CasLoginModule (Jasig CAS Client for Java

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.jasig.cas.client.jaas
Class CasLoginModule

java.lang.Object
  org.jasig.cas.client.jaas.CasLoginModule

All Implemented Interfaces:: LoginModule

public class CasLoginModule
extends Object
implements LoginModule
extends Object
implements LoginModule

JAAS login module that delegates to a CAS TicketValidator component for authentication, and on success populates a Subject with principal data including NetID and principal attributes. The module expects to be provided with the CAS ticket (required) and service (optional) parameters via PasswordCallback and NameCallback, respectively, by the CallbackHandler that is part of the JAAS framework in which the servlet resides.

Module configuration options:

ticketValidatorClass - Fully-qualified class name of CAS ticket validator class.
casServerUrlPrefix - URL to root of CAS Web application context.
service (optional) - CAS service parameter that may be overridden by callback handler. NOTE: service must be specified by at least one component such that it is available at service ticket validation time
defaultRoles (optional) - Comma-delimited list of static roles applied to all authenticated principals.
roleAttributeNames (optional) - Comma-delimited list of attribute names that describe role data delivered to CAS in the service-ticket validation response that should be applied to the current authenticated principal.
principalGroupName (optional) - The name of a group principal containing the primary principal name of the current JAAS subject. The default value is "CallerPrincipal", which is suitable for JBoss.
roleGroupName (optional) - The name of a group principal containing all role data. The default value is "Roles", which is suitable for JBoss.
cacheAssertions (optional) - Flag to enable assertion caching. This may be needed for JAAS providers that attempt to periodically reauthenticate to renew principal. Since CAS tickets are one-time-use, a cached assertion must be provided on reauthentication.
cacheTimeout (optional) - Assertion cache timeout in minutes.

Module options not explicitly listed above are treated as attributes of the given ticket validator class, e.g. tolerance in the following example.

Sample jaas.config file entry for this module:

 cas {
   org.jasig.cas.client.jaas.CasLoginModule required
     ticketValidatorClass="org.jasig.cas.client.validation.Saml11TicketValidator"
     casServerUrlPrefix="https://cas.example.com/cas"
     tolerance="20000"
     service="https://webapp.example.com/webapp"
     defaultRoles="admin,operator"
     roleAttributeNames="memberOf,eduPersonAffiliation"
     principalGroupName="CallerPrincipal"
     roleGroupName="Roles";
 }

Since:: 3.1.11
Version:: $Revision: 22122 $ $Date: 2010-10-28 13:44:53 -0400 (Thu, 28 Oct 2010) $
Author:: Marvin S. Addison

Field Summary
`protected Assertion`	`assertion` CAS assertion
`protected static Map<TicketCredential,Assertion>`	`ASSERTION_CACHE` Stores mapping of ticket to assertion to support JAAS providers that attempt to periodically re-authenticate to renew principal.
`protected boolean`	`cacheAssertions` Enables or disable assertion caching
`protected static Executor`	`cacheCleanerExecutor` Executor responsible for assertion cache cleanup
`protected int`	`cacheTimeout` Assertion cache timeout in minutes
`protected CallbackHandler`	`callbackHandler` JAAS callback handler
`static int`	`DEFAULT_CACHE_TIMEOUT` Default assertion cache timeout in minutes.
`static String`	`DEFAULT_PRINCIPAL_GROUP_NAME` Default group name for storing caller principal.
`static String`	`DEFAULT_ROLE_GROUP_NAME` Default group name for storing role membership data.
`protected String[]`	`defaultRoles` Roles to be added to all authenticated principals by default
`protected org.apache.commons.logging.Log`	`log` Logger instance
`static String`	`LOGIN_NAME` Constant for login name stored in shared state.
`protected String`	`principalGroupName` Name of JAAS Group containing caller principal
`protected Set<String>`	`roleAttributeNames` Names of attributes in the CAS assertion that should be used for role data
`protected String`	`roleGroupName` Name of JAAS Group containing role data
`protected String`	`service` CAS service parameter used if no service is provided via TextCallback on login
`protected Map<String,Object>`	`sharedState` Login module shared state
`protected Subject`	`subject` JAAS authentication subject
`protected TicketCredential`	`ticket` CAS ticket credential
`protected TicketValidator`	`ticketValidator` CAS ticket validator

Constructor Summary
`CasLoginModule()`

Method Summary
`boolean`	`abort()`
`boolean`	`commit()`
`void`	`initialize(Subject subject, CallbackHandler handler, Map<String,?> state, Map<String,?> options)` Initializes the CAS login module.
`boolean`	`login()`
`boolean`	`logout()`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

LOGIN_NAME

public static final String LOGIN_NAME

Constant for login name stored in shared state.

