1. What’s new in CAS 4.2?
Jérôme Leleu
leleuj@gmail.com
@leleuj
Misagh Moayyed
mmoayyed@unicon.net
@misagh84
ESUP-Days #21 / Apereo Europe 2016
2. General
● 1100+ stargazers on GitHub
● A new chairman, 2 new committers, many contributions
○ 1 PR a day
Dmitriy Kopylenko Daniel Frett
3. CAS 4.2 Main Objectives
● Easy to use (Plug-N-Play)
○ You want SAML/OAuth/OpenID? Drop the module dependency into your overlay…
○ ...and done!
● Reduce configuration noise
○ Say NO to XML (well, almost!)
● Universal support (protocols, backends)
4. Auto-configuration
To customize your CAS server (Maven overlay), you needed to (add
dependencies and) override XML files: web.xml, login-webflow.xml,
ticketGrantingTicketCookieGenerator.xml, ticketRegistry.xml…
Now:
● Express Feature Intent (Add dependency, if needed)
● Add Settings (Change cas.properties)
5. Auto-configuration: CASTGC cookie
v4.1: src/main/webapp/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
c:casCookieValueManager-ref="cookieValueManager"
p:cookieSecure="true"
p:cookieMaxAge="-1"
p:cookieName="TGC"
p:cookiePath="/cas"/>
v4.2: no ticketGrantingTicketCookieGenerator.xml override; the generator is a Spring @Component that reads its settings from cas.properties:
import org.jasig.cas.web.support.CookieRetrievingCookieGenerator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component("ticketGrantingTicketCookieGenerator")
public class TGCCookieRetrievingCookieGenerator extends CookieRetrievingCookieGenerator {
    // constructor wiring the CookieValueManager is not shown on the slide

    // The cookie name is injected from cas.properties; "TGC" is the default when tgc.name is unset
    @Override
    @Autowired
    public void setCookieName(@Value("${tgc.name:TGC}") final String cookieName) {
        super.setCookieName(cookieName);
    }
}
cas.properties:
# Decides whether SSO cookie should be created only under secure connections.
# tgc.secure=true
# The name of the SSO cookie
# tgc.name=TGC
# The path to which the SSO cookie will be scoped
# tgc.path=/cas
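The settings above decide what the CASTGC cookie looks like on the wire, so it is worth checking the Set-Cookie header a deployed server actually returns. The script below is an added example, not CAS project code: it parses a raw Set-Cookie value (the TGT ids in the samples are constructed, not real tickets) and reports every deviation from tgc.name, tgc.secure=true, tgc.path=/cas and the cookieMaxAge=-1 session-cookie setting. It also flags a missing HttpOnly attribute, which the slide does not mention but which belongs on an SSO cookie. The caveat worth remembering: with tgc.secure=false the browser also sends the TGT over plain HTTP, and whoever captures it owns the SSO session.

```python
"""Added example, not CAS project code: check the Set-Cookie line a CAS login
response carries for the SSO (TGC) cookie against the cas.properties settings."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]]  # lower-cased attribute name -> value, or None for bare flags


def parse_set_cookie(header: str) -> SetCookie:
    """Split 'NAME=VALUE; Attr=v; Flag' into its parts (RFC 6265 shape)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return SetCookie(name.strip(), value.strip(), attrs)


def check_tgc_cookie(header: str, expected_name: str = "TGC", expected_path: str = "/cas",
                     require_secure: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the cookie matches the settings.
    The defaults mirror tgc.name=TGC, tgc.path=/cas and tgc.secure=true."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if cookie.name != expected_name:
        findings.append(f"cookie name is {cookie.name!r}, expected {expected_name!r} (tgc.name)")
    if require_secure and "secure" not in cookie.attrs:
        findings.append("Secure flag missing: the TGT would also be sent over plain HTTP (tgc.secure)")
    if cookie.attrs.get("path") != expected_path:
        findings.append(f"Path is {cookie.attrs.get('path')!r}, expected {expected_path!r} (tgc.path)")
    if "max-age" in cookie.attrs or "expires" in cookie.attrs:
        findings.append("cookie is persistent; cookieMaxAge=-1 means the SSO cookie should end with the browser session")
    if "httponly" not in cookie.attrs:
        # Not on the slide: recommended so page scripts cannot read the SSO cookie
        findings.append("HttpOnly flag missing")
    return findings


# Constructed sample headers (the TGT ids are made up)
GOOD = "TGC=TGT-1-abc123-cas01.example.org; Path=/cas; Secure; HttpOnly"
WEAK = "TGC=TGT-1-abc123-cas01.example.org; Path=/; Max-Age=3600"

if __name__ == "__main__":
    for h in (GOOD, WEAK):
        print(h, "->", check_tgc_cookie(h) or "OK")
```

Feed it the Set-Cookie header from a real login response (for example from the browser's network panel or a curl -i against /cas/login after authentication) and fix every finding in cas.properties before going live.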
6. Auto-configuration: OAuth server support
v4.1: cas-server-support-oauth module + servlet mapping on /oauth2.0/* +
oauth20WrapperController in cas-servlet.xml + OAuthCallbackAuthorizeService +
OAuthRegisteredService
v4.2: add the dependency + OAuthRegisteredService
import javax.servlet.ServletContextEvent;
import javax.servlet.annotation.WebListener;
import org.jasig.cas.web.AbstractServletContextInitializer;
import org.jasig.cas.web.support.WebUtils;
import org.springframework.stereotype.Component;

@WebListener
@Component
public class OAuthServletContextListener extends AbstractServletContextInitializer {
    …
    @Override
    protected void initializeServletContext(final ServletContextEvent event) {
        // Register the OAuth endpoints on the CAS servlet at startup: no web.xml edit in the overlay
        if (WebUtils.isCasServletInitializing(event)) {
            addEndpointMappingToCasServlet(event, "/oauth2.0/*");
        }
    }
}
7. pac4j contributions
pac4j is a Java security engine which supports most authentication mechanisms (like CAS, OAuth, SAML) and is available for most frameworks: J2E, Spring MVC, Play, Vertx, Ratpack…
8. pac4j contributions: CASify any webapp
Using any pac4j library (j2e-pac4j, spring-webmvc-pac4j, play-pac4j, vertx-pac4j, spring-security-pac4j, buji-pac4j, etc.), you can CASify any J2E, Spring MVC, Play, Vertx, Spring Security, Shiro… webapp. Spring MVC example:
import org.pac4j.cas.client.CasClient;
import org.pac4j.core.config.Config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class Pac4jConfig {
    @Bean
    public Config config() {
        // Login URL of the CAS server to delegate to, plus this webapp's callback URL
        // (localhost over http is a demo setting; use an https callback in production)
        final CasClient casClient = new CasClient("https://casserverpac4j.herokuapp.com/login");
        return new Config("http://localhost:8080/callback", casClient);
    }
}

import org.pac4j.core.config.Config;
import org.pac4j.springframework.web.RequiresAuthenticationInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@ComponentScan(basePackages = "org.pac4j.springframework.web")  // picks up the /callback controller
public class SecurityConfig extends WebMvcConfigurerAdapter {
    @Autowired
    private Config config;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Everything under /cas/* requires a CAS-authenticated user; other paths stay open
        registry.addInterceptor(new RequiresAuthenticationInterceptor(config, "CasClient")).addPathPatterns("/cas/*");
    }
}
9. pac4j contributions: pac4j replaced Spring Security in CAS
The security of the CAS server and CAS management web applications is now ensured by pac4j:
<context:component-scan base-package="org.pac4j.springframework.web" />
<bean id="config" class="org.pac4j.core.config.Config" c:callbackUrl="${cas-management.securityContext.serviceProperties.service}"
c:client-ref="casClient" p:authorizer-ref="requireAdminRoleAuthorizer" />
<bean id="casClient" class="org.pac4j.cas.client.CasClient" p:casLoginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
p:authorizationGenerator-ref="authorizationGenerator" />
<bean id="requireAdminRoleAuthorizer" class="org.pac4j.core.authorization.RequireAnyRoleAuthorizer"
c:roles="${cas-management.securityContext.serviceProperties.adminRoles}" />
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/callback*" />
<mvc:exclude-mapping path="/logout*" />
<mvc:exclude-mapping path="/authorizationFailure.html" />
<bean class="org.pac4j.springframework.web.RequiresAuthenticationInterceptor" c:config-ref="config" c:clientName="CasClient"
c:authorizerName="securityHeaders,csrfToken,RequireAnyRoleAuthorizer" />
</mvc:interceptor>
</mvc:interceptors>
11. pac4j contributions: use pac4j authenticators
The cas-server-integration-pac4j module wraps the pac4j authenticators as CAS authentication handlers:
1. MongoAuthenticationHandler (cas-server-support-mongo)
2. StormpathAuthenticationHandler (cas-server-support-stormpath)
3. TokenAuthenticationHandler (cas-server-support-token)
12. Build/Packaging: Gradle
● CAS 4.2 uses Gradle as its internal build mechanism
○ Codebase broken down into 86 modules
○ You still use Maven for your CAS overlays.
● Patch releases every month
● Minor releases every 3 months
● SNAPSHOT releases on every change
13. Build/Packaging: Docker
● CAS Docker images:
https://hub.docker.com/r/apereo/cas/
● Images work with a Maven overlay from a git repo
○ Jetty 9.3.x bundled
○ Java 8 bundled
14. Authentication
● Delegate AuthN to ADFS/WS-Fed
● Support for
○ Basic AuthN
○ JWT AuthN
○ MongoDb
○ Stormpath
○ Apache Shiro
● JSON as the validation response type
● YubiKey/DuoSecurity (MFA WIP)
19. Authorizations: ABAC
● Support for service-based authorizations based on:
○ User Attributes: “only users with attribute X can access application”
○ Date/Time: “application is only accessible on Fridays between 8-10am”
○ Internet2 Grouper: “only members of this Grouper group are allowed”
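An added illustration of how the three policy kinds above combine into one per-service decision; this is not CAS code, and the class and field names are invented for the example. A service is matched by URL pattern and carries a list of access strategies; every strategy must agree, and a URL that matches no registered service is denied outright. The group directory is a constructed in-memory table standing in for a Grouper query.

```python
"""Added example: per-service ABAC decisions of the three kinds on the slide.
Not CAS project code; the names below are invented for illustration."""
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, List, Mapping, Set

Attributes = Mapping[str, Set[str]]  # principal attributes, multi-valued


@dataclass
class RequiredAttributesStrategy:
    """'only users with attribute X can access': each required attribute must carry
    at least one accepted value (every attribute when require_all, else any one)."""
    required: Dict[str, Set[str]]
    require_all: bool = True

    def is_authorized(self, principal: str, attrs: Attributes, now: datetime) -> bool:
        hits = [bool(attrs.get(name, set()) & accepted) for name, accepted in self.required.items()]
        return all(hits) if self.require_all else any(hits)


@dataclass
class TimeWindowStrategy:
    """'only on Fridays between 8-10am': a weekday set (Mon=0) plus a [start, end) window."""
    weekdays: Set[int]
    start: time
    end: time

    def is_authorized(self, principal: str, attrs: Attributes, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass
class GroupMembershipStrategy:
    """'only members of this Grouper group': the lookup callable stands in for a
    Grouper web-service call and returns the principal's group names."""
    required_groups: Set[str]
    lookup: Callable[[str], Set[str]]

    def is_authorized(self, principal: str, attrs: Attributes, now: datetime) -> bool:
        return bool(self.lookup(principal) & self.required_groups)


@dataclass
class RegisteredService:
    name: str
    service_id: str  # regex, fully matched against the service URL
    strategies: List[object] = field(default_factory=list)

    def matches(self, service_url: str) -> bool:
        return re.fullmatch(self.service_id, service_url) is not None

    def is_authorized(self, principal: str, attrs: Attributes, now: datetime) -> bool:
        # Every strategy must agree; a service with no strategy is open to any authenticated user
        return all(s.is_authorized(principal, attrs, now) for s in self.strategies)


def authorize(services: List[RegisteredService], service_url: str, principal: str,
              attrs: Attributes, now: datetime) -> bool:
    """Fail closed: a URL matching no registered service gets no access at all."""
    for svc in services:
        if svc.matches(service_url):
            return svc.is_authorized(principal, attrs, now)
    return False


# Constructed group directory standing in for Grouper
GROUPS = {"alice": {"etc:staff", "app:reports:admins"}, "bob": {"etc:students"}}

SERVICES = [
    RegisteredService(
        name="reports",
        service_id=r"https://reports\.example\.org/.*",
        strategies=[
            RequiredAttributesStrategy({"eduPersonAffiliation": {"staff", "faculty"}}),
            TimeWindowStrategy(weekdays={4}, start=time(8, 0), end=time(10, 0)),
            GroupMembershipStrategy({"app:reports:admins"}, lookup=lambda p: GROUPS.get(p, set())),
        ],
    ),
    RegisteredService(name="wiki", service_id=r"https://wiki\.example\.org/.*"),
]

# Constructed principals and a Friday timestamp
ALICE = {"eduPersonAffiliation": {"staff"}, "mail": {"alice@example.org"}}
BOB = {"eduPersonAffiliation": {"student"}}
FRIDAY_9AM = datetime(2016, 2, 5, 9, 0)

if __name__ == "__main__":
    print(authorize(SERVICES, "https://reports.example.org/q?x=1", "alice", ALICE, FRIDAY_9AM))  # True
```

The time window is half-open so that 10:00 sharp is already outside "8-10am", and the group strategy queries membership per decision rather than caching it, which is what keeps a revoked membership effective immediately.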