CAS is the Central Authentication Service for UGent. CAS allows you to log on to secured UGent pages using your account.
If you develop web applications which require user authentication, you can make use of CAS. CAS provides single sign on and single sign out and can return extra parameters along with the authenticated login name.
Tip: on the CAS (Centrale Authentication Service): introduction-page you find the answers to questions as "What is CAS?/ What is Central Authentication?", "How long do I remain logged on?", "How do I log out?".
Your web application directs the user to the CAS login page.
e.g.
https://login.ugent.be/login?service=https://login.ugent.be/cas-java-demo
Following authentication, CAS redirects the user to the original web application, which was passed within the url as service parameter. If the user is logged on to another web application, no login page will be presented. (= Single Sign On)
For single sign out, CAS sends a POST request to all applications the user is logged on to.
CAS can be tested following the instructions below. Please send your remarks about CAS to login@UGent.be .
Registration is required. Enter the following:
A registration is only possible when
CAS uses your web application url to compare the service parameter with the registered web applications. If a CAS redirect occurs in several pages of an application, you can enter the main url, followed by 2 *s (= wildcards). Be careful if you have other web applications in the same domain.
https://foo.UGent.be/bar/**
By default, the login name (uid) is returned. Following LDAP attributes are available on demand:
In this way, you can request LDAP attributes without having to resort to adressing the UGent LDAP from within your application . Based on the requirements of your applications, the above attribute list may be adapted.
Use CAS for authentication only, not for session management. You should provide session management in your application. Make sure that the authenticated login name is stored after succesful authentication.
CAS is enabled by default on the webshare servers.
Authentication can be enabling by adding this to the .htaccess file on your webshare :
Authtype Cas Require valid-userThis enables CAS and requires a successful login with an active UGent account
Require user usernameReplace 'username' by the actual username
Require cas-attribute surname:Petersthis allows access to people whose surname is 'Peters'
More info is available on https://github.com/apereo/mod_auth_cas
PHP 7.3
A php CAS library is available at: https://github.com/apereo/phpCAS : Download version 1.3.8.
The example below illustrates the use of the library:
Please adapt the certificate path to the actual certificate location! When the certificate path is incorrect, it will produce an infinite redirect loop error.
<?php include_once('CAS.php'); //phpCAS::setDebug('/srv/vhost/mijnsite.ugent.be/htdocs/tmp/phpCAS.log'); // Schrijft debug informatie naar een log-file // Parameters: CAS version, CAS server url, CAS server port, CAS server URI (same as host), // boolean indicating session start phpCAS::client(CAS_VERSION_2_0,'login.ugent.be',443,'', true); // Server from which logout requests are sent phpCAS::handleLogoutRequests(true, array('login.ugent.be')); // Path to the "trusted certificate authorities" file: phpCAS::setCasServerCACert('/etc/ssl/certs/ca-certificates.crt'); // No server verification (less safe!): //phpCAS::setNoCasServerValidation(); // The actual user authentication phpCAS::forceAuthentication(); // Handle logout requests if (isset($_REQUEST['logout'])) { phpCAS::logout(); } ?> <html> <head> <title>phpCAS simple client</title> </head> <body> <h1>Successfull Authentication!</h1> <p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p> <p>the attributes are: <?php echo '<ul>'; $attr = phpCAS::getAttributes(); foreach ($attr as $key => $value) { if(!is_array($value)) { echo '<li>' . $key . ' => ' . $value . '</li>'; } else { echo '<li>' . $key . '</li>'; echo '<ul>'; foreach($value as $v) { echo '<li>' . $v . '</li>'; } echo '</ul>'; } } echo '</ul>'; ?> </p> <p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p> <p><a href="?logout=">Logout</a></p> </body> </html>
UGCAS_Simple is a CAS client module which returns the username of the person after a succesful login. No extra attributes nor logout are supported.
UGCAS_Simple can be downloaded from UGCAS_Simple-0.1.zip and contains:
Test the example: https://login.ugent.be/cas-java-demo
You can download an example from cas-java-demo.zip
For a Java web application you only have to use a number of filters provided by the CAS developers.
