Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Central Authentication Service (CAS) Shawn Bayern Research programmer, Yale University Author, JSTL in Action, Web Development with JavaServer Pages.

Published byEmily Osborne Modified over 8 years ago

Similar presentations

Presentation on theme: "The Central Authentication Service (CAS) Shawn Bayern Research programmer, Yale University Author, JSTL in Action, Web Development with JavaServer Pages."— Presentation transcript:

1 The Central Authentication Service (CAS) Shawn Bayern Research programmer, Yale University Author, JSTL in Action, Web Development with JavaServer Pages JSTL implementation lead (JCP, Apache)

2 Agenda Introduction to CAS Examples of CAS in action N-tier authentication Using CAS with applications like portals and web-based email CAS in context CAS at Yale Alternatives to CAS Summary, URLs, Q&A

3 Introducing CAS What is CAS, what does it offer, and how does it function?

4 What is CAS? CAS is a single sign-on framework for Web applications Resources that web applications use (e.g., mail servers) Why single sign-on? Convenience and security (unlikely allies) Users have to do less Applications are protected from one another Content aggregation

5 Aggregating content → Aggregating authentication BeforeAfter

6 CAS in a nutshell Browser Web application Authenticates without sending password Authenticates via password (once) Determines validity of user’s claimed authentication

7 Primary benefits of CAS Works with existing authentication infrastructures, such as Kerberos Can be used by nearly any Web-application development environment (JSP, Servlets, ASP, Perl, mod_perl, PHP, Python, PL/SQL, and so forth) — or as a server-wide Apache module Allows "proxy" authentication for Web portals Lets users authenticate securely to untrusted sites (e.g., student-run sites and third-party vendors) without supplying a password directly Is portable (written in Java: Servlets, JSP, and JSTL) Is freely available from Yale (with source code)

8 How CAS really works Web resource CAS Web browser S C ST ST

9 CAS requirements CAS uses but does not require JavaScript For consistent, secure redirection HTTP cookies For single sign-on CAS server requires Servlet 2.3, JSP 1.2 container

10 Side benefits of CAS Users can be asked to avoid supplying password except to trusted site. Expected URL Known “look and feel” Authentic peer certificate (if anyone cares)

11 Side benefits of CAS Easy way to “reach” users e.g., to require them to change password at regular intervals Centralized maintenance Can change many CAS details without changing client libraries Unified authentication Can manage smart cards, Kerberos, etc. from a single location

12 CAS examples Low-level and high-level APIs and tools

13 Example: Low-level API Java Servlet that authenticates users import edu.yale.its.tp.cas.client.ServiceTicketValidator; ServiceTicketValidator sv = new ServiceTicketValidator(); sv.setCasValidateUrl( "https://secure.its.yale.edu/cas/serviceValidate"); sv.setService(“http://my/url”); sv.setServiceTicket(request.getParameter(“ticket”)); sv.validate(); if (sv.isAuthenticationSuccesful()) { System.out.println("user: " + sv.getUser()); // record authentication in HttpSession } Application must manage redirection to CAS itself

14 Example: Reusable CAS component JSP page to authenticate users Welcome,. If you’ve gotten this far, you are authenticated. Come, make yourself at home. Redirection occurs automatically

15 Example: Declarative CAS authentication in application server Servlet 2.3 filter to assert requirement for CAS authentication CAS Filter edu.yale.its.tp.cas.client.filter.CASFilter edu.yale.its.tp.cas.client.filter.loginUrl https://secure.its.yale.edu/cas/login edu.yale.its.tp.cas.client.filter.validateUrl https://secure.its.yale.edu/cas/proxyValidate CAS Filter /filtered/* Application simply retrieves username from HttpSession

16 Example: Declarative CAS authentication in web server mod_cas for Apache 1.x, Apache 2.x Username exposed as CGI environment variable, REMOTE_USER Or… just protect static content mod_cas supports “Require user X,Y,Z” and “Require group” in addition to “Require valid-user” AuthType CAS Require valid-user Server manages authentication. Application simply checks with server.

17 N-Tier Authentication How can we use CAS in portals, web-based email applications, and other scenarios where non- web resources provide secure data?

18 The goal Portal Web-mail Channel Mail server

19 The problem Applications can authenticate users securely with CAS. But applications don’t have first-hand knowledge of users’ credentials. This is a good thing... Except that the application can’t impersonate the user in order to acquire secure data for the user.

20 CAS’s solution: proxiable credentials 1. During validation of ST, an application acquires a proxy-granting ticket (PGT) from CAS 2. When the application needs access to a resource, it uses the PGT to get a proxy ticket (PT) 3. The application sends the PT to a back- end application. 4. The back-end application confirms the PT with CAS, and also gains information about who proxied the authentication.

21 Proxiable credentials illustrated Web resource CAS ST Non-web resource PGT PT -Username -Identity of web resource

22 Characteristics of CAS’s solution Back-end applications maintain control over their data For instance, IMAP server may assert, “The only web-based email application I trust is https://www.mail.yale.edu/” https://www.mail.yale.edu/ Default: no proxies allowed! User logout or timeout destroys subordinate credentials User must be “present” for proxied authentication to occur.

23 CAS in context How is CAS used at Yale? Are there alternatives to CAS?

24 CAS at Yale Used by systems in support of students and administrators Used occasionally by unprivileged students Mostly Java and Perl; some ASP Apache module used widely Proxy authentication: incipient deployment PAM module to be used with email servers CAS to support uPortal deployment

25 Characteristics of alternative systems Typically require pre-registration Institution determines security requirements of services. May handle more than just authentication Session management ACLs Identification Principal translation May be platform- or server-specific Passport (Windows) Pubcookie May depend on particular institutional characteristics—e.g., Network topology Service hosting on institutionally managed web servers CAS’s main advantages: simplicity and generality.

26 Summary CAS… is a free single sign-on framework from Yale works with nearly all back-end authentication subsystems provides secure authentication for both trusted and untrusted applications CAS supports proxied authentication for applications like portals and web-based email

27 URLs CAS distribution site http://www.yale.edu/tp/cas/ Whitepapers Design Protocol Source distribution License information My email address shawn.bayern@yale.edu

28 Q&A Alternative single sign-on systems? CAS implementation questions? Statistics? Comments from schools already using CAS?

Download ppt "The Central Authentication Service (CAS) Shawn Bayern Research programmer, Yale University Author, JSTL in Action, Web Development with JavaServer Pages."

Similar presentations

Open-source Single Sign-On with CAS (Central Authentication Service)

Open-source Single Sign-On with CAS (Central Authentication Service)
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Central Authentication Service Roadmap JA-SIG Winter 2004.

Central Authentication Service Roadmap JA-SIG Winter 2004.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
WEB1P servintro1 Introduction to servlets and JSP Dr Jim Briggs.

WEB1P servintro1 Introduction to servlets and JSP Dr Jim Briggs.
UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.

UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.
Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.
UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.

UPortal Authentication Options: Design and Application Shawn Bayern Research programmer, Yale University Author, Web Development with JavaServer Pages.
Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.

Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.

UPortal Security and CAS Susan Bramhall ITS Technology & Planning Yale University.
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Similar presentations

Ads by Google