cas ng n.
Skip this Video
Loading SlideShow in 5 Seconds..
CAS-NG PowerPoint Presentation


137 Views Download Presentation
Download Presentation


- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CAS-NG A small enhancement to CAS 3to provide new services

  2. Objectives [of this talk] • TrustedOtherCas – single sign-on to more than one instance of the CAS codebase • ScriptedValidate – Extend CAS ServiceValidate with Access Control rules written in simple scripting languages • CAS Extensibility – How and where these extensions fit into the architecture

  3. Enable Additional CAS Function Now Existing CentralCAS 3 (or 2) EnhancedCAS 3 Trust Validate Validate ExistingSatisfiedServices New Servicesrequiringnew function

  4. Departmental Local Function DepartmentService Existing CentralCAS 3 (or 2) DepartmentalCAS 3 Validate Trust CentralService DepartmentalCAS 3 DepartmentService Trust Validate

  5. Simple Peer Federation Other Institution Campus trust CAS CAS Service client Service

  6. cas-server-support-trustedexisting CAS 3 optional subproject J2EE Container WebListener SERVLET api CAS ContainerBased Authentication request.getRemoteUser()

  7. trustedOtherCas – a WebFlow beanthat generates “trusted” credentials CAS login WebFlow /cas/login cookie x.509 cert other stuff CAS Filter logic turned intoa Web Flow Bean Form orOtherCAS

  8. TrustedOtherCas Step by StepGet it in the WAR • Get “cas-server-support-trusted-otherCAS” project, put it in CAS 3 source directory • Add name to top level POM module list [so it gets compiled by Maven into a JAR] • Add the “cas-server-support-trusted” and “trusted-otherCAS” artifact JARs to the webapp project POM dependency list [so JAR gets added to the WAR WEB-INF/lib]

  9. TrustedOtherCas Step by StepSpring Configuration • Add “trusted” project beans to the Handler and Resolver bean list [so credentials can be processed] in deployerConfigContext.xml • In cas-servlet.xml, configure an instance of the trustedOtherCas bean with the login and validation URL of the other CAS • Add OtherCas bean to login-webflow.xml and change flow logic to go to it

  10. There can be more than one • If you have more than one trustedOtherCas, each can have its own configured bean, but • Each needs its own /loginXXX URL and its own WebFlow because the ticket= doesn’t tell you which CAS it came from, so you have to know this based on the URL that CAS redirected back to

  11. Current CAS doesn’t do Access Control Service created by Humanities Professor CAS Q: Who is this guy? A: “Bin Laden” front end Bin Laden Should I let Bin Laden in? All the institutional data about people is over there somewhere, but ordinary users don’t have access to it.

  12. Allow access to licensed MP3 files to • Music department faculty • Music graduate students • Undergraduate Music majors • Students enrolled in “Music 202” Beyond the programming skills of a Music prof

  13. Access Control Problems • Don’t want to give out access to HR, student systems, and other institutional data to everyone who has a Web application • Access control is too complicated for non-programmers to get it right • XACML is irrational • Institutional logic: Just what is a …

  14. CASNG makes the decisions HR CAS studentsystem data getter data getter script FBI data getter Alumni data getter /cas/scriptedValidate,ticket=…, service=…,acscript={uri} CAS Client with script uri Dumb Service Bin Laden

  15. CAS 3 Ticket CRUDBusiness Logic Web (MVC) View (JSP or Redirect) handler Ticket Cache optional store handler Controller AuthMgr handler resolver Validate resolver resolver Login WebFlow scripts TrustedOtherCas

  16. Background: Spring MVC Servlet Side Spring Side CAS mod ofSpringServlet Bean /validate HTTP Bean MVCURLmappings Bean Login Web flow Bean Web.xmlservlet URL mappings /login Bean

  17. WEB-INF/web.xml URL mapping • <servlet><servlet-name>cas</servlet-name><servlet-class>org.jasig.cas.web.init.SafeDispatcherServlet • <servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/scriptedValidate</url-pattern></servlet-mapping>

  18. cas-servlet.xml then maps eachURL to a Spring Bean <bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"> <property name="mappings"> <props> <prop key="/serviceValidate“>serviceValidateController</prop> <prop key="/scriptedValidate“>scriptedValidateController</prop> <prop key="/validate“>legacyValidateController</prop> … <bean id="serviceValidateController" class="org.jasig.cas.web.ServiceValidateController" p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxying…" p:centralAuthenticationService-ref="centralAuthenticationService" p:proxyHandler-ref="proxy20Handler" p:argumentExtractor-ref="casArgumentExtractor" />

