Single Sign-On in CAS Server with Java Spring Security

Bala Venkatesh
4 min readJul 18, 2018
Single sign on

Central Authentication Service (CAS) is a Single Sign-On service. Consider a scenario with several different applications that all require user authentication. The most straightforward way is to build a separate security mechanism for each application, but it is better to implement one mechanism that performs authentication for all applications in a single place (i.e. Single Sign-On).

How it works!

To understand how CAS works and its protocol specification, please refer to this link.

SSO structure

There are two components involved in CAS:

  1. Setting up the CAS server.
  2. Setting up the CAS clients (i.e. one or more applications) which connect to the CAS server for authentication.

In this blog, we are going to check out how to build the CAS server using Spring Boot.

Clone using Maven-Overlay

The quickest way to implement and deploy the CAS server is the Maven overlay method. Here we use the quick-start template, which can be cloned and used as a CAS server. We can then modify the CAS server according to our needs on our local system.

Adding necessary dependencies

Here I am going to use JDBC for database authentication. Add the following dependencies to pom.xml.

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-jdbc</artifactId>
  <version>${cas.version}</version>
</dependency>
<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-jdbc-drivers</artifactId>
  <version>${cas.version}</version>
</dependency>

Note: the overlay resolves the CAS version automatically, so it is not necessary to specify the version explicitly.

Generating the SSL keystore for secured connections

Next, create the src/main/resources folder and copy the contents of cas-server/etc into it.

In order to establish the HTTPS connection, we have to generate a local SSL keystore. You can generate the keystore by following the instructions at the given link.

Then the certificate from the generated keystore has to be imported into the Java cacerts truststore. It can be done using these terminal commands (one for the JDK's cacerts, one for the standalone JRE's):

keytool -import -alias thekeystore -storepass changeit -file thekeystore.crt -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
keytool -import -alias thekeystore -storepass changeit -file thekeystore.crt -keystore "C:\Program Files\Java\jre1.8.0_152\lib\security\cacerts"

Specifying port and SSL configurations

In src/main/resources/application.properties add the following lines to configure the port and the SSL keystore location.

server.port=6443
cas.standalone.config=classpath:/etc/cas/config

After the certificate has been imported, restart, killing any running JVM, so that the JVM picks up the updated cacerts.

Building the project

Then generate the WAR file using Maven → install and deploy it. Starting the server may take some time; when it is ready it prints "ready" in the console. Now you can see the default login screen by visiting https://localhost:6443/cas.

The default username is casuser and the password is Mellon.

Connecting the CAS server to the Database

So far we have connected CAS with static credentials; in real-world applications, however, we need to connect the CAS server to a database. We will show you how to connect CAS to MSSQL Server.

Add the following data to the src/main/resources/application.properties file.

#cas.authn.accept.users=casuser::Mellon
cas.authn.accept.users=
cas.authn.accept.name=

#CAS Database Authentication Property
cas.authn.jdbc.query[0].sql=SELECT * FROM USER WHERE USERNAME= ?
cas.authn.jdbc.query[0].url=jdbc:sqlserver://127.0.0.1:1433;databaseName=TEST
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.SQLServer2012Dialect
cas.authn.jdbc.query[0].user=root
cas.authn.jdbc.query[0].password=root
cas.authn.jdbc.query[0].ddlAuto=none
#cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Driver
cas.authn.jdbc.query[0].driverClass=com.microsoft.sqlserver.jdbc.SQLServerDriver
cas.authn.jdbc.query[0].fieldPassword=PASSWORD
cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=NONE
cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=NONE

Leaving the fields cas.authn.accept.users and cas.authn.accept.name blank deactivates the server's static user repository.

According to the above SQL, we have a database called TEST with a table USER in which all user details are stored. The principal for the server is the USERNAME column, and the password column is declared with cas.authn.jdbc.query[0].fieldPassword=PASSWORD.

Encryption and character encoding

Apart from these, the CAS server also supports password encoding and character encoding. It supports many encoding mechanisms such as BCRYPT. In this case it is set to NONE, so the value stored in the PASSWORD column is compared as-is. Running the server now (after a build) will enable authentication of the users present in the configured database.
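As an added example (not from the original post), here is the same JDBC query authenticator with the weak settings shown above replaced: BCRYPT instead of NONE for the password encoder, and a dedicated database account instead of root/root. It assumes the PASSWORD column already holds BCrypt hashes, that CAS_DB_USER and CAS_DB_PASSWORD are placeholders for your own low-privilege account, and that passwordEncoder.strength is the cost-factor property in your CAS version (check the CAS documentation for the release you run).

```properties
# Added example, not part of the original post.
# Static users stay disabled, exactly as in the post.
cas.authn.accept.users=
cas.authn.accept.name=

# Weak settings from the post (kept commented out for comparison):
# the stored PASSWORD value is compared as-is, and the DB account is root/root.
#cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
#cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=NONE
#cas.authn.jdbc.query[0].user=root
#cas.authn.jdbc.query[0].password=root

# Same query, URL, dialect and driver as in the post.
cas.authn.jdbc.query[0].sql=SELECT * FROM USER WHERE USERNAME= ?
cas.authn.jdbc.query[0].url=jdbc:sqlserver://127.0.0.1:1433;databaseName=TEST
cas.authn.jdbc.query[0].dialect=org.hibernate.dialect.SQLServer2012Dialect
cas.authn.jdbc.query[0].driverClass=com.microsoft.sqlserver.jdbc.SQLServerDriver
cas.authn.jdbc.query[0].ddlAuto=none
cas.authn.jdbc.query[0].fieldPassword=PASSWORD

# Placeholders (assumed): a dedicated account that can only SELECT from USER.
cas.authn.jdbc.query[0].user=CAS_DB_USER
cas.authn.jdbc.query[0].password=CAS_DB_PASSWORD

# Hardened: the PASSWORD column holds BCrypt hashes and CAS verifies the
# submitted password against them instead of comparing plaintext.
cas.authn.jdbc.query[0].passwordEncoder.type=BCRYPT
# Assumed property name for the BCrypt cost factor; verify against your CAS version.
cas.authn.jdbc.query[0].passwordEncoder.strength=12
```

With this in place, rows whose PASSWORD value is not a BCrypt hash will simply fail to authenticate, so hash the stored passwords before switching the encoder type.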

That’s it. We have built the CAS server and it is ready to work. There are many other aspects of the CAS server, and they can be configured by following the documentation at this link.

CAS login page

In the next blog, I will write about the CAS client with Spring Security configuration.

Happy learning!
