1. Home
2. Webhosting
3. Cas

CAS (Centrale Authentication Service): for developers

Intro

CAS is the Central Authentication Service for UGent. CAS allows you to log on to secured UGent pages using your account.

If you develop web applications which require user authentication, you can make use of CAS. CAS provides single sign on and single sign out and can return extra parameters along with the authenticated login name.

Tip: on the CAS (Centrale Authentication Service): introduction-page you find the answers to questions as "What is CAS?/ What is Central Authentication?", "How long do I remain logged on?", "How do I log out?".

How CAS works

Your web application directs the user to the CAS login page.

e.g.

https://login.ugent.be/login?service=https://login.ugent.be/cas-java-demo

Following authentication, CAS redirects the user to the original web application, which was passed within the url as service parameter. If the user is logged on to another web application, no login page will be presented. (= Single Sign On)

For single sign out, CAS sends a POST request to all applications the user is logged on to.

CAS can be tested following the instructions below. Please send your remarks about CAS to login@UGent.be .

Setting up a CAS client

Registration is required. Enter the following:

1. your web application url
2. a short descriptionof your web application
3. the attributes you wish to use

URL

A registration is only possible when

• the dns record must exist
• the dns record must be registered by UGent DICT
• the server hosting the url must be on the infrastructure of UGent DICT (no external hosting).
  Via a 301 redirect external hosted sites can use the CAS SR on a internal site.
• the url must be hosted on a ssl / tls protected site. It must start with https://.
  For webshares this is provided automatically by DICT. For webservers on vm's you must provide this. See also: https://helpdesk.ugent.be/webhosting/csr.php
  The ssl certificate and installation is validated before the CAS SR will be approved.

CAS uses your web application url to compare the service parameter with the registered web applications. If a CAS redirect occurs in several pages of an application, you can enter the main url, followed by 2 *s (= wildcards). Be careful if you have other web applications in the same domain.

https://foo.UGent.be/bar/**

Attributes (optional)

By default, the login name (uid) is returned. Following LDAP attributes are available on demand:

• mail
• department
• givenname
• surname
• objectClass
• lastenrolled
• jobcategory
• addressingtitle
• extcategory
• ugentID
• faculty

In this way, you can request LDAP attributes without having to resort to adressing the UGent LDAP from within your application . Based on the requirements of your applications, the above attribute list may be adapted.

Use CAS for authentication only, not for session management. You should provide session management in your application. Make sure that the authenticated login name is stored after succesful authentication.

Examples for users

• Simple CAS authentication on webshares
• php
• java
• .NET

Simple CAS authentication on webshares

CAS is enabled by default on the webshare servers.
Authentication can be enabling by adding this to the .htaccess file on your webshare :

Authtype Cas
Require valid-user

This enables CAS and requires a successful login with an active UGent account
People without a UGent account, can't access your site.
Limiting access to a specific user :

Require user username

Replace 'username' by the actual username
This line can be used multiple times.
Other CAS attributes can be used as well :

Require cas-attribute surname:Peters

this allows access to people whose surname is 'Peters'
You can use any attribute that you enable in your CAS service registration.

More info is available on https://github.com/apereo/mod_auth_cas

Php examples

1. The general example applies to most situations but NOT to webpages.ugent.be (= sites on webshares).
   Test the example: http://login.ugent.be/cas-php-demo.
2. UGCAS_Simple is a client module with restricted functionality.
   Is is meant specifically for webpages.ugent.be (= sites on webshares) but can be used in other environments.

Requirements

PHP 7.3

• −with-curl
• −with-openssl
• −with-dom
• −with-zlib

General example

A php CAS library is available at: https://github.com/apereo/phpCAS : Download version 1.3.8.
The example below illustrates the use of the library:

Please adapt the certificate path to the actual certificate location! When the certificate path is incorrect, it will produce an infinite redirect loop error.

