I'm guessing that such a thing wouldn't exist in Apache Tomcat. I'm not sure what you hope to gain by doing that. Surely each context / application is going to have its own security needs. CAS should just bring back enough information for Spring Security or Apache Shiro to take over for the rest of the application security. Spring and Shiro will quite nicely hand over to a CAS handler to force that authentication to CAS.

From my understanding, to have it on the container level would require shared session state amongst all of your contexts. If any of the apps serialize any specific information into the session, it may be required that all of the apps/contexts have the same libraries to load that serialized information. Not sure how good of a job Tomcat does handling competing session writes from different contexts.

Simplest solution is to have each application be in charge of its own security, and use SSO so it is transparent to the end user.

On 08/17/2016 12:20 PM, Ray Bon wrote:
Brad,

Sounds like you are looking for mod_auth_cas for Tomcat. It could be useful but I have not heard of anything like this (though my exposure is limited).

Ray

On 2016-08-17 09:48, Brad wrote:
Given the lack of any coverage on this in the documentation, and void of any reply here, is it a reasonable conclusion that there is no configuration to secure the entire Tomcat 8 container with CAS, and that the only option is securing each individual deployed app WAR via configuration within that WAR?

Any confirmation on this would be great. Of course, lack of any doc on configuration or general knowledge about it presents its own pragmatic support barrier to use even if it is possible, but it would be helpful to confirm whether it is possible or not regardless.

Thanks in advance for any help.

Brad

On Monday, August 15, 2016 at 4:19:17 PM UTC-7, Brad wrote:

    As a first exercise, I configured CAS 4.2.1 on Tomcat 8 / Java 8
    using the Maven overlay, configuring the resulting cas.war and
    the sample Java client webapp (cas-sample-java-webapp) to
    authenticate against LDAP. I was able to get this working
    successfully.

    Now that I have this initial configuration working -- which
    essentially requires every new webapp to be individually
    configured to use CAS, I would like to transition to secure the
    entire Tomcat container to use CAS to authenticate against LDAP,
    such that all deployed webapps are secured with SSO, without
    requiring any specific configuration in the deployed webapps. I
    have seen references to this in older versions of the CAS /
    client documentation, but nothing that really shows definitively
    how to configure this, or to hit LDAP. I tried throwing a valve
    in the server's context.xml file as follows:

      <Valve
        className="org.jasig.cas.client.tomcat.v8.Cas20CasAuthenticator"
        encoding="UTF-8"
        casServerLoginUrl="https://localhost:8443/cas/login"
        casServerUrlPrefix="https://localhost:8443/cas"
        serverName="localhost"
        />

    But this just blows up Tomcat on startup -- every webapp startup
    fails. So I have two questions:

    1. At this point, is it even possible to set up CAS 4.2.1 on Java
    8/Tomcat 8 to authenticate against LDAP using server-wide
    configuration (i.e. no deployed web-apps need CAS-specific
    configuration, in other words, any app deployed to that Tomcat
    instance will be secured behind LDAP-authenticated SSO)?
    2. If the answer to #1 is that yes, it is possible, how is this
    accomplished in Tomcat config?

    Thanks in advance for your help.

    Brad

--
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]>. To post to this group, send email to [email protected] <mailto:[email protected]>. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/68122a6f-b951-45c9-b38c-42c0448bbfdb%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
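
The thread settles on each WAR carrying its own CAS configuration, which leaves the risk that an app is deployed without it. As an added example (not part of the original messages or the CAS project's code), this Python script reports which apps under a Tomcat `webapps` directory declare the Java CAS client's `AuthenticationFilter` mapped to `/*` in `WEB-INF/web.xml`. That marker and the `/*` mapping are assumptions; apps secured through Spring Security or Shiro would need their own check.

```python
import pathlib
import xml.etree.ElementTree as ET
import zipfile

# Servlet filter of the Java CAS client that redirects unauthenticated users to CAS.
CAS_AUTH_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"

# Constructed sample descriptor (not from the thread).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>CAS</filter-name><filter-class>%s</filter-class></filter>
  <filter-mapping><filter-name>CAS</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>""" % CAS_AUTH_FILTER

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace so any web.xml schema version matches

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def cas_status(web_xml):
    """Return 'protected', 'partial' (filter present but not mapped to /*) or 'unprotected'."""
    root = ET.fromstring(web_xml)
    names = {_child_text(e, "filter-name") for e in root
             if _local(e.tag) == "filter" and _child_text(e, "filter-class") == CAS_AUTH_FILTER}
    if not names:
        return "unprotected"
    for e in root:
        if _local(e.tag) == "filter-mapping" and _child_text(e, "filter-name") in names:
            if "/*" in [(c.text or "").strip() for c in e if _local(c.tag) == "url-pattern"]:
                return "protected"
    return "partial"

def audit_webapps(webapps_dir):
    """Map each exploded app or .war under webapps_dir to its CAS status."""
    report = {}
    for entry in sorted(pathlib.Path(webapps_dir).iterdir()):
        try:
            if entry.is_dir():
                xml = (entry / "WEB-INF" / "web.xml").read_bytes()
            elif entry.suffix == ".war":
                with zipfile.ZipFile(entry) as war:
                    xml = war.read("WEB-INF/web.xml")
            else:
                continue
            report[entry.name] = cas_status(xml)
        except (FileNotFoundError, KeyError, zipfile.BadZipFile, ET.ParseError):
            report[entry.name] = "unprotected"  # nothing readable declares the filter: review by hand
    return report
```

Calling `audit_webapps` on the container's `webapps` path returns a dictionary keyed by app name; anything not reported as `protected` is reachable without the CAS redirect under the stated assumptions.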