  19. Spring MVC request lifecycle JSP (or View Bean) ModelAndView EL ViewName Model varname value Propertiesfile varname value varname value Action Bean URL to bean map SpringServlet Request

  20. Plug it In JSP (or View Bean) ModelAndView EL ViewName Model varname value Propertiesfile varname value varname value ScriptedValidateController ServiceValidateController URL to bean map SpringServlet /scriptedValidate

  21. CAS Business Logic API Ticket CRUDBusiness Logic handler Ticket Cache optional store handler String createTicketGrantingTicket(Cred) String grantServiceTicket(st, Service) String grantServiceTicket(st, Service, Cred) Assertion validateServiceTicket(st, Service) void destroyTicketGrantingTicket(st) String delegateTicketGrantingTicket(st, Cred) AuthMgr handler resolver resolver resolver If this was a real J2EE application, this would be the EJB layer

  22. Credentials • Credentials is a marker interface (no methods) added to any class that may authenticate a user (X.509 Cert, Password, …) • A Handler validates the credentials (“The Cert was issued by a trusted CA”) • A Resolver maps the Credential to a netid (by extracting the Netid from, say, the first CN in the Cert DN)

  23. CAS API Ticket CRUDBusiness Logic handler handler Ticket Cache WebFlowAction Bean returns Credential handler“I do” Auth Mgr “who handles this type of Credential?” Principal resolver resolver resolver“I do”

  24. Spring WebFlow • URL mapped to WebFlow [new XML] • Set Initial state • ActionState runs a bean or makes a EL test. Success/Failure chooses new state • ViewStates display a Form, input goes to an Action Bean • An EndState releases Flow scoped objects • Use for a single page is unexpected

  25. Login Webflow Is a cookie/TGT provided /login No Yes Issue ST Gateway request No Yes Redirect back X.509 cert provided No Yes Create TGT Display the Form Submit Password Valid No Yes Create TGT

  26. Trusted Other Cas Is a cookie/TGT provided /login No Yes Issue ST Gateway request No Yes Redirect back X.509 cert provided No Yes Create TGT ticket= present (and validates to other CAS) No Yes Create TGT Redirect to Other CAS

  27. Add to WEB-INF/cas-servlet.xml <bean id="trustedOtherCas" class=“…trusted.web.flow.PrincipalFromOtherCasNonInteractiveCredentialsAction" p:centralAuthenticationService-ref="centralAuthenticationService" p:loginUrl = "" p:validateUrl = />

  28. WEB-INF/login-webflow.xml <action-state id="startAuthenticate"> <action bean="x509Check" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="tryOtherCas" /> </action-state> <action-state id="tryOtherCas"> <action bean="trustedOtherCas" /> <transition on="success" to="sendTicketGrantingTicket" /> <transition on="error" to="otherCasRedirect" /> </action-state> <view-state id="viewLoginForm" view="casLoginView"> … </view-state> <end-state id="otherCasRedirect“ view="bean:trustedOtherCas" /> Note: now you never get here

  29. CAS WebFlow Bean public final class PrincipalFromOtherCasNonInteractiveCredentialsAction extends AbstractNonInteractiveCredentialsAction implements ViewSelector { … protected Credentials constructCredentialsFromRequest( … return new PrincipalBearingCredentials( new SimplePrincipal(remoteUser));

  30. CAS internal API mapped to WebFlow concepts • Return null follows “failure” state change(View method redirects to other CAS) • Return Credentials follows “success” state change (to Create TGT) • deployerConfigContext.xml must have cas-server-support-trusted Handler and Resolver that process this type of Credentials

  31. There can be more than one • If you have more than one trustedOtherCas, each can have its own configured bean, but • Each needs its own /loginXXX URL and its own WebFlow because the ticket= doesn’t tell you which CAS it came from, so you have to know this based on the URL that CAS redirected back to

  32. WEB-INF/deployerConfigContext.xml <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <property name="credentialsToPrincipalResolvers"> <list> <bean class=“…principal.UsernamePasswordCredentialsToPrincipalResolver" /> <bean class=“…trusted...PrincipalBearingCredentialsToPrincipalResolver" /> <bean class=“…x509...X509CertificateCredentialsToIdentifierPrincipalResolver" p:identifier="$CN" /> <property name="authenticationHandlers"> <list> <bean class=“…trusted...PrincipalBearingCredentialsAuthenticationHandler" /> <bean class=“…x509…X509CredentialsAuthenticationHandler“ <bean class=“…JaasAuthenticationHandler" />

