CASsify application with role-based security constraints in web.xml?

Sander Bos

CASsify application with role-based security constraints in web.xml?


Hello,

I would like to know how to / get some pointers on how to CASsify an application that protects resources based on roles. More specifically, one that uses security-constraints in web.xml to protect resources. To be clear I mean this:
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/notforeveryCASauthenticateduser/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>    
        </web-resource-collection>
        <auth-constraint>
            <role-name>SuperSpecialAdmin</role-name>
        </auth-constraint>
    </security-constraint>


I understand that CAS only deals with the authentication part, but to CASsify an existing application fully I still have to deal with roles. And I am totally confused as to where to set things now.

The particular application in question runs in JBoss, and currently authentication/ role determination happens through a login-module which has a form that posts to j_security_check, and that then gets handled by a LoginModule configured in JBoss, which has a chance to set the roles.

If I switch to CAS servlets, where can I set the roles in a way that they are picked up by a security-constraint configured in web.xml? (I understand I have to code it myself, and I can determine the role-names based on a username in code if CAS tells me the username; I just don't understand where I would have to place such code so that the roles would be picked up.)

Can I even use security-constraint in combination with CAS? For instance
http://tp.its.yale.edu/pipermail/cas/2008-March/007725.html suggests that security-constraints will be checked before the CAS filters are even executed?

I would be grateful for any tips.

Kind regards,

--Sander.


-- 
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Andrew Feller

Re: CASsify application with role-based security constraints in web.xml?

Sander,

Most people use Spring Security 2.0 to incorporate CAS and Servlet Container Management (http://static.springsource.org/spring-security/site/index.html). If that doesn't meet your needs, then you need to create a custom JAAS module that can register users and their roles with the servlet container.

HTH,
A-

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

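The custom JAAS module route Andrew describes, as an added example that is not code from the thread, from JBoss or from the CAS project: a LoginModule that validates the CAS service ticket itself and registers the user plus a "Roles" group with the container, so that the existing web.xml security-constraint keeps working unchanged. Everything it relies on is an assumption rather than something the thread states: the Jasig Java CAS client classes (Cas20ServiceTicketValidator, Assertion) are on the server classpath; the form that posts to j_security_check delivers the CAS service URL as j_username and the ticket as j_password, so the container's callback handler hands them to the module as name and password; JBoss reads role membership from a Group named "Roles" (org.jboss.security.SimpleGroup and SimplePrincipal); the per-user role lookup reads a properties file named by a rolesFile module option; the package and class names are hypothetical.

```java
// Added example (not from the thread): JAAS LoginModule that validates a CAS
// service ticket and publishes identity + "Roles" group to the JBoss container.
package example.cas;   // hypothetical package

import java.io.FileInputStream;
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.jasig.cas.client.validation.TicketValidationException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class CasTicketLoginModule implements LoginModule {

    private Subject subject;
    private CallbackHandler handler;
    private String casServerUrlPrefix;  // module option, e.g. https://cas.example.org/cas (placeholder)
    private String rolesFile;           // module option: properties file "user=ROLE1,ROLE2" (assumed format)
    private Assertion assertion;        // produced by login(), consumed by commit()
    private final List<Principal> added = new ArrayList<Principal>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.casServerUrlPrefix = (String) options.get("casServerUrlPrefix");
        this.rolesFile = (String) options.get("rolesFile");
        if (casServerUrlPrefix == null || rolesFile == null) {
            throw new IllegalArgumentException("casServerUrlPrefix and rolesFile module options are required");
        }
    }

    // Phase 1: the container's callback handler supplies the form's username
    // (here: the service URL) and password (here: the ticket). The ticket is
    // validated server-to-server against CAS; nothing touches the Subject yet.
    public boolean login() throws LoginException {
        NameCallback serviceCb = new NameCallback("service");
        PasswordCallback ticketCb = new PasswordCallback("ticket", false);
        try {
            handler.handle(new Callback[] { serviceCb, ticketCb });
        } catch (Exception e) {   // IOException or UnsupportedCallbackException
            throw new LoginException("cannot obtain CAS credentials: " + e.getMessage());
        }
        String service = serviceCb.getName();
        char[] ticket = ticketCb.getPassword();
        ticketCb.clearPassword();
        if (service == null || ticket == null || ticket.length == 0) {
            throw new LoginException("missing service URL or CAS ticket");
        }
        try {
            // CAS rejects the ticket unless the service URL matches the one it was issued for.
            assertion = new Cas20ServiceTicketValidator(casServerUrlPrefix)
                    .validate(new String(ticket), service);
        } catch (TicketValidationException e) {
            throw new LoginException("CAS ticket validation failed: " + e.getMessage());
        }
        return true;
    }

    // Phase 2: add the user principal and the "Roles" group. JBoss matches the
    // members of that group against the <role-name> entries in web.xml.
    public boolean commit() throws LoginException {
        if (assertion == null) {
            return false;  // login() did not succeed; contribute nothing
        }
        String user = assertion.getPrincipal().getName();
        SimpleGroup roles = new SimpleGroup("Roles");
        for (String role : rolesFor(user)) {
            roles.addMember(new SimplePrincipal(role));
        }
        added.add(new SimplePrincipal(user));
        added.add(roles);
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { assertion = null; return true; }

    public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        assertion = null;
        return true;
    }

    // Role lookup by username, done in code as the original poster described;
    // a properties file stands in for whatever store the application has.
    private List<String> rolesFor(String user) throws LoginException {
        Properties props = new Properties();
        try {
            FileInputStream in = new FileInputStream(rolesFile);
            try { props.load(in); } finally { in.close(); }
        } catch (IOException e) {
            throw new LoginException("cannot read roles file: " + e.getMessage());
        }
        List<String> roles = new ArrayList<String>();
        for (String r : props.getProperty(user, "").split(",")) {
            if (r.trim().length() > 0) roles.add(r.trim());
        }
        return roles;
    }
}
```

Registered in JBoss's conf/login-config.xml as a login-module with the casServerUrlPrefix and rolesFile module-options, and referenced from the web application's jboss-web.xml security-domain, this replaces the existing LoginModule without touching the security-constraints. The trade-offs Andrew lists later in the thread apply: it is server-level configuration rather than a web.xml change, and the CAS client JARs must be visible to the server's classloader, not only to the application's.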
Sander Bos

Re: CASsify application with role-based security constraints in web.xml?


Hello Andrew,

Thank you for your response.

I don't want to move to another security mechanism at this point, because I only need to cassify these apps to be able to access them from a portal, so not do a complete rearchitecture of them. Changing web.xml and introducing a few jars is about as far as I wish to go.

With respect to what you say about a custom JAAS module, do you mean something like what is described at
    http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
?
(Because technically that seems very doable, but it already involves a lot of deployment config changes, so I hoped to stay away from that.)

Kind regards,

--Sander.

Andrew Feller

Re: CASsify application with role-based security constraints in web.xml?

Sander,

Spring Security only requires you to introduce a few JARs and a Spring configuration, so it is supposed to be pretty easy to use. Hopefully someone else can chime in on the details. We currently use a custom JAAS authentication module like the one you reference in the link. I can attest to the problems inherent with the JAAS module approach:

  1. CON: Customization of Tomcat server prevents quick setup
  2. CON: Complications with classloader issues if login module needs to use JARs needed by other apps (database connection, logging, etc)
  3. PRO: Authorization is handled in one spot in a consistent manner across all apps without individual customization

Anyhow, I think the Spring Security route is probably the best due to all of the features it offers; however, I am not the authority on it.

HTH,
A-

Marvin Addison

Re: CASsify application with role-based security constraints in web.xml?

> I understand that CAS only deals with the authentication part, but to
> CASsify an existing application fully I still have to deal with roles. And I
> am totally confused as to where to set things now.

That is correct, CAS has no direct support for authorization. But it
can provide data, e.g. for authorization, to clients via the attribute
release mechanism,
http://www.ja-sig.org/wiki/display/CASUM/Attributes. It is entirely
within the purview of the client application to consume the data and
make authorization decisions. That's why Andrew suggested a framework
such as Spring Security. You don't have to use that, but you do have
to use _something_. It just happens that Spring Security is a good
something.

M

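Marvin's point, that the client application consumes released attributes and makes its own authorization decisions, as an added example that is not code from the thread or from the CAS project: a servlet filter that reads role names from a CAS attribute and enforces a path-to-role mapping inside the application, then exposes the identity through the standard servlet API so that downstream code can call isUserInRole() without knowing about CAS. Assumptions not stated in the thread: the Jasig Java CAS client filters run before this one and store the validated Assertion in the HTTP session under AbstractCasFilter.CONST_CAS_ASSERTION; the attribute name and the mapping are supplied as filter init-params; package and class names are hypothetical. Because this check runs in the filter chain, it does not satisfy a web.xml security-constraint, which the container evaluates before any filter (the point raised in the Yale link earlier in the thread); it replaces the constraint with application-level enforcement for the same paths.

```java
// Added example (not from the thread): application-side role enforcement from
// CAS-released attributes, placed after the Jasig CAS client filters.
package example.cas;   // hypothetical package

import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;

public class AttributeRoleFilter implements Filter {

    private String roleAttribute;                                   // init-param "roleAttribute", e.g. memberOf
    private final Map<String, String> requiredRoles = new LinkedHashMap<String, String>();  // path prefix -> role

    public void init(FilterConfig cfg) throws ServletException {
        roleAttribute = cfg.getInitParameter("roleAttribute");
        // init-param "requiredRoles", assumed format:
        //   /notforeveryCASauthenticateduser=SuperSpecialAdmin;/reports=Auditor
        String spec = cfg.getInitParameter("requiredRoles");
        if (roleAttribute == null || spec == null) {
            throw new ServletException("roleAttribute and requiredRoles init-params are required");
        }
        for (String entry : spec.split(";")) {
            String[] kv = entry.trim().split("=", 2);
            if (kv.length == 2) requiredRoles.put(kv[0].trim(), kv[1].trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        Assertion assertion = session == null ? null
                : (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
        if (assertion == null) {
            // The CAS client filters must have run first; fail closed if they did not.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Set<String> roles = rolesFrom(assertion);
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String required = requiredRoleFor(path);
        if (required != null && !roles.contains(required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(new RoleAwareRequest(request, assertion.getPrincipal(), roles), response);
    }

    // A released attribute arrives as a single String or as a List when CAS
    // released several values; normalise both to a set of role names.
    private Set<String> rolesFrom(Assertion assertion) {
        Set<String> roles = new HashSet<String>();
        Object value = assertion.getPrincipal().getAttributes().get(roleAttribute);
        if (value instanceof Collection) {
            for (Object v : (Collection<?>) value) roles.add(String.valueOf(v));
        } else if (value != null) {
            roles.add(value.toString());
        }
        return roles;
    }

    // Match on whole path segments (so "/admin" does not cover "/administrator")
    // and let the longest matching prefix win.
    String requiredRoleFor(String path) {
        String bestPrefix = null, role = null;
        for (Map.Entry<String, String> e : requiredRoles.entrySet()) {
            String prefix = e.getKey();
            boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
            if (hit && (bestPrefix == null || prefix.length() > bestPrefix.length())) {
                bestPrefix = prefix;
                role = e.getValue();
            }
        }
        return role;
    }

    public void destroy() { }

    // Lets servlets and JSPs use getRemoteUser()/isUserInRole() as if the
    // container had authenticated the user.
    static final class RoleAwareRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        RoleAwareRequest(HttpServletRequest request, Principal principal, Set<String> roles) {
            super(request);
            this.principal = principal;
            this.roles = roles;
        }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Mapped in web.xml after the CAS authentication and ticket-validation filters, with url-pattern /* so that every path is evaluated, this keeps the authorization decision in the application as Marvin describes; the auth-constraint for the protected paths then has to be removed from web.xml, since the container would otherwise reject the request before the filter sees it.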