- Single Sign-On (SSO) allows a user to log in once and gain access to multiple applications without re-authenticating. - The Central Authentication Service (CAS) is an open source SSO protocol and server that provides single sign-on for web applications. - CAS uses tickets instead of transmitting passwords to applications, improving security. It supports many platforms and has a large user base mainly of universities.

1. Albert Guo [email_address]

2. Why SSO (Single-Sign On)? Central Authentication Service (CAS) CAS Installation As-Is and To-be Process Modification Process

5. web browser app. #1 app. #2 app. #3 without SSO service web browser app. #1 app. #2 app. #3 with SSO service

6. One authentication server From applications to the authentication server (when not authenticated) From the authentication server to applications (when authenticated) Cookies, CGI parameters

8. Security Password is never transmitted to applications Opaque tickets are used N-tier installations Without transmitting any password! Portability (client libraries) Java, Perl, JSP, ASP, PHP, PL/SQL, Apache and PAM modules Permanence Developed by Yale University World-wide used (mainly Universities) Adopted by all the French educational community

9. J2EE platform Very light code (about 1000 lines) Open source Integrated into uPortal

11. CAS 3 offers… CAS 2 compliance out of the box Unit/Integration Tests and Compliance Tests Proper domain model Revamped architecture Support for well-known modifications

12. Built on popular open-source frameworks Spring Framework Quartz xFire Jakarta Commons Log4j Maven Design Philosophy: don’t reinvent the wheel

13. Loose coupling of components Via Dependency Injection Declarative configuration via XML files Coding to interfaces Swap implementations to suite needs Implementations adhere to contract Example: TicketRegistry Uses Design Patterns Patterns allow for a common understanding Example: Template Design Pattern

14. Layered Architecture Separation of UI concerns from business concerns Allows for better re-use of code Example: Web Tier vs. Web Service Use of AOP to separate cross-cutting concerns for business logic Allows for major additions to functionality without modifying core code Example: auditing Use of Spring Workflow allows for declarative reconfiguration of Login process

15. SSO solution from Yale University http://www.ja-sig.org/products/cas/index.html Authentication once to access multiple applications An open and well-documented protocol A library of clients for Java, PHP, Perl, Apache and …

16. Service 2 Resource CAS Login Validate Service 1 Resource 1. Initial request 2. Authentication ( send serviceId ) 3. Ticket transfer ( send ticket) 4. Validate Ticket 5. Access resource encrypted cookie SSO make it possible for users to login once and access different service PW

17. Service 2 Resource CAS Login Validate Service 1 Resource 1. Initial request 2. Authentication ( send serviceId ) 3. Ticket transfer ( send ticket) 4. Validate Ticket 5. Access resource encrypted cookie 2a. User need NOT to provide id/password again ( with SSO cookie exist )

18. Service 1 Resource 1. Initial request login 2. Authentication 3. Access resource Service 2 login Resource 2. Authentication again 1. Initial request 3. Access resource Multiple user database Multiple login PW PW

19. Service 2 Resource CAS Login Validate Service 1 Resource 1. Initial request 2. Authentication ( send serviceId ) 3. Ticket transfer ( send ticket) 4. Validate Ticket 5. Access resource encrypted cookie SSO make it possible for users to login once and access different service PW

20. Service 2 Resource CAS Login Validate Service 1 Resource 1. Initial request 2. Authentication ( send serviceId ) 3. Ticket transfer ( send ticket) 4. Validate Ticket 5. Access resource encrypted cookie 2a. User does NOT need to provide id/password again ( with SSO cookie exist )

21. Service CAS Login state ? ID and Password Correct? Validation url Initial request Redirect to CAS (send serviceId ) Y N N Login again Id and password Ticket transfer (Send ticket and set SSO cookie ) Ticket Validation Use resource N Save login state Y Y Ticket validation

25. You will get this kind of error message as you access the CAS login page: org.apache.jasper.JasperException: /WEB-INF/view/jsp/default/ui/casLoginView.jsp(48,35) Attribute value request.getQueryString() == null ? "" : request.getQueryString().replaceAll("&locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]|^locale=([A-Za-z][A-Za-z]_)?[A-Za-z][A-Za-z]", "") is quoted with " which must be escaped when used within the value Apparently Tomcat changed the way they handle quotation marks in JSP pages to use strict checking: https://issues.apache.org/bugzilla/show_bug.cgi?id=45015

26. Temp solution: go to Tomcat 5.5\webapps\cas-server-webapp-3.2\WEB-INF\view\jsp\default\ui, and modify casLoginView.jsp, delete line 48:

27. Just provide same user name and password, then you can pass the validation

34. Modify this return page

35. Find mapping servlet controller from applicationCotext.xml Create a new login successful page Modification principal Modified the server side API instead of client side. Therefore, client will not need to any modification. Just use new a URL pattern, ex. serviceValidateByMail, to let servlet controller to do validation and return to new successful login page.

40. Add one more view property casServiceSuccessViewByMail.(class)=org.springframework.web.servlet.view.JstlView casServiceSuccessViewByMail.url=/WEB-INF/view/jsp/protocol/2.0/casServiceValidationByMailSuccess.jsp

41. In org.jasig.cas.web package