  33. cas-server-webapp/pom.xml <dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-support-trusted</artifactId> <version>${project.version}</version> </dependency> <dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-support-trusted-otherCAS</artifactId> <version>${project.version}</version> </dependency> <dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-scripting</artifactId> <version>${project.version}</version> </dependency>

  34. Browser Comes to CAS 3 Test Existing Cookie X509 Windows login Redirect to CAS 2

  35. Redirect to Other CAS (CAS 2) display Form Validate password Issue TGT cookie Issue ST for CAS3

  36. Redirect back to CAS 3 (as Other CAS Service) Validate ticket= in Validate CAS2 ST CAS2 Netid becomesCAS3 principal Issue CAS3 TGT cookie Issue CAS 3 ST cookie and ticket=back

  37. Validate ST (with scripting) TicketCache ServiceValidateController Is ST valid? ScriptedValidateController handleRequestInternal() Rhino JavaScript Engine Is access permitted? Script library

  38. Several ways to intercept the call to a single method • Subclassing [requires removing “final” from parent class] • Delegation: Create a separate ServiceValidateController bean instance • AOP: Intercept the handleRequestInternal call, add script “advice” to the return

  39. Success and Failure ViewNameproperties • Subclass: one object (inherit the field) • Delegate: ScriptedValidate is configured, then it sets the property value in the captive ServiceValidate object • AOP: ???

  40. cas-servlet.xml <prop key="/scriptedValidate“>scriptedValidateController</prop> <bean id="scriptedValidateController" class="org.jasig.cas.web.ScriptedValidateController“ [properties inherited from superclass ServiceValidateController] > <property name="builders"> … List of beans that add variables to the JS environment <property name="scripts"> .. . list of inline scripts keyed by URI <property name="scriptResources"> … resource url of script files (file:. classpath:, http:, …)

  41. There can be more than one • You can have multiple /scriptedValidate URLs, with more than one Bean, with more than one configuration • One for scripts with public data • One for more carefully controlled scripts with access to more sensitive data • …

  42. /scriptedValidate,acscript=“…uri…”,… • Service (through the configured Filter init-param) designates a script by URI • Spring XML configuration passes a Map to the bean. The keys are URIs. The values are • The inline text of the script • A file (local path, in WAR, http: URL) • A directory (if the URI key ends in “:*”)

  43. The Directory Rule • The CAS XML Map associates “cas:stuff:*” with /usr/local/casscripts/ • The Service sets acscript=cas:stuff:foo.js • CAS runs /usr/local/casscripts/foo.js

  44. Java 6 JS (Rhino) • Bindings contains a Map<String,Object> • Key becomes a JS variable name • Java object becomes a JS object (script can reference properties, call methods) • Rhino adds built in packages. and java. variables so script can use native Java objects, but we want to prevent access to local files and stuff.

  45. Built-In JS Variables • “java” and “packages” override • “netid” is Principal ID • “request” provided limited access to some HttpServletRequest info (parameters) • “log” is log4j as in

  46. ObjectBuilder public interface ObjectBuilder { public abstract Map<String, Object> buildObjects(String netid);

  47. LDAP Object Builder <!-- Apache LDAP Directory Server running on localhost --> <bean id="localLdapDao" class="" p:ldapUrl="ldap://localhost:10389/dc=example,dc=com" p:ldapPassword = "yalescout" p:ldapUserid = "uid=yalescout,ou=users,ou=system" p:testLookup = "ou=system" p:netidAttribute = "uid" /> <bean id="localLdap" class="" p:dao-ref="localLdapDao" p:variableName="mydir" />

  48. JDBC Object Builder <bean id="employeeTable" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName" value="org.apache.derby.jdbc.ClientDriver" /> <property name="url" value="jdbc:derby://localhost:1527/myeclipse" /> <property name="username" value="app" /> <property name="password" value="dummy" /> </bean> <bean id="jdbcUserBuilder" class="" p:datasource-ref="employeeTable" p:query="select * from app.employee where netid=?" p:variableName="dbuser" />

  49. ScriptedValidateController property <property name="builders"> <list> <ref bean="localLdap" /> <ref bean="jdbcUserBuilder" /> </list> </property>

  50. ScriptedValidateController[run the script] Object info = null; try { info = engine.eval(scriptReader, bindings); } catch (Exception e) { log.error("Error in the access control script: " + e); failClient("ScriptError","The access control script ended in error.", result); return result; } if (info instanceof String) {