Introducing JA-SIG Central Authentication Service 3.0Scott [email protected], the State University of New Jersey
Outline
What is CAS? History of CAS
CAS 1.x CAS 2.x
Introducing CAS 3 Development Process/Developers Design Goals Why build CAS 3?
Advanced CAS 3 Usage Clustering/Load Balancing Accepting Multiple Credential Types SAML Support
The Future Helping with CAS Development
What is CAS?
CAS is…Single sign on for the webA trusted intermediaryA proxy authenticator to back-end services
History of CAS: CAS 1.x
Original version released by Yale University
Offered single sign on for the web Consisted of servlets and JSP pages
History of CAS: CAS 2
Also developed at Yale University Introduced concept of proxy authentication
to CAS Simple: 6 servlets and fewer than 10 JSPs Extremely popular Large User Community
CAS 3.0: Why Build CAS 3?
CAS 2.0 was an excellent project CAS 2.0 was easy to use CAS 2.0 was not easy to extend or
augment with local requirements CAS 3.0 attempts to solve the last
problem!
CAS 3.0: Why Build CAS 3?
Making changes to CAS 2.0 generally requires forking the code base
Adding new features may require a lot of copying and pasting which may get out of sync with core code base.
CAS 3.0: Why Build CAS 3?
CAS 3 offers…CAS 2 compliance out of the boxUnit/Integration Tests and Compliance TestsProper domain modelRevamped architectureSupport for well-known modifications
CAS 3.0: Design Goals
First and foremost CAS3 will be Flexible, Extensible and Elegant.
CAS3 will maintain backward compatibility with CAS 2.0 and CAS 1.0 protocols while providing extension points for well-known modifications and new features such as support for Web Services, SAML and Shibboleth.
CAS Clients written for older versions of CAS will work with CAS3 without modification.
CAS 3.0: Development Process
Started as a Yale/Rutgers collaboration Became JA-SIG Project in December
2004 JA-SIG project makes it open-source Available in public JA-SIG CVS, nightly
builds on Clearinghouse machines, etc.
CAS 3.0: Development Team
Yale University Susan Bramhall Howard Gilbert Drew Mazurek Andy Newman Andrew Petro
Rutgers, the State University of New Jersey Scott Battaglia Dmitriy Kopylenko Bill Thompson
CAS 2 Compliance
In terms of protocol, drop in replacement for CAS 2.0
Requires no modifications to client applications
Includes adaptor to allow plugging in CAS 2 PasswordHandler into CAS 3 architecture
Unit/Integration/Compliance Tests
Unit and Integration Tests coverage of major components Utilizes JUnit, Clover According to Clover, 99.5% test coverage Allows us to refactor with confidence!
Compliance Tests Run against live server Test compliance to CAS 2 specification Currently 48 tests
Proper Domain Model
Major Breakthrough: Only Two Types of Tickets Ticket Granting Ticket Service Tickets
Domain logic belongs with Domain Objects Example: A ticket can determine if its expired Simplifies implementations of supporting pieces
Revamped Architecture
Built on popular open-source frameworks Spring Framework Quartz xFire Jakarta Commons Log4j Maven
Design Philosophy: don’t reinvent the wheel
Revamped Architecture
Loose coupling of componentsVia Dependency InjectionDeclarative configuration via XML files
Coding to interfacesSwap implementations to suite needs Implementations adhere to contractExample: TicketRegistry
Revamped Architecture
Uses Design PatternsPatterns allow for a common understandingExample: Template Design Pattern
Layered ArchitectureSeparation of UI concerns from business
concernsAllows for better re-use of codeExample: Web Tier vs. Web Service
Revamped Architecture
Use of AOP to separate cross-cutting concerns for business logicAllows for major additions to functionality
without modifying core codeExample: auditing
Use of Spring Workflow allows for declarative reconfiguration of Login process
Support for Well-Known Modifications Gathered list from current and future
(potential) CAS deployers CAS 3 includes extensions points for well-
known modifications CAS 3 (via Spring) supports using AOP to
introduce modifications
Support for Well-Known Modifications Audit Trail Modification (identified by
CalPoly) Services Whitelist (identified by Columbia
and University of Delaware) Additional Principal (and Authentication)
Attributes (Rutgers, others) Ticket Statistics (Yale)
Support for Well-Known Modifications Audit Trail Modification
CAS supports publishing of eventsEventListener listens for eventsDeployers can code and register
“EventHandlers” that allow them to log particular events
Support for Well-Known Modifications Attributes
CAS supports plugging in PrincipalResolvers and MetaDataPopulators
Allow to attach attributes to principals (i.e. hair color or employee type)
Attach attributes to Authentication (i.e. safeword authentication)
Can customize view to pass back attributes.
Support for Well-Known Modifications Ticket Statistics
Exposed via JMXTell how many of each ticket type were
vendedTell how many tickets of each type were
vended per second
Clustering/Load Balancing CAS
All CAS Domain objects are serializable Tickets are only stored in TicketRegistry TicketRegistry is interface Implement JGroups TicketRegistry (David
Stacey)
Accepting Multiple Credential Types Web Login defined by workflow Dartmouth identified need to have
augmented login workflow Need to check for Client Certificate before
displaying login form
SAML Support
Standard XML-based framework Used to create and exchange info
amongst online partners CAS can offer alternatives to the CAS 2
Protocol views One alternative is a SAML response
The Future of CAS
Advanced SAML Support Support for both SAML request and responses
Shibboleth Support Requires advanced SAML support Allow CAS to speak to Shibboleth
Who knows what else… current architecture allows for many possibilities
The Future of CAS
Already working on a 3.0.1 (and beyond)XMLBeans viewMore robust registry cleaners Increased compatibility testingSupport for Single Sign out (requires new
clients)
Helping with CAS 3.0 Development
What can YOU do to help? Look at what CAS 3 has to offer Use CAS 3 Report bugs/feature requests/etc to the development
list Give your extensions back to the community Share your experiences using CAS with the
community Join the CAS mailing list