ALA CAS openid integration - AtlasOfLivingAustralia/ala-cas GitHub Wiki
##intro The purpose of this project is to add OpenID support to Atlas of Living Australia. The system should allow the user to chose either:
- register/login with ALA cas user credentials, or to
- let the user to use their existing OpenID credentials (see http://openid.net/get-an-openid for a list of OpenID providers)
##upgrading existing cas installation/configuration The best/easiest (if not the only) approach to upgrade your existing cas project is:
- Decide which version of jasig cas do you need
- Setup from scratch a new jasig cas maven overlay project
- Port your existing cas modifications to the newly setup cas project
- Adjust your existing cas properties file to the new version of jasig cas
- Add suport for OpenID delegated authentication
- cas clients upgrade
####Decide which version of jasig cas do you need In our case we want to use the jasig cas version with "the best support" for OpenID, however we have to take into the consideration that Google just deprecated OpenID (at the end of April 2015, see: https://developers.google.com/identity/protocols/OpenID2) in favour of OpenID Connect and/or: http://openid.net/connect/faq
####Setup from scratch a new jasig cas maven overlay project
- setup new jasig cas maven overlay project, build, deploy, test it - make sure you can login with static username and password
- replace the (test) static username password authentication handler with your existing JDBC authentication handler
org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler(andpasswordEncoder(custom? default?)) - deploy and verify the login
- https://jasig.github.io/cas/4.0.x/installation/Database-Authentication.html
- https://github.com/Jasig/cas/wiki/Configuring-Authentication-Components
- add OpenID authenticator
org.jasig.cas.support.pac4j.authentication.handler.support.ClientAuthenticationHandler
- https://jasig.github.io/cas/4.0.x/integration/Delegate-Authentication.html
cas-4.0.1 - https://jasig.github.io/cas/development/integration/Delegate-Authentication.html
cas-4.1.0-SNAPSHOT - https://github.com/leleuj/cas-pac4j-oauth-demo (cas-pac4j-oauth-client-demo)
- https://github.com/leleuj/pac4j supported providers
- TODO: add & test OpenID Connect (google deprecated OpenId, replacing it with OpenID Connect in April 2015)
NOTE: The jasig cas upgrade info is incomplete.
All of my attempts to simply upgrade the existing ALA cas (based on jasig cas 3.4.2) to the latest stable version of jasig cas 4.0.1 failed. Even if you painstakingly upgrade all the JASIG_CAS_ROOT/src/main/webapp/WEB-INF xml files, and there are no exceptions on cas deploy, the cas won't work and you get a lot of runtime exceptions without specific details, for example:
2015-04-29 01:22:02,089 ERROR [org.jasig.cas.web.init.SafeDispatcherServlet] - <SafeDispatcherServlet:
The Spring DispatcherServlet we wrap threw on init.
But for our having caught this error, the servlet would not have initialized.>
java.lang.NoSuchMethodError: org.springframework.web.context.support.WebApplicationContextUtils.initServletPropertySources(Lorg/springframework/core/env/MutablePropertySources;Ljavax/servlet/ServletContext;Ljavax/servlet/ServletConfig;)V
at org.springframework.web.context.support.StandardServletEnvironment.initPropertySources(StandardServletEnvironment.java:94)
at org.springframework.web.servlet.FrameworkServlet.configureAndRefreshWebApplicationContext(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:599)
at org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:665)
at org.springframework.web.servlet.FrameworkServlet.initWebApplicationContext(FrameworkServlet.java:518)
at org.springframework.web.servlet.FrameworkServlet.initServletBean(FrameworkServlet.java:459)
at org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:136)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at org.jasig.cas.web.init.SafeDispatcherServlet.init(SafeDispatcherServlet.java:76)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1279)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1192)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1073)
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1857)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Most likely because of jasig cas depending on some (newer) version of spring, spring-security, etc. To avoid these types of problems it is much easier to setup a new cas maven overlay project, that should pull in all the dependencies and then add your cas modifications into the generated boilerplate".
####Port your existing cas modifications to the newly setup cas project This was in fact the easiest/smoothest.
