Versions Compared

Old Version 7

changes.mady.by.user Massimiliano Turri

Saved on

compared with

New Version 8

changes.mady.by.user Massimiliano Turri

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The tomcat integration library does not work with the current version of CAS used at SLAC due to a bug in the CAS server. It does work with the latest version of CAS server. The instructions for deploying the tomcat integration library are here: https://wiki.jasig.org/x/bgFXAg
  • The tomcat integration library allows authentication to be done via CAS, but authorization is still done by a file called manager-user-roles.properties. It should be fairly easy to extend this to use the group manager.
  • The version of CAS server used by Fermi has some SLAC specific mods. In particular it depends on and makes calls to the LoginFilter . We need to remember what this is for and if it is really needed. 
  • The current version of CAS in Fermi CVS appears to have some minor issues. It is not clear that the maven2 build has ever been deployed. We should probably create a SRS version if it does not already exist, since we are using it for more than just Fermi. We have to keep running it on glast-ground however, since we do not have a certificate for srs. We could run a new version in parallel with the old version for a while.
  • We should probably upgrade to the latest version of CAS (from ja-sig) while we are making other changes. Perhaps we should start fresh from the instructions at: https://wiki.jasig.org/x/sgKkAQ
  • Developing an interface for crowd should be straightforward. We need to develop our own password handler, similar to the SLACPasswordHandler we have now, but talking to crowd instead of kerberos. The instructions for building a crowd client are here: http://confluence.atlassian.com/x/A-AC. We would start by using crowd-test (https://crowd-test.slac.stanford.edu:8443/).

Status

Maven2 Project org-srs-cas

We have developed a new SRS maven project called org-srs-cas. It contains the following CAS related modules:

Module name

Description

org-srs-cas-server

The CAS server. It is an overlay of the standard ja-sig cas server distribution. It contains an authentication handler to talk to the SLAC Crowd server.

org-srs-cas-tomcat-integration

This module allows Tomcat to use CAS for authentication, for example to access probe.

Project org-srs-cas-server 

A Maven2 project for the new SRS CAS server has been created and added to the SRS subversion repository. It is built as an overlay of cas-server-webapp as suggested in the instructions at https://wiki.jasig.org/x/sgKkAQ.

It is currently configured to delegate the authentication to the SLAC crowd-test server.

...

Code Block
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

CAS Tomcat Integration

I downloaded:

I succeeded in installing the tomcat connector on tomcat6 installed on my local machine. I just had to install

...

Project org-srs-cas-tomcat-integration

This project create an assembly with all the dependencies required to integrate the CAS authentication in Tomcat v6. It currently depends on version 3.2.0 of cas-client-integration-tomcat-v6

...

.

The following steps are required to activate the CAS authentication in Tomcat:

  • Create the assembly running mvn assembly:single. This produces a zip file in the target directory of the project
  • Copy and unpack the zip file in your Tomcat installation. We put it in tomcat/BASE60/common/common/lib.
  • Make sure that the jar files unpacked in the previous steps are symlinked from the lib directory of the particular Tomcat instance. For example tomcat/BASE60/glastlnx/common/lib
  • Modified

...

  • ${CATALINA_BASE}/conf/context.xml to include:
No Format
 <Realm
    className="org.jasig.cas.client.tomcat.v6.PropertiesCasRealm"
    propertiesFilePath="conf/manager-user-roles.properties"
    />
  <!--
  <Valve
    className="org.jasig.cas.client.tomcat.v6.Cas20ProxyCasAuthenticator"
    encoding="UTF-8"
    casServerLoginUrl="https://glast-ground.slac.stanford.edu/cas-srs/login"
    casServerUrlPrefix="https://glast-ground.slac.stanford.edu/cas-srs/"
    serverName="localhost:8080"
    />
  -->
  <Valve
    className="org.jasig.cas.client.tomcat.v6.Cas20ProxyCasAuthenticator"
    encoding="UTF-8"
    casServerLoginUrl="http://localhost:8080/cas/login"
    casServerUrlPrefix="http://localhost:8080/cas/"
    serverName="localhost:8080serverPort"
    />

...

where serverName and serverPort are the name and port on which Tomcat is running.

  • Add ${CATALINA_BASE}/conf/manager-user-roles.properties to read:
No Format
 tonyj: manager

...

  • Make sure the above file is symlinked from conf directory of the Tomcat instance.