What’s new in CAS 4.2

1. What’s new in CAS 4.2?
Jérôme Leleu, leleuj@gmail.com, @leleuj
Misagh Moayyed, mmoayyed@unicon.net, @misagh84
ESUP-Days #21 / Apereo Europe 2016

2. General
● 1100+ stargazers @ Github
● A new chairman, 2 new committers, many contributions
  ○ 1 PR a day
Dmitriy Kopylenko, Daniel Frett

3. CAS 4.2 Main Objectives
● Easy to use (Plug-N-Play)
  ○ You want SAML/OAuth/OpenID? Drop the module dependency into your overlay…
  ○ ...and done!
● Reduce configuration noise
  ○ Say NO to XML (well, almost!)
● Universal support (protocols, backends)

4. Auto-configuration
To customize your CAS server (Maven overlay), you needed to (add dependencies and) override XML files: web.xml, login-webflow.xml, ticketGrantingTicketCookieGenerator.xml, ticketRegistry.xml…
Now:
● Express feature intent (add the dependency, if needed)
● Add settings (change cas.properties)
5. Auto-configuration: CASTGC cookie
v4.1: src/main/webapp/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml:

```xml
<bean id="ticketGrantingTicketCookieGenerator"
      class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
      c:casCookieValueManager-ref="cookieValueManager"
      p:cookieSecure="true"
      p:cookieMaxAge="-1"
      p:cookieName="TGC"
      p:cookiePath="/cas"/>
```

v4.2 (ticketGrantingTicketCookieGenerator.xml is no longer overridden; the generator is an annotated component whose values come from cas.properties):

```java
@Component("ticketGrantingTicketCookieGenerator")
public class TGCCookieRetrievingCookieGenerator extends CookieRetrievingCookieGenerator {

    // The cookie name is injected from cas.properties, defaulting to "TGC"
    @Override
    @Autowired
    public void setCookieName(@Value("${tgc.name:TGC}") final String cookieName) {
        super.setCookieName(cookieName);
    }
}
```

cas.properties:

```properties
# Decides whether SSO cookie should be created only under secure connections.
# tgc.secure=true
# The name of the SSO cookie
# tgc.name=TGC
# The path to which the SSO cookie will be scoped
# tgc.path=/cas
```
6. Auto-configuration: OAuth server support
v4.1: cas-server-support-oauth module + servlet mapping on /oauth2.0/* + oauth20WrapperController in cas-servlet.xml + OAuthCallbackAuthorizeService + OAuthRegisteredService
v4.2: add the dependency + OAuthRegisteredService; the module registers its own endpoint mapping:

```java
@WebListener
@Component
public class OAuthServletContextListener extends AbstractServletContextInitializer {
    …
    // Maps /oauth2.0/* onto the CAS servlet when it initializes, so no web.xml edit is needed
    @Override
    protected void initializeServletContext(final ServletContextEvent event) {
        if (WebUtils.isCasServletInitializing(event)) {
            addEndpointMappingToCasServlet(event, "/oauth2.0/*");
        }
    }
}
```
7. pac4j contributions
pac4j is a Java security engine which supports most authentication mechanisms (like CAS, OAuth, SAML) and is available for most frameworks: J2E, Spring MVC, Play, Vertx, Ratpack…

8. pac4j contributions: CASify any webapp
Using any pac4j library (j2e-pac4j, spring-webmvc-pac4j, play-pac4j, vertx-pac4j, spring-security-pac4j, buji-pac4j, etc.), you can CASify any J2E, Spring MVC, Play, Vertx, Spring Security, Shiro… webapp:

```java
@Configuration
public class Pac4jConfig {

    @Bean
    public Config config() {
        final CasClient casClient = new CasClient("https://casserverpac4j.herokuapp.com/login");
        return new Config("http://localhost:8080/callback", casClient);
    }
}

@Configuration
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class SecurityConfig extends WebMvcConfigurerAdapter {

    @Autowired
    private Config config;

    // Every URL under /cas/ requires a CAS-authenticated user
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new RequiresAuthenticationInterceptor(config, "CasClient"))
                .addPathPatterns("/cas/*");
    }
}
```
9. pac4j contributions: pac4j replaced Spring Security in CAS
The security of the CAS server and CAS management web applications is now ensured by pac4j:

```xml
<context:component-scan base-package="org.pac4j.springframework.web" />

<bean id="config" class="org.pac4j.core.config.Config"
      c:callbackUrl="${cas-management.securityContext.serviceProperties.service}"
      c:client-ref="casClient"
      p:authorizer-ref="requireAdminRoleAuthorizer" />

<bean id="casClient" class="org.pac4j.cas.client.CasClient"
      p:casLoginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
      p:authorizationGenerator-ref="authorizationGenerator" />

<bean id="requireAdminRoleAuthorizer" class="org.pac4j.core.authorization.RequireAnyRoleAuthorizer"
      c:roles="${cas-management.securityContext.serviceProperties.adminRoles}" />

<mvc:interceptors>
  <mvc:interceptor>
    <mvc:mapping path="/**" />
    <mvc:exclude-mapping path="/callback*" />
    <mvc:exclude-mapping path="/logout*" />
    <mvc:exclude-mapping path="/authorizationFailure.html" />
    <bean class="org.pac4j.springframework.web.RequiresAuthenticationInterceptor"
          c:config-ref="config"
          c:clientName="CasClient"
          c:authorizerName="securityHeaders,csrfToken,RequireAnyRoleAuthorizer" />
  </mvc:interceptor>
</mvc:interceptors>
```
10. pac4j contributions: delegate authentication
The cas-server-support-pac4j module handles the authentication delegation:

```properties
##
# Authentication delegation using pac4j
#
# cas.pac4j.client.authn.typedidused=true
# cas.pac4j.facebook.id=
# cas.pac4j.facebook.secret=
# cas.pac4j.facebook.scope=
# cas.pac4j.facebook.fields=
# cas.pac4j.twitter.id=
# cas.pac4j.twitter.secret=
# cas.pac4j.saml.keystorePassword=
# cas.pac4j.saml.privateKeyPassword=
# cas.pac4j.saml.keystorePath=
# cas.pac4j.saml.identityProviderMetadataPath=
# cas.pac4j.saml.maximumAuthenticationLifetime=
# cas.pac4j.saml.serviceProviderEntityId=
# cas.pac4j.saml.serviceProviderMetadataPath=
# cas.pac4j.cas.loginUrl=
# cas.pac4j.cas.protocol=
# cas.pac4j.oidc.id=
# cas.pac4j.oidc.secret=
# cas.pac4j.oidc.discoveryUri=
# cas.pac4j.oidc.useNonce=
```

Additional clients can still be declared as beans:

```xml
<bean id="caswrapper1" class="org.pac4j.oauth.client.CasOAuthWrapperClient">
  <property name="key" value="this_is_the_key" />
  <property name="secret" value="this_is_the_secret" />
  <property name="casOAuthUrl" value="http://localhost:8080/cas2/oauth2.0" />
</bean>

<bean id="cas1" class="org.pac4j.cas.client.CasClient">
  <property name="casLoginUrl" value="http://localhost:8080/cas2/login" />
</bean>
```
11. pac4j contributions: use pac4j authenticators
The cas-server-integration-pac4j module wraps the pac4j authenticators as CAS authentication handlers:
1. MongoAuthenticationHandler (cas-server-support-mongo)
2. StormpathAuthenticationHandler (cas-server-support-stormpath)
3. TokenAuthenticationHandler (cas-server-support-token)

12. Build/Packaging: Gradle
● CAS 4.2 uses Gradle as its internal build mechanism
  ○ Codebase broken down into 86 modules
  ○ You still use Maven for your CAS overlays.
● Patch releases every month
● Minor releases every 3 months
● SNAPSHOT releases on every change

13. Build/Packaging: Docker
● CAS Docker images: https://hub.docker.com/r/apereo/cas/
● Images work with a Maven overlay from a git repo
  ○ Jetty 9.3.x bundled
  ○ Java 8 bundled

14. Authentication
● Delegate AuthN to ADFS/WS-Fed
● Support for
  ○ Basic AuthN
  ○ JWT AuthN
  ○ MongoDb
  ○ Stormpath
  ○ Apache Shiro
● JSON as the validation response type
● YubiKey/DuoSecurity (MFA WIP)

15. Ticket Registry
● Apache Ignite
● Couchbase
● Infinispan Cache
  ○ Redis
  ○ Cassandra
  ○ MongoDb
  ○ Amazon S3
  ○ Rackspace
  ○ LevelDB

16. Service Registry
● Couchbase
● MongoDB
● JSON
Many core enhancements to the CAS service model, such as authorizations, custom properties, etc.
17. Services Management Web Application (screenshot)

18. Services Management Web Application (screenshot)

19. Authorizations: ABAC
● Support for service-based authorizations based on:
  ○ User attributes: “only users with attribute X can access application”
  ○ Date/Time: “application is only accessible on Fridays between 8-10am”
  ○ Internet2 Grouper: “only members of this Grouper group are allowed”

20. Statistics/Reports (screenshot)

21. Statistics/Reports (screenshot)
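As an added example that is not part of the slides, here is a JSON service definition that ties the JSON service registry of slide 16 to the attribute-based authorization of slide 19: the service is enabled for SSO, but only principals whose resolved attributes carry all of the listed values may access it. Assumptions: the CAS 4.2 JSON registry conventions (one file per service named name-id.json, access-strategy classes from org.jasig.cas.services); the service URL, id and attribute values are constructed.

```json
{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^https://hr\\.example\\.org/.*",
  "name" : "HRApplication",
  "id" : 1001,
  "description" : "Constructed example: only HR staff may use this service",
  "evaluationOrder" : 10,
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requireAllAttributes" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "hr-staff" ] ],
      "eduPersonAffiliation" : [ "java.util.HashSet", [ "staff", "faculty" ] ]
    }
  }
}
```

With requireAllAttributes set to true a user must match every listed attribute (any one listed value per attribute suffices); set it to false to grant access when any single attribute matches. Attribute values are compared against what the attribute repository releases for the principal, so a misconfigured repository that releases nothing silently denies access rather than granting it.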
22. Roadmap: CAS 4.3 @ Open Apereo 2016
● Java 8
● MFA support
  ○ Based on DuoSecurity, YubiKey, RSA/Radius
  ○ Include authN risk-assessment engine
● Better OAuth/OpenID Connect support
● SAML2 Web SSO support
● Groovy management console
● Cloud-friendly/better administrative UIs

23. Questions/Comments?
Jérôme Leleu, leleuj@gmail.com, @leleuj
Misagh Moayyed, mmoayyed@unicon.net, @misagh84
Docs: https://jasig.github.io/cas
