Goals
There are a number of issues related to tomcat and CAS which would be good to fix.
- We would like to switch to using Crowd for authentication instead of kerberos, since this will allow users without SLAC id's to login. Fermi would like to use this.
- It would be useful to restrict access to arbitrary URL's, such as subversion, probe, manager. EXO (and others) would like to use this for protecting access to subversion.
Issues
- The tomcat integration library does not work with the current version of CAS used at SLAC due to a bug in the CAS server. It does work with the latest version of CAS server. The instructions for deploying the tomcat integration library are here: https://wiki.jasig.org/x/bgFXAg.
- The tomcat integration library allows authentication to be done via CAS, but authorization is still done by a file called manager-user-roles.properties. It should be fairly easy to extend this to use the group manager.
- The version of CAS server used by Fermi has some SLAC specific mods. In particular it depends on and makes calls to the LoginFilter . We need to remember what this is for and if it is really needed.
- The current version of CAS in Fermi CVS appears to have some minor issues. It is not clear that the maven2 build has ever been deployed. We should probably create a SRS version if it does not already exist, since we are using it for more than just Fermi. We have to keep running it on glast-ground however, since we do not have a certificate for srs. We could run a new version in parallel with the old version for a while.
- We should probably upgrade to the latest version of CAS (from ja-sig) while we are making other changes. Perhaps we should start fresh from the instructions at: https://wiki.jasig.org/x/sgKkAQ
- Developing an interface for crowd should be straightforward. We need to develop our own password handler, similar to the SLACPasswordHandler we have now, but talking to crowd instead of kerberos. The instructions for building a crowd client are here: http://confluence.atlassian.com/x/A-AC. We would start by using crowd-test (https://crowd-test.slac.stanford.edu:8443/).
Status
Maven2 Project org-srs-cas-server
A Maven2 project for the new SRS CAS server has been created and added to the SRS subversion repository. It is built as an overlay of cas-server-webapp as suggested in the instructions at https://wiki.jasig.org/x/sgKkAQ.
It is currently configured to delegate the authentication to the SLAC crowd-test server.
The following are the steps required to authenticate with crowd:
- Add the crowd-integration-client dependency
<dependency>
<groupId>com.atlassian.crowd</groupId>
<artifactId>crowd-integration-client</artifactId>
<version>2.0.0</version>
</dependency>
Please notice that we are currently using crowd version 2.0.0. This is somewhat behind the official crowd versions that are around2.2.x.
To import this dependency it is necessary to add the following repository
<repository>
<id>atlassian-proxy</id>
<name>Atlassian Proxy Repository</name>
<url>https://m2proxy.atlassian.com/repository/public</url>
</repository>
- Write a custom authentication handler to talk to crowd
Because of the dependency to version 2.0.0, the custom crowd authentication handler org.srs.cas.server.authentication.CrowdAuthenticationHandler is currently using the SOAP mechanism rather than the REST interfaces as suggested in the instructions above.
- Add the properties file crowd.properties
To authenticate users with crowd, the application delegating the authentication needs to authenticate itself with the crowd server first. We have added the application cas with the crowd-test server and a set of ip addresses for this purpose. When the SOAP SecurityServerClient does the authentication of the service, it looks for the crowd.properties file in the classpath. This file looks like:
application.name=cas application.password=***** crowd.server.url=https://crowd-test.slac.stanford.edu:8443/services/
- Tell the CAS server to use our custom crowd authentication handler
This is done in WEB-INF/deployerConfigContext.xml by replacing the default SimpleTestUsernamePasswordAuthenticationHandler with:
<bean class="org.srs.cas.server.authentication.CrowdAuthenticationHandler" />
- Enable SSL
Add the following code to WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
CAS Tomcat Integration
I downloaded:
- http://downloads.jasig.org/cas-clients/cas-client-3.1.12-release.zip
- http://downloads.jasig.org/cas/cas-server-3.4.7-release.zip
I succeeded in installing the tomcat connector on tomcat6 installed on my local machine. I just had to install
- cas-client-core-3.1.12.jar
- cas-client-integration-tomcat-common-3.1.12.jar
- cas-client-integration-tomcat-v6-3.1.12.jar
- common-loggin-1.1.jar (the documentation did not say I needed this, but otherwise it did not work)
in ${CATALINA_BASE}/common. I then modified ${CATALINA_BASE}/conf/context.xml to include:
<Realm
className="org.jasig.cas.client.tomcat.v6.PropertiesCasRealm"
propertiesFilePath="conf/manager-user-roles.properties"
/>
<!--
<Valve
className="org.jasig.cas.client.tomcat.v6.Cas20ProxyCasAuthenticator"
encoding="UTF-8"
casServerLoginUrl="https://glast-ground.slac.stanford.edu/cas/login"
casServerUrlPrefix="https://glast-ground.slac.stanford.edu/cas/"
serverName="localhost:8080"
/>
-->
<Valve
className="org.jasig.cas.client.tomcat.v6.Cas20ProxyCasAuthenticator"
encoding="UTF-8"
casServerLoginUrl="http://localhost:8080/cas/login"
casServerUrlPrefix="http://localhost:8080/cas/"
serverName="localhost:8080"
/>
and added ${CATALINA_BASE}/conf/manager-user-roles.properties to read:
tonyj: manager
Navigating to the tomcat manager then causes a CAS login request to be issued. With the standard fermi CAS this semi-worked. By installing the latest greatest "out-of-the-box" cas server (cas-server-webapp-3.4.7.war) in webapps on the same tomcat it worked fine.