
Installing Tomcat

Download and install the latest release of Tomcat from the Apache Tomcat website. Don't forget to define the environment variables JAVA_HOME and CATALINA_HOME.
Now you can edit the file server.xml and enable the SSL connector by uncommenting the following element and configuring the paths to the keystore and truststore:

        <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
        <!-- keystorePass="changeit" is the well-known JDK default keystore password.
             Use the password of the keystore you actually generated; it is stored in
             clear text in server.xml, so restrict read access to this file to the
             account Tomcat runs as. -->
        <!-- sslProtocol="TLS" selects the JSSE protocol family; which TLS versions are
             actually offered is then decided by the JVM. Where the Tomcat version
             supports it, pin them with sslEnabledProtocols. clientAuth="false" means no
             client certificate is requested, so truststoreFile (here the same file as
             the keystore) presumably has no effect on this connector; confirm for your
             Tomcat version. -->
        <Connector port="8443" maxHttpHeaderSize="8192"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
            enableLookups="false" disableUploadTimeout="true"
            acceptCount="100" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="C:/Java/keystore.jks"
            keystorePass="changeit"
            truststoreFile="C:/Java/keystore.jks"/>

Installing the CAS Server

Download the latest CAS Server package from the CAS website. Extract the WAR file from the archive in cas-server-3.4.2\modules and copy it into $CATALINA_HOME/webapps. Rename the WAR to cas.war.

Configuring the authentication mechanism

The CAS Server is configured using the file deployerConfigContext.xml in the directory $CATALINA_HOME/webapps/cas/WEB-INF.

Default Mode

By default, authentication succeeds for any login whose password is identical to the login (SimpleTestUsernamePasswordAuthenticationHandler); this is intended for testing only. It is configured with the following deployerConfigContext.xml:

        <beans xmlns="http://www.springframework.org/schema/beans"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:p="http://www.springframework.org/schema/p"
            xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

          <!-- Test-only setup: SimpleTestUsernamePasswordAuthenticationHandler (below)
               accepts any login whose password is identical to the login. Replace it with
               a real handler (JDBC, LDAP, ...) before the server is reachable by users. -->
          <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
            <!-- Resolvers that turn accepted credentials into a principal, one per
                 credential type handled below. -->
            <property name="credentialsToPrincipalResolvers">
              <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
              </list>
            </property>

            <!-- Handlers the manager asks to accept the credentials. httpClient is not
                 defined in this file; presumably it comes from another context file
                 shipped in the WAR. -->
            <property name="authenticationHandlers">
              <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                  p:httpClient-ref="httpClient" />
                <!-- Accepts any login whose password equals the login. Testing only. -->
                <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
              </list>
            </property>
          </bean>

          <!-- In-memory user store (presumably backing the services management pages);
               userMap is left empty here. -->
          <bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
            <property name="userMap">
              <value>
              </value>
            </property>
          </bean>

          <!-- Stub attribute source: backingMap is the fixed attribute set it serves,
               apparently regardless of the principal (no per-user lookup; confirm for
               the persondir version bundled with 3.4.2). -->
          <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
            <property name="backingMap">
              <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
              </map>
            </property>
          </bean>

          <!-- In-memory service registry with nothing registered. NOTE(review): on CAS 3.x
               an empty registry reportedly lets any service URL use this server; register
               the allowed services (or confirm this behaviour for 3.4.2) before going live. -->
          <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
        </beans>

JDBC Mode

        <beans xmlns="http://www.springframework.org/schema/beans"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:p="http://www.springframework.org/schema/p"
            xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

          <!-- JDBC authentication: the password typed by the user is checked against the
               value returned by the "sql" query of the handler below. -->
          <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
            <!-- Resolvers that turn accepted credentials into a principal, one per
                 credential type handled below. -->
            <property name="credentialsToPrincipalResolvers">
              <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
              </list>
            </property>

            <!-- httpClient is not defined in this file; presumably it comes from another
                 context file shipped in the WAR. -->
            <property name="authenticationHandlers">
              <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                  p:httpClient-ref="httpClient" />

                <!-- The login is passed as a bind parameter (the "?"), not concatenated
                     into the SQL text. No passwordEncoder is configured here, so the
                     stored value is compared as-is, i.e. this expects clear text
                     passwords in the table; set the handler's passwordEncoder property
                     (check the exact name in the 3.4.2 sources) to store hashes instead.
                     Replace login_table_name / login_column_name with your own names. -->
                <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
                  <property name="dataSource" ref="dataSource" />
                  <property name="sql"
                    value="select password from login_table_name where lower(login_column_name) = lower(?)" />
                </bean>
              </list>
            </property>
          </bean>

