How to add an Authentication Handler

Bryan Wooten

How to add an Authentication Handler


OK, I have been given this assignment:

Add an Authentication Handler to the CAS server source that will authenticate Access Manager Tokens. I need to have it prototyped by Friday of this week.

Oh yeah, I am not allowed to use Eclipse, I am stuck with vi / maven (no I am not kidding).


I am going to use the x509 handler as a template unless anyone has a better suggestion.


Here are the steps I need to take as I see it:


1. Get CAS into a source control system
2. Modify the cas-server-webapp/pom.xml to recognize my new handler package
3. Include my handler in source structure
4. Add our existing Access Manager jar files and Access Manager SDK jar files to the source (modify the pom.xml to find them?)
5. Add entry to web-flow.xml for my handler (how do I choose “action-state id”?)
   a. I can’t find either “startAthenticate” or “x509Check” in the source
6. Add entries for my handler to cas-servlet.xml
7. Add my bean to the deployerConfigContext
8. Build and Deploy!


Oh yeah the person giving me the assignment estimates it is 24 lines of code that I need to write.


I need any and all help you can give me.  Wish me luck.


Thanks In Advance,


Bryan

-- 
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
Marvin Addison

Re: How to add an Authentication Handler

> I am going to use the x509 handler as a template unless anyone has a  
> better suggestion.

Use the existing handler that is most like the one you are planning to  
write.  Is this the Sun Access Manager SSO product?  I know nothing  
about it, but unless it uses client certificates, the X.509 handler is  
probably the wrong choice.  Certificate handling code is pretty  
specific to a single purpose.

> 1.       Get CAS into a source control system
> 2.       Modify the cas-server-webapp/pom.xml to recognize my new  
> handler package
> 3.       Include my handler in source structure
> 4.       Add our existing Access Manager jar files and Access  
> Manager SDK jars files to the source (modify the pom.xml to find  
> them?)

I would not advise the above strategy.  You would be better served to  
create a new Mavenized project containing your authentication handler,  
and add a dependency to it like any other module using the tried and  
true Maven War overlay process, http://www.ja-sig.org/wiki/display/CASUM/Maintaining+local+customizations+using+Maven+2 .

> 5.       Add entry to web-flow.xml for my handler (how do I choose  
> “action-state id”?)
> a.       I can’t find either “startAthenticate” or “x509Check” in  
> the source

It's not clear that you need to modify the Web flow.  The only reason  
the Web flow has a special check for X.509 certificates is because the  
client certificate is immediately available after the SSL handshake  
and substitutes for username/password credentials being posted by the  
login form.  Does Access Manager have a similar flow where a token  
substitutes for username/password credentials?  If not you probably  
don't need to modify the Web flow.

M

Bryan Wooten

RE: How to add an Authentication Handler

Thanks for the feedback.  I had just looked at the overlay stuff very briefly.

Let me try and explain what I have been told to do.

We have many CASified applications on campus.  I have been informed that they cannot be modified.  We need them to accept Access Manager (yes, Open SSO) tokens in addition to CAS tickets as a valid credential.

When the CAS filter redirects the application to the CAS server we want to intercept the request and see if there is an Access Manager token (cookie) and validate it.  If the token is valid we want to return to the filter that the user is valid.  Same as if the application had a valid CAS ticket.

If there is no Access Manager token or it is invalid we want CAS to continue to follow its normal processing and return that the user is authenticated or, if not, present the CAS login page.

A little knowledge is dangerous.  My architect read the wiki page on X509 handlers and decided it would be very easy to just write a handler that is configured the same way (pom.xml, web-flow.xml, cas-servlet.xml) but instead of validating an x509 cert it would simply validate the Access Manager token.

In his opinion I just need to write a org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction but call it org.jasig.cas.adaptors.x509.web.flow.AccessManagerCredentialsNonInteractiveAction.
And write a org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler called
org.jasig.cas.adaptors.x509.authentication.handler.support.AccessManagerCredentialsAuthenticationHandler.

Then org.jasig.cas.adaptors.x509.web.flow.AccessManagerCredentialsNonInteractiveAction would pull the Access Manager token off the Spring RequestContext and call it a Credential.  This credential would then be passed to the org.jasig.cas.adaptors.x509.authentication.handler.support.AccessManagerCredentialsAuthenticationHandler doAuthenticate() method, which would validate the token.

He is convinced this is the way to go; it's easy and I should have it completed by Friday.  My personal feeling is that this is a hack and kludge, but I have little or no say in the matter.  But I will do my best to implement this using the overlay method.

Regards,

Bryan




-----Original Message-----
From: Marvin S. Addison [mailto:[hidden email]]
Sent: Monday, July 06, 2009 5:50 PM
To: [hidden email]
Subject: Re: [cas-dev] How to add an Authentication Handler


Marvin Addison

Re: How to add an Authentication Handler

> When the CAS filter redirects the application to the CAS server we want to intercept the request and see if there is a Access Manager token (cookie) and validate it.  If the token is valid we want to return to the filter that the user is valid.  Same as if the application had a valid CAS ticket.

What you have described is _not_ an authentication handler.  You want
one of two different ticket-granting-ticket tokens to be equivalent in
a single SSO session.  That is going to be a pretty core change to CAS
(e.g. CentralAuthenticationServiceImpl) and is not a simple add-on
module.  An authentication handler, on the other hand, is for
establishing a _new_ SSO session from primary credentials.  You have
made it clear that the Access Manager token is equivalent to the CAS
TGT, so it is by no means a primary credential and is not suitable for
handling by an authentication manager.

> A little knowledge is dangerous.  My architect read the wiki page on X509 handlers and decided it would be very easy to just write a handler that is configured the same way (pom.xml, web-flow.xml, cas-serlvet.xml) but instead of validating an x509 cert it would simply validate the Access Manager token.

This is a dead-end strategy; you will not be able to accomplish your
goal as stated by creating an authentication handler for Access
Manager tokens.

> He is convinced this is the way to go, it's easy and I should have it completed by Friday.  My personal feeling is that this a hack and kludge, but I have little or no say in the matter.

It doesn't have to be a kludge, but it is a substantial change that
will take time to develop and will merit commensurate testing.  A
Friday deadline that includes testing and Q/A is wholly unreasonable.

M


Bryan Wooten

RE: How to add an Authentication Handler

>This is a dead-end strategy; you will not be able to accomplish your
>goal as stated by creating an authentication handler for Access
>Manager tokens.

You have validated my concerns.

Unfortunately, even if I were to show your assessment to the architect I don't think he'd believe you.

I really have no choice but to make a good faith effort and code what he believes will work.  I promise not to bother you with any requests for help in this endeavor. :)

If by some miracle it does work, I'll share with everyone what I did.

Again I really appreciate the feedback.

Regards,

Bryan


Scott Battaglia-2

Re: How to add an Authentication Handler

It's possible to use the token to create a TGT.

The Access Manager token is a form of "non-interactive" credentials much like an X.509 Certificate or SPNEGO (assuming you're using a Microsoft browser that won't prompt).  Your architect's suggestion will work, similar to the way those methods work.  I.e.

1. A portion of the web flow captures the token.
2. The authentication handler validates the token.
3. If it's valid, then a TGT is created.
4. If it's invalid, then the user is prompted by CAS for credentials, thus creating a TGT.

In this scenario you are creating a TGT and any CASified application will utilize that session instead of any access manager sessions.  You are essentially establishing a second SSO session which is independent from the Access Manager session from creation point forward.

Whether you trust your access manager token enough to create a CAS SSO session based off of it is an exercise left to the reader ;-) However, regardless of that, it should work.  Your security team should do an audit on whether this method is secure enough for them because you're essentially using one long-term session to create another session.

Cheers,
Scott


On Tue, Jul 7, 2009 at 9:39 AM, Bryan Wooten <[hidden email]> wrote:
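An added example of the handler side of Scott's four-step flow (step 2, the part that decides whether step 3 may mint a TGT); it is not code from this thread, from CAS or from Sun. It assumes the CAS 3.x AuthenticationHandler contract (supports/authenticate) and the OpenSSO client SDK's SSOTokenManager/SSOToken classes; the package, class names and the 60-second policy are hypothetical.

```java
package edu.example.cas.accessmanager; // hypothetical package name

import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.AuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

/** Non-interactive credential (step 1): the SSOToken the web-flow action obtained
 *  via SSOTokenManager.getInstance().createSSOToken(request) from the cookie. */
class AccessManagerCredentials implements Credentials {
    private final SSOToken token;
    AccessManagerCredentials(SSOToken token) { this.token = token; }
    SSOToken getToken() { return token; }
}

/** Step 2: validate the token and nothing else. Returning true is what lets CAS
 *  create a TGT (step 3); returning false sends the user to the login form (step 4).
 *  Every trust decision about turning one session into another belongs here. */
public class AccessManagerAuthenticationHandler implements AuthenticationHandler {
    /** Assumed site policy: do not mint a fresh CAS session off a token that is
     *  about to expire, so a dying Access Manager session cannot be extended. */
    private static final long MIN_SECONDS_LEFT = 60;

    public boolean supports(Credentials credentials) {
        return credentials instanceof AccessManagerCredentials;
    }

    public boolean authenticate(Credentials credentials) throws AuthenticationException {
        SSOToken token = ((AccessManagerCredentials) credentials).getToken();
        try {
            SSOTokenManager mgr = SSOTokenManager.getInstance();
            if (!mgr.isValidToken(token)) {
                return false;            // revoked, forged or expired token
            }
            if (token.getTimeLeft() < MIN_SECONDS_LEFT) {
                return false;            // valid but nearly dead: fall through to login
            }
            String user = token.getPrincipal().getName();
            // A token with no usable principal cannot become a CAS principal.
            return user != null && user.length() > 0;
        } catch (SSOException e) {
            return false;                // SDK failure counts as "not authenticated"
        }
    }
}
```

The principal name the handler checks is the same value a matching CredentialsToPrincipalResolver would later hand to CAS, which is why the handler should refuse when it is missing rather than leave that to a later stage.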