<?php

include_once('CAS.php');

//phpCAS::setDebug('/srv/vhost/mijnsite.ugent.be/htdocs/tmp/phpCAS.log'); // Schrijft debug informatie naar een log-file

// Parameters: CAS version, CAS server url, CAS server port, CAS server URI (same as host),
// boolean indicating session start
phpCAS::client(CAS_VERSION_2_0,'login.ugent.be',443,'', true);

// Server from which logout requests are sent
phpCAS::handleLogoutRequests(true, array('login.ugent.be'));

// Path to the "trusted certificate authorities" file:
phpCAS::setCasServerCACert('/etc/ssl/certs/ca-certificates.crt');
// No server verification (less safe!):
//phpCAS::setNoCasServerValidation();
// The actual user authentication
phpCAS::forceAuthentication();

// Handle logout requests
if (isset($_REQUEST['logout'])) {
        phpCAS::logout();
}


?>

<html>
  <head>
    <title>phpCAS simple client</title>
  </head>
  <body>
    <h1>Successfull Authentication!</h1>

    <p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p>
    <p>the attributes are:
    <?php
    echo '<ul>';
    $attr = phpCAS::getAttributes();
    foreach ($attr as $key => $value)
    {
        if(!is_array($value))
        {
                echo '<li>' . $key . ' => ' . $value . '</li>';
        }
        else
        {
                echo '<li>' . $key . '</li>';
                echo '<ul>';
                foreach($value as $v)
                {
                        echo '<li>' . $v . '</li>';
                }
                echo '</ul>';
        }
    }
    echo '</ul>';
    ?>

    </p>
    <p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
    <p><a href="?logout=">Logout</a></p>

  </body>
</html>

UGCAS_Simple example (specifically for webpages.ugent.be)

UGCAS_Simple is a CAS client module which returns the username of the person after a succesful login. No extra attributes nor logout are supported.

UGCAS_Simple can be downloaded from UGCAS_Simple-0.1.zip and contains:

• UGCAS_Simple.php: php cas module. Place it where php can find it.
• hello.php: simple example
• hello2.php: slightly extended example

Java example

Test the example: https://login.ugent.be/cas-java-demo

You can download an example from cas-java-demo.zip

For a Java web application you only have to use a number of filters provided by the CAS developers.

Important: instructions below are for CAS client version 3.1.3 specifically

1. Add the following libraries to WEB-INF/lib (or use Maven):

cas-client-core-3.1.3.jar
commons-logging-1.1.jar
log4j-1.2.5.jar
opensaml-1.1.jar
xmlsec-1.3.0.jar

Download them here: java_servlet_filter_libs.zip

2. add the required filters to WEB-INF/web.xml.

	<context-param>
		<param-name>serverName</param-name>
		<param-value>https://mijnserver.ugent.be</param-value>
	</context-param>

	<filter>
		<filter-name>CAS Single Sign Out Filter</filter-name>
		<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
	</filter>
	<filter-mapping>

		<filter-name>CAS Single Sign Out Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<listener>
		<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>

	</listener>
	<filter>
		<filter-name>CAS Authentication Filter</filter-name>
		<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
		<init-param>

			<param-name>casServerLoginUrl</param-name>
			<param-value>https://login.ugent.be/</param-value>
		</init-param>
		<init-param>
			<param-name>renew</param-name>

			<param-value>false</param-value>
		</init-param>
		<init-param>
			<param-name>gateway</param-name>
			<param-value>false</param-value>

		</init-param>
	</filter>
	<filter>
		<filter-name>CAS Validation Filter</filter-name>
		<filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>

		<init-param>
			<param-name>casServerUrlPrefix</param-name>
			<param-value>https://login.ugent.be/</param-value>
		</init-param>
		<init-param>

			<param-name>tolerance</param-name>
			<param-value>300000</param-value>
		</init-param>
	</filter>
	<filter>

		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>CAS Authentication Filter</filter-name>

		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>CAS Validation Filter</filter-name>
		<url-pattern>/*</url-pattern>

