JAAS Authentication

JAAS is the standard Java authentication and authorization API. It is configured through an externalized plain-text configuration file. Using JAAS with CAS allows the authentication process to be modified without rebuilding and redeploying CAS, and it allows PAM-style multi-module "stacked" authentication, where several login modules are tried in order according to their control flags.

Configuration

JAAS components are provided in the CAS core module and require no additional dependencies to use. The JAAS handler delegates to the built-in JAAS subsystem to perform authentication according to the directives in the JAAS config file.

To see the relevant list of CAS properties, please review this guide.

JAAS Configuration File

The default JAAS configuration file is located at $JRE_HOME/lib/security/java.security. It is important to note that JAAS configuration applies to the entire JVM, not just to CAS. The path to the JAAS configuration file in effect may be altered by setting the java.security.auth.login.config system property to an alternate file path. A sample JAAS configuration file is provided below for reference.

/**
  * Login Configuration for JAAS. First try Kerberos, then LDAP, then AD.
  * Each module is flagged "sufficient": the first one that succeeds ends the
  * login; a failure falls through to the next module in the stack.
  * Note that a valid krb5.conf must be supplied to the JVM for Kerberos auth:
  * -Djava.security.krb5.conf=/etc/krb5.conf
  */
CAS {
  com.ibm.security.auth.module.Krb5LoginModule sufficient
    debug=FALSE;
  edu.uconn.netid.jaas.LDAPLoginModule sufficient
    java.naming.provider.url="ldap://ldap.my.org:389/dc=my,dc=org"
    java.naming.security.principal="uid=cas,dc=my,dc=org"
    java.naming.security.credentials="password"
    Attribute="uid"
    startTLS="true";
  edu.uconn.netid.jaas.LDAPLoginModule sufficient
    java.naming.provider.url="ldaps://ad.my.org:636/dc=ad,dc=my,dc=org"
    java.naming.security.principal="cas@ad.my.org"
    java.naming.security.credentials="password"
    Attribute="sAMAccountName";
};