
"Esup CAS Packaging" : Deploy and customize easily a CAS4 server

Github repository: https://github.com/EsupPortail/cas-toolbox-new

Since 2003, the Esup-Portail consortium has developed and provided tools that make it easier to deploy a CAS server at French universities and institutions.

This presentation will focus on the newest Esup CAS-toolbox v4 based on the Apereo CAS4 server distribution.
CAS-toolbox is a tool for
- Deploying a CAS server into an existing Tomcat installation,
- Simplifying and centralizing CAS configuration,
- Customizing the CAS server.

The "new Esup cas-toolbox" is designed to handle different configuration and/or customization levels with Maven WAR overlays:
- the 'cas-toolbox-core' folder contains the first level of Esup add-ons and preconfigurations applied to the original Apereo CAS server distribution,
- the 'cas-toolbox-custom' folder contains only the institution's own configuration and customization files,
- the 'config.properties' file centralizes all properties in one place.


  1. Open Apereo 2015: Higher Education ... Open Source in a New Age
     "Esup CAS Packaging": Deploy and customize easily a CAS4 server
     Ludovic Auxepaules, UPMC, Paris, France
     https://github.com/EsupPortail/cas-toolbox-new
  2. Few words about UPMC (Pierre et Marie Curie University)
     • UPMC facts and figures
       – French excellence in Medicine and Science
       – 18 sites across 4 regions in France
         • 15 in the Paris region
         • 3 stations (Banyuls, Roscoff, Villefranche)
       – 34 000 students, of whom
         • 20% foreign students
         • 3300 doctoral candidates
       – 10 500 staff, of whom
         • 8200 in research units (120 research laboratories)
     • Ludovic Auxepaules
       – At the IT Department of UPMC since 2011
       – Integration / Software Engineer
       – "Portal, Authentication and Authorizations" projects
       – Github: https://github.com/auxepaul
       – Member of the Esup-Portail Consortium
  3. The Esup-Portail Consortium: overview
     • Objectives
       – Facilitate learning and campus life for students... but also the daily work of staff members
       – Pool the development of digital services to divide costs between French universities
       – Share technological developments and new services
       – Conceive and plan the evolution of portals, collaborative tools and mobile services
     • Nine knowledge areas (with "working groups")
       – Portal solution (National "Digital Work Space", "Espace Numérique de Travail", ENT)
       – Mobile
       – Mail / Calendar solutions
       – Groups
       – OAE (Open Academic Environment)
       – Authentication
       – Document Management (DMS)
       – Analytics
       – Programming / Development
     • Collaborations with the Apereo Foundation
  4. The Esup-Portail Consortium: in practice
     • 70 member institutions
     • Contributions from French universities and engineering schools
     • Esup-Days: 2 conferences a year in Paris
       – Esup-Days 19 & Apereo Europe in February 2015
     • Website & Wiki: https://www.esup-portail.org/
     • Github: https://github.com/EsupPortail
     • For more information
       – ESUP-Portail & OAE: Keys to success, tomorrow from 2:30pm to 3:15pm
         • http://lanyrd.com/2015/apereo/sdmmpt/
       – Apereo & ESUP-Portail: Brothers in Arms (Open Apereo 2014)
         • http://lanyrd.com/2014/apereo/sdbbgk/
       – Alain Mayeur / Mathilde Guerin
  5. Plan of the presentation
     • Some information about CAS
     • Esup-Portail works and toolbox related to CAS (2003-2011)
     • New Esup CAS Toolbox v3 and v4 (2011-...)
  6. What is CAS?
     • Central Authentication Service → SSO: a Single Sign-On / Single Sign-Off for the web
     • A secure way for users to access multiple services/applications
       – Passwords are encrypted in transit and exchanged only between the browser and the CAS server
       – Opaque tickets, carrying no personal information
     • An open-source project
       – Created by Yale University in 2001
       – Hosted by Jasig (now the Apereo Foundation) since December 2004
     • Wide adoption within higher education institutions and corporations around the world
  7. What is CAS?
     • Public protocol specifications: CAS 1.0, 2.0 and 3.0
     • One CAS server (written in Java)
       – Authenticates users and grants access to applications
     • N CAS clients embedded in "cassified" applications
       – Protect the application and retrieve from the server the identity of the user who was granted access
     • Key concepts
       – The TGT (Ticket Granting Ticket), stored in the CASTGC cookie, represents an SSO session
       – The ST (Service Ticket), transmitted as a GET parameter in URLs, stands for the access granted by the CAS server to the cassified application for a specific user
  8. A "recipe" to adopt CAS (Open Apereo 2014, M. Moayyed)
     • Use the latest stable version of the CAS server
     • Add the "skin" of your institution
     • Add the configuration of your institution
       – How do users authenticate?
       – Where do user attributes come from?
       – Which applications are allowed to use CAS?
     • Build, test and deploy
     • Update and secure cassified applications with CAS clients
  9. Requirements to deploy a server
     • Java Development Kit 6 → 7 (8?)
     • A Servlet container (Apache Tomcat 6 → 7)
     • Apache Maven >= 3 (3.0.x)
     • Apache HTTP Server 2.x with mod_proxy_ajp (optional)
     • SSL certificates (CAS must use HTTPS in production)
     • "Basic knowledge" of the Spring Framework
     CAS installation is a fundamentally source-oriented process
  10. Jasig / Apereo CAS Server distributions since 2010
     • CAS Server 4.0.1, January 2015: recommended in June 2015?
     • CAS Server 4.0, May 2014: recommended in June 2014
     • Security patches for SAML2 (e.g. Google Apps), HTTP attacks, ...
       – CAS Server 3.5.3, January 2015
       – cas-server-security-filter 1.0, August 2014; 2.0.x, May 2015
       – CAS Server 3.5.2.1, April 2014
       – CAS Server 3.4.12.1, April 2014
     • CAS Server 3.5.2, February 2013: recommended in June 2013
     • ...
     • CAS Server 3.5.0, July 2012
     • CAS Server 3.4.12, May 2012: recommended in June 2012
     • ...
     • CAS Server 3.4.7, March 2011
     • ...
     • CAS Server 3.4.0, May 2010
     https://www.apereo.org/tags/cas-product-release
     https://github.com/Jasig/cas/releases/
  11. How to install / deploy a CAS server?
     • Install a quickstart produced by Apereo/Jasig or Esup-Portail
       – Discover CAS functionalities quickly, run trainings, demos...
     • Make direct modifications in the source of a CAS stable version?
     • Deploy a WAR and make changes in the Tomcat webapps directory
       – Makes the CAS server more difficult to update
     • Maven WAR overlays
       – The method recommended by Apereo to deploy a CAS server
       – Beware of files and directories that move between version upgrades
     • Esup CAS-toolbox or Esup CAS-toolbox-new
       – Facilitate deployment by centralizing configuration items and by presetting some CAS modules
  12. History of Esup works / toolbox and CAS server
     • 2003-2007: Esup CAS Generic Handler (Yale/Jasig CAS 2.x)
     • 2008-2011: Esup CAS-toolbox (Jasig CAS 3.x)
     • 2011-2014: Esup CAS-toolbox-new v3 (Jasig CAS 3.4.1x)
     • 2014-...: Esup CAS-toolbox-new v4 (Apereo CAS 4.x)
  13. 2003-2007: Esup cas-generic, Ant-based project and Yale/Jasig CAS v2 server
     • Esup-Portail Generic Handler
       – A plugin giving CAS the ability to authenticate users with different methods
     • 3 packages
       – esup-casgeneric
         • The CAS Generic Handler, to be deployed into the cas-server source hierarchy
       – esup-cas-server
         • The CAS Generic Handler, already shipped with the CAS server
       – esup-cas-quick-start
         • An Apache Jakarta Tomcat-based package for the CAS server, shipped with the Handler
     • Latest release on SourceForge
       – http://sourceforge.net/projects/esup-casgeneric/files/
     • Documentation
       – http://www.esup-portail.org/consortium/espace/SSO_1B/tech/cas/cas_install.html
  14. 2003-2007: Esup cas-generic, user interface at UPMC with esup-cas-server
  15. 2008-2011: Esup cas-toolbox, Ant-based project and Jasig CAS v3 server
     • Overview
       – Deploying a CAS server into an existing Tomcat installation
       – Simplifying CAS configuration
       – Customizing the CAS server
       – Building quickstart distributions
     • Handles different configuration and customization levels
       – An 'update' folder: add-ons to the original CAS server
       – A 'custom' folder: every customized aspect (skin, Java sources, configurations)
       – A 'config.properties' file: properties used by the Spring configuration files
     • Latest release on SourceSup, based on CAS v3.4.7
       – https://sourcesup.renater.fr/frs/?group_id=401&release_id=1461
     • Documentation
       – https://wiki.jasig.org/display/CAS/CAS-toolbox
       – https://subversion.renater.fr/cas-toolbox/tags/3.4.7-1/README
  16. 2008-2011: Esup cas-toolbox deployment example
     • Download cas-toolbox.X-Y.tar.gz from https://sourcesup.renater.fr/projects/cas-toolbox/ and expand it
     • Rename build.sample.properties to build.properties
     • Set the deploy.path property in build.properties
     • Rename config.sample.properties to config.properties
     • Configure config.properties (and set customizations in the custom directory)
     • Initialize by running ant init
     • Deploy into an existing Tomcat by running ant deploy
     • Start Tomcat and browse http://localhost:8080/cas
  17. 2008-2011: Esup cas-toolbox v3 UI with the Esup-Portail theme (v3.4.7)
  18. New Esup CAS toolbox v3 and v4
     • 2011-2014: Esup CAS-toolbox-new v3 (CAS server 3.4.1x)
     • 2014-...: Esup CAS-toolbox-new v4 (CAS server 4.0.x)
  19. Maven WAR overlay: general principles
     • Local source control (with Git) that contains only the institution's specific dependencies, configurations and customizations
       – The pom.xml (Project Object Model) file describes the project, its dependencies and automated tasks...
       – Added or modified files or directories: .java, .properties, .xml, ...
     • Rebuilding of the Web application ARchive (the WAR to deploy within Tomcat)
       – From the original release version of the CAS server defined in the pom.xml file
       – With all configurations and customizations superimposed
         • Replacement of original files
     • Documentation
       – https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method
       – http://jasig.github.io/cas/current/installation/Maven-Overlay-Installation.html
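As an added illustration of the overlay principle described above (this pom.xml is not taken from the cas-toolbox project; the institution coordinates, the plugin version and the 4.0.1 release pin are assumptions), a minimal overlay project pulls the original Apereo CAS web application in as a WAR-type dependency and lets files placed under src/main/webapp replace the files of the same path in the rebuilt archive:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- assumed institution coordinates; nothing of the original CAS source lives here -->
  <groupId>org.example.university</groupId>
  <artifactId>cas-overlay</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>

  <properties>
    <!-- the CAS release the WAR is rebuilt from; bump this single value to upgrade -->
    <cas.version>4.0.1</cas.version>
  </properties>

  <dependencies>
    <!-- the original Apereo CAS web application, consumed as a WAR artifact -->
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-webapp</artifactId>
      <version>${cas.version}</version>
      <type>war</type>
      <scope>runtime</scope>
    </dependency>
  </dependencies>

  <build>
    <finalName>cas</finalName>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-war-plugin</artifactId>
        <version>2.6</version>
        <configuration>
          <warName>cas</warName>
          <overlays>
            <!-- files of this project (src/main/webapp) win over the same path in the overlay -->
            <overlay>
              <groupId>org.jasig.cas</groupId>
              <artifactId>cas-server-webapp</artifactId>
            </overlay>
          </overlays>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

With this layout the repository holds only the institution's deltas (for example src/main/webapp/WEB-INF/deployerConfigContext.xml), which is what makes the "beware of moved files and directories" warning of slide 11 concrete: after a CAS version bump, every overridden path must be checked against the new original WAR.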
  20. Maven WAR overlay: examples and demos for the CAS server
     • CAS server 3.4.1x
       – https://subversion.renater.fr/cas-toolbox/branches/cas-toolbox-new/
       – https://github.com/EsupPortail/cas-toolbox-new/tree/v3.4.x
     • CAS server 3.5.x
       – https://github.com/UniconLabs/simple-cas-overlay-template
       – https://github.com/Unicon/unicon-cas-overlay
       – https://github.com/leleuj/cas-overlay-3.5.x
     • CAS server 4.0.x
       – https://github.com/leleuj/cas-overlay-demo
       – https://github.com/UniconLabs/simple-cas4-overlay-template
       – https://github.com/EsupPortail/cas-toolbox-new/tree/v4.0.x
  21. Esup cas-toolbox-new v3 and v4: Maven-based project and CAS 3.4.1x / 4.0.x
     • Overview of the new toolbox capabilities
       – Deploying a CAS server into an existing Tomcat installation
       – Simplifying and centralizing CAS configuration
         • config.properties file and the "HandlersDiscover" authentication functionality
       – Esup pre-settings and add-ons
         • Esup Theme, LDAP, Logging, TraceMe, Stats, BlockAttack, SAML 1.1...
         • Preconfigured modules that the user can activate: Memcached, REST...
       – Quickstart built with Ant
     • Initial simplification work on the Esup cas-toolbox project (J. Marchal)
       – https://subversion.renater.fr/cas-toolbox/branches/cas-toolbox-new/
     • Svn2git, transfer and update of the project on Github (L. Auxepaules)
       – https://github.com/auxepaul/cas-toolbox-new
  22. Esup cas-toolbox-new v3 & v4: files and directories organization
     • cas-toolbox-core (Esup add-ons and preconfigurations)
       – src/main
         • java
         • webapp
       – pom.xml
     • cas-toolbox-custom (university customizations and add-ons)
       – src/main
         • webapp
       – pom.xml
     • etc (HowTo and "scripts" examples)
     • config.sample.properties ("localhost" configuration)
     • pom.xml
     • Better separation between the Esup and the institution customizations and configurations
     • An integrator can easily copy files from cas-toolbox-core (or from the Apereo CAS project) to cas-toolbox-custom and then modify them
  23. Esup cas-toolbox-new v3 and v4: UI with the Esup theme
  24. Esup cas-toolbox-new v3 and v4: UI with the UPMC theme (v3.4.12.1)
  25. Esup cas-toolbox-new v3 and v4: statistics, monitoring and logs
     • Esup stats page: /cas/stats.jsp

         SERVICE_TICKET_CREATED : 1
         TICKET_GRANTING_TICKET_CREATED : 1
         AUTHENTICATION_SUCCESS : 1
         AUTHENTICATION_FAILED : 1
         SERVICE_TICKET_VALIDATED : 1
         TICKET_GRANTING_TICKET_NOT_CREATED : 1

     • Apereo monitoring page: /cas/status

         Health: OK
         1.MemoryMonitor: OK - 418,07MB free, 623,54MB total.
         2.SessionMonitor: OK - 1 sessions. 0 service tickets.

     • Esup user and service stats logs: serviceStats.log

         [Sun May 31 16:01:15 CEST 2015] [IP:127.0.0.1] [ID:admin] [TICKET:ST-1-ZW74nIKOVEECbowbB0BT-localhost] [SERVICE:http://localhost:8080/cas-management/j_spring_cas_security_check] [USER-AGENT:Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0]

     • Apereo performance statistics logs: perfStats.log

         Performance Statistics 2015-05-31 16:01:00 - 2015-05-31 16:02:00
         Tag                            Avg(ms)  Min  Max  Std Dev  Count
         AUTHENTICATE                   21,0     21   21   0,0      1
         CREATE_TICKET_GRANTING_TICKET  25,0     25   25   0,0      1
         GRANT_SERVICE_TICKET           3,0      3    3    0,0      1
         VALIDATE_SERVICE_TICKET        1,0      1    1    0,0      1
  26. Esup cas-toolbox-new v3 and v4: logging in log4j.xml
     • Tickets: tickets.log

         2015-05-31 16:01:15,606 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZW74nIKOVEECbowbB0BT-localhost] for service [http://localhost:8080/cas-management/j_spring_cas_security_check] for user [admin]

     • Successful and failed authentications, blockAttack: auth.log (works with CAS 3)

         Thu Dec 18 15:47:00 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
         AccountLockingService::incrementAttempts() : [admin] - number of attempts : 3 of 3
         AccountLockingService::isAccountLocked() : [admin] added to user list
         AccountLockingService::isAccountLocked() : [admin] locked
         Account "admin" is locked for : 3 s
         AccountLockingService::run() : [admin] removed from user list
         Thu Dec 18 15:48:00 CET 2014 - AUTHENTICATION_SUCCESS for '[username: admin]' from '127.0.0.1'

     • Rejected services: rejectedServices.log

         2015-05-31 16:02:31,091 WARN [org.jasig.cas.web.flow.ServiceAuthorizationCheck] - ServiceManagement: Unauthorized Service Access. Service [http://loc:8080/cas-management/j_spring_cas_security_check] is not found in service registry.

     • CAS management services: cas-management.log

         2015-05-31 16:01:15,606 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZW74nIKOVEECbowbB0BT-localhost] for service [http://localhost:8080/cas-management/j_spring_cas_security_check] for user [admin]

     • Trace (used by Esup AGIMUS-ng: indicators and usage): trace.log

         TRACE-1-70RFFjeWwSqCfoqwHxUoimyMBELrhdlqAjhtlhoIpChkFnuG5f-localhost:admin
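The auth.log and rejectedServices.log formats shown on slides 25 and 26 are what an operator would feed to monitoring. As an added example (not code from the cas-toolbox project), the script below parses lines in those two formats, counts failed authentications per user and source IP, flags users who reach the blockAttack threshold, reads the "Account ... is locked" lines, and lists the service URLs that were refused because they are absent from the service registry. The sample lines are constructed from the slide's formats; the threshold of 3 mirrors the "3 of 3" attempt counter on slide 26 and is otherwise an assumption.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the auth.log and rejectedServices.log
# formats shown on the slides (not real log data).
AUTH_LOG = """\
Thu Dec 18 15:46:40 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:46:50 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:47:00 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
AccountLockingService::incrementAttempts() : [admin] - number of attempts : 3 of 3
AccountLockingService::isAccountLocked() : [admin] locked
Account "admin" is locked for : 3 s
Thu Dec 18 15:48:00 CET 2014 - AUTHENTICATION_SUCCESS for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:49:00 CET 2014 - AUTHENTICATION_FAILED for '[username: jdoe]' from '10.0.0.7'
"""

REJECTED_LOG = """\
2015-05-31 16:02:31,091 WARN [org.jasig.cas.web.flow.ServiceAuthorizationCheck] - ServiceManagement: Unauthorized Service Access. Service [http://loc:8080/cas-management/j_spring_cas_security_check] is not found in service registry.
"""

# "Thu Dec 18 15:47:00 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \w+ \d{4}) - "
    r"(?P<event>AUTHENTICATION_(?:SUCCESS|FAILED)) for '\[username: (?P<user>[^\]]*)\]' "
    r"from '(?P<ip>[^']*)'$"
)
# 'Account "admin" is locked for : 3 s'
LOCKED_RE = re.compile(r'^Account "(?P<user>[^"]+)" is locked for : (?P<secs>\d+) s$')
# "... Unauthorized Service Access. Service [http://...] is not found in service registry."
REJECTED_RE = re.compile(
    r"Unauthorized Service Access\. Service \[(?P<service>[^\]]+)\] is not found in service registry"
)


def parse_auth_log(text):
    """Return (events, lockouts).

    events   : one dict (ts, event, user, ip) per AUTHENTICATION_* line
    lockouts : username -> lock duration in seconds, from the blockAttack lines
    Lines in neither format (the AccountLockingService:: traces) are skipped.
    """
    events, lockouts = [], {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
            continue
        m = LOCKED_RE.match(line)
        if m:
            lockouts[m.group("user")] = int(m.group("secs"))
    return events, lockouts


def failed_attempts(events):
    """Count AUTHENTICATION_FAILED events per (username, source IP)."""
    counts = Counter()
    for e in events:
        if e["event"] == "AUTHENTICATION_FAILED":
            counts[(e["user"], e["ip"])] += 1
    return counts


def users_over_threshold(events, threshold=3):
    """Usernames whose failures from a single IP reached the (assumed) blockAttack threshold."""
    return sorted({user for (user, _ip), n in failed_attempts(events).items() if n >= threshold})


def rejected_services(text):
    """Service URLs that CAS refused because they are not registered in the service registry."""
    found = []
    for line in text.splitlines():
        m = REJECTED_RE.search(line)
        if m:
            found.append(m.group("service"))
    return found


if __name__ == "__main__":
    events, lockouts = parse_auth_log(AUTH_LOG)
    print("failed attempts  :", dict(failed_attempts(events)))
    print("over threshold   :", users_over_threshold(events))
    print("locked accounts  :", lockouts)
    print("rejected services:", rejected_services(REJECTED_LOG))
```

A rejected-service entry is worth reviewing in both directions: it is either a legitimate application that was never registered (the cas-management UI fixes that) or an unknown URL presenting itself as a CAS client, which is exactly the case the service registry exists to refuse.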
  27. Esup cas-toolbox-new v3 and v4: deployment example
     • git clone https://github.com/EsupPortail/cas-toolbox-new.git
     • git checkout v4.0.x
     • Rename config.sample.properties to config.properties
     • Set the deploy.path property in config.properties
     • Configure config.properties
     • (Set customizations in the cas-toolbox-custom directory)
     • Initialize and deploy into an existing Tomcat by running mvn clean package
     • Start Tomcat and browse http://localhost:8080/cas and http://localhost:8080/cas-management
  28. Esup cas-toolbox-new v3 and v4: authentication handlers "Discover"
     • Set the handlers to use in config.properties (reported in the esup.properties file)

         # Handler to use (cf. cas/WEB-INF/*-auth.xml to find the id)
         # - ldapFastBindHandler : make a fast bind in ldap (AD or direct bind configuration)
         # - ldapFullBindHandler : make a search after a bind with find dn (OpenLdap or anonymous)
         # - fileEncAuthHandler : use a flat encoded file
         # - filePlainAuthHandler : use a flat plaintext file
         authHandlers=fileEncAuthHandler
         # IF USE ldapFullBindHandler
         #authHandlers=fileEncAuthHandler,ldapFullBindHandler
         authResolvers=primaryPrincipalResolver
         # IF USE ldapFullBindHandler
         #authResolvers=primaryPrincipalResolver,ldapPrincipalResolver
         defaultResolver=primaryPrincipalResolver

     • HandlersDiscover Java class: org.esupportail.cas.HandlersDiscover.java
       – Browses the list of authentication handlers and the list of authentication resolvers
       – Puts each <AuthHandler, AuthResolver> pair into the HandlerMap used by the Authentication Manager bean
     • Handlers to discover within src/main/webapp/WEB-INF/auth-configuration/*-auth.xml
  29. Esup cas-toolbox-new v3 and v4: authentication handlers "Discover"
     • HandlerDiscover bean defined in src/main/webapp/WEB-INF/deployerConfigContext.xml

         <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
             <constructor-arg ref="handlerMap"/>
             ...
             <property name="authenticationPolicy">
                 <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
             </property>
         </bean>

         <bean id="handlerMap" class="org.springframework.beans.factory.config.MapFactoryBean">
             <property name="sourceMap">
                 <map>
                     <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
                 </map>
             </property>
         </bean>

         <bean id="handlerDiscover" class="org.esupportail.cas.HandlersDiscover">
             <property name="handlersId" value="${cas.authHandlers}"/>
             <property name="resolversId" value="${cas.authResolvers}"/>
             <property name="defaultResolverId" value="${cas.defaultResolver}"/>
             <property name="mapToAdd" ref="handlerMap"/>
         </bean>
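Slides 28 and 29 describe what the HandlersDiscover bean does with the three properties (browse the handler ids and resolver ids, add each <handler, resolver> pair to the handlerMap already seeded with the proxy entry). The script below is an added simulation of that pairing, not the project's Java code: it reads the config.properties keys from slide 28 and builds the map. The rule that the i-th handler is paired with the i-th resolver, that a handler without a resolver at its position falls back to defaultResolver, and that more resolvers than handlers is a configuration error, are assumptions made for the example.

```python
# Added illustration of the handler/resolver pairing that the deck attributes to
# org.esupportail.cas.HandlersDiscover. Not the project's code: the pairing and
# fallback rules implemented here are assumptions.

# Constructed config.properties fragments using the keys documented on slide 28.
LOCAL_CONFIG = """\
# Handler to use
# - fileEncAuthHandler : use a flat encoded file
authHandlers=fileEncAuthHandler
# IF USE ldapFullBindHandler
#authHandlers=fileEncAuthHandler,ldapFullBindHandler
authResolvers=primaryPrincipalResolver
defaultResolver=primaryPrincipalResolver
"""

LDAP_CONFIG = """\
authHandlers=fileEncAuthHandler,ldapFullBindHandler
authResolvers=primaryPrincipalResolver,ldapPrincipalResolver
defaultResolver=primaryPrincipalResolver
"""

# The entry that deployerConfigContext.xml already places in the handlerMap bean.
BOOTSTRAP_MAP = {"proxyAuthenticationHandler": "proxyPrincipalResolver"}


def parse_properties(text):
    """Minimal .properties reader: skips blank lines and '#' comments, splits on the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_ids(value):
    """Turn 'a, b,,c' into ['a', 'b', 'c']; empty items from stray commas are dropped."""
    return [v.strip() for v in value.split(",") if v.strip()]


def build_handler_map(props, initial_map=None):
    """Return the <handler id -> resolver id> map handed to the authentication manager.

    Assumed rules: the i-th handler is paired with the i-th resolver; a handler
    with no resolver at its position gets defaultResolver; more resolvers than
    handlers, or a missing default when one is needed, is rejected so that a
    typo in config.properties fails the build instead of silently dropping a
    handler from the map.
    """
    handlers = split_ids(props.get("authHandlers", ""))
    resolvers = split_ids(props.get("authResolvers", ""))
    default = props.get("defaultResolver", "").strip()
    if not handlers:
        raise ValueError("authHandlers must list at least one handler id")
    if len(resolvers) > len(handlers):
        raise ValueError("more authResolvers than authHandlers")
    if len(resolvers) < len(handlers) and not default:
        raise ValueError("defaultResolver is required when fewer resolvers than handlers are listed")
    handler_map = dict(initial_map or {})
    for i, handler in enumerate(handlers):
        handler_map[handler] = resolvers[i] if i < len(resolvers) else default
    return handler_map


if __name__ == "__main__":
    for name, cfg in (("localhost", LOCAL_CONFIG), ("ldap", LDAP_CONFIG)):
        print(name, build_handler_map(parse_properties(cfg), BOOTSTRAP_MAP))
```

Note that the commented-out "#authHandlers=..." line in the localhost fragment is ignored by the parser, so switching to the LDAP configuration really requires uncommenting both the handler and the resolver line, as the slide's "IF USE ldapFullBindHandler" markers indicate.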
  30. Apereo CAS v4.0.x: some new features, changes and updates
     • New CAS 3.0 protocol: user attributes in the ticket validation response
     • Greater modularity and new submodules
       – Services management, SAML 1.1
     • Redesigned authentication API
     • Updated or replaced dependencies
       – Spring LDAP → Ldaptive
       – REST module
       – CredentialsToPrincipalResolver, ***Credentials*** classes or attributes → ***Credential***
     • User interface improvements ("responsive")
     → Source code not backward-compatible with 3.x
       – Difficulties exporting some configurations and customizations from 3.x to 4.x
     • For more information
       – The latest about the Central Authentication Service, tomorrow from 10:15pm to 11:00pm
         • http://lanyrd.com/2015/apereo/sdmmpw/
       – http://jasig.github.io/cas/current/
  31. Esup cas-toolbox-new v4: things to do and perspectives
     • Fix bugs and test some functionalities and modules
       – Fix SAML 1.1 (search filter bug), echoes in cas.log...
       – Set up and test Memcached
       – Test REST
     • Add and test new Maven tasks to support development activities
       – mvn jetty:run or mvn jetty:run-war
       – mvn tomcat7:deploy or mvn tomcat7:redeploy
     • Rewrite HowTo guides, documentation and links to the Apereo CAS documentation and guides
     • Replace old Esup functionalities by "equivalent" Apereo functionalities
       – BlockAttacks → Throttling Authentication Attempts
  32. Esup cas-toolbox-new v4: things to do and perspectives
     • Set a new Esup theme (Responsive Web Design)
     • Add and preset new authentication configurations
       – SPNEGO (Kerberos Windows), Trusted (REMOTE_USER)...
     • Add and preset other modules and functionalities of the Apereo CAS server
       – LPPE, ClearPass
     • Study (and create?) more "specific" projects based on
       – RBAC (Role-Based Access Control) by service with CAS and Grouper
       – MFA (Multi-Factor Authentication) with the LOA implementation
  33. Demonstration
  34. Demonstration: Windows demonstration environment
     • Quickstart uPortal 4.1: C:/portal
       – Apache Maven 3.0.4
       – Apache Tomcat 7.0.32
         • Run the Tomcat scripts in the apache-tomcat-7.0.32/bin directory: startup.bat and shutdown.bat
     • Oracle Java JDK 1.7
     • Environment variables
       – JAVA_HOME, JAVA_OPTS, CATALINA_OPTS
       – Path: %MAVEN_HOME%\bin
     • Git: Github for Windows
