If you are developing web applications, you have surely faced the task of implementing single sign-on. In this short article I will briefly describe a turnkey solution from Jasig.
Short description
Jasig CAS (Central Authentication Service) is a web application written in Java. Almost nothing needs to be done to start using it: download, configure, build, deploy, and then set up the clients (the sites on which we implement single sign-on).
Scheme of work
How CAS works can be understood from this diagram:
Yandex and Google use a similar scheme.
Consider it step by step:
1. The user opens the web application.
2. The request is received not by CAS but by the application.
3. Our web application sees that the user has no session and redirects the user to CAS. For the user everything is simple: he opened the application and immediately saw the login page.
4. The user enters a login and password.
5. CAS validates them.
6. CAS generates a random string, the "ticket". From then on it identifies the user.
7. The request is redirected back to our web application, with the ticket passed as a parameter.
8. Our web application asks CAS whether there is a user with such a ticket.
9. If there is, CAS responds with the user login and other data (what exactly depends on how you configure it).
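As an added example (not code from the article or the Jasig project), here is the server-side ticket check a web application performs in steps 7 to 9, written against the CAS 2.0 serviceValidate endpoint and its XML response. The HTTP call is injected so the code runs offline on constructed responses; cas.example.com and app.example.com are assumed names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def validate_url(cas_base, service, ticket):
    """Step 8: 'service' must be the address the user was redirected with; CAS rejects a mismatch."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query


def parse_validation(body):
    """Step 9: login from a CAS 2.0 response, or None; the ticket string alone proves nothing."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:  # <cas:authenticationFailure> or unrelated XML
        return None
    user = success.find("cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        return None
    return user.text.strip()


def login_from_ticket(cas_base, service, ticket, fetch):
    """Steps 8 and 9 together; 'fetch' performs the HTTP GET to CAS."""
    return parse_validation(fetch(validate_url(cas_base, service, ticket)))


# Constructed sample responses in the CAS 2.0 format, keyed by ticket.
SAMPLE_RESPONSES = {
    "ST-1-good": (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>"
        "<cas:user>alice</cas:user></cas:authenticationSuccess></cas:serviceResponse>"
    ),
    "ST-2-bad": (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        "<cas:authenticationFailure code='INVALID_TICKET'>"
        "Ticket ST-2-bad not recognized</cas:authenticationFailure>"
        "</cas:serviceResponse>"
    ),
}


def fake_fetch(url):  # stand-in for the HTTP request, serving the samples
    ticket = parse_qs(urlparse(url).query)["ticket"][0]
    return SAMPLE_RESPONSES.get(ticket, "not xml")
```

In a real application, replace fake_fetch with an HTTPS request to your CAS server and only create the session when login_from_ticket returns a login.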
How to set it up
Own authorization method
First we need to define our own logic for checking the username and password. To do this, we extend the class org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler:

```java
package mypack;

import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

public class MyAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

    @Override
    protected final boolean authenticateUsernamePasswordInternal(
            final UsernamePasswordCredentials credentials) throws AuthenticationException {
        // Placeholder check from the article: login succeeds when the password
        // equals the username. Put your real credential check here.
        return credentials.getUsername().equals(credentials.getPassword());
    }
}
```
After that, you need to change the Spring context configuration so that CAS knows to use MyAuthenticationHandler.
If you know little about Spring, you can search for information on it or read the documentation at www.springsource.org.
In CAS, the basic Spring configuration that we may need is in the deployerConfigContext.xml file. Add our class:

```xml
<!-- ... -->
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" />
    <bean class="mypack.MyAuthenticationHandler" />
  </list>
</property>
<!-- ... -->
```
Everything that we may need for the login (for example, a dataSource) can also be injected in the Spring context:

```xml
<!-- ... -->
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" />
    <bean class="mypack.MyAuthenticationHandler">
      <property name="dataSource" ref="dataSource" />
    </bean>
  </list>
</property>
<!-- ... -->
```
Deployment
To deploy, you need a server with a JVM installed and some DBMS. Even if you do not use a DBMS for authorization, CAS uses one to store its service tables.
In these tables it keeps the list of addresses from which authorization through this server is allowed.
For example, if we need to log in to example.com through our CAS but it is not in the list, authorization will fail (remember: the address of the site where the login occurs is passed as a parameter). You can also do without the list entirely and allow login from any address, at the cost of no longer checking that parameter.
How to configure the client
Jasig already has several ready-made client libraries for CAS (for Java, .NET and PHP). In the case of Java, these are ready-made HTTP filters that only need to be configured (how to do this is described here: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1).
Or you can create your own by inheriting from org.jasig.cas.client.util.AbstractCasFilter.
Everything else is refinement and customization to your needs. From my own experience I can say that deploying and adapting CAS is not a very complicated or lengthy process. You can also add a captcha, statistics and, of course, your own design.
References:
You can get it on the download page.
The picture is taken from here:
Jasig: http://www.jasig.org/cas
A list of portals where CAS is already in use: http://www.jasig.org/cas/deployments
License: http://www.jasig.org/cas/license