What’s new in cas 4.2

What’s new in CAS 4.2?
Jérôme Leleu
leleuj@gmail.com
@leleuj
Misagh Moayyed
mmoayyed@unicon.net
@misagh84
ESUP-Days #21/ Apereo Europe 2016

General
● 1100+ stargazers @ Github
● A new chairman, 2 new committers, many contributions
○ 1 PR a day
Dmitriy Kopylenko Daniel Frett

CAS 4.2 Main Objectives
● Easy to use (Plug-N-Play)
○ You want SAML/OAuth/OpenID? Drop the module dependency into your overlay…
○ ...and done!
● Reduce configuration noise
○ Say NO to XML (well, almost!)
● Universal support (protocols, backends)

Auto-configuration
To customize your CAS server (Maven overlay), you needed to (add
dependencies and) override XML files: web.xml, login-webflow.xml,
ticketGrantingTicketCookieGenerator.xml, ticketRegistry.xml…
Now:
● Express Feature Intent (Add dependency, if needed)
● Add Settings (Change cas.properties)

Auto-configuration: CASTGC cookie
v4.1: src/main/webapp/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
c:casCookieValueManager-ref="cookieValueManager"
p:cookieSecure="true"
p:cookieMaxAge="-1"
p:cookieName="TGC"
p:cookiePath="/cas"/>
v4.2: ticketGrantingTicketCookieGenerator.xml
@Component("ticketGrantingTicketCookieGenerator")
public class TGCCookieRetrievingCookieGenerator extends CookieRetrievingCookieGenerator {
@Override
@Autowired
public void setCookieName(@Value("${tgc.name:TGC}") final String cookieName) {
super.setCookieName(cookieName);
}
cas.properties:
# Decides whether SSO cookie should be created only
under secure connections.
# tgc.secure=true
# The name of the SSO cookie
# tgc.name=TGC
# The path to which the SSO cookie will be scoped
# tgc.path=/cas

Auto-configuration: OAuth server support
v4.1: cas-server-support-oauth module + servlet mapping on /oauth2.0/* +
oauth20WrapperController in cas-servlet.xml + OAuthCallbackAuthorizeService +
OAuthRegisteredService
v4.2: add the dependency + OAuthRegisteredService
@WebListener
@Component
public class OAuthServletContextListener extends AbstractServletContextInitializer {
…
@Override
protected void initializeServletContext(final ServletContextEvent event) {
if (WebUtils.isCasServletInitializing(event)) {
addEndpointMappingToCasServlet(event, “/oauth2.0/*”);
}
}
}

pac4j contributions
pac4j is a Java security engine which supports
most authentication mechanisms (like CAS,
OAuth, SAML) and is available for most
frameworks: J2E, Spring MVC, Play, Vertx,
Ratpack…

pac4j contributions: CASify any webapp
Using any pac4j library: j2e-pac4j, spring-webmvc-pac4j, play-pac4j, vertx-pac4j,
spring-security-pac4j, buji-pac4j, etc., you can CASsify any J2E, Spring MVC,
Play, Vertx, Spring Security, Shiro… webapp
@Configuration
public class Pac4jConfig {
@Bean
public Config config() {
final CasClient casClient = new CasClient("https://casserverpac4j.herokuapp.com/login");
return new Config("http://localhost:8080/callback", casClient);
}
}
@Configuration
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class SecurityConfig extends WebMvcConfigurerAdapter {
@Autowired
private Config config;
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new RequiresAuthenticationInterceptor(config, "CasClient")).addPathPatterns("/cas/*");
}
}

pac4j contributions: pac4j replaced Spring Security in CAS
The security of the CAS server and CAS management web applications is now
ensured by pac4j
<context:component-scan base-package="org.pac4j.springframework.web" />
<bean id="config" class="org.pac4j.core.config.Config" c:callbackUrl="${cas-management.securityContext.serviceProperties.service}"
c:client-ref="casClient" p:authorizer-ref="requireAdminRoleAuthorizer" />
<bean id="casClient" class="org.pac4j.cas.client.CasClient" p:casLoginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
p:authorizationGenerator-ref="authorizationGenerator" />
<bean id="requireAdminRoleAuthorizer" class="org.pac4j.core.authorization.RequireAnyRoleAuthorizer"
c:roles="${cas-management.securityContext.serviceProperties.adminRoles}" />
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/callback*" />
<mvc:exclude-mapping path="/logout*" />
<mvc:exclude-mapping path="/authorizationFailure.html" />
<bean class="org.pac4j.springframework.web.RequiresAuthenticationInterceptor" c:config-ref="config" c:clientName="CasClient"
c:authorizerName="securityHeaders,csrfToken,RequireAnyRoleAuthorizer" />
</mvc:interceptor>
</mvc:interceptors>

