Overview:

In one of our assignments, we use CAS 4.0 (Central Authentication Service) as the SSO (Single Sign On) server together with its Java client. We installed the CAS server using the WAR overlay method.

With this, once a user has been authenticated by the CAS server, they are allowed to access the other applications (CAS-enabled services) that are configured for SSO with the same CAS server.

What is CAS?

CAS is SSO for the web. The CAS server is a Java servlet built on the Spring Framework whose primary responsibility is to authenticate users and grant access to CAS-enabled services.

What is RESTFul Integration?

Applications need to programmatically access CAS. For example, one CASified application may invoke another CASified application's REST APIs on behalf of an authenticated user, as shown in the diagram below.

[Diagram: Environment]

For this purpose, CAS exposes a REST protocol that lets us model applications as users and programmatically acquire tickets to authenticate to other applications.

Problem Domain:

Although we followed the steps described in the protocol, the client received a '400 Bad Request' error, and in the CAS server console we saw the information below.

We also confirmed that this issue exists with the CAS Java client. Ref: https://github.com/Jasig/cas/issues/886

Solution Domain:

The 'null+password' entry in the console told us that the credentials were not being passed to the server correctly. While troubleshooting, we found that although the credentials (username and password) are present in the request, they never reach the 'AuthenticationHandler' configured in the CAS server.

By following the steps below, we were able to get the credentials through to the CAS server and have the requests authenticated successfully.

Step#1 : Extend ‘TicketResource’ class

What is TicketResource?

TicketResource is the REST endpoint class that builds the credential object and passes it to the underlying 'AuthenticationHandler'. Basically, it handles the creation of Ticket Granting Tickets (the session token).

Extend it and override the 'obtainCredentials()' method as shown below, so that the username and password are set on the credential object before it is handed to the authentication handler.
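The override described above, written as an added example rather than the code from the original post. It assumes CAS 4.0's 'org.jasig.cas.integration.restlet.TicketResource' exposes a protected 'obtainCredentials()' returning 'org.jasig.cas.authentication.Credential', that the form body is read through Restlet's 'org.restlet.data.Form', and that the package name is ours to choose (here hypothetical).

```java
package com.example.cas.rest; // hypothetical package for the overlay

import org.jasig.cas.authentication.Credential;
import org.jasig.cas.authentication.UsernamePasswordCredential;
import org.jasig.cas.integration.restlet.TicketResource;
import org.restlet.data.Form;
import org.restlet.data.Status;
import org.restlet.resource.ResourceException;

/**
 * Extends the stock CAS 4.0 TicketResource so that the username and
 * password POSTed to the REST ticket endpoint actually reach the
 * configured AuthenticationHandler (assumed API, see lead-in).
 */
public class ExtTicketResource extends TicketResource {

    @Override
    protected Credential obtainCredentials() {
        // Read the POSTed form body exactly once. The request entity is a
        // stream; consuming it twice (for instance once to log it and once to
        // bind it) leaves the second reader with nothing, which is one way a
        // "null" username can reach the handler.
        final Form form = new Form(getRequest().getEntity());

        final String username = form.getFirstValue("username");
        final String password = form.getFirstValue("password");

        // Fail fast with a clear 400 instead of letting a half-populated
        // credential reach the handler. Do not log the password value.
        if (username == null || username.trim().isEmpty() || password == null) {
            throw new ResourceException(Status.CLIENT_ERROR_BAD_REQUEST,
                    "username and password are required");
        }

        // Populate the credential explicitly rather than relying on the
        // data binder that failed in our environment.
        final UsernamePasswordCredential c = new UsernamePasswordCredential();
        c.setUsername(username);
        c.setPassword(password);
        return c;
    }
}
```

Once this class is on the overlay's classpath, it must still be wired in place of the stock TicketResource (see the next step), otherwise CAS keeps using the original implementation.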

Step#2 : Change the bean in 'restlet-servlet.xml'

TicketResource is configured in 'restlet-servlet.xml', which must be changed to use 'ExtTicketResource' instead. To do this, replace the TicketResource bean definition shown below

with your ExtTicketResource bean, like the one below.

Conclusion:

With the fix in place, we are able to programmatically acquire tickets to authenticate to other applications using the Java client.

Ref: