Yale CAS Under the simplest installation, the user and password are only authenticated to the user and password. Of course, in the CAS Server source code, the developer can use other authentication methods by implementing the PasswordHandler interface. For the username and password matching authentication, digital signature verification, operating system user authentication, and LDAP user authentication. The following article describes a simple instance of user information using user information in Windows Active Directory.
Active Directory Server Authentication
In my educational portal project, the applications can be easily modified because the source code is available. I have used the servlet filter for each of these applications. In this case, CAS will perform the authentication when the user first visits the portal and requests a restricted application or data source. Once authentication is successful, the CAS servlet filter can validate the ticket and pass the username as a parameter to the requested application. I have modified the existing application login screens to accept the username parameter from CAS after a successful authentication .............................. ...CRIPLILE, TECHNOLOGY.
Unfortunately, CAS does not come with any truly useful authenticators. The default authenticator simply verifies that the username and password are identical. In the educational portal project I use Microsoft's Active Directory Server to store the user profiles. So I needed to extend the CAS server To Authenticate The UserName and Password Against The Active Directory Server.
The creators of CAS at Yale University have developed a pluggable authenticator architecture. By extending the PasswordHandler interface, a developer can create a class to implement the password-checking logic.
Listing 2. Cas's Pluggable Authenticator Architecture
/ ** Interface for password-based authentication handlers. * / Public interface PasswordHandler extends AuthHandler {/ ** * Authenticates the given username / password pair, returning true * on success and false on failure. * / Boolean authenticate (javax.servlet. ServletRequest request, String username, String password);} All I had to do was find out how to check the username and password using Active Directory Server, create a class to extend this interface, and add the code to perform the authentication.
ADS is an LDAP3-compliant directory server It supports a number of different authentication methods, the principal ones being anonymous, simple, and SASL (Simple Authentication and Security Layer) Anonymous authentication is of no use in this instance;.. Simple authentication sends the Password As Cleartext, Again Not Suitable for There Needs. so Sasl is The Option I will.
. SASL supports pluggable authentication This means that you can configure the LDAP client and server to negotiate and use any of a range of mechanisms The following are some of the currently defined SASL mechanisms.:
Anonymous CRAM-MD5 Digest-MD5 External Kerberos V4 Kerberos V5 Securid Secure Remote Password S / KEY X.509
Of these Mechanisms, Popular LDAP Servers (Such AS Those from Sun, OpenLDAP, AND Microsoft) Support External, Digest-MD5, And Kerberos V5.
CAS itself is Kerberos-like, sharing many of the same concepts such as tickets, ticket-granting tickets (actually called ticket-granting cookies in CAS), and a similar protocol. So choosing this mechanism felt like a natural fit. Also adding support for Kerberos authentication will enable CAS, in a future development, to act as a Web-based Kerberos agent on behalf of the user, allowing CAS to manage all aspects of Kerberos tickets for its users. This would mean that the same Kerberos authentication mechanisms used to access local and network resources could also be used by remote users.The Kerberos protocol is already built into ADS and Windows 2000 / XP. The Java Authentication and Authorization Service (JAAS) provides an implementation of a Kerberos Login Module (see Resources for the Tutorial That Provides Detail on How To Get A Sample Application Running). To Be Precise, IT IS GSS-API SASL Mechanism That You Will Use, But this Only Supports Kerberos V5 Authentication To LDAP3 Servers .
Kerberos Authentication IS A StraightForward Process (Assuming You Follow The Instructions Carefully):
1. Configure the login module for your application class in your jaaas configuration file.
Edu.yale.its.tp.cas.Auth.Provider.kerberosauthhandler {com.sun.security.auth.module.krb5loginmodule required client = true;
2. Create a logincontext, passing the name of the class doing the authentication, and a callbackhandler object.
LoginContext lc = new logincontext (casp.class.getname (), new cascallbackhandler ());
3. Call the login () method to perform the authentication. If this executes without exceptions, then authentication is successful. If an exception is thrown, then the exception indicates the cause of the failure.For a more in-depth look at Kerberos authentication I suggest you use the resources at the end of the article. (I've also provided a downloadfiguration files, kerberosauthhandler and cascallbackhandler.)
You NEED TO CREATE A New PasswordHandler Implementation, The Kerberosauthhandler, Which Uses The Above Methods to Authenticate Against The Active Directory Server Using Kerberos V5.
Listing 3. Creating The New PasswordHandler Implementation
public class KerberosAuthHandler implements PasswordHandler {public boolean authenticate (javax.servlet.ServletRequest request, String username, String password) {LoginContext lc = null; try {/ * Set up the Callback handler, and initialise * / / * the userid and password fields * / CASCallbackHandler ch = new CASCallbackHandler (); ch.setUserId (username); ch.setPassword (password); / * Initialise the login context - LoginModule configured * / / * in cas_jaas.conf and * / / * set to use Krb5LoginModule . * / lc = new LoginContext (KerberosAuthHandler.class.getName (), ch); / * Perform the authentication * / lc.login ();} catch (LoginException le) {System.err.println ( "authentication attempt failed" le); Return False;}}}}}
When the LoginContext is created, I pass the classname and the CASCallbackHandler object. The JAAS configuration file specifies the login module to use for this class.When the login () method is called, the login module knows what information it needs from the user / application in order to authenticate them. in the case of Kerberos, it needs a username and password, so it constructs an array of two callback objects (NameCallback and PasswordCallback) and then calls the CallbackHandler object, which decides how it should perform these callbacks and Retrieve the username and password.
I have taken the simplest and most expedient route and explicitly set the user ID and password using setter methods on the CallbackHandler. Then the CallbackHandler simply passes these on to the NameCallback and PasswordCallback objects.
Listing 4. Setting ID and password with setname (casparsword) and setpassword (caspassword)
public class CASCallbackHandler implements CallbackHandler {private String CASUserId; private char [] CASPassword; public void handle (Callback [] callbacks) throws java.io.IOException, UnsupportedCallbackException {for (int i = 0; i Listing 5. Telling Cas To Use the New Authentication Handler An Example Web.xml Is Included in The Zip File (Kerberosauthsrc.zip in Resources). You'll have to restart Tomcat, but this time you'll also need to set some Java runtime properties. Expand the ZIP file (KerberosAuthSrc.zip) and copy the files cas_jaas.conf, krb5.conf, and setkerberosjvmoptions.bat to the TOMCAT_HOME directory. Run the setkerberosjvmoptions.bat and then start Tomcat.Now you are ready to repeat the HelloWorld experiment. This time you can use a valid Kerberos username and password pair as defined in your Active Directory Server. SINGLE SIGN-OFF Without a unified strategy, developers re-implement custom security for each network application. This can result in a variety of scalability and maintenance problems. Single sign-on solutions can be that unified framework for security and authentication, alleviating much of the burden on users , Administrators, And Developers. The concept of single sign-on, the technologies, and the implications for users and administrators are complex, so I have only scratched the surface in this article. But I have provided you with some practical ways to implement a single sign-on scheme using the proven CAS application from Yale University, and have also detailed a method to extend this technology so you can use it to authenticate users to a LDAP server (specifically, to an Active Directory Server using the Kerberos protocol).