pac4j contributions: delegate authentication
The cas-server-support-pac4j module handles the authentication delegation
##
# Authentication delegation using pac4j
#
# cas.pac4j.client.authn.typedidused=true
# cas.pac4j.facebook.id=
# cas.pac4j.facebook.secret=
# cas.pac4j.facebook.scope=
# cas.pac4j.facebook.fields=
# cas.pac4j.twitter.id=
# cas.pac4j.twitter.secret=
# cas.pac4j.saml.keystorePassword=
# cas.pac4j.saml.privateKeyPassword=
# cas.pac4j.saml.keystorePath=
# cas.pac4j.saml.identityProviderMetadataPath=
# cas.pac4j.saml.maximumAuthenticationLifetime=
# cas.pac4j.saml.serviceProviderEntityId=
# cas.pac4j.saml.serviceProviderMetadataPath=
# cas.pac4j.cas.loginUrl=
# cas.pac4j.cas.protocol=
# cas.pac4j.oidc.id=
# cas.pac4j.oidc.secret=
# cas.pac4j.oidc.discoveryUri=
# cas.pac4j.oidc.useNonce=
<bean id="caswrapper1" class="org.pac4j.oauth.client.CasOAuthWrapperClient">
<property name="key" value="this_is_the_key" />
<property name="secret" value="this_is_the_secret" />
<property name="casOAuthUrl" value="http://localhost:8080/cas2/oauth2.0" />
</bean>
<bean id="cas1" class="org.pac4j.cas.client.CasClient">
<property name="casLoginUrl" value="http://localhost:8080/cas2/login" />
</bean>

pac4j contributions: use pac4j authenticators
The cas-server-integration-pac4j module wraps the pac4j authenticators as
CAS authentication handlers:
1. MongoAuthenticationHandler (cas-server-support-mongo)
2. StormpathAuthenticationHandler (cas-server-support-stormpath)
3. TokenAuthenticationHandler (cas-server-support-token)

Build/Packaging: Gradle
● CAS 4.2 uses Gradle as its internal build mechanism
○ Codebase broken down to 86 modules
○ You still use Maven for your CAS overlays.
● Patch releases every month
● Minor releases every 3 months
● SNAPSHOT releases on every change

Build/Packaging: Docker
● CAS Docker images:
https://hub.docker.com/r/apereo/cas/
● Images work with a Maven overlay from a git repo
○ Jetty 9.3.x bundled
○ Java 8 bundled

Authentication
● Delegate AuthN to ADFS/WS-Fed
● Support for
○ Basic AuthN
○ JWT AuthN
○ MongoDb
○ Stormpath
○ Apache Shiro
● JSON as the validation response type
● YubiKey/DuoSecurity (MFA WIP)

Ticket Registry
● Apache Ignite
● Couchbase
● Infinispan Cache
○ Redis
○ Cassandra
○ MongoDb
○ Amazon S3
○ Rackspace
○ LevelDB

Service Registry
● Couchbase
● MongoDB
● JSON
Many core enhancements to the CAS service model, such as authorizations,
custom properties, etc.

Services Management Web Application

Authorizations: ABAC
● Support for service-based authorizations based on:
○ User Attributes: “only users with attribute X can access application”
○ Date/Time: “application is only accessible on Fridays between 8-10am”
○ Internet2 Grouper: “only members of this Grouper group are allowed”

Roadmap: CAS 4.3 @ Open Apereo 2016
● Java 8
● MFA support
○ Based on DuoSecurity, YubiKey, RSA/Radius
○ Include authN risk-assessment engine
● Better OAuth/OpenID Connect Support
● SAML2 Web.SSO support
● Groovy Management Console
● Cloudy-friendly/Better administrative UIs

Questions/Comments?
Jérôme Leleu
leleuj@gmail.com
@leleuj
Misagh Moayyed
mmoayyed@unicon.net
@misagh84
Docs: https://jasig.github.io/cas

What’s new in cas 4.2

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to What’s new in cas 4.2

Similar to What’s new in cas 4.2 (20)

More from Misagh Moayyed

More from Misagh Moayyed (16)

Recently uploaded

Recently uploaded (20)

What’s new in cas 4.2