cas.client.*;

...

String user = null;
String errorCode = null;
String errorMessage = null;
String xmlResponse = null;
List proxyList = null;

/* instantiate a new ProxyTicketValidator */
ProxyTicketValidator pv = new ProxyTicketValidator();

/* set its parameters */
pv.setCasValidateUrl(“https://secure.its.yale.edu/cas/serviceValidate”);
pv.setService(urlOfThisService);
pv.setServiceTicket(request.getParameter(“ticket”));

/*
 * If we want to be able to acquire proxy tickets (requires callback servlet to be set up
 * in web.xml –- see below)
 */
pv.setProxyCallbackUrl(urlOfProxyCallbackServlet);

/* contact CAS and validate */
pv.validate();

/* if we want to look at the raw response, we can use getResponse() */
xmlResponse = pv.getResponse();

/* read the response */
if(pv.isAuthenticationSuccessful()) {
    user = pv.getUser();
    proxyList = pv.getProxyList();
} else {
    errorCode = pv.getErrorCode();
    errorMessage = pv.getErrorMessage();
    /* handle the error */
}

/* The user is now authenticated. */

/* If we did set the proxy callback url, we can get proxy tickets with: */
String proxyTicket =
    edu.yale.its.tp.cas.proxy.ProxyTicketReceptor.getProxyTicket(
        sv.getPgtIou(),urlOfTargetService);



ITS Technology & Planning                               -5-           http://www.yale.edu/tp/cas/caswithjava.html
                                              Using CAS with Java
Drew Mazurek & Andrew Petro                                                                         August 27, 2004

3. CAS Java Objects (continued)

In order to obtain proxy tickets, the proxy callback listener must be set up as a servlet in the application’s
web.xml:

<web-app>
  ...
  <servlet>
    <servlet-name>ProxyTicketReceptor</servlet-name>
    <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>ProxyTicketReceptor</servlet-name>
    <url-pattern>/CasProxyServlet</url-pattern>
  </servlet-mapping>
  ...
</webapp>




ITS Technology & Planning                               -6-           http://www.yale.edu/tp/cas/caswithjava.html