Important: instructions below are for CAS client version 3.1.3 specifically
1. Add the following libraries to WEB-INF/lib (or use Maven):
cas-client-core-3.1.3.jar commons-logging-1.1.jar log4j-1.2.5.jar opensaml-1.1.jar xmlsec-1.3.0.jar
Download them here: java_servlet_filter_libs.zip
2. add the required filters to WEB-INF/web.xml.
<context-param> <param-name>serverName</param-name> <param-value>https://mijnserver.ugent.be</param-value> </context-param> <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://login.ugent.be/</param-value> </init-param> <init-param> <param-name>renew</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>gateway</param-name> <param-value>false</param-value> </init-param> </filter> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://login.ugent.be/</param-value> </init-param> <init-param> <param-name>tolerance</param-name> <param-value>300000</param-value> </init-param> </filter> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <servlet> <description>DemoServlet</description> <display-name>DemoServlet</display-name> <servlet-name>DemoServlet</servlet-name> <servlet-class>be.ugent.dict.ugentssoauth.demo.servlet.DemoServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>DemoServlet</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping> </web-app>
Short explanation:
3. You can then request the user using request.getRemoteUser() . Attributes can be retrieved from request.getUserPrincipal()
Below an example of how you can retrieve the remote user and its attributes.
import org.jasig.cas.client.authentication.AttributePrincipal; ... out.println("You are succesfully logged in as user <b>" + request.getRemoteUser() + "</b><br/><br/>"); AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal(); Map attributes = principal.getAttributes(); if (attributes.size() > 0) { out.println("You have " + attributes.size() + " attributes : <br/>"); Iterator keyIterator = attributes.keySet().iterator(); while (keyIterator.hasNext()) { Object key = keyIterator.next(); Object value = attributes.get(key); out.println("<b>" + key + "</b>" + " : " + value); } } else { out.println("You have no attributes set"); }
The Spring framework is used in the EDO framework. CAS authentication can be integrated in a Spring based application, using Spring Security.
Spring Security offers out-of-the-box support for CAS 3. Cf. http://static.springframework.org/spring-security/site/reference/html/cas.html for the excellent Spring Security online documentation.
You can download an example from CasSpringsecurityExample.zip . Developers must reconfigure the UserDetailService bean for their environment.
The Java CAS client can easily be integrated into a Maven-based build system:
<dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-client-core</artifactId> <version>3.1.4</version> </dependency> <dependency> <groupId>opensaml</groupId> <artifactId>opensaml</artifactId> <version>1.1b</version> </dependency>
Service tickets are validated over an SSL connection with the CAS server. It is therefore necessary that the CAS server certificate is installed into the JVM on which te Java application will run.
sudo $JAVA_HOME/bin/keytool -import -alias login.ugent.be -file CERTIFICATE_FILE -keystore $JAVA_HOME/jre/lib/security/cacerts
You can download an example from cas-NET-demo.zip.
Below you find the required code to implement the .NET client in your project.
Step 1: add properties in Web.config
<appSettings> <add key="casLoginURL" value="https://login.ugent.be/login"/> <add key="casValidateURL" value="https://login.ugent.be/serviceValidate"/> <add key="casSamlValidateURL" value="https://login.ugent.be/samlValidate"/> <add key="serviceURL" value="jouw geregistreerde cas url"/> </appSettings>
Step 2: add the classes "DotNetCasClient" and "DotNetCasAttributePrincipal" to your project. Step 3: add the code below to your main page.
protected void Page_Load(object sender, EventArgs e) { DotNetCasAttributePrincipal principal= null; String userId = (String)Session["userId"]; if (userId == null) { DotNetCASClientServiceValidate client = new DotNetCASClientServiceValidate(); principal = client.AuthenticatePrincipal(Request, Response); } if (principal != null && principal.isAutheniticated) { Session["userId"] = principal.userName; Session["userAttributeTable"] = principal.attributes; } }
From now on your application uses CAS.
Remark: The attributes are stored in a HashTable, each attribute is an arraylist of Strings.
The Single Sign Out is not implemented. If you wish to use it, you will have to take care of it.
More information on Single Sign Out can be found on the cas help pages.