Configuration for the CAS SSO Solution
CAS issues tickets that are sent with requests. 'Secured services' validate these tickets to confirm that the user is authenticated.
When users access Presto, if they have logged in with CAS, the request includes a service ticket unique to that user. Presto validates this ticket to retrieve user ID information needed for authorization.
Presto also obtains a proxy granting ticket from CAS to use if the user runs a mashable that is also secured by CAS. This proxy feature allows Presto to send the mashable a proxy ticket that the mashable can use to authenticate the user.
If users access Presto without first logging in with CAS, Presto redirects users to the login page for CAS instead of the default Presto login page.
To configure Presto to authenticate with CAS, handle login redirects, and enable CAS security profiles for mashables:
1. Enable HTTPS for communication between the Presto Server and the CAS Server. You must:
a. Configure the application server hosting the Presto Server to listen on separate ports for HTTP and for HTTPS. In addition, you must configure a certificate store for the application server.
See Configure HTTPS and Certificate Stores in the Application Server for instructions for Tomcat. If Presto is deployed in another application server, see the documentation for your application server for more information.
b. Obtain a certificate for the Presto Server and add it to the certificate store.
If the CAS Server uses a self-signed certificate, you must also add that certificate to the certificate store.
See The Certificate Store and Certificates for more information.
2. Open applicationContext-security.xml in any text or XML editor.
This file is located in the web-apps-home/presto/WEB-INF/classes folder.
3. Make sure that the import statement for applicationContext-security-authn-cas2.xml is uncommented.
For example:
...
<import resource="applicationContext-security-authn-rememberme.xml"/>
<import resource="applicationContext-scheduler.xml"/>

<!-- import resource="applicationContext-security-authn-x509.xml"/-->
<!-- import resource="applicationContext-security-authn-rsa.xml"/-->

<import resource="applicationContext-security-authn-cas2.xml"/>
...
4. Find the bean with authenticationEntryPointFilter ID and change the value of the defaultAuthenticationModuleName property to cas.
For example:
...
<bean id="authenticationEntryPointFilter"
>
<property name="authentiationModules">
<map>
<entry key="cas" value-ref="casAuthenticationEntryPoint"/>
<entry key="prestohub"
value-ref="prestoDefaultAuthenticationEntryPoint"/>
</map>
</property>
<property name="defaultAuthenticationModuleName" value="cas"/>
</bean>
...
5. Find the bean with preauthAuthProvider ID and:
a. Comment out the preauthenticated user details property based on UserDetailsByNameServiceWrapper.
b. Uncomment the preauthenticated user details property based on casAuthenticatedUserDetailsService.
For example:
<bean id="preauthAuthProvider"
class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService"
ref="casAuthenticationUserDetailsService"/>
<!-- property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userRepositoryAccessAdapter"/>
</bean>
</property -->
</bean>
6. Save your changes to applicationContext-security.xml.
7. Open applicationContext-security-filters-default.xml in any text or XML editor.
This file is located in the web-apps-home/presto/WEB-INF/classes folder.
8. Make sure that the line beginning with /**/cas/** is not commented out. Save your changes, if any.
9. Set configuration properties to redirect users to the CAS login form if requests attempt to access Presto directly without a valid CAS ticket. You must:
a. Open the sso.properties file in any text editor.
This file is located in the web-apps-home/presto/WEB-INF/classes folder.
b. Set the following properties for the Presto Server:
* prestoServerInfo.host = the host name or IP address for this Presto Server.
* prestoServerInfo.httpPort = the HTTP port for this Presto Server. This is 8080 if you installed Presto with default ports.
* prestoServerInfo.httpsPort = the HTTPS port for this Presto Server. For Tomcat, 8443 is the default HTTPS port.
c. Set the following properties for the CAS Server:
* ssoServerInfo.host = the host name or IP address for this CAS Server.
If the CAS server is deployed at https://cas.myOrg.com:9443/cas, for example, the host would be cas.myOrg.com.
* ssoServerInfo.httpsPort = the HTTPS port for this CAS Server.
If the CAS server is deployed at https://cas.myOrg.com:9443/cas, for example, the HTTPS port would be 9443.
* ssoServerInfo.rootPath = the relative path, starting from the host and HTTPS port for this CAS Server.
If the CAS server is deployed at https://cas.myOrg.com:9443/cas, for example, the root path would be cas.
* ssoServerInfo.loginPath = the relative path, starting from the root path where this CAS server is deployed, to the login page where users should be redirected if they do not have a valid CAS ticket.
If the URL for your CAS login page is https://cas.myOrg.com:9443/cas/login, this property should be login, because the rest of the URL is set in other properties.
d. Save your changes.
10. Restart the Presto Server. See Start and Stop the Presto Server for instructions.
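A pre-restart check for the edits in steps 3 to 5 and the CAS properties in step 9, added here as an example; it is not part of the Presto product or its documentation. The function names and sample inputs are constructed, and the way the four ssoServerInfo values are joined into one URL is an assumption based on the examples in step 9.

```python
import re
import xml.etree.ElementTree as ET

def check_security_context(xml_text):
    """Check steps 3-5. ElementTree drops comments, so commented-out XML is absent."""
    elems = list(ET.fromstring(xml_text).iter())
    beans = {e.get("id"): e for e in elems if e.tag.endswith("bean")}  # or "{ns}bean"
    imports = {e.get("resource") for e in elems if e.tag.endswith("import")}
    def prop(bean_id, name):
        for p in beans.get(bean_id, ()):
            if p.tag.endswith("property") and p.get("name") == name:
                return p
    problems = []
    if "applicationContext-security-authn-cas2.xml" not in imports:
        problems.append("cas2 import missing or commented out")
    default = prop("authenticationEntryPointFilter", "defaultAuthenticationModuleName")
    if default is None or default.get("value") != "cas":
        problems.append("defaultAuthenticationModuleName is not cas")
    details = prop("preauthAuthProvider", "preAuthenticatedUserDetailsService")
    if details is None or not details.get("ref"):
        problems.append("preauthAuthProvider lacks a ref to the CAS user details service")
    return problems

def cas_login_url(props_text):
    """Compose the step 9 redirect target; the composition order is an assumption."""
    p = dict(re.findall(r"^[ \t]*([\w.]+)[ \t]*=[ \t]*(.*?)[ \t\r]*$", props_text, re.M))
    host, port = p["ssoServerInfo.host"], p["ssoServerInfo.httpsPort"]
    if "/" in host or not port.isdigit():
        raise ValueError("host must be a bare name or IP address, httpsPort a number")
    keys = ("ssoServerInfo.rootPath", "ssoServerInfo.loginPath")
    return f"https://{host}:{port}/" + "/".join(p[k].strip("/") for k in keys)

# Constructed sample inputs; the cas2 import is still commented out here.
SAMPLE_XML = """<beans>
  <!-- import resource="applicationContext-security-authn-cas2.xml"/-->
  <bean id="authenticationEntryPointFilter">
    <property name="defaultAuthenticationModuleName" value="cas"/>
  </bean>
  <bean id="preauthAuthProvider">
    <property name="preAuthenticatedUserDetailsService" ref="casAuthenticationUserDetailsService"/>
  </bean>
</beans>"""
SAMPLE_PROPS = """ssoServerInfo.host = cas.myOrg.com
ssoServerInfo.httpsPort = 9443
ssoServerInfo.rootPath = cas
ssoServerInfo.loginPath = login"""

if __name__ == "__main__":
    print(check_security_context(SAMPLE_XML))
    print(cas_login_url(SAMPLE_PROPS))
```

An empty list from check_security_context means the three edits are in place; a ValueError from cas_login_url usually means a full URL was pasted into ssoServerInfo.host.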
Copyright © 2013-2015 Software AG, Darmstadt, Germany.
