Columbia Customizes CAS

Dan Ellentuck, Columbia University
Bill Thompson, Unicon Inc.

June 10-15, 2012

Growing Community;
Growing Possibilities
• Reasons to Choose CAS:
  ◦ Google Apps SSO
  ◦ SAML support
  ◦ Vendor support
  ◦ Community support
  ◦ Tie-in with other open source tools and products, e.g., Sakai

• Complicating factors:
  ◦ Pre-existing local web auth system
  ◦ Active, diverse client base

• Question:
  ◦ How can the legacy system be migrated to CAS?
• CAS support for Google Apps SSO

• Migrating a pre-existing web auth system to CAS

• CAS customizations and enhancements:
  ◦ Adding support for a new protocol
  ◦ Plugging in a custom service registry
  ◦ Enabling per-service UI tweaks
  ◦ Changing some basic login behavior
• Google Apps SSO is based on SAML 2. See:
  https://developers.google.com/google-apps/sso/saml_reference_implementation

• Step-by-step instructions on configuring CAS for Google Apps SSO:
  https://wiki.jasig.org/pages/viewpage.action?pageId=6063484

• Works out of the box.
• Sibling of CAS, called "WIND".
• Cookie-based SSO.
• No generic login.
• Per-service UI customization and opt-in SSO.
• Similar APIs with different request parameter names:

CAS:

/login?service=https://MY-APPLICATION-PATH
/logout
/serviceValidate?service=https://APPLICATION-PATH&ticket=SERVICE-TICKET

WIND:

/login?destination=https://MY-APPLICATION-PATH
/logout
/validate?ticketid=SERVICE-TICKET

One difference matters for the protocol work later: the WIND validate call carries only the ticket, whereas CAS serviceValidate also names the service and rejects a ticket that was issued for a different one.
Two private validation response formats (text and XML):

Text:

    yes
    de3

XML:

    <wind:serviceResponse
        xmlns:wind='http://www.columbia.edu/acis/rad/authmethods/wind'>
      <wind:authenticationSuccess>
        <wind:user>de3</wind:user>
        <wind:passwordtyped>true</wind:passwordtyped>
        <wind:logintime>1338696023</wind:logintime>
        <wind:passwordtime>1331231507</wind:passwordtime>
        <wind:passwordchangeURI>https://idmapp.cc.columbia.edu/acctmanage/changepasswd</wind:passwordchangeURI>
      </wind:authenticationSuccess>
    </wind:serviceResponse>
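A client that consumes these responses should treat anything other than an unambiguous success as a failure. The parser below is an added example, not Columbia's client library or CAS code: it accepts the text form only when the first line is exactly `yes`, parses the XML form namespace-aware with DTD and external-entity processing disabled, and returns null for every other input. The class name and the sample strings in main are constructed from the two formats shown above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not Columbia's or CAS's code): a strict client-side parser for the
 * two WIND validation response formats. Both helpers return the authenticated user
 * id, or null when the response is anything other than an unambiguous success.
 */
public class WindResponseParser {

    static final String WIND_NS = "http://www.columbia.edu/acis/rad/authmethods/wind";

    /** Text format: line 1 must be exactly "yes", line 2 the user id. Anything else fails. */
    public static String parseText(String body) {
        if (body == null) return null;
        String[] lines = body.split("\r?\n", -1);
        if (lines.length < 2 || !"yes".equals(lines[0])) return null;   // "no", "YES ", blank: reject
        String user = lines[1].trim();
        return user.isEmpty() ? null : user;
    }

    /** XML format: namespace-aware, DTD and entity processing off, exactly one success/user element. */
    public static String parseXml(String body) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            DocumentBuilder b = f.newDocumentBuilder();
            Document doc = b.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            Element root = doc.getDocumentElement();
            if (!WIND_NS.equals(root.getNamespaceURI())
                    || !"serviceResponse".equals(root.getLocalName())) return null;
            NodeList success = root.getElementsByTagNameNS(WIND_NS, "authenticationSuccess");
            if (success.getLength() != 1) return null;             // missing or ambiguous
            NodeList users = ((Element) success.item(0)).getElementsByTagNameNS(WIND_NS, "user");
            if (users.getLength() != 1) return null;
            String user = users.item(0).getTextContent().trim();
            return user.isEmpty() ? null : user;
        } catch (Exception e) {                                     // malformed XML, blocked DOCTYPE, ...
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed samples based on the formats on the slide.
        String textOk = "yes\nde3\n";
        String textNo = "no\n";
        String xmlOk = "<wind:serviceResponse xmlns:wind='" + WIND_NS + "'>"
            + "<wind:authenticationSuccess><wind:user>de3</wind:user>"
            + "<wind:passwordtyped>true</wind:passwordtyped></wind:authenticationSuccess>"
            + "</wind:serviceResponse>";
        String xmlWrongNs = "<wind:serviceResponse xmlns:wind='urn:not-wind'>"
            + "<wind:authenticationSuccess><wind:user>de3</wind:user></wind:authenticationSuccess>"
            + "</wind:serviceResponse>";
        String xmlDoctype = "<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/hostname'>]>" + xmlOk;
        System.out.println("text ok:        " + parseText(textOk));
        System.out.println("text no:        " + parseText(textNo));
        System.out.println("xml ok:         " + parseXml(xmlOk));
        System.out.println("xml wrong ns:   " + parseXml(xmlWrongNs));
        System.out.println("xml doctype:    " + parseXml(xmlDoctype));
    }
}
```

The namespace check is the important one for the XML form: a response in a different namespace, or one with several authenticationSuccess elements, is not a success even if it contains a wind:user. Disabling DOCTYPE processing costs nothing here and keeps a validation client from becoming an XXE sink if the endpoint it talks to is ever impersonated.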
• Service registry with maintenance UI
  ◦ Service attributes for UI customization, multiple destinations, attribute release, application contacts, etc.

Registry tables (SERVICE, with child tables keyed by SERVICE_LABEL):

SERVICE
  SERVICE_LABEL
  SINGLE_SIGN_ON (T/F)
  PROXY_GRANTING (T/F)
  RETURN_XML (T/F)
  ID_FORMAT
  DESCRIPTION
  HELP_URI (for customizing UI)
  IMAGE_PATH (for customizing UI)
  HELP_LABEL (for customizing UI)

DESTINATION
  SERVICE_LABEL
  DESTINATION

SERVICE_CONTACT
  SERVICE_LABEL
  EMAIL_ADDRESS
  CONTACT_TYPE

AFFILIATION
  SERVICE_LABEL
  AFFILIATION (like ATTRIBUTE)
• Collaboration between Columbia and Unicon.

• Tasks:
  ◦ Plug legacy service registry into CAS.
  ◦ Add legacy authentication protocol to CAS.
  ◦ Port login UI customizations to CAS.
  ◦ Change some login behavior (eliminate generic login).

• New service registrations must use the CAS protocol.

• Existing clients can use either the legacy or the CAS protocol during the transition.
•   Java
•   View technologies (JSP, CSS, etc.)
•   Maven (dependencies; overlays)
•   Spring configuration (CAS set up)
•   Spring Web Flow (SWF)
•   App server/web server (tomcat/apache)
• The Service Registry is the obvious extension point.

• Advantages to plugging in the local service registry:
  ◦ Retain extended service attributes and functions
  ◦ Remove migration headache
  ◦ Can continue to use the legacy maintenance UI
• Step 1: Write a CAS RegisteredService adaptor, part 1. Write an interface that extends CAS RegisteredService with any extra attributes in the custom service registry.

    import org.jasig.cas.services.RegisteredService;

    public interface WindRegisteredService extends RegisteredService {
        /**
         * Returns a display label for the help link. Can be null.
         * Ignored if getHelpUri() is null.
         * @return String
         */
        String getHelpLabel();

        /**
         * Returns a help URI. Can be null.
         * @return String
         */
        String getHelpUri();

        ...etc.
    }
• Step 2: Write a CAS RegisteredService adaptor, part 2. Write a RegisteredService implementation that adapts an instance of the custom service to the extended RegisteredService interface.

    import java.util.List;
    import org.jasig.cas.authentication.principal.Service;
    import org.jasig.cas.services.RegisteredService;

    public class WindRegisteredServiceImpl implements WindRegisteredService,
            Comparable<RegisteredService> {
        ...
        public boolean matches(final Service targetService) {
            if (!isEnabled() || targetService == null
                    || targetService.getId() == null || targetService.getId().isEmpty()) {
                return false;
            }
            final String targetId = targetService.getId();
            // A WIND registration lists allowed destinations; the request matches when its
            // service URL starts with one of them (case-insensitive prefix). Note that a pure
            // prefix test also accepts longer host names that begin with a registered one,
            // so registered destinations should end at a path boundary.
            for (final String registeredDestination
                    : (List<String>) getWindService().getAllowed_destinations()) {
                // A target shorter than the destination cannot match, and substring() would throw.
                if (targetId.length() >= registeredDestination.length()
                        && registeredDestination.equalsIgnoreCase(
                               targetId.substring(0, registeredDestination.length()))) {
                    return true;
                }
            }
            return false;
        }
        ...
    }
• Step 3: Implement a CAS ServicesManager (maps the incoming Service URL of a request to the matching CAS RegisteredService).

    import org.jasig.cas.authentication.principal.Service;
    import org.jasig.cas.services.RegisteredService;
    import org.jasig.cas.services.ReloadableServicesManager;

    public class ReadOnlyWindServicesManagerImpl implements ReloadableServicesManager {
        ...
        // Find the WIND service whose allowed destinations match the request, then
        // return the adaptor registered under that service's label.
        public RegisteredService findServiceBy(final Service targetService) {
            final edu.columbia.acis.rad.wind.model.Service windService =
                findWindService(targetService);
            return (windService != null)
                ? getRegisteredServicesByName().get(windService.getLabel())
                : null;
        }

        public RegisteredService findServiceBy(final long id) {
            return getRegisteredServicesById().get(id);
        }
        ...
    }
• Step 4: Write Spring bean definitions for the new ServicesManager.

    applicationContext.xml

    <!--
      Default servicesManager bean definition replaced by custom servicesManager
      <bean
            id="servicesManager"
            class="org.jasig.cas.services.DefaultServicesManagerImpl">
            <constructor-arg index="0" ref="serviceRegistryDao"/>
      </bean>
    -->
    <bean
          id="servicesManager"
          class="edu.columbia.acis.rad.wind.cas.ReadOnlyWindServicesManagerImpl">
          <constructor-arg index="0" ref="wind-ServicesCollection"/>
    </bean>

    ...etc.
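The prefix rule in the adaptor's matches() method decides which registered service a login or validation request belongs to, so it is the gate that controls where CAS will send tickets. The standalone JDK class below is an added example, not code from Columbia's adaptor or from CAS: it puts the naive string-prefix rule beside a matcher that anchors on scheme, host and port and treats the registered path as a prefix only at a "/" boundary. The class name, the example.edu and attacker.net host names and the probe URLs are all constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not Columbia's adaptor or CAS code: the naive string-prefix rule
 * beside a matcher that anchors on scheme, host and port and treats the registered
 * path as a prefix only at a "/" boundary. Host names and probes are constructed.
 */
public class DestinationMatcher {

    /** Naive rule: a registered destination is a case-insensitive string prefix of the service URL. */
    public static boolean prefixMatch(String serviceUrl, List<String> registeredDestinations) {
        for (String dest : registeredDestinations) {
            if (serviceUrl.length() >= dest.length()
                    && dest.equalsIgnoreCase(serviceUrl.substring(0, dest.length()))) {
                return true;
            }
        }
        return false;
    }

    /** Stricter rule: same origin, and the path continues the registered path at a segment boundary. */
    public static boolean strictMatch(String serviceUrl, List<String> registeredDestinations) {
        URI target;
        try {
            target = new URI(serviceUrl);
        } catch (URISyntaxException e) {
            return false;                               // an unparseable service URL never matches
        }
        if (target.getScheme() == null || target.getHost() == null || target.getRawUserInfo() != null) {
            return false;                               // absolute URL only; reject user@host tricks
        }
        for (String dest : registeredDestinations) {
            URI reg;
            try {
                reg = new URI(dest);
            } catch (URISyntaxException e) {
                continue;                               // a malformed registration must not widen the match
            }
            if (reg.getScheme() == null || reg.getHost() == null || !sameOrigin(target, reg)) {
                continue;
            }
            String regPath = normalisePath(reg.getRawPath());
            String tgtPath = normalisePath(target.getRawPath());
            if (regPath.endsWith("/") ? tgtPath.startsWith(regPath)
                                      : tgtPath.equals(regPath) || tgtPath.startsWith(regPath + "/")) {
                return true;
            }
        }
        return false;
    }

    private static String normalisePath(String rawPath) {
        return (rawPath == null || rawPath.isEmpty()) ? "/" : rawPath;
    }

    private static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed registrations: one whole host, one path under another host.
        List<String> registered = Arrays.asList("https://app.example.edu", "https://portal.example.edu/sakai");
        String[] probes = {
            "https://app.example.edu/login",            // legitimate
            "https://APP.example.edu/",                 // legitimate, host case differs
            "https://app.example.edu.attacker.net/x",   // registered host is a prefix of a longer host
            "https://app.example.edu@attacker.net/x",   // registered host becomes userinfo
            "https://app.example.edu:8443/",            // different port on the same host
            "https://portal.example.edu/sakaifake",     // sibling path sharing the registered prefix
            "https://portal.example.edu/sakai/portal",  // legitimate sub-path
        };
        for (String p : probes) {
            System.out.printf("%-44s prefix=%-5b strict=%b%n",
                p, prefixMatch(p, registered), strictMatch(p, registered));
        }
    }
}
```

The three middle probes are the ones to watch: the prefix rule accepts all of them because the registered string is literally how they begin, while the strict rule parses the URL first and compares origin and path separately. Whichever rule a registry uses, the matcher is what turns "this destination is registered" into "CAS may issue a ticket to this URL", so it deserves the same scrutiny as the login form.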
• Result…

  ◦ Additional service attributes and functions are available to CAS

  ◦ Custom maintenance UI can be used

  ◦ Service registry uses custom logic to match the Service URL of the incoming request with the appropriate registered service

  ◦ Easy migration
• CAS is multi-protocol.
• WIND and CAS protocols are similar but not identical.
• Different servlet API and validation response formats.

• Advantages to adding the legacy protocol to CAS:
  ◦ Single authentication service
  ◦ Single SSO domain
  ◦ Easy migration from legacy system
• Step 1: Implement the CAS Service interface for the new protocol by subclassing AbstractWebApplicationService:

    import javax.servlet.http.HttpServletRequest;
    import org.jasig.cas.authentication.principal.AbstractWebApplicationService;
    import org.jasig.cas.util.HttpClient;

    public class WindService extends AbstractWebApplicationService {
        private static final String DESTINATION_PARAM = "destination";
        private static final String SERVICE_PARAM = "service";
        private static final String TICKET_PARAM = "ticketid";
        ...
        // Create a Service instance from the request. WIND names the target URL
        // "destination" where CAS uses "service".
        public static WindService from(final HttpServletRequest request, final HttpClient httpClient) {
            final String origUrl = request.getParameter(DESTINATION_PARAM);
            ...
            // id and originalUrl are both the destination; WIND has no artifact id.
            return new WindService(origUrl, origUrl, /* artifactId not used */ null, httpClient);
        }
        ...
    }
• Step 2: Write an ArgumentExtractor class to retrieve the values of protocol-specific request parameters and return instances of the Service class created in Step 1:

    import javax.servlet.http.HttpServletRequest;
    import org.jasig.cas.authentication.principal.WebApplicationService;
    import org.jasig.cas.ticket.ServiceTicket;
    import org.jasig.cas.ticket.registry.TicketRegistry;
    import org.jasig.cas.web.support.AbstractSingleSignOutEnabledArgumentExtractor;

    public class WindArgumentExtractor extends AbstractSingleSignOutEnabledArgumentExtractor {
        private static final String TICKET_PARAM = "ticketid";
        private final TicketRegistry ticketRegistry;
        ...
        protected WebApplicationService extractServiceInternal(final HttpServletRequest request) {
            // Coming in from a validation request. The WIND /validate call carries only the
            // ticket, so the Service the ticket was issued for is recovered from the ticket
            // registry rather than taken from the request.
            if ("/validate".equals(request.getServletPath())) {
                final String ticketId = request.getParameter(TICKET_PARAM);
                final ServiceTicket st = (ServiceTicket)
                    this.ticketRegistry.getTicket(ticketId, ServiceTicket.class);
                final WindService ws = st != null ? (WindService) st.getService() : null;
                ...
                return WindService.from(ticketId, ws, getHttpClientIfSingleSignOutEnabled());
            }
            // Coming in from a login request: the destination is on the request itself.
            return WindService.from(request, getHttpClientIfSingleSignOutEnabled());
        }
    }
   Step 3: In web.xml, map the servlet path for the
    protocol’s version of the service ticket validation
    request to the cas servlet:
        <servlet>
            <servlet-name>cas</servlet-name>
            <servlet-class>
                org.jasig.cas.web.init.SafeDispatcherServlet
            </servlet-class>
            <init-param>
               <param-name>publishContext</param-name>
               <param-value>false</param-value>
            </init-param>
            <load-on-startup>1</load-on-startup>
        </servlet>
        ...
        <servlet-mapping>
              <servlet-name>cas</servlet-name>
              <url-pattern>/validate</url-pattern>
        </servlet-mapping>
        ...
• Step 4: Write a view class to format the service ticket validation response:

    import groovy.xml.StreamingMarkupBuilder
    import org.jasig.cas.validation.Assertion
    import org.jasig.cas.web.view.AbstractCasView

    class WindResponseView extends AbstractCasView {
        ...
        private buildSuccessXmlResponse(Assertion assertion) {
            def auth = assertion.chainedAuthentications[0]
            def principalId = auth.principal.id
            def xmlOutput = new StreamingMarkupBuilder()
            xmlOutput.bind {
                mkp.declareNamespace('wind': WIND_XML_NAMESPACE)
                wind.serviceResponse {
                    wind.authenticationSuccess {
                        wind.user(principalId)
                        wind.passwordtyped(assertion.fromNewLogin)
                        // WIND reports logintime in epoch seconds (see the sample
                        // response); Date.time is milliseconds.
                        wind.logintime(auth.authenticatedDate.time.intdiv(1000))
                        ...etc.
                    }
                }
            }.toString()
        }
    }
• Step 5: Define and wire up beans for the various protocol operations:

argumentExtractorsConfiguration.xml
defines ArgumentExtractor classes for the various supported protocols:

<bean id="windArgumentExtractor"
      class="edu.columbia.cas.wind.WindArgumentExtractor"
      p:httpClient-ref="httpClient"
      p:disableSingleSignOut="true">
      <constructor-arg index="0" ref="ticketRegistry"/>
</bean>

uniqueIdGenerators.xml
the protocol is mapped to a unique ID generator for service tickets via its Service class:

<util:map id="uniqueIdGeneratorsMap">
  <entry key="edu.columbia.cas.wind.WindService"
         value-ref="serviceTicketUniqueIdGenerator" />
  ...etc.
</util:map>
• Step 5: Define and wire up beans for the various protocol operations (cont'd):

cas-servlet.xml
bean definitions made available to the web flow:

<prop key="/validate">windValidateController</prop>

...

<bean id="windValidateController"
      class="org.jasig.cas.web.ServiceValidateController"
      p:proxyHandler-ref="proxy20Handler"
      p:successView="windServiceSuccessView"
      p:failureView="windServiceFailureView"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:argumentExtractor-ref="windArgumentExtractor"/>
...etc.
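Steps 1 to 5 bolt the WIND /validate?ticketid= call onto CAS. One difference from /serviceValidate is visible in the API listing earlier: the WIND call carries no service parameter, so the server can only recover which service a ticket was issued for from the ticket registry, and nothing in the request proves that the caller is that service. The toy registry below is an added illustration of why that binding matters, not CAS or WIND code. The class names, ticket format, lifetime, fake clock and the evil.example.net destination (standing in for any URL that a too-loose destination match would let a ticket be sent to) are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not CAS or WIND code: a toy service-ticket registry contrasting
 * service-bound validation (/serviceValidate?service=S&ticket=T: the ticket must
 * have been issued for S) with ticket-only validation (/validate?ticketid=T).
 * Class names, ticket format, lifetime and the fake clock are assumptions.
 */
public class TicketBinding {

    /** Assumed service-ticket lifetime; CAS keeps these short. */
    static final long TTL_MILLIS = 10_000;
    private static final SecureRandom RNG = new SecureRandom();

    /** A service ticket remembers the service it was issued for. */
    static final class ServiceTicket {
        final String id, user, service;
        final long issuedAt;
        ServiceTicket(String id, String user, String service, long issuedAt) {
            this.id = id; this.user = user; this.service = service; this.issuedAt = issuedAt;
        }
    }

    private final Map<String, ServiceTicket> tickets = new HashMap<>();
    private long now = 0;                            // fake clock, advanced explicitly

    void advanceClock(long millis) { now += millis; }

    /** /login?service=S (CAS) or /login?destination=S (WIND): issue a ticket bound to S. */
    String issue(String user, String service) {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);                          // unguessable ticket id
        String id = "ST-" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tickets.put(id, new ServiceTicket(id, user, service, now));
        return id;
    }

    /** Service-bound validation: the caller names its service and the ticket must match it. */
    String validateBound(String ticketId, String callerService) {
        ServiceTicket st = tickets.remove(ticketId);  // single use, whether or not it validates
        if (st == null || now - st.issuedAt > TTL_MILLIS) return null;
        if (!st.service.equals(callerService)) return null;   // the check a ticket-only API cannot make
        return st.user;
    }

    /** Ticket-only validation: nothing in the request identifies the caller. */
    String validateUnbound(String ticketId) {
        ServiceTicket st = tickets.remove(ticketId);
        if (st == null || now - st.issuedAt > TTL_MILLIS) return null;
        return st.user;
    }

    public static void main(String[] args) {
        TicketBinding sso = new TicketBinding();
        String app = "https://app.example.edu/callback";      // legitimate service (assumed)
        String trap = "https://evil.example.net/capture";     // attacker-controlled destination (assumed)

        // The victim, already logged in to SSO, is lured to /login?destination=<trap>.
        // SSO redirects the browser there with a fresh ticket, which the attacker now holds.
        String stolen = sso.issue("victim", trap);
        // The attacker presents that ticket at the legitimate app's callback; the app validates it.
        System.out.println("bound validation at app:   " + sso.validateBound(stolen, app));
        String stolenAgain = sso.issue("victim", trap);
        System.out.println("unbound validation at app: " + sso.validateUnbound(stolenAgain));

        // A ticket is consumed on first use and expires after TTL_MILLIS.
        String fresh = sso.issue("alice", app);
        System.out.println("first use: " + sso.validateBound(fresh, app));
        System.out.println("replay:    " + sso.validateBound(fresh, app));
        String stale = sso.issue("alice", app);
        sso.advanceClock(TTL_MILLIS + 1);
        System.out.println("expired:   " + sso.validateBound(stale, app));
    }
}
```

With the bound check, a ticket that was issued for the trap destination is useless at the real application; without it, whoever holds the ticket is accepted as the victim by any client that calls validate. Single use and a short lifetime limit the window in both cases but do not replace the binding. For the legacy protocol this means the safety of WIND-style validation rests entirely on how tightly destinations are registered and matched.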
2012 Jasig Sakai Conference
• Result…

  ◦ CAS will detect a request in the new protocol;
  ◦ extract the appropriate request parameters;
  ◦ respond in the appropriate format.

  ◦ Legacy clients continue to use their usual auth protocol until ready to migrate.

  ◦ Single server/SSO realm.
• Adding local images and content to the CAS login UI is a common implementation step.

• CAS lets each RegisteredService have its own style sheet (high effort).

• The legacy auth service allows per-service tweaks to the login UI (low effort):
  ◦ Custom logo
  ◦ Help link and help label
  ◦ Choice of displaying institutional links
  ◦ Popular with clients
• Prerequisite:

  ◦ Must have service-specific attributes that control the customization.

  ◦ Extend the service registry with custom UI elements; or

  ◦ Plug in a custom service registry (see above).
• Step 1: Write a Spring Web Flow Action class to map the incoming Service to a RegisteredService and make the RegisteredService available in the web flow context.

    import org.jasig.cas.authentication.principal.Service;
    import org.jasig.cas.services.ServicesManager;
    import org.springframework.webflow.action.AbstractAction;
    import org.springframework.webflow.execution.Event;
    import org.springframework.webflow.execution.RequestContext;

    public class ServiceUiElementsResolverAction extends AbstractAction {
        private final ServicesManager servicesManager;

        public ServiceUiElementsResolverAction(final ServicesManager servicesManager) {
            this.servicesManager = servicesManager;
        }
        ...
        protected Event doExecute(final RequestContext requestContext) throws Exception {
            // get the Service from requestContext.
            final Service service = requestContext.getFlowScope().get("service", Service.class);
            ...
            // get the RegisteredService for this request from the ServicesManager.
            final WindRegisteredService registeredService =
                (WindRegisteredService) this.servicesManager.findServiceBy(service);
            ...
            // make RegisteredService available to the view.
            requestContext.getRequestScope().put("registeredService", registeredService);
            ...
        }
        ...
    }
• Step 2: Define a bean for the Action class in cas-servlet.xml, to make the class available to the login web flow:

    cas-servlet.xml
    ...
      <bean id="uiElementsResolverAction"
          class="edu.columbia.cas.wind.ServiceUiElementsResolverAction">
        <constructor-arg index="0" ref="servicesManager"/>
      </bean>
• Step 3: Make the RegisteredService available to the web flow by running our Action in the login web flow just before the login UI is rendered:

    login-webflow.xml
    ...
    <view-state id="viewLoginForm" view="casLoginView" model="credentials">
        <binder>
            <binding property="username" />
            <binding property="password" />
        </binder>
        <on-entry>
            <set name="viewScope.commandName" value="'credentials'" />
            <!-- Make RegisteredService available in web flow context -->
            <evaluate expression="uiElementsResolverAction"/>
        </on-entry>
        <transition on="submit" bind="true" validate="true" to="realSubmit">
            <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)" />
        </transition>
    </view-state>
• Step 4: In the login view, refer to RegisteredService attributes when customizing the UI markup:

    casLoginView.jsp
    ...
    <!-- Derive the path to the logo image from the registered service. -->
    <c:set var="imagePath"
           value="${!empty registeredService.imagePath ? registeredService.imagePath : defaultImagePath}"/>
    ...
    <!-- Display the custom logo. Registry values are written with <c:out> so they are
         escaped in attribute context; a bare ${...} in a JSP template is not escaped. -->
    <img src="<c:url value="${imagePath}"/>" alt="<c:out value="${registeredService.name}"/>"/>
    ...
• Result…

  ◦ Vanilla login page
  ◦ Login page with default logo, institutional links
  ◦ Login page with custom logo
  ◦ Login page with another custom logo and help link
• CAS allows a login without a service, a generic login, which creates a ticket-granting ticket but no service ticket.

• Generic login permitted.

• The legacy auth service assumes the client is always trying to log into something, and treats a generic login as an error. We want to preserve this behavior.
• Step 1: Write a Spring Web Flow Action that checks whether the login request has a known service destination and returns success/error.

    import org.jasig.cas.authentication.principal.Service;
    import org.jasig.cas.services.RegisteredService;
    import org.jasig.cas.services.ServicesManager;
    import org.springframework.webflow.action.AbstractAction;
    import org.springframework.webflow.execution.Event;
    import org.springframework.webflow.execution.RequestContext;

    public class CheckForRegisteredServiceAction extends AbstractAction {
        private final ServicesManager servicesManager;

        public CheckForRegisteredServiceAction(final ServicesManager servicesManager) {
            this.servicesManager = servicesManager;
        }

        protected Event doExecute(final RequestContext requestContext) throws Exception {
            final Service service = requestContext.getFlowScope().get("service", Service.class);
            RegisteredService registeredService = null;
            if (service != null) {
                registeredService = this.servicesManager.findServiceBy(service);
            }
            // No service, or a service the registry does not know: treat as an error.
            return (registeredService == null) ? error() : success();
        }
    }
• Step 2: Make the class available to the login web flow by defining a bean in cas-servlet.xml:

    cas-servlet.xml
    ...
    <bean id="checkForRegisteredServiceAction"
          class="edu.columbia.cas.wind.CheckForRegisteredServiceAction">
       <constructor-arg index="0" ref="servicesManager"/>
    </bean>
    ...
• Step 3: In the login web flow add an action-state to check that the request has a service parameter and that it corresponds to a RegisteredService.

    login-webflow.xml
    ...
    <!-- validate the request: non-null service with corresponding RegisteredService -->
    <decision-state id="hasServiceCheck">
       <if test="flowScope.service != null" then="hasRegisteredServiceCheck"
           else="viewServiceErrorView" />
    </decision-state>
    <!-- Is there a corresponding RegisteredService? -->
    <action-state id="hasRegisteredServiceCheck">
       <evaluate expression="checkForRegisteredServiceAction"/>
       <transition on="success" to="ticketGrantingTicketExistsCheck" />
       <transition on="error"   to="viewServiceErrorView" />
    </action-state>
• Result…

  ◦ CAS will now assume the client is always trying to log into something and treat a request without a known service destination as an error.

  ◦ Users will not see the login UI unless they arrive with a registered service.

  ◦ Generic login not permitted.
• Tasks accomplished:

  ◦ Support Google Apps SSO
  ◦ Plug legacy service registry into CAS
  ◦ Add legacy authentication protocol to CAS
  ◦ Port login UI customizations to CAS
  ◦ Eliminate generic login
Dan Ellentuck, Columbia University
de3@columbia.edu

Bill Thompson, Unicon Inc.
wgthom@unicon.net

Weitere ähnliche Inhalte

Was ist angesagt?

vCloud SDK for PHP - Introduction
vCloud SDK for PHP - IntroductionvCloud SDK for PHP - Introduction
vCloud SDK for PHP - Introduction
Pablo Roesch
 
Windows phone 7 series
Windows phone 7 seriesWindows phone 7 series
Windows phone 7 series
openbala
 

Was ist angesagt? (19)

AngularJs Workshop SDP December 28th 2014
AngularJs Workshop SDP December 28th 2014AngularJs Workshop SDP December 28th 2014
AngularJs Workshop SDP December 28th 2014
 
vCloud SDK for PHP - Introduction
vCloud SDK for PHP - IntroductionvCloud SDK for PHP - Introduction
vCloud SDK for PHP - Introduction
 
Android Cloud to Device Messaging Framework at GTUG Stockholm
Android Cloud to Device Messaging Framework at GTUG StockholmAndroid Cloud to Device Messaging Framework at GTUG Stockholm
Android Cloud to Device Messaging Framework at GTUG Stockholm
 
MVC on the server and on the client
MVC on the server and on the clientMVC on the server and on the client
MVC on the server and on the client
 
The most basic inline tag
The most basic inline tagThe most basic inline tag
The most basic inline tag
 
OpenWebBeans/Web Beans
OpenWebBeans/Web BeansOpenWebBeans/Web Beans
OpenWebBeans/Web Beans
 
Java Svet - Communication Between Android App Components
Java Svet - Communication Between Android App ComponentsJava Svet - Communication Between Android App Components
Java Svet - Communication Between Android App Components
 
Ch3 server controls
Ch3 server controlsCh3 server controls
Ch3 server controls
 
MongoDB.local Sydney: Evolving your Data Access with MongoDB Stitch
MongoDB.local Sydney: Evolving your Data Access with MongoDB StitchMongoDB.local Sydney: Evolving your Data Access with MongoDB Stitch
MongoDB.local Sydney: Evolving your Data Access with MongoDB Stitch
 
Lviv MDDay 2014. Сергій Комлач “Використання accessibility api для доступу до...
Lviv MDDay 2014. Сергій Комлач “Використання accessibility api для доступу до...Lviv MDDay 2014. Сергій Комлач “Використання accessibility api для доступу до...
Lviv MDDay 2014. Сергій Комлач “Використання accessibility api для доступу до...
 
Spring MVC
Spring MVCSpring MVC
Spring MVC
 
MBL302 Using the AWS Mobile SDKs - AWS re: Invent 2012
MBL302 Using the AWS Mobile SDKs - AWS re: Invent 2012MBL302 Using the AWS Mobile SDKs - AWS re: Invent 2012
MBL302 Using the AWS Mobile SDKs - AWS re: Invent 2012
 
22 code snippet_web_services_2
22 code snippet_web_services_222 code snippet_web_services_2
22 code snippet_web_services_2
 
Restful Web Service
Restful Web ServiceRestful Web Service
Restful Web Service
 
Final microsoft cloud summit - windows azure building block services
Final   microsoft cloud summit - windows azure building block servicesFinal   microsoft cloud summit - windows azure building block services
Final microsoft cloud summit - windows azure building block services
 
Using the Tooling API to Generate Apex SOAP Web Service Clients
Using the Tooling API to Generate Apex SOAP Web Service ClientsUsing the Tooling API to Generate Apex SOAP Web Service Clients
Using the Tooling API to Generate Apex SOAP Web Service Clients
 
How To Manage API Request with AXIOS on a React Native App
How To Manage API Request with AXIOS on a React Native AppHow To Manage API Request with AXIOS on a React Native App
How To Manage API Request with AXIOS on a React Native App
 
Windows phone 7 series
Windows phone 7 seriesWindows phone 7 series
Windows phone 7 series
 
Lecture 11. Microsoft mobile services
Lecture 11. Microsoft mobile servicesLecture 11. Microsoft mobile services
Lecture 11. Microsoft mobile services
 

Andere mochten auch

Service Gagnant 9 Spring 2011
Service Gagnant 9 Spring 2011Service Gagnant 9 Spring 2011
Service Gagnant 9 Spring 2011
patrickarnaud
 
İnsan Kaynağı ve lojistik
İnsan Kaynağı ve lojistikİnsan Kaynağı ve lojistik
İnsan Kaynağı ve lojistik
Cafer SALCAN
 
Doc Ugur Sezerman JADE
Doc Ugur Sezerman JADEDoc Ugur Sezerman JADE
Doc Ugur Sezerman JADE
Cenk Tezcan
 
педсовет
педсоветпедсовет
педсовет
Svetlana-77
 
La prueba de la virginidad
La prueba de la virginidadLa prueba de la virginidad
La prueba de la virginidad
Cedoc Inamu
 
Doğuş Çay Durum Analizi
Doğuş Çay Durum AnaliziDoğuş Çay Durum Analizi
Doğuş Çay Durum Analizi
Mehmet KUZU
 

Andere mochten auch (20)

14
1414
14
 
Service Gagnant 9 Spring 2011
Service Gagnant 9 Spring 2011Service Gagnant 9 Spring 2011
Service Gagnant 9 Spring 2011
 
Certificate of Placement, Yasar
Certificate of Placement, YasarCertificate of Placement, Yasar
Certificate of Placement, Yasar
 
Sektorel ekonomi web
Sektorel ekonomi webSektorel ekonomi web
Sektorel ekonomi web
 
Mayas 3
Mayas 3Mayas 3
Mayas 3
 
EQUIPO MAYAS 9
EQUIPO MAYAS 9EQUIPO MAYAS 9
EQUIPO MAYAS 9
 
İnsan Kaynağı ve lojistik
İnsan Kaynağı ve lojistikİnsan Kaynağı ve lojistik
İnsan Kaynağı ve lojistik
 
Doc Ugur Sezerman JADE
Doc Ugur Sezerman JADEDoc Ugur Sezerman JADE
Doc Ugur Sezerman JADE
 
Оптимальные стратегии в аукционах, конкурсах и запросах котировок
Оптимальные стратегии  в аукционах, конкурсах и запросах котировокОптимальные стратегии  в аукционах, конкурсах и запросах котировок
Оптимальные стратегии в аукционах, конкурсах и запросах котировок
 
педсовет
педсоветпедсовет
педсовет
 
Исследование рынка товаров для уборки, октябрь 2011
Исследование рынка товаров для уборки, октябрь 2011Исследование рынка товаров для уборки, октябрь 2011
Исследование рынка товаров для уборки, октябрь 2011
 
vitamin
vitaminvitamin
vitamin
 
The WebRTC Data Channel
The WebRTC Data ChannelThe WebRTC Data Channel
The WebRTC Data Channel
 
INTERNATIONAL SALES COMMISSION CONTRACT
INTERNATIONAL SALES COMMISSION CONTRACTINTERNATIONAL SALES COMMISSION CONTRACT
INTERNATIONAL SALES COMMISSION CONTRACT
 
АКАР: Условия проведения тендера на выбор поставщика BTL услуг
АКАР: Условия проведения тендера на выбор поставщика BTL услугАКАР: Условия проведения тендера на выбор поставщика BTL услуг
АКАР: Условия проведения тендера на выбор поставщика BTL услуг
 
La prueba de la virginidad
La prueba de la virginidadLa prueba de la virginidad
La prueba de la virginidad
 
Doğuş Çay Durum Analizi
Doğuş Çay Durum AnaliziDoğuş Çay Durum Analizi
Doğuş Çay Durum Analizi
 
Just to say Hello is Enough
Just to say Hello is EnoughJust to say Hello is Enough
Just to say Hello is Enough
 
Abd sunumu
Abd sunumuAbd sunumu
Abd sunumu
 
WebRTC: Efficiency, Loyalty & Flexibility
WebRTC: Efficiency, Loyalty & FlexibilityWebRTC: Efficiency, Loyalty & Flexibility
WebRTC: Efficiency, Loyalty & Flexibility
 

Ähnlich wie Jasigsakai12 columbia-customizes-cas

Event Streaming with Kafka Streams and Spring Cloud Stream | Soby Chacko, VMware
Event Streaming with Kafka Streams and Spring Cloud Stream | Soby Chacko, VMwareEvent Streaming with Kafka Streams and Spring Cloud Stream | Soby Chacko, VMware
Event Streaming with Kafka Streams and Spring Cloud Stream | Soby Chacko, VMware
HostedbyConfluent
 
Asp.Net Ajax Component Development
Asp.Net Ajax Component DevelopmentAsp.Net Ajax Component Development
Asp.Net Ajax Component Development
Chui-Wen Chiu
 

Ähnlich wie Jasigsakai12 columbia-customizes-cas (20)

Web services in java
Web services in javaWeb services in java
Web services in java
 
Community call: Develop multi tenant apps with the Microsoft identity platform
Community call: Develop multi tenant apps with the Microsoft identity platformCommunity call: Develop multi tenant apps with the Microsoft identity platform
Community call: Develop multi tenant apps with the Microsoft identity platform
 
Advanced #2 networking
Advanced #2   networkingAdvanced #2   networking
Advanced #2 networking
 
Symfony2 from the Trenches
Symfony2 from the TrenchesSymfony2 from the Trenches
Symfony2 from the Trenches
 
Symfony2 - from the trenches
Symfony2 - from the trenchesSymfony2 - from the trenches
Symfony2 - from the trenches
 
Multi Client Development with Spring
Multi Client Development with SpringMulti Client Development with Spring
Multi Client Development with Spring
 
70562-Dumps
70562-Dumps70562-Dumps
70562-Dumps
 
Asp.NET MVC
Asp.NET MVCAsp.NET MVC
Asp.NET MVC
 
Implement Service Broker with Spring Boot #cf_tokyo
Implement Service Broker with Spring Boot #cf_tokyoImplement Service Broker with Spring Boot #cf_tokyo
Implement Service Broker with Spring Boot #cf_tokyo
 
Camunda BPM 7.2: Tasklist and Javascript Forms SDK (English)
Camunda BPM 7.2: Tasklist and Javascript Forms SDK (English)Camunda BPM 7.2: Tasklist and Javascript Forms SDK (English)
Camunda BPM 7.2: Tasklist and Javascript Forms SDK (English)
 
WCF Fundamentals
WCF Fundamentals WCF Fundamentals
WCF Fundamentals
 
13 asp.net session19
13 asp.net session1913 asp.net session19
13 asp.net session19
 
Event Streaming with Kafka Streams and Spring Cloud Stream | Soby Chacko, VMware
Event Streaming with Kafka Streams and Spring Cloud Stream | Soby Chacko, VMwareEvent Streaming with Kafka Streams and Spring Cloud Stream | Soby Chacko, VMware
Event Streaming with Kafka Streams and Spring Cloud Stream | Soby Chacko, VMware
 
JavaCro'14 - Building interactive web applications with Vaadin – Peter Lehto
JavaCro'14 - Building interactive web applications with Vaadin – Peter LehtoJavaCro'14 - Building interactive web applications with Vaadin – Peter Lehto
JavaCro'14 - Building interactive web applications with Vaadin – Peter Lehto
 
Fm 2
Fm 2Fm 2
Fm 2
 
Asp.Net Ajax Component Development
Asp.Net Ajax Component DevelopmentAsp.Net Ajax Component Development
Asp.Net Ajax Component Development
 
MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDB
 
State management
State managementState management
State management
 
Dependency injection - the right way
Dependency injection - the right wayDependency injection - the right way
Dependency injection - the right way
 
GAC Java Presentation_Server Side Include_Cookies_Filters 2022.ppt
GAC Java Presentation_Server Side Include_Cookies_Filters 2022.pptGAC Java Presentation_Server Side Include_Cookies_Filters 2022.ppt
GAC Java Presentation_Server Side Include_Cookies_Filters 2022.ppt
 

Kürzlich hochgeladen

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Jasigsakai12 columbia-customizes-cas

  • 1. Dan Ellentuck, Columbia University
      Bill Thompson, Unicon Inc.
      June 10-15, 2012
      Growing Community; Growing Possibilities
  • 2. Reasons to Choose CAS:
        Google Apps SSO
        SAML Support
        Vendor Support
        Community Support
        Tie-in with other open source tools and products, e.g., Sakai
      Complicating Factors:
        Pre-existing local web auth system
        Active, diverse client base
      Question:
        How can legacy system be migrated to CAS?
  • 3. CAS support for Google Apps SSO
      Migrating a pre-existing web auth system to CAS
      CAS customizations and enhancements:
        • Adding support for a new protocol
        • Plugging in a custom service registry
        • Enabling per-service UI tweaks
        • Changing some basic login behavior
  • 4. Google Apps SSO is based on SAML 2. See:
      https://developers.google.com/google-apps/sso/saml_reference_implementation
      Step-by-step instructions on configuring CAS for Google Apps SSO:
      https://wiki.jasig.org/pages/viewpage.action?pageId=6063484
      Works OOTB.
  • 5. Sibling of CAS, called “WIND”.
      Cookie-based SSO.
      No generic login.
      Per-service UI customization and opt-in SSO.
      Similar APIs with different request param names:
      CAS:
        /login?service=https://MY-APPLICATION-PATH
        /logout
        /serviceValidate?service=https://APPLICATION-PATH&ticket=SERVICE-TICKET
      WIND:
        /login?destination=https://MY-APPLICATION-PATH
        /logout
        /validate?ticketid=SERVICE-TICKET
  • 6. 2 private validation response formats (text and xml):
      Text:
        yes
        de3
      XML:
        <wind:serviceResponse xmlns:wind='http://www.columbia.edu/acis/rad/authmethods/wind'>
          <wind:authenticationSuccess>
            <wind:user>de3</wind:user>
            <wind:passwordtyped>true</wind:passwordtyped>
            <wind:logintime>1338696023</wind:logintime>
            <wind:passwordtime>1331231507</wind:passwordtime>
            <wind:passwordchangeURI>https://idmapp.cc.columbia.edu/acctmanage/changepasswd</wind:passwordchangeURI>
          </wind:authenticationSuccess>
        </wind:serviceResponse>
  • 7. Service registry with maintenance UI
      Service attributes for UI customization, multiple destinations, attribute release, application contacts, etc.
      SERVICE
        SERVICE_LABEL
        SINGLE_SIGN_ON (T/F)
        PROXY_GRANTING (T/F)
        RETURN_XML (T/F)
        ID_FORMAT
        DESCRIPTION
        HELP_URI (for customizing UI)
        IMAGE_PATH (for customizing UI)
        HELP_LABEL (for customizing UI)
      DESTINATION
        SERVICE_LABEL
        DESTINATION
      SERVICE_CONTACT
        SERVICE_LABEL
        EMAIL_ADDRESS
        CONTACT_TYPE
      AFFILIATION
        SERVICE_LABEL
        AFFILIATION (like ATTRIBUTE)
  • 8. Collaboration between Columbia and Unicon.
      Tasks:
        ◦ Plug legacy service registry into CAS.
        ◦ Add legacy authentication protocol to CAS.
        ◦ Port login UI customizations to CAS.
        ◦ Change some login behavior (eliminate generic login.)
      New service registrations must use CAS protocol.
      Existing clients can use either legacy or CAS protocols during transition.
  • 9. Java
      • View technologies (JSP, CSS, etc.)
      • Maven (dependencies; overlays)
      • Spring configuration (CAS set up)
      • Spring Web Flow (SWF)
      • App server/web server (tomcat/apache)
  • 10. Service Registry is obvious extension point.
      Advantages to plugging in local service registry:
        ◦ Retain extended service attributes and functions
        ◦ Remove migration headache
        ◦ Can continue to use legacy maintenance UI
  • 11. Step 1: Write a CAS RegisteredService adaptor, part 1.
      Write an interface that extends CAS RegisteredService with any extra attributes in the custom service registry.
        public interface WindRegisteredService extends RegisteredService {
            /**
             * Returns a display label for the help link. Can be null.
             * Ignored if getHelpUri() is null.
             * @return String
             */
            String getHelpLabel();

            /**
             * Returns a help URI. Can be null.
             * @return String
             */
            String getHelpUri();
            ...etc.
        }
  • 12. Step 2: Write a CAS RegisteredService adaptor, part 2.
      Write a RegisteredService implementation that adapts an instance of the custom service to the extended RegisteredService interface.
        public class WindRegisteredServiceImpl implements WindRegisteredService, Comparable<RegisteredService> {
            public boolean matches(Service targetService) {
                if (!isEnabled() || targetService == null || targetService.getId() == null
                        || targetService.getId().isEmpty())
                    return false;
                String targetId = targetService.getId();
                for (String registeredDestination : (List<String>) getWindService().getAllowed_destinations()) {
                    // Prefix comparison: a target shorter than the registered destination cannot match,
                    // and substring() would throw on it.
                    if (targetId.length() < registeredDestination.length())
                        continue;
                    String target = targetId.substring(0, registeredDestination.length());
                    if (registeredDestination.equalsIgnoreCase(target))
                        return true;
                }
                return false;
            }
            ...
        }
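The prefix match in matches() compares raw strings, so a registered destination without a trailing slash also matches any longer URL that merely begins with it, including one on a different host whose name starts with the registered host name. The following is an added example, not code from the presentation or from Columbia's WIND code base: a matcher that parses both sides as absolute URLs, requires an identical scheme, host and port, and then applies the path prefix only on a path-segment boundary. The class name DestinationMatcher and the sample URLs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

/** Assumed class name: matches a target service URL against registered destinations by origin + path. */
public final class DestinationMatcher {
    private final List<String> allowedDestinations;

    public DestinationMatcher(List<String> allowedDestinations) {
        this.allowedDestinations = allowedDestinations;
    }

    /** True only when scheme, host and port are identical and the path extends the registered one. */
    public boolean matches(String targetServiceId) {
        URI target = parse(targetServiceId);
        if (target == null) return false;
        for (String registered : allowedDestinations) {
            URI allowed = parse(registered);
            if (allowed != null && sameOrigin(allowed, target)
                    && pathPrefix(allowed.getPath(), target.getPath())) {
                return true;
            }
        }
        return false;
    }

    /** Absolute URI with scheme and host, otherwise null: relative or malformed input never matches. */
    private static URI parse(String s) {
        if (s == null || s.isEmpty()) return null;
        try {
            URI u = new URI(s);
            return (u.getScheme() == null || u.getHost() == null) ? null : u;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Whole-host comparison, so "app.example.edu" never matches "app.example.edu.example.org". */
    private static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Path prefix on a segment boundary: "/portal" covers "/portal" and "/portal/x", not "/portalx". */
    private static boolean pathPrefix(String registered, String target) {
        String r = registered.isEmpty() ? "/" : registered;
        String t = target.isEmpty() ? "/" : target;
        if (r.endsWith("/")) return t.startsWith(r);
        return t.equals(r) || t.startsWith(r + "/");
    }

    public static void main(String[] args) {
        // Constructed sample: one registered destination, checked against a sub-path, a longer host name and a sibling path.
        DestinationMatcher m = new DestinationMatcher(List.of("https://app.example.edu/portal"));
        System.out.println(m.matches("https://app.example.edu/portal/home"));
        System.out.println(m.matches("https://app.example.edu.example.org/portal"));
        System.out.println(m.matches("https://app.example.edu/portalx"));
    }
}
```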
  • 13. Step 3: Implement a CAS ServicesManager (maps incoming Service URL of a request with the matching CAS RegisteredService.)
        public class ReadOnlyWindServicesManagerImpl implements ReloadableServicesManager {
            ...
            public RegisteredService findServiceBy(Service targetService) {
                edu.columbia.acis.rad.wind.model.Service windService = findWindService(targetService);
                return (windService != null)
                    ? getRegisteredServicesByName().get(windService.getLabel())
                    : null;
            }

            public RegisteredService findServiceBy(long id) {
                return getRegisteredServicesById().get(id);
            }
            ...
        }
  • 14. Step 4: Write Spring bean definitions for the new ServicesManager.
      applicationContext.xml
        <!-- Default servicesManager bean definition replaced by custom servicesManager
        <bean id="servicesManager" class="org.jasig.cas.services.DefaultServicesManagerImpl">
          <constructor-arg index="0" ref="serviceRegistryDao"/>
        </bean>
        -->
        <bean id="servicesManager" class="edu.columbia.acis.rad.wind.cas.ReadOnlyWindServicesManagerImpl">
          <constructor-arg index="0" ref="wind-ServicesCollection"/>
        </bean>
        ...etc.
  • 15. Result…
      Additional service attributes and functions are available to CAS
      Custom maintenance UI can be used
      Service registry uses custom logic to match Service URL of incoming request with appropriate registered service.
      Easy migration
  • 16. CAS is multi-protocol
      Wind and CAS protocols are similar but not identical
      Different servlet API and validation response formats
      Advantages to adding legacy protocol to CAS:
        ◦ Single authentication service
        ◦ Single SSO domain
        ◦ Easy migration from legacy system
  • 17. Step 1: Implement the CAS Service interface for the new protocol by subclassing AbstractWebApplicationService:
        public class WindService extends AbstractWebApplicationService {
            private static final String DESTINATION_PARAM = "destination";
            private static final String SERVICE_PARAM = "service";
            private static final String TICKET_PARAM = "ticketid";
            ...
            // Create a Service instance from the request:
            public static WindService from(HttpServletRequest request, HttpClient httpClient) {
                String origUrl = request.getParameter(DESTINATION_PARAM);
                ...
                return new WindService(origUrl, origUrl, /*artifactId not used*/ null, httpClient);
            }
        }
  • 18. Step 2: Write an ArgumentExtractor class to retrieve values of protocol-specific request parameters and return instances of the Service class created in Step 1:
        public class WindArgumentExtractor extends AbstractSingleSignOutEnabledArgumentExtractor {
            private static final String TICKET_PARAM = "ticketid";
            ...
            protected WebApplicationService extractServiceInternal(HttpServletRequest request) {
                // Coming in from validation request
                if ("/validate".equals(request.getServletPath())) {
                    String ticketId = request.getParameter(TICKET_PARAM);
                    ServiceTicket st = (ServiceTicket) this.ticketRegistry.getTicket(ticketId, ServiceTicket.class);
                    WindService ws = st != null ? (WindService) st.getService() : null;
                    ...
                    return WindService.from(ticketId, ws, getHttpClientIfSingleSignOutEnabled());
                }
                ...
            }
        }
  • 19. Step 3: In web.xml, map the servlet path for the protocol’s version of the service ticket validation request to the cas servlet:
        <servlet>
          <servlet-name>cas</servlet-name>
          <servlet-class>org.jasig.cas.web.init.SafeDispatcherServlet</servlet-class>
          <init-param>
            <param-name>publishContext</param-name>
            <param-value>false</param-value>
          </init-param>
          <load-on-startup>1</load-on-startup>
        </servlet>
        ...
        <servlet-mapping>
          <servlet-name>cas</servlet-name>
          <url-pattern>/validate</url-pattern>
        </servlet-mapping>
        ...
  • 20. Step 4: Write a view class to format the service ticket validation response:
        class WindResponseView extends AbstractCasView {
            ....
            private buildSuccessXmlResponse(Assertion assertion) {
                def auth = assertion.chainedAuthentications[0]
                def principalId = auth.principal.id
                def xmlOutput = new StreamingMarkupBuilder()
                xmlOutput.bind {
                    mkp.declareNamespace('wind': WIND_XML_NAMESPACE)
                    wind.serviceResponse {
                        wind.authenticationSuccess {
                            wind.user(principalId)
                            wind.passwordtyped(assertion.fromNewLogin)
                            wind.logintime(auth.authenticatedDate.time)
                            ...etc.
                        }
                    }
                }.toString()
            }
        }
  • 21. Step 5: Define and wire up beans for the various protocol operations:
      argumentExtractorsConfiguration.xml defines ArgumentExtractor classes for the various supported protocols:
        <bean id="windArgumentExtractor" class="edu.columbia.cas.wind.WindArgumentExtractor"
              p:httpClient-ref="httpClient" p:disableSingleSignOut="true">
          <constructor-arg index="0" ref="ticketRegistry"/>
        </bean>
      uniqueIdGenerators.xml: protocol is mapped to uniqueID generator for service tickets via Service class:
        <util:map id="uniqueIdGeneratorsMap">
          <entry key="edu.columbia.cas.wind.WindService" value-ref="serviceTicketUniqueIdGenerator" />
          ...etc.
        </util:map>
  • 22. Step 5: Define and wire up beans for the various protocol operations (cont’d):
      cas-servlet.xml: bean definitions made available to the web flow:
        <prop key="/validate">windValidateController</prop>
        ...
        <bean id="windValidateController" class="org.jasig.cas.web.ServiceValidateController"
              p:proxyHandler-ref="proxy20Handler"
              p:successView="windServiceSuccessView"
              p:failureView="windServiceFailureView"
              p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
              p:centralAuthenticationService-ref="centralAuthenticationService"
              p:argumentExtractor-ref="windArgumentExtractor"/>
        ...etc.
  • 23. 2012 Jasig Sakai Conference 23
  • 24. Result…
      CAS will detect a request in the new protocol;
      Extract appropriate request parameters;
      Respond in the appropriate format.
      Legacy clients continue to use usual auth protocol until ready to migrate.
      Single server/SSO realm.
  • 25. Adding local images and content to the CAS login UI is a common implementation step.
      CAS lets each RegisteredService have its own style sheet (high effort.)
      Legacy auth service allows per-service tweaks to the login UI (low effort):
        • Custom logo
        • Help link and help label
        • Choice of displaying institutional links
        • Popular with clients
  • 26. Prerequisite:
        ◦ Must have service-specific attributes that control the customization.
        ◦ Extend service registry with custom UI elements; or
        ◦ Plug in custom service registry (see above.)
  • 27. Step 1: Write a Spring Web Flow Action class to map the incoming Service to a RegisteredService and make the RegisteredService available in the web flow context.
        public class ServiceUiElementsResolverAction extends AbstractAction {
            ...
            protected Event doExecute(RequestContext requestContext) throws Exception {
                // get the Service from requestContext.
                Service service = (Service) requestContext.getFlowScope().get("service", Service.class);
                ...
                // get the RegisteredService for this request from the ServicesManager.
                WindRegisteredService registeredService =
                    (WindRegisteredService) this.servicesManager.findServiceBy(service);
                ...
                // make RegisteredService available to the view.
                requestContext.getRequestScope().put("registeredService", registeredService);
                ...
            }
            ...
        }
  • 28. Step 2: Define a bean for the Action class in cas-servlet.xml, to make the class available to the login web flow:
      cas-servlet.xml
        ...
        <bean id="uiElementsResolverAction" class="edu.columbia.cas.wind.ServiceUiElementsResolverAction">
          <constructor-arg index="0" ref="servicesManager"/>
        </bean>
  • 29. Step 3: Make the RegisteredService available to the web flow by doing our Action in the login web flow just before the login UI is rendered:
      login-webflow.xml
        ...
        <view-state id="viewLoginForm" view="casLoginView" model="credentials">
          <binder>
            <binding property="username" />
            <binding property="password" />
          </binder>
          <on-entry>
            <set name="viewScope.commandName" value="'credentials'" />
            <!-- Make RegisteredService available in web flow context -->
            <evaluate expression="uiElementsResolverAction"/>
          </on-entry>
          <transition on="submit" bind="true" validate="true" to="realSubmit">
            <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)" />
          </transition>
        </view-state>
  • 30. Step 4: In the login view, refer to RegisteredService attributes when customizing the UI markup:
      casLoginView.jsp
        ...
        <!-- Derive the path to the logo image from the registered service. -->
        <c:set var="imagePath" value="${!empty registeredService.imagePath ? registeredService.imagePath : defaultImagePath}"/>
        ...
        <!-- display the custom logo -->
        <img src="<c:url value="${imagePath}" />" alt="${registeredService.name}" />
        ...
  • 31. Result…
        ◦ Vanilla login page
        ◦ Login page with default logo, institutional links
        ◦ Login page with custom logo
        ◦ Login page with another custom logo and help link
  • 32. CAS allows a login without a service, a generic login, which creates a ticket granting ticket but no service ticket.
      Generic login permitted
      Legacy auth service assumes client is always trying to log into something. Treats a generic login as an error. We want to preserve this behavior.
  • 33. Step 1: Write a Spring Web Flow Action that checks if the login request has a known service destination and returns success/error.
        public class CheckForRegisteredServiceAction extends AbstractAction {
            private final ServicesManager servicesManager;

            // Injected via the constructor-arg in the cas-servlet.xml bean definition (Step 2).
            public CheckForRegisteredServiceAction(ServicesManager servicesManager) {
                this.servicesManager = servicesManager;
            }

            protected Event doExecute(RequestContext requestContext) throws Exception {
                Service service = (Service) requestContext.getFlowScope().get("service", Service.class);
                RegisteredService registeredService = null;
                if (service != null) {
                    registeredService = this.servicesManager.findServiceBy(service);
                }
                return (registeredService == null) ? error() : success();
            }
        }
  • 34. Step 2: Make the class available to the login web flow by defining a bean in cas-servlet.xml:
      cas-servlet.xml
        ...
        <bean id="checkForRegisteredServiceAction" class="edu.columbia.cas.wind.CheckForRegisteredServiceAction">
          <constructor-arg index="0" ref="servicesManager"/>
        </bean>
        ...
  • 35. Step 3: In the login web flow add an action-state to check that the request has a service parameter, and it corresponds to a RegisteredService.
      login-webflow.xml
        ...
        <!-- validate the request: non-null service with corresponding RegisteredService -->
        <decision-state id="hasServiceCheck">
          <if test="flowScope.service != null" then="hasRegisteredServiceCheck" else="viewServiceErrorView" />
        </decision-state>
        <!-- Is there a corresponding RegisteredService? -->
        <action-state id="hasRegisteredServiceCheck">
          <evaluate expression="checkForRegisteredServiceAction"/>
          <transition on="success" to="ticketGrantingTicketExistsCheck" />
          <transition on="error" to="viewServiceErrorView" />
        </action-state>
  • 36. Result…
        ◦ CAS will now assume client is always trying to log into something and treat a request without a known service destination as an error.
        ◦ Users will not see login UI unless they arrive with a registered service.
        ◦ Generic login not permitted
  • 37. Tasks accomplished:
        ◦ Support Google Apps SSO
        ◦ Plug legacy service registry into CAS
        ◦ Add legacy authentication protocol to CAS
        ◦ Port login UI customizations to CAS
        ◦ Eliminate generic login
  • 38.
  • 39. Dan Ellentuck, Columbia University, de3@columbia.edu
      Bill Thompson, Unicon Inc., wgthom@unicon.net