	</filter-mapping>
	<filter-mapping>
		<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<servlet>
		<description>DemoServlet</description>
		<display-name>DemoServlet</display-name>
		<servlet-name>DemoServlet</servlet-name>

		<servlet-class>be.ugent.dict.ugentssoauth.demo.servlet.DemoServlet</servlet-class>
	</servlet>
	<servlet-mapping>
		<servlet-name>DemoServlet</servlet-name>
		<url-pattern>/*</url-pattern>

	</servlet-mapping>
</web-app>

Short explanation:

• mijnserver.ugent.be: host on which the application runs
• tolerance: the tolerance (in ms) for drifting clocks when validating SAML tickets
• redirectAfterValidation: if false, the ticket parameter remains in the url, if true it does not.

3. You can then request the user using request.getRemoteUser() . Attributes can be retrieved from request.getUserPrincipal()

Below an example of how you can retrieve the remote user and its attributes.

import org.jasig.cas.client.authentication.AttributePrincipal;

...

                out.println("You are succesfully logged in as user <b>"	+ request.getRemoteUser() + "</b><br/><br/>");

		AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
		Map attributes = principal.getAttributes();

		if (attributes.size() > 0) {

			out.println("You have " + attributes.size() + " attributes : <br/>");
			Iterator keyIterator = attributes.keySet().iterator();

			while (keyIterator.hasNext()) {

				Object key = keyIterator.next();
				Object value = attributes.get(key);
				out.println("<b>" + key + "</b>" + " : " + value);
		        }
		} else {
			out.println("You have no attributes set");
		}

Spring security

The Spring framework is used in the EDO framework. CAS authentication can be integrated in a Spring based application, using Spring Security.

Spring Security offers out-of-the-box support for CAS 3. Cf. http://static.springframework.org/spring-security/site/reference/html/cas.html for the excellent Spring Security online documentation.

You can download an example from CasSpringsecurityExample.zip . Developers must reconfigure the UserDetailService bean for their environment.

Maven

The Java CAS client can easily be integrated into a Maven-based build system:

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-client-core</artifactId>
    <version>3.1.4</version>

</dependency>
<dependency>
    <groupId>opensaml</groupId>
    <artifactId>opensaml</artifactId>
    <version>1.1b</version>

</dependency>

SSL

Service tickets are validated over an SSL connection with the CAS server. It is therefore necessary that the CAS server certificate is installed into the JVM on which te Java application will run.

sudo $JAVA_HOME/bin/keytool -import -alias login.ugent.be -file CERTIFICATE_FILE
     -keystore $JAVA_HOME/jre/lib/security/cacerts

.NET example

You can download an example from cas-NET-demo.zip.
Below you find the required code to implement the .NET client in your project.

Step 1: add properties in Web.config

	<appSettings>
		<add key="casLoginURL" value="https://login.ugent.be/login"/>
		<add key="casValidateURL" value="https://login.ugent.be/serviceValidate"/>
		<add key="casSamlValidateURL" value="https://login.ugent.be/samlValidate"/>
		<add key="serviceURL" value="jouw geregistreerde cas url"/>
	</appSettings>

Step 2: add the classes "DotNetCasClient" and "DotNetCasAttributePrincipal" to your project. Step 3: add the code below to your main page.

    protected void Page_Load(object sender, EventArgs e)
    {
        DotNetCasAttributePrincipal principal= null;
        String userId = (String)Session["userId"];
        if (userId == null)
        {
            DotNetCASClientServiceValidate client = new DotNetCASClientServiceValidate();

            principal = client.AuthenticatePrincipal(Request, Response);
        }
        if (principal != null && principal.isAutheniticated)
        {
            Session["userId"] = principal.userName;
            Session["userAttributeTable"] = principal.attributes;
        }
    }

From now on your application uses CAS.
Remark: The attributes are stored in a HashTable, each attribute is an arraylist of Strings. The Single Sign Out is not implemented. If you wish to use it, you will have to take care of it.
More information on Single Sign Out can be found on the cas help pages.