...

  • We would like to switch to using Crowd for authentication instead of Kerberos, since this will allow users without SLAC IDs to log in. Fermi would like to use this.
  • It would be useful to restrict access to arbitrary URLs, such as subversion, probe, manager. EXO (and others) would like to use this for protecting access to subversion.

...

| Module name | Description |
|---|---|
| org-srs-cas-server | The CAS server. It is an overlay of the standard JA-SIG CAS server distribution. It contains an authentication handler to talk to the SLAC Crowd server. |
| org-srs-cas-tomcat-integration | This module allows Tomcat to use CAS for authentication, for example to access probe. |

Project org-srs-cas-server 

...

In the above example we used the class org.jasig.cas.client.tomcat.v6.Cas20ProxyCasAuthenticator as the Valve. As part of the configuration we have to pass the serverName. For most applications that are accessed through IIS this is fine, as the serverName is shared by many servers (like glast-ground.slac.stanford.edu). For applications like probe that need to be accessed directly on the server, this would require duplicating the configuration above on each server on which probe is running.

To avoid duplication of configuration we ended up writing our own class: org.srs.cas.client.tomcat.v6.Cas20ProxyCasAuthenticator. This class is a copy of the jasig class org.jasig.cas.client.tomcat.v6.Cas20ProxyCasAuthenticator (it could not be extended because the jasig class is final).

...