If you are looking at this page for advice, you are in trouble. The CAS integration with JBoss does not work on any modern version of JBoss or any modern version of Java, and besides Yale is migrating its applications to Tomcat. If you are having a problem with this component, there is nobody who can help you and no way to fix it. Rip out any code that depends on the old JBoss container based authentication and replace it with a vanilla CAS Client (Servlet Filter) from Apereo.
Summary
This page will explain how to make a jboss container provide CAS authentication at a container level. This client uses a Catalina Valve which makes some intelligent decisions based on the cas context config. The CAS Context is the configuration of the CAS client for the container. This context is used for both the Valve on the front end, as well as the JAAS login modules on the authentication actions made by the container.
1. Download jars...
| Note |
|---|
Please check for the current version... |
| Code Block |
|---|
cd ${jboss.home}/server/${server}/lib
curl http://repo2.maven.org/maven2/org/jasig/cas/cas-client-core/3.1.10/cas-client-core-3.1.10.jar > cas-client-core-3.1.10.jar
curl http://repository.its.yale.edu/maven2/repo/org/jasig/cas/cas-client-jboss/1.0.3/cas-client-jboss-1.0.3.jar > cas-client-jboss-1.0.3.jar
|
...
| Code Block |
|---|
| title | JBoss 5 - ${jboss.home}/server/${server}/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml |
|---|
|
diff -cBr war-deployers-jboss-beans.xml.orig war-deployers-jboss-beans.xml
*** war-deployers-jboss-beans.xml.orig 2011-04-14 13:25:59.178715004 -0400
--- war-deployers-jboss-beans.xml 2011-04-14 13:25:59.178715004 -0400
***************
*** 172,177 ****
--- 172,181 ----
<value>org.apache.catalina.authenticator.FormAuthenticator</value>
</entry>
<entry>
+ <key>CAS</key>
+ <value>org.jasig.cas.client.jboss.CasAuthenticator</value>
+ </entry>
+ <entry>
<key>NONE</key>
<value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
</entry>
|
...
| Code Block |
|---|
| title | JBoss 4.2.3 - ${jboss.home}/server/${server}/deploy/jboss-web.deployer/META-INF/jboss-service.xml |
|---|
|
diff -cBr jboss-service.xml.orig jboss-service.xml
*** jboss-service.xml.orig 2011-05-16 14:55:41.000000000 -0400
--- jboss-service.xml 2011-05-16 14:56:21.000000000 -0400
***************
*** 33,38 ****
--- 33,42 ----
<java:value>org.apache.catalina.authenticator.FormAuthenticator</java:value>
</java:property>
<java:property>
+ <java:key>CAS</java:key>
+ <java:value>org.jasig.cas.client.jboss.CasAuthenticator</java:value>
+ </java:property>
+ <java:property>
<java:key>NONE</java:key>
<java:value>org.apache.catalina.authenticator.NonLoginAuthenticator</java:value>
</java:property>
|
| Code Block |
|---|
| title | ${jboss.home}/node00/deploy/jboss-web.deployer/META-INF/jboss-service.xml |
|---|
|
diff jboss-service.xml{.20110429,}
35a36,39
> <java:key>CAS</java:key>
> <java:value>org.jasig.cas.client.jboss.CasAuthenticator</java:value>
> </java:property>
> <java:property>
|
3.
...
Modify web.xml
| Code Block |
|---|
| title | ${hudson.war}/Example: WEB-INF/web.xml |
|---|
|
diff -cBr web.xml.orig web.xml
***
web.xml.orig 2011-04-14 13:34:30.008715022 -0400 --- web.xml 2011-04-28 10:46:58.236393003 -0400
***************
*** 145,151 ****
<security-constraint><security-role>
<web<role-resource-collection>
<web-resource-name>Hudson</web-resource-name>
! <url-pattern>/loginEntry</url-pattern>
<!--http-method>GET</http-method-->
</web-resource-collection>
<auth-constraint>
--- 145,151 ----
<security-constraint>
name>app-user</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Hudson<name>My App</web-resource-name>
!