          <!-- Plain JDBC connection to PostgreSQL on serverB. Replace the placeholder
               values. The database credentials are stored in clear text in this file:
               restrict read access to the file, and give database_username read access
               to the login table only. The connection is presumably unencrypted unless
               the driver itself is configured for TLS. -->
          <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
            <property name="driverClassName">
              <value>org.postgresql.Driver</value>
            </property>
            <property name="url">
              <value>jdbc:postgresql://serverB:5432/database_name</value>
            </property>
            <property name="username">
              <value>database_username</value>
            </property>
            <property name="password">
              <value>database_password</value>
            </property>
          </bean>

          <!-- In-memory user store (presumably backing the services management pages);
               userMap is left empty here. -->
          <bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
            <property name="userMap">
              <value>
              </value>
            </property>
          </bean>

          <!-- Stub attribute source: backingMap is the fixed attribute set it serves,
               apparently regardless of the principal (no per-user lookup; confirm for
               the persondir version bundled with 3.4.2). -->
          <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
            <property name="backingMap">
              <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
              </map>
            </property>
          </bean>

          <!-- In-memory service registry with nothing registered. NOTE(review): on CAS 3.x
               an empty registry reportedly lets any service URL use this server; register
               the allowed services (or confirm this behaviour for 3.4.2) before going live. -->
          <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
        </beans>

The previous example uses a connection to PostgreSQL (configure the dataSource bean according to your RDBMS). Don't forget to add the JDBC driver to your WEB-INF/lib directory.

LDAP Mode

        <beans xmlns="http://www.springframework.org/schema/beans"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:p="http://www.springframework.org/schema/p"
            xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

          <!-- Directory connection used by the bind handler below. The URL is plain
               ldap:// and java.naming.security.authentication is "simple", so bind
               passwords (the service account's and every user's) would cross the
               network in clear text: use ldaps:// (or StartTLS) for anything but a test
               box. userName/password are placeholders; use a dedicated least-privilege
               account rather than a directory administrator, and restrict read access
               to this file since the password is stored in clear text. -->
          <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
            <property name="pooled" value="true"/>
            <property name="urls">
              <list>
                <value>ldap://ldap_server_name:ldap_port</value>
              </list>
            </property>
            <property name="userName" value="uid=admin,ou=system"/>
            <property name="password" value="secret"/>
            <property name="baseEnvironmentProperties">
              <map>
                <entry>
                  <key>
                    <value>java.naming.security.authentication</value>
                  </key>
                  <value>simple</value>
                </entry>
              </map>
            </property>
          </bean>

          <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
            <!-- Resolvers that turn accepted credentials into a principal, one per
                 credential type handled below. -->
            <property name="credentialsToPrincipalResolvers">
              <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
              </list>
            </property>

            <!-- httpClient is not defined in this file; presumably it comes from another
                 context file shipped in the WAR. -->
            <property name="authenticationHandlers">
              <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                  p:httpClient-ref="httpClient" />

                <!-- %u in "filter" is replaced by the login typed by the user and the
                     result is used as the DN to bind as, with the user's password.
                     Confirm that this CAS version escapes DN special characters in the
                     login (or validate the login form input) before deploying, and adapt
                     the ou/dc parts to your directory. -->
                <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
                  <property name="filter" value="uid=%u,ou=Users,dc=example,dc=com" />
                  <property name="contextSource" ref="contextSource" />
                </bean>
              </list>
            </property>
          </bean>

          <!-- In-memory user store (presumably backing the services management pages);
               userMap is left empty here. -->
          <bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
            <property name="userMap">
              <value>
              </value>
            </property>
          </bean>

          <!-- Stub attribute source: backingMap is the fixed attribute set it serves,
               apparently regardless of the principal (no per-user lookup; confirm for
               the persondir version bundled with 3.4.2). -->
          <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
            <property name="backingMap">
              <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
              </map>
            </property>
          </bean>

          <!-- In-memory service registry with nothing registered. NOTE(review): on CAS 3.x
               an empty registry reportedly lets any service URL use this server; register
               the allowed services (or confirm this behaviour for 3.4.2) before going live. -->
          <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
        </beans>

You need to configure your LDAP parameters, and to download the JAR file cas-server-support-ldap and add it to your WEB-INF/lib directory.

Customizing the CAS pages

You can customize the pages of the CAS Server by editing the JSPs in $CATALINA_HOME/webapps/cas/WEB-INF/view/jsp/default/ui or the stylesheets in $CATALINA_HOME/webapps/cas/css.