Re: [play 2.x] Authentication using CAS

James Roper

Nov 1, 2012, 11:30:33 PM
to play-fr...@googlegroups.com
Well, Play 2 is quite different from Play 1, so don't expect it to be easy to port.  You have two general approaches:

1) The easy but not as good approach, use the official CAS Java client to make blocking calls on the CAS server.  Make sure your Akka thread pools are tuned for this, by default they give you one thread per core, if you go with this approach you probably want 100-200 threads all up, otherwise other requests are going to get blocked by requests that are trying to talk to the CAS server, especially if the CAS server is ever slow to respond.
2) The hard but better approach, implement your own non blocking CAS client using the Play WS API.  The protocol is described here: http://www.jasig.org/cas/protocol

On Friday, 2 November 2012 09:08:54 UTC+11, Byron Weber Becker wrote:
Tomorrow's project is hooking up my Play! 2.x app to CAS for authentication.  I haven't been able to find anything for Play! 2.x and CAS.  I'm aware of the Play 1.x logisima-cas module (http://www.playframework.org/modules/cas).  I'll start there unless someone has different advice.  Has anyone else solved this for Play! 2.x?  Any suggestions/gotchas for updating the logisima-cas module?  

Thanks,
Byron

Byron Weber Becker

Nov 2, 2012, 10:08:08 AM
to play-fr...@googlegroups.com
Thanks for the bad news, James :)

Are there other alternatives?  For example, a previous web site I worked on in Python on an Apache server, the redirect was handled by the server before my code even saw the request.  I see on http://www.playframework.org/documentation/2.0.4/HTTPServer that another server can be set up as a front-end that could presumably do this work.  Any comments on this approach?

James Roper

Nov 5, 2012, 7:24:59 PM
to play-fr...@googlegroups.com
There are many different things you could do, the issue is communicating to Play which user is currently logged in.  The redirect could easily be handled by an Apache out the front, but you would still need something to verify the SSO cookie.  This would normally be in Play, and for that you need a CAS client making calls on the CAS server.  This really shouldn't be hard to implement, since they provide a working Java client.  I've implemented integration with an SSO server in Play 2 before (not CAS, but I've worked with lots of SSO services before, they are all the same, you find an SSO cookie, you verify it against the SSO server, if it verifies, they are logged in, if not, they aren't), you're looking at about 100 lines of straight forward code max (assuming the CAS client API is simple to work with).  Just implement an authenticator that checks for a session, if it finds a session, verify the session matches the current SSO cookie, if it finds no session, check for an SSO cookie, if it finds an SSO cookie, call the verify method on the CAS client, and if it verifies, add the user and the cookie to the current session.

If you *really* didn't want to implement it in Play, your alternative would be having Apache add a header to requests when it finds and verifies an SSO cookie, and then write an authenticator in Play that uses this.  But it really would be easier to implement the authenticator in Play.
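
The authenticator flow described in the post above, as an added example that is not part of the original thread and not code from Play or the CAS client. It is framework-neutral Java: the `verify` function is a hypothetical stand-in for the CAS client's verify call, and the session is a plain map with assumed keys `user` and `sso`.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;

public class SsoAuthenticator {
    // Stand-in for the CAS client's verify call (hypothetical): cookie -> user if valid.
    private final Function<String, Optional<String>> verify;

    public SsoAuthenticator(Function<String, Optional<String>> verify) {
        this.verify = verify;
    }

    /** session: mutable per-user session data; ssoCookie: cookie on this request, or null. */
    public Optional<String> authenticate(Map<String, String> session, String ssoCookie) {
        String user = session.get("user");
        if (user != null) {
            // A session is only honoured while it matches the current SSO cookie.
            if (ssoCookie != null && ssoCookie.equals(session.get("sso"))) {
                return Optional.of(user);
            }
            // Cookie missing or changed (SSO logout, another user): drop the stale session.
            session.remove("user");
            session.remove("sso");
        }
        if (ssoCookie == null) {
            return Optional.empty();
        }
        // No usable session: verify against the SSO server, cache only on success.
        Optional<String> verified = verify.apply(ssoCookie);
        verified.ifPresent(u -> {
            session.put("user", u);
            session.put("sso", ssoCookie);
        });
        return verified;
    }

    public static void main(String[] args) {
        // Constructed sample: the fake verifier accepts exactly one cookie value.
        SsoAuthenticator auth = new SsoAuthenticator(
            c -> "valid-cookie".equals(c) ? Optional.of("alice") : Optional.empty());
        Map<String, String> session = new HashMap<>();
        System.out.println(auth.authenticate(session, "valid-cookie")); // calls the verifier
        System.out.println(auth.authenticate(session, "valid-cookie")); // uses the session
        System.out.println(auth.authenticate(session, "other-cookie")); // cookie changed
        System.out.println(auth.authenticate(session, null));           // no cookie at all
    }
}
```

Binding the session to the SSO cookie value is what makes an SSO logout or a switch of user invalidate the local session on the next request.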

Jérôme LELEU

Feb 21, 2013, 4:21:14 AM
to play-fr...@googlegroups.com
Hi,

I've created what you're looking for : a Play 2.x client in Scala and Java which supports OAuth/CAS/OpenID/HTTP authentication and user profile retrieval : https://github.com/leleuj/play-pac4j.

It completely supports the CAS protocol :
 - CAS 1.0 / 2.0 / SAML validation + proxy ticket validation
 - logout request
 - CAS proxification.

Best regards,
Jérôme

Sean Brady

Apr 23, 2014, 11:31:50 PM
to play-fr...@googlegroups.com
Hi Jérôme,

I'm late to the party here, but I was wondering:

1) is this library being actively developed/maintained?
2) is it implemented in the non-blocking manner that James described above?  or is it blocking?

Thanks,
Sean

Jérôme LELEU

Apr 25, 2014, 2:59:05 AM
to play-fr...@googlegroups.com, Michaël REMOND
Hi,

1) Yes, but you shouldn't take my word for granted, you should take a look at the commits ;-)
I'm the Chairman of the CAS open source project so I'm willing to maintain all the CAS clients I have created (through pac4j). In fact, there is a Play implementation (play-pac4j), but there are also Shiro (https://github.com/bujiio/buji-pac4j), Spring Security (https://github.com/leleuj/spring-security-pac4j), J2E (https://github.com/leleuj/j2e-pac4j) and Ratpack (https://github.com/ratpack/ratpack/tree/master/ratpack-pac4j) implementations: http://www.pac4j.org. And we are currently working on a Vertx one...

But I'm open to further discussion on this.

I have developed a lot for Open Source (pac4j is 300 classes and more than 26000 lines of source code, just to talk about pac4j), but the play-pac4j library, which is finally a bridge between Play and pac4j, has always been intended to be driven, developed and supported by the Play community (I'm not a Play specialist, far from it and my time is limited).
I have had a few contributors on pac4j libraries, and lately Michaël has jumped deeply in pac4j and you know that smart guys always make the difference.

By the way, someone asked me about using roles with pac4j and we are working on it also (https://pac4jos.atlassian.net/browse/PLAYP-1). So all your suggestions and help will be appreciated.

Best regards,
Jérôme




Sean Brady

Apr 25, 2014, 1:03:17 PM
to play-fr...@googlegroups.com, Michaël REMOND
Thanks for the reply.  I do see quite an active commit history!  I've just been thrown into a project with SSO requirements, so I'm doing early investigations at the moment.