"Esup CAS Packaging": Deploy and customize easily a CAS4 server

Open Apereo 2015
Higher Education ... Open Source in a New Age

Page 1: "Esup CAS Packaging": Deploy and customize easily a CAS4 server

Ludovic Auxepaules, UPMC, Paris, France
https://github.com/EsupPortail/cas-toolbox-new

Page 2: Few words about UPMC (Pierre et Marie Curie University)

• UPMC Facts and Figures
  – French excellence in Medicine and Science
  – 18 sites across 4 regions in France
    • 15 in the Paris region
    • 3 stations (Banyuls, Roscoff, Villefranche)
  – 34 000 students, of whom
    • 20% foreign students
    • 3300 doctoral candidates
  – 10 500 staff, of whom
    • 8200 in research units (120 research laboratories)
• Ludovic Auxepaules
  – At the IT Department of UPMC since 2011
  – Integration / Software Engineer
  – "Portal, Authentication and Authorizations" Projects
  – Github: https://github.com/auxepaul
  – Member of the Esup-Portail Consortium

Page 3: The Esup-Portail Consortium: Overview

• Objectives
  – Facilitate learning and campus life for students... but also the daily work of the staff members
  – Pool development of digital services to divide costs between French universities
  – Share technological developments and new services
  – Conceive and plan for the evolution of portals, collaborative tools and mobile services
• Nine knowledge areas (with "working groups")
  – Portal solution (National "Digital Work Space" - "Espace Numérique de Travail" – ENT)
  – Mobile
  – Mail / Calendar solutions
  – Groups
  – OAE (Open Academic Environment)
  – Authentication
  – Document Management (DMS)
  – Analytics
  – Programming / Development
• Collaborations with the Apereo Foundation

Page 4: The Esup-Portail Consortium: In Practice

• 70 member institutions
• Contributions from French universities and engineering schools
• Esup-Days: 2 conferences a year in Paris
  – Esup-Days 19 & Apereo Europe in February 2015
• Website & Wiki: https://www.esup-portail.org/
• Github: https://github.com/EsupPortail
• For more information
  – ESUP-Portail & OAE: Keys to success, Tomorrow from 2:30pm to 3:15pm
    • http://lanyrd.com/2015/apereo/sdmmpt/
  – Apereo & ESUP-Portail: Brothers in Arms (Open Apereo 2014)
    • http://lanyrd.com/2014/apereo/sdbbgk/
  – Alain Mayeur / Mathilde Guerin

Page 5: Plan of the presentation

• Some information about CAS
• Esup-Portail works and toolbox related to CAS (2003-2011)
• New Esup CAS Toolbox v3 and v4 (2011-…)

Page 6: What is CAS?

• Central Authentication Service: a Single Sign-On / Single Sign-Off (SSO) for the web
• A secure way for users to access multiple services/applications
  – Passwords are encrypted in transit and exchanged only between the browser and CAS
  – Opaque tickets that carry no personal information
• An open-source project
  – Created by Yale University in 2001
  – Hosted by Jasig (now the Apereo Foundation) since December 2004
• Wide adoption within higher education institutions and corporations around the world

Page 7: What is CAS?

• Public protocol specifications: CAS 1.0, 2.0 and 3.0
• One CAS server (written in Java)
  – Authenticates users and grants access to applications
• N CAS clients embedded in cassified applications
  – Protect the application and retrieve the identity of the granted user from the server
• Key concepts
  – The TGT (Ticket Granting Ticket), stored in the CASTGC cookie, represents an SSO session
  – The ST (Service Ticket), transmitted as a GET parameter in URLs, stands for the access granted by the CAS server to the cassified application for a specific user
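The ticket semantics of this slide, as an added example that is not part of the original deck nor Apereo CAS code: a toy server issues an opaque TGT per SSO session and a single-use ST bound to one service, and the application's client validates the ST back-channel, so the identity never travels inside the ticket. The CasServer and demo names, the credential store and the service URLs are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ServiceTicket:
    user: str          # identity stays server-side, never inside the ticket string
    service: str       # the application URL the ST was granted for
    used: bool = False # an ST is consumed by its first validation


class CasServer:
    """Constructed toy model of the TGT / ST semantics, not Apereo CAS code."""

    def __init__(self):
        self.tgts = {}  # TGT id -> user: one SSO session per browser (CASTGC cookie)
        self.sts = {}   # ST id -> ServiceTicket

    def login(self, user, password, credentials):
        # Only CAS ever sees the password; credentials is a constructed store.
        if credentials.get(user) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)  # opaque value set in CASTGC
        self.tgts[tgt] = user
        return tgt

    def grant_service_ticket(self, tgt, service):
        """Browser presents CASTGC; CAS redirects to service?ticket=ST-..."""
        user = self.tgts.get(tgt)
        if user is None:
            return None  # no SSO session: the user would see the login form
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = ServiceTicket(user, service)
        return st

    def validate(self, st, service):
        """Back-channel check by the application's CAS client (serviceValidate)."""
        ticket = self.sts.get(st)
        if ticket is None or ticket.used:
            return None          # unknown or replayed ticket
        ticket.used = True       # consumed on any validation attempt
        if ticket.service != service:
            return None          # ST bound to another application
        return ticket.user       # the only place the identity is revealed

    def logout(self, tgt):
        """Single Sign-Off: dropping the TGT ends the SSO session."""
        self.tgts.pop(tgt, None)


def demo():
    cas = CasServer()
    creds = {"alice": "correct horse"}            # constructed user store
    app = "https://portal.example.edu/login"      # constructed service URL
    tgt = cas.login("alice", "correct horse", creds)
    st = cas.grant_service_ticket(tgt, app)
    first = cas.validate(st, app)                  # "alice"
    replay = cas.validate(st, app)                 # None: already consumed
    st2 = cas.grant_service_ticket(tgt, app)
    other = cas.validate(st2, "https://other.example.edu/")  # None: wrong service
    cas.logout(tgt)
    after_logout = cas.grant_service_ticket(tgt, app)        # None: no session
    return first, replay, other, after_logout
```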

Page 8: A "recipe" to adopt CAS (Apereo 2014, M. Moayyed)

• Use the latest stable version of the CAS server
• Add the "skin" of your institution
• Add the configuration of your institution
  – How do users authenticate?
  – Where do user attributes come from?
  – Which applications are allowed to use CAS?
• Build, test and deploy
• Update and secure cassified applications with CAS clients

Page 9: Requirements to deploy a server

• Java Development Kit 6 or 7 (8?)
• A Servlet container (Apache Tomcat 6 or 7)
• Apache Maven >= 3 (3.0.x)
• Apache HTTP Server 2.x with mod_proxy_ajp (optional)
• SSL certificates (CAS must use HTTPS in production)
• "Basic knowledge" of the Spring Framework

CAS installation is a fundamentally source-oriented process

Page 10: Jasig / Apereo CAS Server: Distributions since 2010

• CAS Server 4.0.1, January 2015: recommended in June 2015?
• CAS Server 4.0, May 2014: recommended in June 2014
• Security patches for SAML2 (e.g. Google Apps), HTTP attacks,…
  – CAS Server 3.5.3, January 2015
  – cas-server-security-filter 1.0, August 2014; 2.0.x, May 2015
  – CAS Server 3.5.2.1, April 2014
  – CAS Server 3.4.12.1, April 2014
• CAS Server 3.5.2, February 2013: recommended in June 2013
...
• CAS Server 3.5.0, July 2012
• CAS Server 3.4.12, May 2012: recommended in June 2012
• CAS Server 3.4.7, March 2011
• CAS Server 3.4.0, May 2010

https://www.apereo.org/tags/cas-product-release
https://github.com/Jasig/cas/releases/

Page 11: How to install / deploy a CAS server?

• Install a quickstart produced by Apereo/Jasig or Esup-Portail
  – Discover CAS functionalities quickly, run trainings, demos…
• Make direct modifications in the source of a stable CAS version?
• Deploy a WAR and make changes in the Tomcat webapps directory
  – Makes it more difficult to update the CAS server
• Maven WAR Overlays
  – The Apereo-recommended method to deploy a CAS server
  – Beware of files and directories moving between version upgrades
• Esup CAS-toolbox or Esup CAS-toolbox-new
  – Facilitate deployment by centralizing configuration items and by presetting some CAS modules

Page 12: HISTORY OF ESUP WORKS / TOOLBOX AND CAS SERVER

Open Apereo 2015: Higher Education ... Open Source in a New Age

  Period      Esup works / toolbox        CAS server
  2003-2007   Esup CAS Generic Handler    Yale/Jasig CAS 2.x
  2008-2011   Esup CAS-toolbox            Jasig CAS 3.x
  2011-2014   Esup CAS-toolbox-new v3     Jasig CAS 3.4.1x
  2014-…      Esup CAS-toolbox-new v4     Apereo CAS 4.x

Page 13: 2003-2007: Esup cas-generic (Ant-based project and Yale/Jasig CAS v2 Server)

• Esup-Portail Generic Handler
  – A plugin giving CAS the ability to authenticate users with different methods
• 3 packages
  – esup-casgeneric
    • The CAS Generic Handler, to be deployed into the cas-server source hierarchy
  – esup-cas-server
    • The CAS Generic Handler, already shipped inside the CAS server
  – esup-cas-quick-start
    • An Apache Jakarta Tomcat-based package for the CAS server, shipped with the Handler
• Latest release on SourceForge
  – http://sourceforge.net/projects/esup-casgeneric/files/
• Documentation
  – http://www.esup-portail.org/consortium/espace/SSO_1B/tech/cas/cas_install.html

Page 14: 2003-2007: Esup cas-generic (User Interface at UPMC with esup-cas-server)

[Screenshot of the UPMC login page served by esup-cas-server]

Page 15: 2008-2011: Esup cas-toolbox (Ant-based project and Jasig CAS v3 Server)

• Overview
  – Deploying a CAS server into an existing Tomcat installation
  – Simplifying CAS configuration
  – Customizing the CAS server
  – Building quickstart distributions
• Handles different configuration customization levels
  – An 'update' folder: add-ons to the original CAS Server
  – A 'custom' folder: every customized aspect (skin, Java sources, configurations)
  – A 'config.properties' file: properties used by the Spring configuration files
• Latest release on SourceSup, based on CAS v3.4.7
  – https://sourcesup.renater.fr/frs/?group_id=401&release_id=1461
• Documentation
  – https://wiki.jasig.org/display/CAS/CAS-toolbox
  – https://subversion.renater.fr/cas-toolbox/tags/3.4.7-1/README

Page 16: 2008-2011: Esup cas-toolbox (Deployment Example)

• Download cas-toolbox.X-Y.tar.gz from https://sourcesup.renater.fr/projects/cas-toolbox/ and expand it
• Rename build.sample.properties to build.properties
• Set the deploy.path property in build.properties
• Rename config.sample.properties to config.properties
• Configure config.properties (and set customizations in the custom directory)
• Initialize by running ant init
• Deploy into an existing Tomcat by running ant deploy
• Start Tomcat and browse http://localhost:8080/cas

Page 17: 2008-2011: Esup cas-toolbox v3 (UI with the Esup-portail Theme, v3.4.7)

[Screenshot of the login page with the Esup-portail theme]

Page 18: NEW ESUP CAS TOOLBOX V3 AND V4

Open Apereo 2015: Higher Education ... Open Source in a New Age

  2011-2014   Esup CAS-toolbox-new v3 (CAS server 3.4.1x)
  2014-…      Esup CAS-toolbox-new v4 (CAS server 4.0.x)

Page 19: Maven WAR Overlay: General principles

• A local source repository (with Git) that contains only the institution's specific dependencies, configurations and customizations
  – The pom.xml (Project Object Model) file describes the project, its dependencies and automated tasks…
  – Added or modified files or directories: .java, .properties, .xml,…
• Rebuilding of the Web application ARchive (WAR to deploy within Tomcat)
  – From the original release version of the CAS server defined in the pom.xml file
  – With all configurations and customizations superimposed
    • Replacement of original files
• Documentation
  – https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method
  – http://jasig.github.io/cas/current/installation/Maven-Overlay-Installation.html

Page 20: Maven WAR Overlay: Examples and demos for the CAS server

• CAS server 3.4.1x
  – https://subversion.renater.fr/cas-toolbox/branches/cas-toolbox-new/
  – https://github.com/EsupPortail/cas-toolbox-new/tree/v3.4.x
• CAS server 3.5.x
  – https://github.com/UniconLabs/simple-cas-overlay-template
  – https://github.com/Unicon/unicon-cas-overlay
  – https://github.com/leleuj/cas-overlay-3.5.x
• CAS server 4.0.x
  – https://github.com/leleuj/cas-overlay-demo
  – https://github.com/UniconLabs/simple-cas4-overlay-template
  – https://github.com/EsupPortail/cas-toolbox-new/tree/v4.0.x

Page 21: Esup cas-toolbox-new v3 and v4 (Maven-based project and CAS 3.4.1x / 4.0.x)

• Overview of the new toolbox capabilities
  – Deploying a CAS server into an existing Tomcat installation
  – Simplifying and centralizing CAS configuration
    • config.properties file and Authentication "HandlersDiscover" functionality
  – Esup pre-settings and add-ons
    • Esup Theme, LDAP, Logging, TraceMe, Stats, BlockAttack, SAML 1.1…
    • Configured modules that the user can activate: Memcached, Rest…
  – Quickstart built with Ant
• Initial work on simplifying the Esup cas-toolbox project (J. Marchal)
  – https://subversion.renater.fr/cas-toolbox/branches/cas-toolbox-new/
• Svn2git, transfer and update of the project on Github (L. Auxepaules)
  – https://github.com/auxepaul/cas-toolbox-new

Page 22: Esup cas-toolbox-new v3 & v4 (Files and Directories organization)

• cas-toolbox-core (Esup addons and preconfigurations)
  – src/main
    • java
    • webapp
  – pom.xml
• cas-toolbox-custom (University customizations and addons)
  – src/main
    • webapp
  – pom.xml
• etc (HowTo and « scripts » examples)
• config.sample.properties (« localhost » configuration)
• pom.xml

• Better differentiation between the Esup and the institution's customizations and configurations
• An integrator can easily copy files from cas-toolbox-core (or the Apereo CAS project) to cas-toolbox-custom and then modify them

Page 23: Esup cas-toolbox-new v3 and v4 (UI with the Esup Theme)

[Screenshot of the login page with the Esup theme]

Page 24: Esup cas-toolbox-new v3 and v4 (UI with the UPMC Theme, v3.4.12.1)

[Screenshot of the login page with the UPMC theme]

Page 25: Esup cas-toolbox-new v3 and v4 (Statistics, Monitoring and Logs)

• Esup Stats Page: /cas/stats.jsp
    SERVICE_TICKET_CREATED : 1
    TICKET_GRANTING_TICKET_CREATED : 1
    AUTHENTICATION_SUCCESS : 1
    AUTHENTICATION_FAILED : 1
    SERVICE_TICKET_VALIDATED : 1
    TICKET_GRANTING_TICKET_NOT_CREATED : 1
• Apereo Monitoring Page: /cas/status
    Health: OK
    1. MemoryMonitor: OK - 418,07MB free, 623,54MB total.
    2. SessionMonitor: OK - 1 sessions. 0 service tickets.
• Esup User and Service Stats Logs: serviceStats.log
    [Sun May 31 16:01:15 CEST 2015] [IP:127.0.0.1] [ID:admin] [TICKET:ST-1-ZW74nIKOVEECbowbB0BT-localhost] [SERVICE:http://localhost:8080/cas-management/j_spring_cas_security_check] [USER-AGENT:Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0]
• Apereo Performance Statistics Logs: perfStats.log
    Performance Statistics 2015-05-31 16:01:00 - 2015-05-31 16:02:00
    Tag                            Avg(ms)  Min  Max  Std Dev  Count
    AUTHENTICATE                   21,0     21   21   0,0      1
    CREATE_TICKET_GRANTING_TICKET  25,0     25   25   0,0      1
    GRANT_SERVICE_TICKET           3,0      3    3    0,0      1
    VALIDATE_SERVICE_TICKET        1,0      1    1    0,0      1

Page 26: Esup cas-toolbox-new v3 and v4 (Logging in log4j.xml)

• Tickets: tickets.log
    2015-05-31 16:01:15,606 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZW74nIKOVEECbowbB0BT-localhost] for service [http://localhost:8080/cas-management/j_spring_cas_security_check] for user [admin]
• Successful and failed authentications, blockAttack: auth.log (works with CAS 3)
    Thu Dec 18 15:47:00 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
    AccountLockingService::incrementAttempts() : [admin] - number of attempts : 3 of 3
    AccountLockingService::isAccountLocked() : [admin] added to user list
    AccountLockingService::isAccountLocked() : [admin] locked
    Account "admin" is locked for : 3 s
    AccountLockingService::run() : [admin] removed from user list
    Thu Dec 18 15:48:00 CET 2014 - AUTHENTICATION_SUCCESS for '[username: admin]' from '127.0.0.1'
• Rejected Services: rejectedServices.log
    2015-05-31 16:02:31,091 WARN [org.jasig.cas.web.flow.ServiceAuthorizationCheck] - ServiceManagement: Unauthorized Service Access. Service [http://loc:8080/cas-management/j_spring_cas_security_check] is not found in service registry.
• CAS management Services: cas-management.log
    2015-05-31 16:01:15,606 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZW74nIKOVEECbowbB0BT-localhost] for service [http://localhost:8080/cas-management/j_spring_cas_security_check] for user [admin]
• Trace (used by Esup AGIMUS-ng: Indicators and Usage): trace.log
    TRACE-1-70RFFjeWwSqCfoqwHxUoimyMBELrhdlqAjhtlhoIpChkFnuG5f-localhost:admin
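An added example, not Esup's AccountLockingService: it replays auth.log event lines in the format shown above through a constructed lock policy using the parameters the log reports (3 attempts, 3 s lock), and skips the AccountLockingService trace lines. The sample lines and the AccountLocking and replay names are constructed.

```python
import re
from datetime import datetime, timedelta

# auth.log event line: date, zone name (ignored), year, outcome, username, client IP.
LINE_RE = re.compile(
    r"^(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (\d{4}) - "
    r"(AUTHENTICATION_SUCCESS|AUTHENTICATION_FAILED) "
    r"for '\[username: ([^\]]+)\]' from '([^']+)'$")


def parse_auth_line(line):
    """Return (timestamp, outcome, user, ip), or None for AccountLockingService trace lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
    return when, m.group(3), m.group(4), m.group(5)


class AccountLocking:
    """Constructed policy, not the Esup class: lock after max_attempts failures."""

    def __init__(self, max_attempts=3, lock_seconds=3):
        self.max_attempts = max_attempts
        self.lock = timedelta(seconds=lock_seconds)
        self.attempts = {}      # user -> consecutive failures
        self.locked_until = {}  # user -> datetime (the "user list" in the log)

    def decide(self, when, outcome, user):
        until = self.locked_until.get(user)
        if until is not None:
            if when < until:
                return "REJECTED (locked)"  # refused regardless of the password
            del self.locked_until[user]     # lock expired: "removed from user list"
            self.attempts[user] = 0
        if outcome == "AUTHENTICATION_SUCCESS":
            self.attempts[user] = 0
            return "SUCCESS"
        n = self.attempts.get(user, 0) + 1
        self.attempts[user] = n
        if n >= self.max_attempts:
            self.locked_until[user] = when + self.lock
            return f"LOCKED ({n} of {self.max_attempts}) for {self.lock.seconds} s"
        return f"FAILED ({n} of {self.max_attempts})"


def replay(log_text, **policy):
    """Feed every event line through the policy; return [(user, decision), ...]."""
    service, decisions = AccountLocking(**policy), []
    for line in log_text.splitlines():
        event = parse_auth_line(line)
        if event:
            when, outcome, user, _ip = event
            decisions.append((user, service.decide(when, outcome, user)))
    return decisions


# Constructed sample modelled on the auth.log excerpt above (the 3rd failure locks admin).
SAMPLE_LOG = """\
Thu Dec 18 15:46:50 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:46:55 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:47:00 CET 2014 - AUTHENTICATION_FAILED for '[username: admin]' from '127.0.0.1'
AccountLockingService::incrementAttempts() : [admin] - number of attempts : 3 of 3
Thu Dec 18 15:47:02 CET 2014 - AUTHENTICATION_SUCCESS for '[username: admin]' from '127.0.0.1'
Thu Dec 18 15:48:00 CET 2014 - AUTHENTICATION_SUCCESS for '[username: admin]' from '127.0.0.1'
"""
```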

Page 27: Esup cas-toolbox-new v3 and v4 (Deployment Example)

• git clone https://github.com/EsupPortail/cas-toolbox-new.git
• git checkout v4.0.x
• Rename config.sample.properties to config.properties
• Set the deploy.path property in config.properties
• Configure config.properties
• (Set customizations in the cas-toolbox-custom directory)
• Initialize and deploy into an existing Tomcat by running mvn clean package
• Start Tomcat and browse
    http://localhost:8080/cas
    http://localhost:8080/cas-management

Page 28: Esup cas-toolbox-new v3 and v4 (Authentication handlers « Discover »)

• Set the handlers to use in config.properties (reported in the esup.properties file)

    # Handler to use (cf cas\WEB-INF\*.auth.xml to find id)
    # - ldapFastBindHandler : make a fast bind in ldap (AD or direct bind configuration)
    # - ldapFullBindHandler : make a search after a bind with find dn (OpenLdap or anonymous)
    # - fileEncAuthHandler : use a flat encoded file
    # - filePlainAuthHandler : use a flat plaintext file
    authHandlers=fileEncAuthHandler
    # IF USE ldapFullBindHandler
    #authHandlers=fileEncAuthHandler,ldapFullBindHandler

    authResolvers=primaryPrincipalResolver
    # IF USE ldapFullBindHandler
    #authResolvers=primaryPrincipalResolver,ldapPrincipalResolver
    defaultResolver=primaryPrincipalResolver

• HandlersDiscover Java class: org.esupportail.cas.HandlersDiscover.java
  – Browses the list of authentication Handlers and the list of authentication Resolvers
  – Puts each couple <AuthHandler, AuthResolver> into the HandlerMap used by the Authentication Manager bean
• Handlers to discover within src\main\webapp\WEB-INF\auth-configuration\*-auth.xml

Page 29: Esup cas-toolbox-new v3 and v4 (Authentication handlers « Discover »)

• HandlerDiscover bean defined in src\main\webapp\WEB-INF\deployerConfigContext.xml

    <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg ref="handlerMap"/>
        ...
        <property name="authenticationPolicy">
            <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
        </property>
    </bean>

    <bean id="handlerMap" class="org.springframework.beans.factory.config.MapFactoryBean">
        <property name="sourceMap">
            <map>
                <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
            </map>
        </property>
    </bean>

    <bean id="handlerDiscover" class="org.esupportail.cas.HandlersDiscover">
        <property name="handlersId" value="${cas.authHandlers}"/>
        <property name="resolversId" value="${cas.authResolvers}"/>
        <property name="defaultResolverId" value="${cas.defaultResolver}"/>
        <property name="mapToAdd" ref="handlerMap"/>
    </bean>
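An added example, not the org.esupportail.cas.HandlersDiscover class, of the discovery step described on the two slides above: read authHandlers, authResolvers and defaultResolver from config.properties, check every id against the bean ids declared in *-auth.xml (a constructed set here), and fill a handlerMap seeded with the proxy couple from deployerConfigContext.xml. The index-wise pairing of the i-th handler with the i-th resolver, falling back to defaultResolver, is an assumption about the class's behaviour; the function names are constructed.

```python
def parse_properties(text):
    """Minimal .properties reader: skips blanks and '#' comments, splits on the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_ids(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def build_handler_map(props, declared_handlers, declared_resolvers, seed=None):
    """Return handlerMap: the seed entries plus one discovered couple per handler.

    declared_* hold the bean ids found in WEB-INF/auth-configuration/*-auth.xml;
    an id that is not declared is an integrator typo that Spring would only
    report at startup, so it is rejected here with the offending key named.
    Pairing rule (assumed): i-th handler with i-th resolver, else defaultResolver.
    """
    handlers = split_ids(props.get("authHandlers", ""))
    resolvers = split_ids(props.get("authResolvers", ""))
    default = props.get("defaultResolver", "")
    for h in handlers:
        if h not in declared_handlers:
            raise KeyError(f"authHandlers: unknown handler id '{h}'")
    for r in resolvers + [default]:
        if r not in declared_resolvers:
            raise KeyError(f"authResolvers/defaultResolver: unknown resolver id '{r}'")
    handler_map = dict(seed or {})
    for i, h in enumerate(handlers):
        handler_map[h] = resolvers[i] if i < len(resolvers) else default
    return handler_map


# Constructed ids matching the comments of the config.properties excerpt above.
DECLARED_HANDLERS = {"ldapFastBindHandler", "ldapFullBindHandler",
                     "fileEncAuthHandler", "filePlainAuthHandler"}
DECLARED_RESOLVERS = {"primaryPrincipalResolver", "ldapPrincipalResolver"}
# Seeded the way deployerConfigContext.xml does it for proxy tickets.
SEED = {"proxyAuthenticationHandler": "proxyPrincipalResolver"}

# Constructed config: the "IF USE ldapFullBindHandler" variant with one resolver only.
SAMPLE_CONFIG = """\
# Handler to use (cf cas\\WEB-INF\\*.auth.xml to find id)
authHandlers=fileEncAuthHandler,ldapFullBindHandler
#authResolvers=primaryPrincipalResolver,ldapPrincipalResolver
authResolvers=primaryPrincipalResolver
defaultResolver=primaryPrincipalResolver
"""


def discover(config_text=SAMPLE_CONFIG):
    return build_handler_map(parse_properties(config_text),
                             DECLARED_HANDLERS, DECLARED_RESOLVERS, SEED)
```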

Page 30: Apereo CAS v4.0.x: Some new features, changes, updates

• New CAS 3.0 protocol: user attributes in the ticket validation response
• Greater modularity and new submodules
  – Services management, SAML 1.1
• Redesigned authentication API
• Updated or replaced dependencies
  – Spring LDAP replaced by Ldaptive
  – REST module
  – CredentialsToPrincipalResolver; ***Credentials*** classes or attributes become ***Credential***
• User Interface improvements ("Responsive")

Source code not backward-compatible with 3.x
  – Difficult to port some configurations and customizations from 3.x to 4.x

• For more information
  – The latest about the Central Authentication Service, Tomorrow from 10:15pm to 11:00pm
    • http://lanyrd.com/2015/apereo/sdmmpw/
  – http://jasig.github.io/cas/current/

Page 31: Esup cas-toolbox-new v4: Things to do and Perspectives

• Fix bugs and test some functionalities and modules
  – Fix SAML 1.1 (search filter bug), echoes in cas.log…
  – Set up and test Memcached
  – Test REST
• Add and test new Maven tasks to support development activities
  – mvn jetty:run or mvn jetty:run-war
  – mvn tomcat7:deploy or mvn tomcat7:redeploy
• Rewrite HowTo guides, documentation and links to the Apereo CAS documentation and guides
• Replace old Esup functionalities by "equivalent" Apereo functionalities
  – BlockAttack replaced by Throttling Authentication Attempts

Page 32: Esup cas-toolbox-new v4: Things to do and Perspectives

• Set a new Esup theme (Responsive Web Design)
• Add and preset new authentication configurations
  – SPNEGO (Kerberos Windows), Trusted (REMOTE_USER)…
• Add and preset other modules and functionalities of the Apereo CAS server
  – LPPE, ClearPass
• Study (and create?) more "specific" projects based on
  – RBAC (Role-Based Access Control) by service with CAS and Grouper
  – MFA (Multi-Factor Authentication) with the LOA implementation

Page 33: DEMONSTRATION

Open Apereo 2015: Higher Education ... Open Source in a New Age

Page 34: Demonstration

Windows demonstration environment

• Quickstart uPortal 4.1
  – C:/portal
  – Apache Maven 3.0.4
  – Apache Tomcat 7.0.32
    • Tomcat run scripts in the apache-tomcat-7.0.32/bin directory: startup.bat and shutdown.bat
• Oracle Java JDK 1.7
• Environment variables
  – JAVA_HOME, JAVA_OPTS, CATALINA_OPTS
  – Path: %MAVEN_HOME%\bin
• Git: Github for Windows