Pierce County IT Department, GIS Division
Xuejin Ruan, Dan King
Web Application Work Flow
Main Topics

Authentication
Authorization
Session Management
  Concurrent Session Management
  Session Timeout
Single Sign Out
Part I: Authentication (Single Sign On with Central Authentication Service)

Authorization
Session Management
  Concurrent Session Management
  Session Timeout
Single Sign Out?
Single Sign On (SSO) is a property of access control across multiple related but independent software systems: a user logs in once and gains access to all of them without being prompted to log in again at each one.

Why SSO?
Multiple Frameworks
Diversified Users
Server Locations
Multiple Access Points

Access type                | User                | Department                             | Application
County User - External     | Gaylynn Wilke       | PCSD                                   | Neighborhood Crime Admin
County User - Internal     | Tom Symonds         | DEM                                    | School Threat System
County User - Internal     | Joyce Seger         | Tacoma Pierce County Health Department | West Nile Virus
Non-County User - External | (entire department) | City of Puyallup DEM                   | School Threat System
Non-County User - External | Dena Berkey         | Leroy Surveyors                        | CountyView Web
County User - Internal     | Dave Peterson       | PALS                                   | CountyView Web
Why Not Make Our Life Easier?

For users:
  No more sticky notes with usernames/passwords flying around
  No more banging the wall
  No more pulling the hair
For developers:
  Authentication is removed from application code
  Authentication is centralized on a single server, the only machine that ever receives user credentials, and it receives them through an encrypted tunnel
Why CAS?

Central Authentication Service (CAS) is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. CAS became a Jasig project in December 2004.
CAS Technology Stack

Java and JSPs
Spring Framework
Spring Web Flow
Spring Security
Maven 2
Jasig Person Directory
CAS is designed to run on any Java 1.5 or higher virtual machine and in any container that supports Servlet 2.4 or higher.
CAS Work Flow

The user tries to access a secured resource.
If the user has not already signed in, they are redirected to CAS for login.
After the user is authenticated, the username is passed to the application code, which handles authorization.
If the user has already been authenticated by CAS, they are not shown the login screen when accessing any other application configured to work with CAS.
CAS Key Parties

Client web browser(s)
The web application(s) (application server)
CAS server
Database server(s) (user database)
How Does CAS Work (1)

[Diagram: Web Browser, Application Server, CAS Server, User Database; username/password sent to CAS over HTTPS, TGC returned to the browser]

When a protected resource is requested and the user is not yet authenticated, the browser is redirected to the CAS login page with the requested resource carried in the service URL. After the user authenticates with the correct username/password (submitted to CAS over HTTPS), the CAS server issues a Ticket Granting Cookie (TGC) to the browser.

How Does CAS Work (2)

[Diagram: Web Browser presents TGC to CAS Server over HTTPS]

When accessing a resource protected by a CAS client, the web browser is redirected to the CAS server. The browser, previously authenticated, presents its TGC to the CAS server.

Reference: ESUP-Portail: open source Single Sign-On with CAS (Central Authentication Service), Pascal Aubry, Vincent Mathieu, Julien Marchal, 2004.

How Does CAS Work (3)

[Diagram: CAS Server issues ST to Web Browser, which presents it to the Application]

On presentation of the TGC, the CAS server delivers a Service Ticket (ST) to the browser. The ST is opaque (it carries no user information) and is usable only by the service that requested it. At the same time, the CAS server redirects the browser to the calling service, with the ST passed as the ticket query parameter. The browser then presents the ST to the application.

How Does CAS Work (4)

[Diagram: Application validates ST with CAS Server, receives user ID]

The CAS client then validates the ST against the CAS server with a direct server-to-server request (over HTTPS in production), and on success the requested resource is delivered to the browser. The ST is single-use and bound to the service URL it was issued for, so a ticket that is replayed, or presented by a different service, fails validation.
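The four steps above, worked through as runnable code. This is an added example, not code from the deck or from the Jasig CAS project: MockCasServer is a constructed stand-in for the CAS server (real CAS also manages the TGC and persists its ticket registry), cas.example.org and apps.example.org are placeholder hosts, and the usernames are made up. It shows the two rules that make the ST safe to pass through the browser: it is consumed on first validation, and it validates only for the service it was issued to.

```python
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_BASE = "https://cas.example.org/cas"   # assumed CAS server URL (placeholder)
CAS_NS = "http://www.yale.edu/tp/cas"      # namespace of CAS 2.0 validation responses


class CasValidationError(Exception):
    """Raised by the client when /serviceValidate answers authenticationFailure."""


class MockCasServer:
    """Constructed stand-in for the CAS server: holds the service-ticket table
    in memory and implements the /serviceValidate rules."""

    def __init__(self):
        self._service_tickets = {}  # ST -> (service it was issued to, username)

    def issue_service_ticket(self, username, service):
        """Step 3: the browser presented a valid TGC; mint an opaque ST bound to
        `service` and redirect the browser there with ?ticket=ST-..."""
        st = "ST-" + secrets.token_urlsafe(24)
        self._service_tickets[st] = (service, username)
        sep = "&" if "?" in service else "?"
        return f"{service}{sep}{urlencode({'ticket': st})}"

    def service_validate(self, service, ticket):
        """Step 4: CAS 2.0 /serviceValidate. The ST is removed on first use, so a
        replay fails, and it fails if presented by a service other than its own."""
        entry = self._service_tickets.pop(ticket, None)
        if entry is None:
            return self._failure("INVALID_TICKET", f"Ticket {ticket} not recognized")
        bound_service, username = entry
        if bound_service != service:
            return self._failure("INVALID_SERVICE", "Ticket was issued to another service")
        return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
                f"<cas:authenticationSuccess><cas:user>{username}</cas:user>"
                f"</cas:authenticationSuccess></cas:serviceResponse>")

    @staticmethod
    def _failure(code, message):
        return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
                f"<cas:authenticationFailure code='{code}'>{message}"
                f"</cas:authenticationFailure></cas:serviceResponse>")


# Client side: what the CAS client filter inside the application does.

def login_redirect_url(service):
    """Step 1: an unauthenticated user is sent to CAS; the requested resource
    travels in the service parameter."""
    return f"{CAS_BASE}/login?{urlencode({'service': service})}"


def ticket_from_redirect(url):
    """Read the ST out of the URL CAS redirected the browser back to."""
    return parse_qs(urlparse(url).query)["ticket"][0]


def parse_service_response(xml_text):
    """Return the username from a /serviceValidate response, or raise with the
    CAS failure code. The response comes from the CAS server over TLS; if the
    XML could come from anywhere else, parse it with defusedxml instead."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is not None:
        return success.findtext(f"{{{CAS_NS}}}user")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    raise CasValidationError(failure.get("code") if failure is not None else "UNKNOWN")


def validate_ticket(cas, service, ticket):
    """Step 4 from the client's side. In production this is an HTTPS GET to
    CAS_BASE/serviceValidate?service=...&ticket=...; here the mock is called directly."""
    return parse_service_response(cas.service_validate(service, ticket))


def demo():
    cas = MockCasServer()
    service = "https://apps.example.org/schoolthreat/"
    redirect_to_cas = login_redirect_url(service)          # no session -> go to CAS
    back_to_app = cas.issue_service_ticket("tsymonds", service)  # user logged in at CAS
    st = ticket_from_redirect(back_to_app)
    user = validate_ticket(cas, service, st)                # first validation succeeds
    try:
        validate_ticket(cas, service, st)                   # replaying the same ST fails
        replay = "accepted"
    except CasValidationError as exc:
        replay = exc.args[0]
    return redirect_to_cas, user, replay


if __name__ == "__main__":
    print(demo())
```

The client never sees a password and never trusts the ticket by itself; only the answer from the validation endpoint establishes the username, which is why that request must go over TLS to a CAS host the client is configured with, not to a host taken from the request.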
It Works for Us

Security:
  Passwords pass only from the browser to the authentication server, always through an encrypted tunnel.
  Re-authentication is transparent to users, provided they accept a single cookie, the Ticket Granting Cookie (TGC). This cookie is opaque, protected, and private to the CAS server.
  Applications learn users' identities without ever seeing a password, thanks to opaque one-time Service Tickets (ST).
Flexibility:
  Multiple authentication handlers: LDAP directory, database, X.509 certificate.
  Rich client libraries: JSP, Perl, Java, ASP, ColdFusion, PHP, uPortal, Ruby on Rails.
  Proxy authentication with Proxy Granting Tickets (PGT) and Proxy Tickets (PT).
What We've Achieved with CAS

One login and password.
If the user has not logged in, or has timed out, they are returned to the login page.
If the user has already logged in and is in an active session, they are redirected to the requested resource.
Language-specific libraries for developers to communicate with the SSO server.
Generic but customizable login widgets that applications can embed in their UI.
Login history tracked for each user and each server.
Login failures tracked.
Dictionary attacks throttled.
CAS Default Login Page
Pierce County Custom CAS Login Page
Pierce County User Login Auditing
Part II: Authorization

Authentication: SSO with CAS (Single Sign On with Central Authentication Service)
Authorization
Session Management
  Concurrent Session Management
  Session Timeout
Single Sign Out?
Authorization

CAS is for authentication ONLY! After the user is authenticated with CAS, the only thing passed from the CAS server to the application (the requested service) is AuthUser, the authenticated username. The application itself is responsible for authorization.
Authorization Requirements

Each application has its own set of roles.
Users are assigned to roles.
Departments are assigned to roles.
Groups are assigned to roles.
A group consists of users and departments.
The SSO server tells the application who the user is.
The authorization module pulls together the user's role information.
Applications use role information to control access to pages or UI elements.
Authorization

ColdFusion applications:

  <cfset aUser = createObject("component",
      "#request.pathToPortalObjects#.model_userone").init(qryCheckLogin.user_id)>

Java applications with Acegi Security: PortalAcegi.jar provides a PortalUserService that is created with the username passed from the CAS server:

  <bean id="portalUserService" class="gov.pc.portal.acegi.PortalUserService">
    <property name="dataSource" ref="portalDataSource"/>
    <property name="applicationId" value="63"/>
  </bean>

Java applications with Spring Security: PortalSpringSecurity.jar provides the same PortalUserService, created with the username passed from the CAS server:

  <bean id="userService" class="gov.pc.portal.springsecurity.PortalUserService">
    <property name="dataSource" ref="portalDataSource"/>
    <property name="applicationId" value="107"/>
  </bean>
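What the authorization module has to compute once the SSO server has supplied the username, as an added example. This is not the PortalUserService code from the deck: the class, the role table layout, the department and group names and the sample assignments are all constructed here (only the application ids 63 and 107 are taken from the slide). It implements the rules on the requirements slide: roles are scoped to one application, and a user's effective roles are the union of roles held by the user, by the user's department, and by any group that contains either.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    """One row of the role table: `principal` holds `role` in one application."""
    application_id: int
    principal_type: str   # "user", "department" or "group"
    principal: str
    role: str


class AuthorizationModule:
    """Resolves a user's effective roles for one application from the three
    kinds of assignment on the slide (user, department, group)."""

    def __init__(self, department_of, group_members, assignments):
        self.department_of = department_of   # username -> department name (or None)
        self.group_members = group_members   # group name -> set of users and departments
        self.assignments = assignments

    def principals_for(self, username):
        """The user, the user's department, and every group containing either."""
        principals = {("user", username)}
        dept = self.department_of.get(username)
        if dept is not None:
            principals.add(("department", dept))
        for group, members in self.group_members.items():
            if username in members or (dept is not None and dept in members):
                principals.add(("group", group))
        return principals

    def effective_roles(self, username, application_id):
        """Roles are per application; an assignment in app 63 says nothing about app 107."""
        principals = self.principals_for(username)
        return {a.role for a in self.assignments
                if a.application_id == application_id
                and (a.principal_type, a.principal) in principals}

    def has_role(self, username, application_id, role):
        """The check a page or UI element would call with its own application id."""
        return role in self.effective_roles(username, application_id)


# Constructed sample data, not Pierce County's real role table. Application ids
# 63 and 107 are the ones configured on the slide; everything else is made up.
SAMPLE = AuthorizationModule(
    department_of={"tsymonds": "DEM", "jseger": "TPCHD", "dberkey": None},
    group_members={
        "threat-admins": {"tsymonds"},              # a group of users
        "countyview-readers": {"TPCHD", "PALS"},    # a group of departments
    },
    assignments=[
        RoleAssignment(63, "department", "DEM", "viewer"),
        RoleAssignment(63, "group", "threat-admins", "admin"),
        RoleAssignment(107, "group", "countyview-readers", "viewer"),
        RoleAssignment(107, "user", "dberkey", "surveyor"),
    ],
)


if __name__ == "__main__":
    for user in ("tsymonds", "jseger", "dberkey"):
        print(user, sorted(SAMPLE.effective_roles(user, 63)), sorted(SAMPLE.effective_roles(user, 107)))
```

Because the application id is fixed in each application's own configuration (the applicationId property above), a user who is an admin in one system gets nothing in another unless that system's table says so.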
Part III: Session Management

Authentication: SSO with CAS (Single Sign On with Central Authentication Service)
Authorization
Session Management
  Concurrent Session Management
  Session Timeout
Single Sign Out?
Session Management Requirements

Wrap a filter around the application (Application.cfm, web.xml, etc.) to check session status on every request from the user.
An application can override the default session timeout.
Check whether the user's session is still active; on timeout the user is automatically redirected to a login page.
Check whether more than one session is active; if so, prompt the user to terminate one of the sessions.
Session Timeout: Global Session Timeout (CAS Timeout)

In CAS, ticketExpirationPolicies.xml (value in milliseconds; 600000 = 10 minutes, measured from the ticket's last use):

  <bean id="grantingTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <constructor-arg index="0" value="600000" />
  </bean>
Session Timeout: Local Session Timeout (Application Timeout)

In web.xml (value in minutes):

  <session-config>
    <session-timeout>1</session-timeout>
  </session-config>

The application timeout overrides the CAS timeout.

Custom SessionExpirationFilter: on each request it checks whether the application session has reached its timeout; if so, it invalidates the session variables for this application and sends a callback URL to CAS, triggering the CAS logout behavior.
Concurrent Session Management for Acegi Security

  <bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"/>

  <bean id="sessionController"
        class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
    <property name="exceptionIfMaximumExceeded" value="true"/>
    <property name="maximumSessions" value="1"/>
    <property name="sessionRegistry" ref="sessionRegistry"/>
  </bean>

  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="daoAuthenticationProvider"/>
      </list>
    </property>
    <property name="sessionController" ref="sessionController"/>
  </bean>
Concurrent Session Control for Spring Security

In web.xml:

  <listener>
    <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
  </listener>

In applicationContext.xml:

  <sec:concurrent-session-control max-sessions="1"/>

This prevents a user from being logged in more than once: a second login causes the first session to be invalidated.

  <sec:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>

With exception-if-maximum-exceeded set, the second login is rejected instead.

The listener is not optional: it is what tells the session registry that a session has been destroyed. Without it, a user whose first session ended normally would still count as logged in and, in the rejecting mode, be locked out until the stale registry entry expires.
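The two session rules in this part, the per-request idle-timeout check and the max-sessions="1" control in both of its modes, worked as one runnable example. This is added code, not the Spring Security, Acegi or ColdFusion implementation the slides configure: SessionRegistry, FakeClock and the usernames are constructed here. It mirrors the configuration semantics: the timeout is given in minutes as in web.xml, exception_if_maximum_exceeded=False expires the oldest session when a new login arrives, and True rejects the new login.

```python
import time
from dataclasses import dataclass


class TooManySessionsError(Exception):
    """Raised when exception_if_maximum_exceeded is set and the limit is hit."""


@dataclass
class Session:
    session_id: str
    username: str
    last_used: float
    expired: bool = False


class FakeClock:
    """Controllable clock so idle timeouts can be shown without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionRegistry:
    """In-memory registry of the application's sessions. `check` is what the
    per-request filter calls; `login` applies the concurrency rule."""

    def __init__(self, idle_timeout_minutes=1, max_sessions=1,
                 exception_if_maximum_exceeded=False, clock=time.time):
        self.idle_timeout = idle_timeout_minutes * 60   # web.xml session-timeout is in minutes
        self.max_sessions = max_sessions
        self.reject_new_login = exception_if_maximum_exceeded
        self.clock = clock
        self._sessions = {}   # session_id -> Session
        self._counter = 0

    def _active_for(self, username):
        """Live sessions of one user, oldest first; idle ones no longer count."""
        now = self.clock()
        return sorted((s for s in self._sessions.values()
                       if s.username == username and not s.expired
                       and now - s.last_used < self.idle_timeout),
                      key=lambda s: s.last_used)

    def login(self, username):
        """Register a session for a user CAS has just authenticated."""
        active = self._active_for(username)
        if len(active) >= self.max_sessions:
            if self.reject_new_login:
                raise TooManySessionsError(username)   # exception-if-maximum-exceeded="true"
            # Default behaviour: expire the oldest session(s) to make room.
            for stale in active[:len(active) - self.max_sessions + 1]:
                stale.expired = True
        self._counter += 1
        session_id = f"S{self._counter}"
        self._sessions[session_id] = Session(session_id, username, self.clock())
        return session_id

    def check(self, session_id):
        """Per-request check. Returns True and refreshes last_used while the session
        is valid; on idle timeout or concurrency expiry returns False so the caller
        can clear local state and redirect the user to the login page."""
        session = self._sessions.get(session_id)
        if session is None or session.expired:
            return False
        now = self.clock()
        if now - session.last_used >= self.idle_timeout:
            session.expired = True
            return False
        session.last_used = now
        return True


def demo():
    clock = FakeClock()
    # max-sessions="1" without the exception flag: a second login expires the first.
    registry = SessionRegistry(idle_timeout_minutes=1, clock=clock)
    first = registry.login("tsymonds")
    second = registry.login("tsymonds")
    first_alive = registry.check(first)      # False: expired by the second login
    second_alive = registry.check(second)    # True
    clock.advance(61)
    after_idle = registry.check(second)      # False: idle longer than one minute
    # exception-if-maximum-exceeded="true": the second login is rejected instead.
    strict = SessionRegistry(exception_if_maximum_exceeded=True, clock=clock)
    strict.login("jseger")
    try:
        strict.login("jseger")
        rejected = False
    except TooManySessionsError:
        rejected = True
    return first_alive, second_alive, after_idle, rejected


if __name__ == "__main__":
    print(demo())
```

The rejecting mode is the one that needs the session-destroyed notification discussed above: a session that ended without the registry hearing about it keeps counting against the user until its idle timeout passes.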
Concurrent Session Management for ColdFusion Apps

Custom tag CheckedLoggedIn.cfm:

  <cfset variables.timeout = 30>
  <cf_chkpermissions appname="#request.nameofthisapp#"
                     timeout="#variables.timeout#"
                     homefusepath="#client.homefusepath#">
Part IV: Single Sign Out

Authentication: SSO with CAS (Single Sign On with Central Authentication Service)
Authorization
Session Management
  Concurrent Session Management
  Session Timeout
Single Sign Out?
Single Sign Out

Signing out of one application automatically signs the user out of all active applications that are part of CAS.

  <!-- CAS single sign out -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  <!-- End of CAS single sign out configuration -->

The CAS server delivers the logout notification with a back-channel POST to each service URL it issued a ticket to, so every application must be reachable from the CAS server, and this filter has to be mapped ahead of the CAS authentication filter so the notification is processed rather than redirected to login.
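What the filter and listener pair above does on the application side, as an added example rather than the Jasig client code: after a service ticket validates, remember which local session it created; when CAS posts a logoutRequest whose SessionIndex names that ticket, invalidate that one session and nothing else. SingleSignOutHandler, the session dictionary and SAMPLE_LOGOUT_REQUEST are constructed here; the message shape (a SAML 2.0 LogoutRequest with the ST in SessionIndex, sent as the logoutRequest form field) is the one the CAS client expects.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class SingleSignOutHandler:
    """Keeps the ST -> local session mapping the filter needs, and applies a
    CAS logout notification to exactly the session that ticket logged in."""

    def __init__(self):
        self._session_by_ticket = {}   # ST -> session id
        self.sessions = {}             # session id -> {"user": ..., "valid": bool}

    def record_login(self, ticket, session_id, username):
        """Called once the ST has validated: remember which local session it created."""
        self._session_by_ticket[ticket] = session_id
        self.sessions[session_id] = {"user": username, "valid": True}

    def forget_session(self, session_id):
        """The SingleSignOutHttpSessionListener part: drop the mapping for a session
        the container already destroyed (local timeout, explicit invalidate)."""
        self._session_by_ticket = {t: s for t, s in self._session_by_ticket.items()
                                   if s != session_id}
        self.sessions.pop(session_id, None)

    def handle_request(self, method, form):
        """Filter entry point for every request. Returns the id of the session the
        request invalidated, or None for an ordinary request or for a notification
        naming a ticket we never mapped (already gone, or not ours)."""
        if method != "POST" or "logoutRequest" not in form:
            return None
        return self._apply_logout(form["logoutRequest"])

    def _apply_logout(self, logout_request_xml):
        # Anyone who can reach the service URL can POST here, so the XML is
        # untrusted input: use defusedxml in production.
        root = ET.fromstring(logout_request_xml)
        if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
            return None
        ticket = (root.findtext(f"{{{SAMLP_NS}}}SessionIndex") or "").strip()
        session_id = self._session_by_ticket.pop(ticket, None)
        if session_id is None:
            return None
        session = self.sessions.get(session_id)
        if session is not None:
            session["valid"] = False     # HttpSession.invalidate() in the servlet world
        return session_id


# Constructed notification in the shape CAS posts to each service: the
# SessionIndex carries the ST that originally logged the session in.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-constructed-1" Version="2.0" IssueInstant="2010-03-01T10:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-12345-constructed</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def demo():
    handler = SingleSignOutHandler()
    handler.record_login("ST-12345-constructed", "sess-A", "tsymonds")
    handler.record_login("ST-67890-constructed", "sess-B", "jseger")
    ordinary = handler.handle_request("GET", {})                       # not a logout
    hit = handler.handle_request("POST", {"logoutRequest": SAMPLE_LOGOUT_REQUEST})
    replay = handler.handle_request("POST", {"logoutRequest": SAMPLE_LOGOUT_REQUEST})
    return (ordinary, hit,
            handler.sessions["sess-A"]["valid"],
            handler.sessions["sess-B"]["valid"],
            replay)


if __name__ == "__main__":
    print(demo())
```

The notification carries no signature, so the only thing that stops a forged POST from logging someone out is that the sender would need the exact ST the session was created with; the handler therefore acts on known tickets only and ignores everything else.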
Summary

Use CAS to achieve SSO in a diversified system.
Create authorization modules that can be reused by different apps.
Control concurrent session management and session timeout.
Make both users' and developers' lives happier.
Thanks for Your Attention!

Questions?

xruan@co.pierce.wa.us
dan.king@viewpoint.pro