Potential new way to integrate CAS with Grouper


There are two different ways of enabling CAS authentication to protect Grouper resources. These have been tested with Grouper 2.4.0 primarily as a proof of concept, although there are some reports of success from similar configurations based on these.

Method 1: Tomcat Container Authentication

See also: https://github.com/apereo/java-cas-client

...

Code Block
<Context docBase="/ucd/opt/grouper-ui/dist/grouper" path="/grouper"
    reloadable="false" mapperContextRootRedirectEnabled="true" mapperDirectoryRedirectEnabled="true">

  <Realm className="org.jasig.cas.client.tomcat.v7v85.PropertiesCasRealm"
     propertiesFilePath="/etc/tomcat/grouper-users.properties"
   />

  <!--
       If you do not need to map users to roles via a grouper-users.properties file use this.
       <Realm className="org.jasig.cas.client.tomcat.v7v85.AssertionCasRealm" />
  -->

  <Valve className="org.jasig.cas.client.tomcat.v7v85.Cas20CasAuthenticator"
     encoding="UTF-8"
     casServerLoginUrl="https://CAS_SERVER/cas/login"
     casServerUrlPrefix="https://CAS_SERVER/cas/"
     serverName="GROUPER_SERVER"
   />

  <!-- Single sign-out support -->
  <Valve className="org.jasig.cas.client.tomcat.v7v85.SingleSignOutValve"
    artifactParameterName="SAMLart"
  />
</Context>



  • You don't need to alter anything in the Grouper UI itself; you just need to make sure that the logged-in user is searchable by a subject source.
  • For Tomcat 8.0.x, change the package names to "v8" instead. (Note: Tomcat 8.5.x at this point is not supported and requires modification of the CAS client, given API incompatibilities between 8.0.x and 8.5.x.)


The following jar files will need to go into the Tomcat lib directory (with current versions as of May 2019):

  • org.jasig.cas.client : cas-client-core (v3.5.1)
  • org.jasig.cas.client : cas-client-integration-tomcat-common (v3.5.1)
  • org.jasig.cas.client : cas-client-integration-tomcat-v85 (v3.5.1)
  • org.slf4j : slf4j-api (v1.7.26)

In Grouper's WEB-INF/web.xml, comment out the login-config and security-role sections. The security-constraint sections should remain so that authentication is triggered. The role-name can be changed to "*" (or "**" if that doesn't work) to allow all validated users to log in.

For other versions of Tomcat, change v85 to v8, v7, or v6 as appropriate.


Method 2: Client Configuration Using web.xml

This method makes changes solely within the Grouper web application, without affecting the Tomcat configuration.

1. Download the cas-client-core jar file (current version is cas-client-core-3.5.1.jar as of May 2019)

2. Copy the web application's top-level index.jsp to a new subdirectory cas/

3. Edit cas/index.jsp to reference parent directory instead of the current one

No Format
<%@ include file="../WEB-INF/grouperUi2/assetsJsp/commonTaglib.jsp"%>
String location="../grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain";


4. Add to WEB-INF/classes/Owasp.CsrfGuard.overlay.properties

No Format
org.owasp.csrfguard.unprotected.CASLogin=%servletContext%/cas/*


5. Add to WEB-INF/web.xml, changing parameters as needed. Based on https://apereo.atlassian.net/wiki/spaces/CASC/pages/103252594/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml

Code Block (xml)
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>http://localhost:8080/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://localhost:8080</param-value>
  </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/cas/*</url-pattern>
</filter-mapping>
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>http://localhost:8080/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://localhost:8080</param-value>
  </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/cas/*</url-pattern>
</filter-mapping>
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/cas/*</url-pattern>
</filter-mapping>


6. Start Tomcat and check the catalina and localhost logs for any startup errors.

7. Go to the URI /grouper/cas/index.jsp to trigger the start of a CAS session.
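A quick sanity check for the step 5 fragment, added here as an example; it is not code from this page, from Grouper or from the Apereo CAS client. It parses the filter and filter-mapping elements with the Python standard library and reports the three things that most often go wrong when the chain is wired by hand: a CAS filter that is missing or mapped out of order (the client needs authentication, then ticket validation, then the request wrapper), CAS filters that cover different url-patterns, and casServerUrlPrefix or serverName values that are not https (the page's sample uses http://localhost:8080, which is fine for a first smoke test but not for a deployment). The filter names and hostnames in the constructed sample are assumptions, not values from a real install.

```python
"""Lint the CAS filter chain in a Grouper web.xml fragment (added example)."""
import xml.etree.ElementTree as ET

# Filter classes from step 5, in the order the CAS client expects them to run:
# authenticate, validate the ticket, then wrap the request so that
# getRemoteUser() returns the CAS principal.
EXPECTED_ORDER = [
    "org.jasig.cas.client.authentication.AuthenticationFilter",
    "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter",
    "org.jasig.cas.client.util.HttpServletRequestWrapperFilter",
]


def parse_fragment(fragment):
    """Parse a web.xml fragment (filter/filter-mapping elements only).

    Returns (filters, mappings):
      filters  -> {filter-name: {"class": filter-class, "params": {name: value}}}
      mappings -> [(filter-name, url-pattern), ...] in document order
    """
    root = ET.fromstring("<web-app>" + fragment + "</web-app>")
    filters = {}
    for f in root.findall("filter"):
        params = {p.findtext("param-name"): p.findtext("param-value")
                  for p in f.findall("init-param")}
        filters[f.findtext("filter-name")] = {"class": f.findtext("filter-class"),
                                              "params": params}
    mappings = [(m.findtext("filter-name"), m.findtext("url-pattern"))
                for m in root.findall("filter-mapping")]
    return filters, mappings


def check_cas_chain(fragment):
    """Return a list of findings; an empty list means the fragment looks sane."""
    filters, mappings = parse_fragment(fragment)
    findings = []

    # 1. Every mapping must refer to a declared filter, and the CAS filters must
    #    be mapped in the expected order (mapping order is what Tomcat honours).
    for name, _ in mappings:
        if name not in filters:
            findings.append("filter-mapping refers to undeclared filter %r" % name)
    cas_classes = [filters[n]["class"] for n, _ in mappings
                   if n in filters and filters[n]["class"] in EXPECTED_ORDER]
    if cas_classes != EXPECTED_ORDER:
        findings.append("CAS filters missing or mapped out of order: "
                        + ", ".join(c.rsplit(".", 1)[-1] for c in cas_classes))

    # 2. All CAS filters must cover the same URL space; otherwise a path can be
    #    authenticated but never ticket-validated, or validated but not wrapped.
    patterns = {pat for n, pat in mappings
                if n in filters and filters[n]["class"] in EXPECTED_ORDER}
    if len(patterns) > 1:
        findings.append("CAS filters mapped to different url-patterns: %s" % sorted(patterns))

    # 3. Service tickets and the service URL travel in cleartext unless both
    #    the CAS server prefix and the serverName callback are https.
    for name, spec in filters.items():
        for key in ("casServerUrlPrefix", "serverName"):
            value = spec["params"].get(key)
            if value is not None and not value.startswith("https://"):
                findings.append("%s: %s=%r is not https" % (name, key, value))
    return findings


def build_fragment(cas_prefix, server_name, url_pattern="/cas/*", with_wrapper=True):
    """Construct a fragment shaped like step 5 (constructed sample input)."""
    def one(name, cls, with_params):
        params = ""
        if with_params:
            params = ("<init-param><param-name>casServerUrlPrefix</param-name>"
                      "<param-value>%s</param-value></init-param>"
                      "<init-param><param-name>serverName</param-name>"
                      "<param-value>%s</param-value></init-param>" % (cas_prefix, server_name))
        return ("<filter><filter-name>%s</filter-name><filter-class>%s</filter-class>%s</filter>"
                "<filter-mapping><filter-name>%s</filter-name><url-pattern>%s</url-pattern>"
                "</filter-mapping>" % (name, cls, params, name, url_pattern))
    parts = [one("CAS Authentication Filter", EXPECTED_ORDER[0], True),
             one("CAS Validation Filter", EXPECTED_ORDER[1], True)]
    if with_wrapper:
        parts.append(one("CAS HttpServletRequest Wrapper Filter", EXPECTED_ORDER[2], False))
    return "".join(parts)


if __name__ == "__main__":
    # Hypothetical hostnames; the deployment-style chain should produce no findings.
    good = build_fragment("https://cas.example.edu/cas", "https://grouper.example.edu")
    print("deployment-style chain:", check_cas_chain(good) or "OK")
    # The page's localhost sample with the wrapper filter left out.
    bad = build_fragment("http://localhost:8080/cas", "http://localhost:8080", with_wrapper=False)
    for finding in check_cas_chain(bad):
        print("finding:", finding)
```

To run it against a real web.xml, read the file, cut the fragment between the first CAS `<filter>` and the last CAS `</filter-mapping>`, and pass that string to check_cas_chain; the parser deliberately ignores the rest of the deployment descriptor.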


Previous way to integrate CAS with Grouper (< 2.4.0)

The yale-cas-auth java jar file is included with the installation of the Grouper UI. There are a few steps we needed to take to implement it:

...