Multiple JAAS Realms for CAS Authentication Filter

In /WEB-INF/deployerConfigContext.xml, simply include additional authenticationHandlers of type JaasAuthenticationHandler for each JAAS realm you want to authenticate against.  Whenever someone attempts to login, CAS will try every authentication handler until one works, so I recommend ordering them by the most likely candidates first.

<property name="authenticationHandlers">
    <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm1" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm2" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm3" />
    </list>
</property>

HTH,
A-

On 7/6/09 9:53 AM, "Burak Oăuz" <burak.oguz@...> wrote:

> Hi all,
>
> I have been working with several different applications on a server which all
> are authenticating via JAAS handler over CAS. But now I need different realms
> for different applications. What should I do in order to do this?
>
> I have seen that default realm is CAS.
>
> private static final String DEFAULT_REALM = "CAS";
>
> May I change this default realm via web.xml cas clients or http request
> parameters?
>
> Thanks in advance

--

Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

-- 
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Burak,

Hrmmm there is nothing out of the box to do that as far as I know.  However, if it is absolutely necessary, you could design a custom AuthenticationHandler based upon the JaasAuthenticationHandler that does what you want.  Unless there is an issue with App A authenticating with Realm X when it normally needs to authenticate to Realm Y, I would just setup the multiple realms and let CAS try all of them until it finds one that works.

Regards,
A-

On 7/7/09 2:00 AM, "Burak Oguz" <burak.oguz@...> wrote:

Hi Andrew,

Thanks for your reply, but I wonder that may I pass some http GET parameters to CAS server from the applications that uses CAS client. I want to use different realms for my different applications. Is it possible like:

https://myserver:8181/cas/login?service=xxxxx&realm=myrealm

https://myserver:8181/cas/login?service=yyyyy&realm=myrealm2

Thanks in advance..

On Mon, Jul 6, 2009 at 6:59 PM, Andrew Feller <afelle1@...> wrote:

In /WEB-INF/deployerConfigContext.xml, simply include additional authenticationHandlers of type JaasAuthenticationHandler for each JAAS realm you want to authenticate against.  Whenever someone attempts to login, CAS will try every authentication handler until one works, so I recommend ordering them by the most likely candidates first.

<property name="authenticationHandlers">
    <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm1" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm2" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm3" />
    </list>
</property>

HTH,
A-

On 7/6/09 9:53 AM, "Burak Oăuz" <burak.oguz@... <http://burak.oguz@...> > wrote:

> Hi all,
>
> I have been working with several different applications on a server which all
> are authenticating via JAAS handler over CAS. But now I need different realms
> for different applications. What should I do in order to do this?
>
> I have seen that default realm is CAS.
>
> private static final String DEFAULT_REALM = "CAS";
>
> May I change this default realm via web.xml cas clients or http request
> parameters?
>
> Thanks in advance

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

-- 

You are currently subscribed to [hidden email] as: [hidden email]


To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Just a note/reminder, CAS is a single sign on server that has one major assumption: you've solved the problem of multiple sets of credentials and have one universal identifier across your organization.

If you have Admin in Realm X and Admin in Realm Y and they're two distinct people, then CAS is not your solution until you solve that problem.  If you have Admin in Realm X and there is no Admin anywhere else, then you're okay.

Cheers,
Scott

On Tue, Jul 7, 2009 at 8:27 AM, Andrew Feller <[hidden email]> wrote:

Burak,

Hrmmm there is nothing out of the box to do that as far as I know.  However, if it is absolutely necessary, you could design a custom AuthenticationHandler based upon the JaasAuthenticationHandler that does what you want.  Unless there is an issue with App A authenticating with Realm X when it normally needs to authenticate to Realm Y, I would just setup the multiple realms and let CAS try all of them until it finds one that works.

Regards,
A-

On 7/7/09 2:00 AM, "Burak Oguz" <burak.oguz@...> wrote:

Hi Andrew,

Thanks for your reply, but I wonder that may I pass some http GET parameters to CAS server from the applications that uses CAS client. I want to use different realms for my different applications. Is it possible like:

https://myserver:8181/cas/login?service=xxxxx&realm=myrealm

https://myserver:8181/cas/login?service=yyyyy&realm=myrealm2

Thanks in advance..

On Mon, Jul 6, 2009 at 6:59 PM, Andrew Feller <afelle1@...> wrote:

In /WEB-INF/deployerConfigContext.xml, simply include additional authenticationHandlers of type JaasAuthenticationHandler for each JAAS realm you want to authenticate against.  Whenever someone attempts to login, CAS will try every authentication handler until one works, so I recommend ordering them by the most likely candidates first.

<property name="authenticationHandlers">
    <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm1" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm2" />
        <bean id="kerberosActiveDirectory" class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler" p:realm="realm3" />
    </list>
</property>

HTH,
A-

On 7/6/09 9:53 AM, "Burak Oăuz" <burak.oguz@... <http://burak.oguz@...> > wrote:

> Hi all,
>
> I have been working with several different applications on a server which all
> are authenticating via JAAS handler over CAS. But now I need different realms
> for different applications. What should I do in order to do this?
>
> I have seen that default realm is CAS.
>
> private static final String DEFAULT_REALM = "CAS";
>
> May I change this default realm via web.xml cas clients or http request
> parameters?
>
> Thanks in advance

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

-- 

You are currently subscribed to [hidden email] as: [hidden email]




To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user