See Also:: Constant Field Values

DEFAULT_PRINCIPAL_GROUP_NAME

public static final String DEFAULT_PRINCIPAL_GROUP_NAME

Default group name for storing caller principal. The default value supports JBoss, but is configurable to hopefully support other JEE containers.

See Also:: Constant Field Values

DEFAULT_ROLE_GROUP_NAME

public static final String DEFAULT_ROLE_GROUP_NAME

Default group name for storing role membership data. The default value supports JBoss, but is configurable to hopefully support other JEE containers.

See Also:: Constant Field Values

DEFAULT_CACHE_TIMEOUT

public static final int DEFAULT_CACHE_TIMEOUT

Default assertion cache timeout in minutes. Default is 8 hours.

See Also:: Constant Field Values

ASSERTION_CACHE

protected static final Map<TicketCredential,Assertion> ASSERTION_CACHE

Stores mapping of ticket to assertion to support JAAS providers that attempt to periodically re-authenticate to renew principal. Since CAS tickets are one-time-use, a cached assertion must be provided on re-authentication.

cacheCleanerExecutor

protected static Executor cacheCleanerExecutor

Executor responsible for assertion cache cleanup

log

protected final org.apache.commons.logging.Log log

Logger instance

subject

protected Subject subject

JAAS authentication subject

callbackHandler

protected CallbackHandler callbackHandler

JAAS callback handler

ticketValidator

protected TicketValidator ticketValidator

CAS ticket validator

service

protected String service

CAS service parameter used if no service is provided via TextCallback on login

assertion

protected Assertion assertion

CAS assertion

ticket

protected TicketCredential ticket

CAS ticket credential

sharedState

protected Map<String,Object> sharedState

defaultRoles

protected String[] defaultRoles

Roles to be added to all authenticated principals by default

roleAttributeNames

protected Set<String> roleAttributeNames

Names of attributes in the CAS assertion that should be used for role data

principalGroupName

protected String principalGroupName

Name of JAAS Group containing caller principal

roleGroupName

protected String roleGroupName

Name of JAAS Group containing role data

cacheAssertions

protected boolean cacheAssertions

Enables or disable assertion caching

cacheTimeout

protected int cacheTimeout

Assertion cache timeout in minutes

Constructor Detail

CasLoginModule

public CasLoginModule()

Method Detail

initialize

public void initialize(Subject subject,
                       CallbackHandler handler,
                       Map<String,?> state,
                       Map<String,?> options)

Initializes the CAS login module.

Specified by:: initialize in interface LoginModule

Parameters:

subject - Authentication subject.

handler - Callback handler.

state - Shared state map.

options - Login module options. The following are supported:

service - CAS service URL used for service ticket validation.
ticketValidatorClass - fully-qualified class name of service ticket validator component.
defaultRoles (optional) - comma-delimited list of roles to be added to all authenticated principals.
roleAttributeNames (optional) - comma-delimited list of attributes in the CAS assertion that contain role data.
principalGroupName (optional) - name of JAAS Group containing caller principal.
roleGroupName (optional) - name of JAAS Group containing role data
cacheAssertions (optional) - whether or not to cache assertions. Some JAAS providers attempt to reauthenticate users after an indeterminate period of time. Since the credential used for authentication is a CAS ticket, which by default are single use, reauthentication fails. Assertion caching addresses this behavior.
cacheTimeout (optional) - assertion cache timeout in minutes.

login

public boolean login()
              throws LoginException

Specified by:: login in interface LoginModule

Throws:: LoginException

abort

public boolean abort()
              throws LoginException

Specified by:: abort in interface LoginModule

Throws:: LoginException

commit

public boolean commit()
               throws LoginException

Specified by:: commit in interface LoginModule

Throws:: LoginException

logout

public boolean logout()
               throws LoginException

Specified by:: logout in interface LoginModule

Throws:: LoginException