18 Replies. Latest reply on Jan 24, 2008 6:59 AM by koenhandekyn

    How can I integrate CAS client into Seam?

    wuhaixing

      Is there any 'deep' integration solution?

        • 1. Re: How can I integrate CAS client into Seam?
          matt.drees

          I don't think there's a standard way to do it yet. I took the Jasig cas client and configured it with Seam instead of spring, and though I'm not really using it the way it was intended, it's working. It's not in a place where I could easily share what I have right now, but I hope to put together a blog or wiki page with what I have in the next few months.

          • 2. Re: How can I integrate CAS client into Seam?
            wuhaixing

             Thanks! One more question: how did you create the Seam Identity after authentication?

            • 3. Re: How can I integrate CAS client into Seam?
              matt.drees

               I have an Authenticator component that looks in the session for the CAS assertion, and sets the Identity username appropriately. (It assumes that the CAS ticket validation has already happened.)
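               The approach described above, written out as an added example (this is not matt.drees's code or the Jasig project's code): a Seam 2.0 authenticator component that reads the assertion which the Jasig Java CAS Client 3.x stores in the HTTP session after ticket validation. It assumes the Jasig AuthenticationFilter and Cas20ProxyReceivingTicketValidationFilter are mapped in web.xml ahead of the Seam filter, and that the component is wired up in components.xml as the identity's authenticate-method. The attribute name ROLE_ATTRIBUTE is a placeholder; whether your CAS server releases any attributes at all is deployment specific, and the code grants no roles when it does not.

```java
// Added example (not from the thread): Seam 2.0 authenticator backed by the
// Assertion that the Jasig Java CAS Client 3.x leaves in the HTTP session.
import java.util.Collection;
import java.util.Date;
import java.util.Map;

import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;

@Name("authenticator")
public class CasAssertionAuthenticator {

    // Placeholder (assumption): the released CAS attribute whose values become Seam roles.
    private static final String ROLE_ATTRIBUTE = "memberOf";

    @Logger private Log log;
    @In private Identity identity;

    // Wired in components.xml as
    // <security:identity authenticate-method="#{authenticator.authenticate}"/>
    public boolean authenticate() {
        // The Jasig validation filter stores the validated Assertion under this session
        // key once it has checked the service ticket with the CAS server.
        Assertion assertion = (Assertion) Contexts.getSessionContext()
                .get(AbstractCasFilter.CONST_CAS_ASSERTION);

        if (assertion == null) {
            // No validated ticket for this session: fail closed and grant nothing.
            log.info("no CAS assertion in session, refusing login");
            return false;
        }

        Date validUntil = assertion.getValidUntilDate();
        if (validUntil != null && validUntil.before(new Date())) {
            // Stale assertion left over in an old session: drop it and refuse.
            log.info("CAS assertion for #0 has expired", assertion.getPrincipal().getName());
            Contexts.getSessionContext().remove(AbstractCasFilter.CONST_CAS_ASSERTION);
            return false;
        }

        String username = assertion.getPrincipal().getName();
        identity.setUsername(username);
        log.info("authenticating CAS user #0", username);

        int roles = addRolesFromAttributes(assertion.getPrincipal().getAttributes());
        log.info("added #0 role(s) for #1", roles, username);
        return true;
    }

    // Maps the (optional) role attribute onto Seam roles. A CAS attribute value arrives
    // as a single String or, when multi-valued, as a Collection; both forms are handled.
    private int addRolesFromAttributes(Map<?, ?> attributes) {
        if (attributes == null) {
            return 0;
        }
        Object value = attributes.get(ROLE_ATTRIBUTE);
        int count = 0;
        if (value instanceof Collection) {
            for (Object role : (Collection<?>) value) {
                identity.addRole(String.valueOf(role));
                count++;
            }
        } else if (value != null) {
            identity.addRole(String.valueOf(value));
            count++;
        }
        return count;
    }
}
```

               The important design choice is that the method returns false, and adds no role, whenever there is no (or only an expired) assertion in the session; a template authenticator that returns true unconditionally would log anonymous visitors in as soon as a page with `#{identity.login}` as its action is hit.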

              • 4. Re: How can I integrate CAS client into Seam?
                wuhaixing

                Thanks a lot

                • 5. Re: How can I integrate CAS client into Seam?
                  wuhaixing

                  Hi, Matt. I set edu.yale.its.tp.cas.client.filter.serviceUrl to my login page in web.xml,
                  and then set login.xhtml's action to identity.login in the page.xml.
                  In the authenticator component, it seems identity.login resets the session, and I can't get the username at all.
                  Would you tell me what I should do?
                  Thanks in advance!

                  • 6. Re: How can I integrate CAS client into Seam?
                    matt.drees

                    It sounds like you're using an approach that should work.

                    Why do you think identity.login is resetting the session? How are you trying to get the Cas username?

                    And also, I'm not using the Yale client, but the Ja-sig client. The Yale one should work fine, though, for what you're doing.

                    • 7. Re: How can I integrate CAS client into Seam?
                      wuhaixing

                      This is what is in my web.xml:

                       <filter>
                         <filter-name>CAS Filter</filter-name>
                         <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
                         <init-param>
                           <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
                           <param-value>https://localhost:8443/cas/login</param-value>
                         </init-param>
                         <init-param>
                           <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
                           <param-value>https://localhost:8443/cas/proxyValidate</param-value>
                         </init-param>
                         <init-param>
                           <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
                           <param-value>http://localhost:8080/epass/login.seam</param-value>
                         </init-param>
                       </filter>



                      and this is in the page.xml:
                       <page view-id="/login.xhtml" action="#{identity.login}">
                         <navigation from-action="#{identity.login}">
                           <rule if="#{identity.loggedIn}">
                             <redirect view-id="/home.xhtml"/>
                           </rule>
                           <rule if="#{not identity.loggedIn}">
                             <redirect view-id="/users/register.xhtml"/>
                           </rule>
                         </navigation>
                       </page>



                      and then in components.xml, I have this:
                       <security:identity authenticate-method="#{authenticator.authenticate}"/>


                      In the authenticator...
                       import edu.yale.its.tp.cas.client.filter.CASFilter;
                       import org.jboss.seam.annotations.In;
                       import org.jboss.seam.annotations.Logger;
                       import org.jboss.seam.annotations.Name;
                       import org.jboss.seam.contexts.Contexts;
                       import org.jboss.seam.log.Log;
                       import org.jboss.seam.security.Identity;

                       @Name("authenticator")
                       public class Authenticator {
                         @Logger private Log log;
                         @In private Identity identity;

                         public boolean authenticate() {
                           // The Yale CASFilter stores the validated user name in the HTTP session
                           String username = (String) Contexts.getSessionContext().get(CASFilter.CAS_FILTER_USER);
                           if (username != null) {
                             identity.setUsername(username);
                           }
                           log.info("authenticating #0", identity.getUsername());
                           if (username == null) {
                             return false; // no validated CAS user in this session: grant nothing
                           }
                           // write your authentication logic here
                           identity.addRole("admin");
                           return true;
                         }
                       }


                      The log told me:

                      09:18:11,085 INFO [Contexts] starting up: org.jboss.seam.security.identity
                      09:18:11,092 WARN [RuleBasedIdentity] no security rule base available - please install a RuleBase with the name 'securityRules' if permission checks are required.
                      09:18:11,095 INFO [Contexts] starting up: org.jboss.seam.web.session
                      09:18:13,283 INFO [STDOUT] 2007-10-02 09:18:13,282 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting ContextPath for cookies to: /cas>
                      09:18:19,535 INFO [STDOUT] 2007-10-02 09:18:19,534 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated the user which provided the following credentials
                      >
                      09:18:19,572 INFO [STDOUT] 2007-10-02 09:18:19,572 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-lHKcFO0JY3WxO3lLJrx0a17yhjDhF5fhUmD-20] for service [http://localhost:8080/epass/login.seam] for user [wuhaixing]>
                      09:18:19,709 INFO [Contexts] starting up: org.jboss.seam.security.identity
                      09:18:19,715 WARN [RuleBasedIdentity] no security rule base available - please install a RuleBase with the name 'securityRules' if permission checks are required.
                      09:18:19,718 INFO [Contexts] starting up: org.jboss.seam.web.session
                      09:18:20,054 WARN [SkinFactoryImpl] Init parameter for a skin name changed to org.richfaces.SKIN
                      09:18:20,177 INFO [Authenticator] authenticating null

                      What's wrong?

                      • 8. Re: How can I integrate CAS client into Seam?
                        matt.drees

                        It looks like you've set things up the way I would.

                        The log makes it look like you're being given a new session when you return from CAS; do you have cookies enabled in your browser? Are you sure the filter is validating the ticket successfully?

                        • 9. Re: How can I integrate CAS client into Seam?
                          wuhaixing

                          Yes. If I don't call identity.login, the thing is OK. That's why I think identity.login resets the session.

                          • 10. Re: How can I integrate CAS client into Seam?
                            matt.drees

                            I don't know what to tell you. You could put a breakpoint in Identity.login() and see what's going on. I'm guessing that's not where the problem is, though, but I could be wrong.

                            • 11. Re: How can I integrate CAS client into Seam?

                              I use CAS and I have this working. You may want to review this thread http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119167.
                              I use a different approach than the CAS Filter for authentication, but the process should be the same because by the time Seam steps in to the request processing cycle, your CAS Filter should already have authenticated the user (with the user-Principal being available in the HttpServletRequest - request.getUserPrincipal()).

                              Here is part of my pages config and the relevant code of my authenticator for integrating with Seam identity.

                              <?xml version="1.0" encoding="UTF-8"?>
                              <pages xmlns="http://jboss.com/products/seam/pages"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.0.xsd"
                                     no-conversation-view-id="/index.xhtml">

                                <page view-id="/index.xhtml" action="#{ssoAuthenticator.checkLogin}" login-required="false"/>

                                <page view-id="/*" login-required="true"/>

                                <exception class="org.jboss.seam.security.NotLoggedInException">
                                  <redirect view-id="/index.xhtml">
                                    <message>Please log in first</message>
                                  </redirect>
                                </exception>

                                ...

                              </pages>


                              and here is the authenticator

                              import java.security.Principal;
                              import java.security.acl.Group;
                              import java.util.Enumeration;

                              import javax.faces.context.FacesContext;

                              import org.jboss.seam.ScopeType;
                              import org.jboss.seam.annotations.Logger;
                              import org.jboss.seam.annotations.Name;
                              import org.jboss.seam.annotations.Scope;
                              import org.jboss.seam.log.Log;
                              import org.jboss.seam.security.Identity;

                              @Name("ssoAuthenticator")
                              @Scope(ScopeType.SESSION)
                              public class SSOAuthenticator {

                                @Logger
                                private Log log;

                                // UserPrincipal is this application's own Principal implementation; it carries
                                // the user id and the role Groups. Substitute whatever Principal your CAS filter sets.
                                private UserPrincipal userPrincipal;

                                // see http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119167
                                // This method is configured in pages.xml as an action called for all pages:
                                // <page view-id="/*" login-required="true" action="#{authenticator.checkLogin}"/>
                                public void checkLogin() {
                                  Identity identity = Identity.instance();
                                  final boolean isLoggedIn = identity.isLoggedIn();
                                  // user may already be logged in - check
                                  if (!isLoggedIn) {
                                    authenticate();
                                  } /* else {
                                    do nothing - user is logged in from identity perspective
                                  } */
                                }

                                public boolean authenticate() {
                                  Identity identity = Identity.instance();
                                  boolean authenticated = (userPrincipal != null);
                                  if (!authenticated) {
                                    try {
                                      // Obtain the authenticated UserPrincipal from the Servlet container
                                      FacesContext facesContext = FacesContext.getCurrentInstance();
                                      Principal rawPrincipal = facesContext.getExternalContext().getUserPrincipal();
                                      userPrincipal = (UserPrincipal) rawPrincipal;

                                      // trigger the identity login sequence and add roles
                                      if (userPrincipal != null) {
                                        // Identity must have 'fresh' credentials for the authenticate() call to proceed;
                                        // the password is not checked here, the CAS filter has already authenticated the user
                                        identity.setUsername(userPrincipal.getUserid());
                                        identity.setPassword(userPrincipal.getUserid());
                                        identity.authenticate();
                                        // in my case, our system makes roles available in the UserPrincipal - do what's right for your system
                                        Group[] roleGroups = userPrincipal.getUserRoles();
                                        if (roleGroups != null) {
                                          for (Group group : roleGroups) {
                                            Enumeration<? extends Principal> roles = group.members();
                                            while (roles.hasMoreElements()) {
                                              identity.addRole(roles.nextElement().getName());
                                            }
                                          }
                                        }
                                        authenticated = true;
                                      }
                                    } catch (Exception e) {
                                      log.error(e, e);
                                    }
                                  }
                                  return authenticated;
                                }
                              }


                              You'll need to work out which URLs the CASFilter handles; you may also need to tweak a bit with security constraints (in web.xml). But the code above illustrates a basic approach to integrating Seam identity with any solution in which the user-Principal has somehow been pre-set on the HttpServletRequest.

                              Hope this helps.
                              Brad Smith
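                              Added example, not part of Brad's post: a web.xml filter chain for the Jasig Java CAS Client 3.x that leaves the CAS user on request.getUserPrincipal() before the Seam filter runs, which is the precondition the authenticator above relies on. The filter classes and init-param names are those of the Jasig client; the host names, ports and the /epass context path are placeholders taken from the thread, and the url-pattern is where you decide which URLs CAS protects.

```xml
<!-- Added example (not from the thread): Jasig Java CAS Client 3.x filters for a Seam app.
     Declare these before the Seam Filter's own filter-mapping: the servlet container runs
     filters in the order their filter-mappings appear in web.xml. -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://localhost:8443/cas/login</param-value>
  </init-param>
  <init-param>
    <!-- scheme and host this application is reached at; the service URL is built from it -->
    <param-name>serverName</param-name>
    <param-value>http://localhost:8080</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://localhost:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>http://localhost:8080</param-value>
  </init-param>
  <init-param>
    <!-- after a successful validation, redirect once to strip ?ticket=... from the URL -->
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<filter>
  <!-- wraps the request so getUserPrincipal()/getRemoteUser() return the CAS user -->
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<!-- Authentication first (redirects anonymous requests to CAS, lets ?ticket= through),
     then validation (checks the ticket with CAS and stores the Assertion in the session),
     then the wrapper. Narrow the url-pattern if some pages must stay public. -->
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

                              Two checks worth making with this in place: the CAS server log should show a service ticket granted for a service URL under http://localhost:8080/epass, and a request to any mapped URL without a valid session should come back as a redirect to casServerLoginUrl rather than as a rendered page.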

                              • 12. Re: How can I integrate CAS client into Seam?

                                One other item - CAS SSO server should be deployed standalone in a separate server. Your Seam app (or any app) typically should not be presenting its own login page in a CAS SSO architecture. In other words, there shouldn't be any concept of a 'login.xhtml' in your CAS-adapted Seam application.

                                • 13. Re: How can I integrate CAS client into Seam?
                                  wuhaixing

                                  Thanks, I have read the thread.
                                  I also found this: http://www.ja-sig.org/wiki/display/CASC/CASLoginModule+for+JAAS+applications
                                  Do you think this is a better way?
                                  I know little about JAAS and CAS, so I can't make the decision by myself.
                                  Thanks to all of you!

                                  • 14. Re: How can I integrate CAS client into Seam?
                                    matt.drees

                                    I certainly don't know JAAS, but I don't think that will integrate nicely with Seam security.
