
CAS – Agreement Page

July 1, 2008
[figure: cas diagram]

Any service can call CAS: a web service, RMI, a servlet, etc.

svc -> CAS login -> ticket created -> URL rewritten with ticket=AXVSDFDX

On the client side the validate URL is then called with ticket and service as params.

The message received back is the netid (user id).

===========================================

Sequence of Authentication

=========================================

AuthenticationViaFormAction.processAuthentication

CentralAuthenticationServiceImpl.validateUser

AuthenticationManagerImpl.authenticate

AbstractPersonDirectoryCredentialsToPrincipalResolver.resolvePrincipal

UsernamePasswordCredentialsToPrincipalResolver.extractPrincipalId

It has a ticket registry which creates the ticket (TGT), and the TGT is associated with a Principal (which needs to be serializable).

It has plugins for CredentialValidator.

On the client side it is checked whether the ticket generated was for the requesting service or not.

So you have two things:
1. TGT – simple ticket or token to store user identity
2. ST – Service ticket to validate the requester.
– With the ST a validation URL is called to the server, and the server checks and confirms the go-ahead. So the client-side CAS jar plays a role in this.
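A toy model of the exchange in the notes above (login creates a TGT, an ST is minted for one service, the service URL is rewritten with ticket=..., and the validate call with ticket and service as params returns the netid). This is an added example, not code from the post or from CAS; the class and function names, the 10-second ST lifetime and the random ticket id format are assumptions.

```python
# Added example (not CAS code): toy model of the TGT/ST exchange described
# above. Names, the ST lifetime and the ticket id format are assumptions.
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

class TicketRegistry:
    def __init__(self, st_ttl_seconds=10):
        self.tgts = {}   # TGT id -> principal (netid)
        self.sts = {}    # ST id -> {service, tgt, issued, used}
        self.st_ttl = st_ttl_seconds

    def create_tgt(self, principal):
        """Login succeeded: the TGT just carries the user identity."""
        tgt_id = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt_id] = principal
        return tgt_id

    def issue_service_ticket(self, tgt_id, service, now=None):
        """Mint an ST bound to the service that asked for it."""
        if tgt_id not in self.tgts:
            raise KeyError("unknown TGT")
        st_id = "ST-" + secrets.token_urlsafe(16)
        self.sts[st_id] = {"service": service, "tgt": tgt_id, "used": False,
                           "issued": time.time() if now is None else now}
        return st_id

    def validate(self, st_id, service, now=None):
        """Server side of the validate URL (ticket and service as params).
        Returns the principal (netid) on success, else None."""
        rec = self.sts.get(st_id)
        if rec is None or rec["used"]:      # unknown or already consumed
            return None
        now = time.time() if now is None else now
        if now - rec["issued"] > self.st_ttl:   # serviceTicketExpirationPolicy
            return None
        if rec["service"] != service:   # ST was minted for a different service
            return None
        rec["used"] = True              # single use
        return self.tgts[rec["tgt"]]

def redirect_url(service, st_id):
    """CAS login redirect: the service URL rewritten with ticket=<ST>."""
    parts = urlsplit(service)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("ticket", st_id)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))
```

The service comparison is the check the notes refer to: a ticket issued for one service is rejected when presented under another service URL, and a ticket is consumed by its first successful validation.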

===============================================

AuthenticationManager

Searches for the right credential validator handler and invokes it;
if the user is valid, it calls the CredentialsToPrincipal resolver, which creates the principal to be linked to the TGT.

It then fills the authentication attributes in the authentication object (AuthenticationMetaDataPopulator).

We can have different sources against which to validate the credentials.
Password-based credentials may be tested against an external LDAP, Kerberos or JDBC source. Certificates may be checked against a list of CAs with the usual chain validation.

HttpBasedServiceCredentialsToPrincipalResolver
| extracts the callbackUrl from the HttpBasedServiceCredentials and
| constructs a SimpleService with the callbackUrl as the unique Id.
|
V
This is the authentication handler that authenticates services by means of callback via SSL, thereby validating a server side SSL certificate. I DON'T UNDERSTAND HOW THEY CAN USE SSL TO VALIDATE THE SERVICES???

<bean
    class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
    <property
        name="httpClient"
        ref="httpClient" />
</bean>

centralAuthenticationService

login-webflow -> authenticationViaFormAction, which has the objects credentialsBinder, warnCookieGenerator and centralAuthenticationService.

centralAuthenticationService manages everything;
its class is org.jasig.cas.CentralAuthenticationServiceImpl, with these properties:
grantingTicketExpirationPolicy
serviceTicketExpirationPolicy
authenticationManager
ticketGrantingTicketUniqueIdGenerator
ticketRegistry
servicesManager
persistentIdGenerator

authenticationManager is org.jasig.cas.authentication.AuthenticationManagerImpl

AuthenticationManagerImpl
has authenticationHandler
and credentialtoPrincipalResolver

(Defined in deployerconfig.xml)

flowRedirect: a directive to tell Spring Web Flow to redirect the user to
the beginning of a flow. In this case, we're redirecting to the same flow we just finished,
so that the user can enter another pizza order.
Although all flows must have exactly one <start-state>, a flow can have as
many <end-state>s as you want, to define alternate endings for a flow. Each flow
can take the user to a different view after the flow ends.

=======================================================

DESIGN NOTES

TGT -> references the authentication class in its constructor -> cannot change this

CAM -> creates the authentication and calls TGT

Problem is the Credential object is stored in the AVF class and is used for authentication.

So we keep the validateUser( ) method in AVF, which also has a reference to a TPA instance that stores the Authentication object.

On click of Login -> processTPA -> cam.authenticate( ) -> uses the authenticationManager to authenticate and returns the authenticated object to AVF.

AVF -> has an instance of TPA -> sets the Authentication object in it.

Query -> TPA -> is the user internal?
  yes: set decision variable to redirect to the submit flow
  no:  has the user already accepted the registration?
    yes: set decision variable to redirect to the submit flow
    no:  set decision variable to redirect to the tpa display flow

On click of Accept TPA -> the AVF uses TPA to go ahead with submit

CAM

======================

Move the creation of the authentication out of createTicket() into another method in CAM, validateUser().

Modify createTicket( ) to take the Authentication as a param instead of the credentials.

Create a new method called validateUser to authenticate the user and return the Authentication object.

AVF

======================

Create a new method in AVF named processTPA that calls cam.authenticate and stores the result in the TPA object.

Modify the submit method in AVF to call createTicket() with the Authentication object held in the TPA class as the param, rather than the Credential.

The TPA class has the Authentication instance stored.

TPA is a member of AVF.

Call getPrincipal on the Authentication to get the userid, then set the request flow attributes based on the logic.

Spring and SWF.

====================================================

doBind
referenceData
domain Bean

how is credentials being put in authenticateviaformflow?
what do you mean by accesskey value in input type
final is heavily heavily used in cas code.
!this.getClass().isAssignableFrom(o.getClass())) {
CasVersion.class.getPackage().getImplementationVersion()
Collections.unmodifiableMap(attributes);
Does a final user in local method and called on another modifiable???

svn list -v http://svn.collab.net/repos/svn
svn propget
svn proplist
svn propset/propedit

Jboss – DataSource definition

3 files need to be modified:

1. xxx-ds.xml has the datasource definition

<datasources>
   <local-tx-datasource>
        <jndi-name>jdbc/TPAPool</jndi-name>
        <connection-url>
                jdbc:oracle:thin:@xxx.com:1531:myalias
        </connection-url>
        <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
        <user-name>oluser</user-name>
        <password>olpass</password>
        <min-pool-size>3</min-pool-size>
        <max-pool-size>10</max-pool-size>
   </local-tx-datasource>
</datasources>

2. jboss-web.xml creates the datasource alias under java:comp/env

<?xml version="1.0"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
        <context-root>/myapplication</context-root>
        <resource-ref>
                <res-ref-name>jdbc/TPAPool</res-ref-name>
                <res-type>javax.sql.DataSource</res-type>
                <jndi-name>java:/jdbc/TPAPool</jndi-name>
        </resource-ref>
</jboss-web>

3. web.xml has the resource-ref definition (the res-ref-name that the jboss-web.xml jndi-name maps to)

        <resource-ref>
                <res-ref-name>jdbc/TPAPool</res-ref-name>
                <res-type>javax.sql.DataSource</res-type>
                <res-auth>Container</res-auth>
        </resource-ref>

4. ojdbc.jar is to be copied into server/deploy/lib

Concept of Resource ref

JNDI names look like URLs. A typical name for a database pool is java:comp/env/jdbc/test. The java: scheme is a memory-based tree. comp/env is the standard location for Java configuration objects and jdbc is the standard location for database pools.

res-ref-name: JNDI path attribute under which the pool is stored. The path is relative to java:comp/env.

So we finally used:

datasource.context=java:comp/env/jdbc/TPAPool
