CAS 4.2 Presentation at ESUP Days in Paris

1. What’s new in CAS 4.2?
Jérôme Leleu
leleuj@gmail.com
@leleuj
Misagh Moayyed
mmoayyed@unicon.net
@misagh84
ESUP-Days #21/ Apereo Europe 2016

2. General
● 1100+ stargazers @ Github
● A new chairman, 2 new committers, many contributions
○ 1 PR a day
Dmitriy Kopylenko Daniel Frett

3. CAS 4.2 Main Objectives
● Easy to use (Plug-N-Play)
○ You want SAML/OAuth/OpenID? Drop the module dependency into your overlay…
○ ...and done!
● Reduce configuration noise
○ Say NO to XML (well, almost!)
● Universal support (protocols, backends)

4. Auto-configuration
To customize your CAS server (Maven overlay), you needed to (add
dependencies and) override XML files: web.xml, login-webflow.xml,
ticketGrantingTicketCookieGenerator.xml, ticketRegistry.xml…
Now:
● Express Feature Intent (Add dependency, if needed)
● Add Settings (Change cas.properties)

5. Auto-configuration: CASTGC cookie
v4.1: src/main/webapp/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml:
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
c:casCookieValueManager-ref="cookieValueManager"
p:cookieSecure="true"
p:cookieMaxAge="-1"
p:cookieName="TGC"
p:cookiePath="/cas"/>
v4.2: ticketGrantingTicketCookieGenerator.xml
@Component("ticketGrantingTicketCookieGenerator")
public class TGCCookieRetrievingCookieGenerator extends CookieRetrievingCookieGenerator {
@Override
@Autowired
public void setCookieName(@Value("${tgc.name:TGC}") final String cookieName) {
super.setCookieName(cookieName);
}
cas.properties:
# Decides whether SSO cookie should be created only
under secure connections.
# tgc.secure=true
# The name of the SSO cookie
# tgc.name=TGC
# The path to which the SSO cookie will be scoped
# tgc.path=/cas

6. Auto-configuration: OAuth server support
v4.1: cas-server-support-oauth module + servlet mapping on /oauth2.0/* +
oauth20WrapperController in cas-servlet.xml + OAuthCallbackAuthorizeService +
OAuthRegisteredService
v4.2: add the dependency + OAuthRegisteredService
@WebListener
@Component
public class OAuthServletContextListener extends AbstractServletContextInitializer {
…
@Override
protected void initializeServletContext(final ServletContextEvent event) {
if (WebUtils.isCasServletInitializing(event)) {
addEndpointMappingToCasServlet(event, “/oauth2.0/*”);
}
}
}

7. pac4j contributions
pac4j is a Java security engine which supports
most authentication mechanisms (like CAS,
OAuth, SAML) and is available for most
frameworks: J2E, Spring MVC, Play, Vertx,
Ratpack…

8. pac4j contributions: CASify any webapp
Using any pac4j library: j2e-pac4j, spring-webmvc-pac4j, play-pac4j, vertx-pac4j,
spring-security-pac4j, buji-pac4j, etc., you can CASsify any J2E, Spring MVC,
Play, Vertx, Spring Security, Shiro… webapp
@Configuration
public class Pac4jConfig {
@Bean
public Config config() {
final CasClient casClient = new CasClient("https://casserverpac4j.herokuapp.com/login");
return new Config("http://localhost:8080/callback", casClient);
}
}
@Configuration
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class SecurityConfig extends WebMvcConfigurerAdapter {
@Autowired
private Config config;
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new RequiresAuthenticationInterceptor(config, "CasClient")).addPathPatterns("/cas/*");
}
}

9. pac4j contributions: pac4j replaced Spring Security in CAS
The security of the CAS server and CAS management web applications is now
ensured by pac4j
<context:component-scan base-package="org.pac4j.springframework.web" />
<bean id="config" class="org.pac4j.core.config.Config" c:callbackUrl="${cas-management.securityContext.serviceProperties.service}"
c:client-ref="casClient" p:authorizer-ref="requireAdminRoleAuthorizer" />
<bean id="casClient" class="org.pac4j.cas.client.CasClient" p:casLoginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}"
p:authorizationGenerator-ref="authorizationGenerator" />
<bean id="requireAdminRoleAuthorizer" class="org.pac4j.core.authorization.RequireAnyRoleAuthorizer"
c:roles="${cas-management.securityContext.serviceProperties.adminRoles}" />
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/callback*" />
<mvc:exclude-mapping path="/logout*" />
<mvc:exclude-mapping path="/authorizationFailure.html" />
<bean class="org.pac4j.springframework.web.RequiresAuthenticationInterceptor" c:config-ref="config" c:clientName="CasClient"
c:authorizerName="securityHeaders,csrfToken,RequireAnyRoleAuthorizer" />
</mvc:interceptor>
</mvc:interceptors>

10. pac4j contributions: delegate authentication
The cas-server-support-pac4j module handles the authentication delegation
##
# Authentication delegation using pac4j
#
# cas.pac4j.client.authn.typedidused=true
# cas.pac4j.facebook.id=
# cas.pac4j.facebook.secret=
# cas.pac4j.facebook.scope=
# cas.pac4j.facebook.fields=
# cas.pac4j.twitter.id=
# cas.pac4j.twitter.secret=
# cas.pac4j.saml.keystorePassword=
# cas.pac4j.saml.privateKeyPassword=
# cas.pac4j.saml.keystorePath=
# cas.pac4j.saml.identityProviderMetadataPath=
# cas.pac4j.saml.maximumAuthenticationLifetime=
# cas.pac4j.saml.serviceProviderEntityId=
# cas.pac4j.saml.serviceProviderMetadataPath=
# cas.pac4j.cas.loginUrl=
# cas.pac4j.cas.protocol=
# cas.pac4j.oidc.id=
# cas.pac4j.oidc.secret=
# cas.pac4j.oidc.discoveryUri=
# cas.pac4j.oidc.useNonce=
<bean id="caswrapper1" class="org.pac4j.oauth.client.CasOAuthWrapperClient">
<property name="key" value="this_is_the_key" />
<property name="secret" value="this_is_the_secret" />
<property name="casOAuthUrl" value="http://localhost:8080/cas2/oauth2.0" />
</bean>
<bean id="cas1" class="org.pac4j.cas.client.CasClient">
<property name="casLoginUrl" value="http://localhost:8080/cas2/login" />
</bean>

11. pac4j contributions: use pac4j authenticators
The cas-server-integration-pac4j module wraps the pac4j authenticators as
CAS authentication handlers:
1. MongoAuthenticationHandler (cas-server-support-mongo)
2. StormpathAuthenticationHandler (cas-server-support-stormpath)
3. TokenAuthenticationHandler (cas-server-support-token)

12. Build/Packaging: Gradle
● CAS 4.2 uses Gradle as its internal build mechanism
○ Codebase broken down to 86 modules
○ You still use Maven for your CAS overlays.
● Patch releases every month
● Minor releases every 3 months
● SNAPSHOT releases on every change

13. Build/Packaging: Docker
● CAS Docker images:
https://hub.docker.com/r/apereo/cas/
● Images work with a Maven overlay from a git repo
○ Jetty 9.3.x bundled
○ Java 8 bundled

14. Authentication
● Delegate AuthN to ADFS/WS-Fed
● Support for
○ Basic AuthN
○ JWT AuthN
○ MongoDb
○ Stormpath
○ Apache Shiro
● JSON as the validation response type
● YubiKey/DuoSecurity (MFA WIP)

15. Ticket Registry
● Apache Ignite
● Couchbase
● Infinispan Cache
○ Redis
○ Cassandra
○ MongoDb
○ Amazon S3
○ Rackspace
○ LevelDB

16. Service Registry
● Couchbase
● MongoDB
● JSON
Many core enhancements to the CAS service model, such as authorizations,
custom properties, etc.

17. Services Management Web Application

18. Services Management Web Application

19. Authorizations: ABAC
● Support for service-based authorizations based on:
○ User Attributes: “only users with attribute X can access application”
○ Date/Time: “application is only accessible on Fridays between 8-10am”
○ Internet2 Grouper: “only members of this Grouper group are allowed”

20. Statistics/Reports

21. Statistics/Reports

22. Roadmap: CAS 4.3 @ Open Apereo 2016
● Java 8
● MFA support
○ Based on DuoSecurity, YubiKey, RSA/Radius
○ Include authN risk-assessment engine
● Better OAuth/OpenID Connect Support
● SAML2 Web.SSO support
● Groovy Management Console
● Cloudy-friendly/Better administrative UIs

23. Questions/Comments?
Jérôme Leleu
leleuj@gmail.com
@leleuj
Misagh Moayyed
mmoayyed@unicon.net
@misagh84
Docs: https://jasig.github.io/cas