####Adjust your existing cas properties file to the new version of jasig cas
####Add suport for OpenID delegated authentication
references:
- http://www.pac4j.org/#1
- https://github.com/leleuj/pac4j
- https://github.com/leleuj/cas-pac4j-oauth-demo
- https://wiki.jasig.org/pages/viewpage.action?pageId=56164890
- https://github.com/Jasig/cas/blob/master/cas-server-documentation/integration/Delegate-Authentication.md
####cas clients upgrade TODO
###old notes
- current version of jasig cas used by ala-cas is 3.4.2 - this might be a problem/constraint if some of the functionality related to openid integration is not available in the currently used older version 3.4.2
- possible jasig cas upgrade:
- 3.5.3 simple upgrade, build succeeded, looks promising has to deploy/install and test this version; we might get lucky; no we didn't, it was not starting/running.
- 4.0.1 simple upgrade, build failed (this would clearly require to update the ala-cas component first)
- simple/naive search for ("any") openid related files in the both latest stable jasig cas streams versions:
bash-3.2$ find ~/src/cas-4.0.1 -type file | grep openid | grep -v test | sed -e 's/^.*\/cas\-[0-9]\.[0-9]\.[0-9]\///g'
cas-server-support-openid/NOTICE
cas-server-support-openid/pom.xml
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/handler/support/OpenIdCredentialsAuthenticationHandler.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdCredential.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdPrincipalResolver.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdService.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/flow/OpenIdSingleSignOnAction.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/mvc/SmartOpenIdController.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/OpenIdProviderController.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/DefaultOpenIdUserNameExtractor.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdArgumentExtractor.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdPostUrlHandlerMapping.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdUserNameExtractor.java
cas-server-support-openid/src/site/site.xml
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdAssociationFailureView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdAssociationSuccessView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdServiceFailureView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdServiceSuccessView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/user.jsp
bash-3.2$ find ~/src/cas-3.5.3 -type file | grep openid | grep -v test | sed -e 's/^.*\/cas\-[0-9]\.[0-9]\.[0-9]\///g'
cas-server-support-openid/NOTICE
cas-server-support-openid/pom.xml
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/handler/support/OpenIdCredentialsAuthenticationHandler.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdCredentials.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdCredentialsToPrincipalResolver.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdService.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/flow/OpenIdSingleSignOnAction.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/mvc/SmartOpenIdController.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/DefaultOpenIdUserNameExtractor.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdArgumentExtractor.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdPostUrlHandlerMapping.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdUserNameExtractor.java
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdAssociationFailureView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdAssociationSuccessView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdServiceFailureView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdServiceSuccessView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/user.jsp
bash-3.2$ find ~/src/cas-3.4.2 -type file | grep openid | grep -v test | sed -e 's/^.*\/cas\-[0-9]\.[0-9]\.[0-9]\///g'
cas-server-support-openid/pom.xml
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/handler/support/OpenIdCredentialsAuthenticationHandler.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdCredentials.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdCredentialsToPrincipalResolver.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/authentication/principal/OpenIdService.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/flow/OpenIdSingleSignOnAction.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/DefaultOpenIdUserNameExtractor.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdArgumentExtractor.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdPostUrlHandlerMapping.java
cas-server-support-openid/src/main/java/org/jasig/cas/support/openid/web/support/OpenIdUserNameExtractor.java
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdServiceFailureView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/casOpenIdServiceSuccessView.jsp
cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/openid/user.jsp
- cas-pac4j-oauth-demo
cas-pac4j-oauth-client-demois a demo app of how to use jasig cas to delegate/forward authentication to an OpenID provider (google, facebook, etc.)
| jasig cas version | ala-cas upgrade result |
|---|---|
| 3.4.2 | OK (currently used) |
| 3.4.2.1 | OK |
| 3.4.3 | "CAS is unavailable" |
| 3.4.3.1 | "CAS is unavailable" |
| 3.4.4 | "CAS is unavailable" |
| 3.4.5 | "CAS is unavailable" |
| 3.4.6 | tomcat exception |
| 3.4.7 | tomcat exception |
| 3.4.8 | tomcat exception |
| 3.4.9 | tomcat exception |
| 3.4.10 | tomcat exception |
| 3.4.11 | tomcat exception |
| 3.4.12 | tomcat exception |
| 3.4.12.1 | tomcat exception |
| 3.5.3 | tomcat exception |
| 4.0.1 | |
| 4.1.0-SNAPSHOT | compile errors (not compatible even with cas 4.0.1 compatible source/configuration) |
CAS is Unavailable
There was an error trying to complete your request. Please notify your support desk or try again.
- official upgrade guide: https://wiki.jasig.org/display/CASUM/Upgrading
- check/describe/document the diff jasig cas versions and their java version requirements/constraints