CAS-LDAP groups for authorization


öncül korkut

Jun 20, 2017, 4:20:52 AM
to CAS Community
Hi,
I have just started using CAS (v5.0.5), so if this is a silly question, please point me the right way.

I created a Docker image for OpenLDAP (without TLS) and added some LDIF files for groups and users (some of them are at the end of this post, if required *).
I have managed to configure and log in from CAS using LDAP. After that I also implemented a basic Spring Boot application, configured SSL, and can also log in from the Spring Boot application (using spring-security-cas).
The next thing for me to achieve is to get user groups from CAS (as far as I understood from the docs, this could be achievable) and map them to Spring Security constructs (within the Spring Boot application). With some googling, I read some posts (e.g. JA-SIG CAS with Ldap attributes | BowerStudios.com) that show how to code this functionality.

Isn't it possible to get LDAP group membership (or other attributes / links) from configuration and provide them to clients via tokens?

If I inferred right, it should be possible (since it is possible in the management server, using the 'cas.mgmt.authzAttributes[]' keyword to find out the user privileges in conjunction with cas.mgmt.adminRoles); and (from https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#ldap-authentication-1) there are some attributes in the configuration (such as cas.authn.ldap[0].additionalAttributes or cas.authn.ldap[0].credentialCriteria, for which I could not find any documentation of what they are).

Thanks in advance.



*
dn: cn=appadmins,ou=Groups,dc=...
cn: appadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
---
dn: cn=appoperators,ou=Groups,dc...
cn: appoperators
objectClass: top
objectClass: posixGroup
gidNumber: 2000
....
dn: cn=appadmin1,ou=Users,dc=....
cn: appadmin1
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: appadmin-1
uid: appadmin1
uidNumber: 16005
gidNumber: 1000
homeDirectory: /home/appadmin1
loginShell: /bin/bash
....
dn: cn=operator1,ou=Users,dc....
cn: operator1
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: operator1
uid: operator1
uidNumber: 16003
gidNumber: 2000
homeDirectory: /home/operator1
loginShell: /bin/bash
....

öncül korkut

Jun 21, 2017, 9:23:56 AM
to CAS Community
Well, finally I could achieve what I asked. Thanks to the CAS development team for the functionality provided; although I had to merge some blogs, how-tos and Stack Overflow questions to achieve this. For anyone who would like to use the same approach, I wrote my resolution below (please notify me if there is any inconvenience; since I am new to CAS my solution may be incomplete, but it works for CAS v5.0.5, OpenLDAP and Spring Security):

Firstly, CAS clients need to be updated for CAS protocol version 3, to provide additional attributes (in my case 'gidNumber').
Then adding
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://....
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=ou=Users,dc=...
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=cn=admin,dc=...
cas.authn.ldap[0].bindCredential=
cas.authn.attributeRepository.ldap.ldapUrl=ldap://:...
cas.authn.attributeRepository.ldap.useSsl=false
cas.authn.attributeRepository.ldap.useStartTls=false
cas.authn.attributeRepository.ldap.connectTimeout=5000
cas.authn.attributeRepository.ldap.baseDn=ou=Users,dc=...
cas.authn.attributeRepository.ldap.userFilter=uid={user}
cas.authn.attributeRepository.ldap.subtreeSearch=true
cas.authn.attributeRepository.ldap.bindDn=cn=admin,dc=....
cas.authn.attributeRepository.ldap.bindCredential=.....
cas.authn.attributeRepository.ldap.minPoolSize=3
cas.authn.attributeRepository.ldap.maxPoolSize=10
cas.authn.attributeRepository.ldap.validateOnCheckout=true
cas.authn.attributeRepository.ldap.validatePeriodically=true
cas.authn.attributeRepository.ldap.validatePeriod=600
cas.authn.attributeRepository.ldap.failFast=true
cas.authn.attributeRepository.ldap.idleTime=500
cas.authn.attributeRepository.ldap.prunePeriod=600
cas.authn.attributeRepository.ldap.blockWaitTime=5000
cas.authn.attributeRepository.attributes.uid=uid
cas.authn.attributeRepository.attributes.displayName=displayName
cas.authn.attributeRepository.attributes.cn=commonName
cas.authn.attributeRepository.attributes.gidNumber=groupNumber
cas.authn.attributeRepository.defaultAttributesToRelease=groupNumber,displayName


resolved my problem.

The Spring Boot side of my application is as follows:
import javax.servlet.ServletContext;

import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.context.ServletContextAware;

// CasUserDetailsService and LoginAuthenticationFailureHandler are the poster's own classes and are not
// shown in this post: the first must implement AuthenticationUserDetailsService<CasAssertionAuthenticationToken>
// (it is where the released attributes become Spring Security authorities), the second AuthenticationFailureHandler.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ServletContextAware {

    private final Logger logger = LoggerFactory.getLogger(WebSecurityConfig.class);

    private ServletContext servletContext;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The CAS filter consumes the service ticket on /login/cas; the entry point sends
        // unauthenticated requests to the CAS login page.
        http.addFilter(casAuthenticationFilter());
        http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint());
        // Disables CSRF protection for the whole application; in production keep it enabled for
        // browser-facing endpoints and exempt only what really needs it.
        http.csrf().disable();
        http.authorizeRequests().antMatchers("/....").authenticated();
    }

    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
        casAuthenticationEntryPoint.setLoginUrl("https://onculk:6443/cas/login");
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
        return casAuthenticationEntryPoint;
    }

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties = new ServiceProperties();
        // Must be the URL CasAuthenticationFilter listens on (default: /login/cas) and must match
        // the service registered in CAS, or ticket validation fails.
        serviceProperties.setService("https://onculk:2222/login/cas");
        serviceProperties.setSendRenew(false);
        return serviceProperties;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
        casAuthenticationProvider.setAuthenticationUserDetailsService(casUserDetailsService());
        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setTicketValidator(cas30ServiceTicketValidator());
        // Identifies this provider's authentication objects; any unique string will do.
        casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
        return casAuthenticationProvider;
    }

    @Bean
    public CasUserDetailsService casUserDetailsService() {
        return new CasUserDetailsService();
    }

    @Bean
    public Cas30ServiceTicketValidator cas30ServiceTicketValidator() {
        // The protocol v3 validator calls /p3/serviceValidate, which is what returns the
        // released attributes (gidNumber / groupNumber) in the validation response.
        return new Cas30ServiceTicketValidator("https://onculk:6443/cas");
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());
        // casAuthenticationFilter.setAuthenticationSuccessHandler(successHandler());
        casAuthenticationFilter.setAuthenticationFailureHandler(failureHandler());
        return casAuthenticationFilter;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(casAuthenticationProvider());
    }

    @Override
    public void setServletContext(ServletContext servletContext) {
        this.servletContext = servletContext;
    }

    @Bean
    LoginAuthenticationFailureHandler failureHandler() {
        final LoginAuthenticationFailureHandler failureHandler = new LoginAuthenticationFailureHandler();
        failureHandler.setDefaultFailureUrl("https://onculk:2222");
        return failureHandler;
    }
}




On Tuesday, June 20, 2017 at 11:20:52 AM UTC+3, öncül korkut wrote:
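As an added example (not code from this thread or from the CAS project), here is one way the CasUserDetailsService referenced in the Spring configuration above could turn the released groupNumber attribute into Spring Security roles. The attribute name groupNumber follows the cas.authn.attributeRepository.attributes.gidNumber=groupNumber mapping in the posted config, and the gid values 1000 and 2000 follow the posixGroup entries in the LDIF; the role names, the gid-to-role table and the constructed assertion in main are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.authentication.AttributePrincipalImpl;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.AssertionImpl;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Maps the "groupNumber" attribute released by CAS (the LDAP gidNumber, renamed by
 * cas.authn.attributeRepository.attributes.gidNumber=groupNumber) onto Spring Security roles.
 * Added example; the role names and the table below are assumptions, not part of the thread.
 */
public class CasUserDetailsService implements AuthenticationUserDetailsService<CasAssertionAuthenticationToken> {

    /** Attribute name exactly as CAS releases it (listed in defaultAttributesToRelease). */
    static final String GROUP_ATTRIBUTE = "groupNumber";

    /** gidNumber -> role; 1000 and 2000 are the appadmins / appoperators posixGroups from the LDIF. */
    private static final Map<String, String> GID_TO_ROLE;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("1000", "ROLE_APPADMIN");     // assumed role name
        m.put("2000", "ROLE_APPOPERATOR");  // assumed role name
        GID_TO_ROLE = Collections.unmodifiableMap(m);
    }

    @Override
    public UserDetails loadUserDetails(CasAssertionAuthenticationToken token) throws UsernameNotFoundException {
        // The assertion comes from the ticket validator's call to CAS, never from the browser.
        AttributePrincipal principal = token.getAssertion().getPrincipal();
        if (principal == null || principal.getName() == null) {
            throw new UsernameNotFoundException("CAS assertion carries no principal");
        }
        List<GrantedAuthority> authorities = authoritiesFor(principal.getAttributes());
        if (authorities.isEmpty()) {
            // Authenticated by CAS but in no mapped group: reject instead of granting a default role.
            throw new UsernameNotFoundException("No authorized group for " + principal.getName());
        }
        // The password is irrelevant (CAS validated the ticket); use a placeholder, never a real secret.
        return new User(principal.getName(), "", authorities);
    }

    /** Handles single- and multi-valued attributes: CAS protocol v3 returns multi-valued ones as a List. */
    static List<GrantedAuthority> authoritiesFor(Map<String, Object> attributes) {
        List<GrantedAuthority> out = new ArrayList<>();
        Object raw = attributes == null ? null : attributes.get(GROUP_ATTRIBUTE);
        if (raw == null) {
            return out;
        }
        Collection<?> values = raw instanceof Collection ? (Collection<?>) raw : Collections.singletonList(raw);
        for (Object v : values) {
            String role = GID_TO_ROLE.get(String.valueOf(v).trim());
            if (role != null) {
                out.add(new SimpleGrantedAuthority(role));
            }
        }
        return out;
    }

    /** Offline demo with a constructed assertion; no CAS server is contacted. */
    public static void main(String[] args) {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("groupNumber", "2000");   // constructed: what CAS would release for operator1
        attrs.put("displayName", "operator1");
        Assertion assertion = new AssertionImpl(new AttributePrincipalImpl("operator1", attrs));
        CasAssertionAuthenticationToken token = new CasAssertionAuthenticationToken(assertion, "ST-constructed");
        UserDetails user = new CasUserDetailsService().loadUserDetails(token);
        System.out.println(user.getUsername() + " -> " + user.getAuthorities());
    }
}
```

Two properties of this mapping are worth keeping whatever the role table looks like: authorities are derived only from the assertion the Cas30ServiceTicketValidator obtained from CAS over HTTPS, and a user whose group is not in the table is rejected rather than given a fallback role. The class only sees what CAS actually releases, so if groupNumber is absent from the validation response, check the defaultAttributesToRelease setting and the service's attribute release policy in the CAS service registry before changing this code.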