<url-pattern>/</url-pattern>
<!--http-method>GET</http-method-->
</web-resource-collection>
<auth-constraint>
***************
***
154,160 **** </security-constraint>
<login-config>
! <auth-method>FORM</auth-method><role-name>app-user</role-name>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/loginError</form-error-page>
--- 154,160 ----
</auth-constraint>
</security-constraint>
<login-config>
!
<auth-method>CAS</auth-method>
<form-login-config><realm-name>MyAppRealm</realm-name>
<form-login-page>/login</form-</login-page>
<form-error-page>/loginError</form-error-page>config>
...
|
4. Update login-config.xml
| Code Block |
|---|
| title | ${jboss.home}/server/${server}/conf/login-config.xml |
|---|
|
diff -cBr login-config.xml.orig login-config.xml
***
login-config.xml.orig 2011-04-28 10:59:03.466393001 <application-0400
--- login-config.xml 2011-04-28 10:54:50.326393001 -0400
***************
*** 123,132 ****
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
!policy name="MyAppRealm">
<authentication>
!
<login-module code="org.jbossjasig.security.auth.spi.UsersRolesLoginModule"
! flag="required"/>
! </authentication>
</application-policy>
</policy>
--- 124,152 ----
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
! <authentication>
!
! <login-module code="org.jboss.security.auth.spi.LdapExtLoginModulecas.client.jboss.jaas.CasAuthenticatorLoginModule" flag="sufficientrequired">
!
<module-option name="java.naming.provider.url">ldaps://ad.its.yale.edu:636/</module-option>
! <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
! <module-option name="java.naming.security.protocol">ssl</module-option>
! <module-option name="bindDN">${user.dn}</module-option>
! <module-option name="bindCredential">${user.pwd}</module-option>
! <module-option name="baseCtxDN">DC=yu,DC=yale,DC=edu</module-option>
! <module-option name="baseFilter">(cn={0})</module-option>
! <module-option name="defaultRole">hudson</module-option>
! <module-option name="roleFilter">(1=2)</module-option>
! <module-option name="rolesCtxDN">DC=yu,DC=yale,DC=edu</module-option>
! <module-option name="password-stacking">useFirstPass</module-option>
! </login-module>
!
! <login-module code="org.jasig.cas.client.jboss.jaas.CasAuthenticatorLoginModule" flag="sufficient">
! <module-option name="default-role">hudson</module-option>
! <module-option name="password-stacking">useFirstPass</module-option>
! </login-module>
!
! </authentication>
!
default-role">app-user</module-option>
</login-module>
</authentication>
</application-policy>
...
</policy>
|
4. Add cas-config-service.xml
| Code Block |
|---|
| title | ${jboss.home}/server/${server}/deploy/cas-config-service.xml |
|---|
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE server PUBLIC "-//JBoss//DTD MBean Service 4.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
<server>
<mbean code="org.jboss.naming.JNDIBindingServiceMgr"
name="org.jasig:service=CasConfig">
<attribute name="BindingsConfig" serialDataType="jbxb">
<jndi:bindings
xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jndi="urn:jboss:jndi-binding-service:1.0"
xs:schemaLocation="urn:jboss:jndi-binding-service:1.0 resource:jndi-binding-service_1_0.xsd">
<jndi:binding name="jasig/cas/config">
<java:properties xmlns:java="urn:jboss:java-properties"
xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
<!-- Properties -->
<java:property>
<java:key>loginUrl</java:key>
<java:value>https://secure.its.yale.edu/cas/login</java:value>
</java:property>
<java:property>
<java:key>casServerUrl</java:key>
<java:value>https://secure.its.yale.edu/cas</java:value>
</java:property>
<java:property>
<java:key>basicAuthPaths</java:key>
<java:value>.*/api/xml</java:value>
</java:property>
<java:property>
<java:key>basicAuthRealm</java:key>
<java:value>Hudson Xml Api</java:value>
</java:property>
</java:properties>
</jndi:binding>
</jndi:bindings>
</attribute>
<depends>jboss:service=Naming</depends>
</mbean>
<mbean code="org.jasig.cas.client.jboss.mbeans.CasContextConfig"
name="org.jasig:service=CasContextMBean">
<depends>jboss:service=Naming</depends>
<depends>org.jasig:service=CasConfig</depends>
</mbean>
</server>
|
...