JasperReports Server & CAS Authentication

I discovered Central Authentication Service (CAS) through an old copy of the “JasperServer External Authentication Cookbook” about two years ago. CAS was therefore my first option when I was asked to evaluate open source single sign-on products, and JasperReports Server was, of course, the first Web application to try it with. Learning how to configure and deploy CAS was relatively easy with the CAS User Manual, but setting up JasperServer was a nightmare because of the lack of documentation for the community edition; that’s why I’m writing this post!

First of all, I set up a virtual machine with CAS configured to authenticate users against Active Directory; the “End-to-end Windows Example” tutorial in the CAS wiki was very useful at this point. Then I deployed JasperReports Server on another virtual machine. The two machines communicate over SSL, so I had to export the certificate used by the CAS machine and import it into the trust store of the JasperServer machine. The key points were:

  1. Put the fully qualified domain name (FQDN) of the CAS machine as the CN of the certificate.
  2. Register that FQDN in the DNS used by the JasperServer machine.
  3. Import the certificate into the cacerts file of the JVM that runs the application server where the JasperServer Web application is deployed.

Configuring JasperReports Server v5.2.0 was a matter of researching forums and blogs, intuition, and trial and error. In the end, the changes to the original JasperServer configuration that worked were:

  • Adding the following beans to applicationContext-security.xml:

      <bean id="casAuthenticationProvider"
          class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <property name="userDetailsService"><ref local="casUserAuthorityService"/></property>
        <property name="serviceProperties"><ref local="authenticationServiceProperties"/></property>
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://cas.test.com/cas" />
            </bean>
        </property>
        <property name="statelessTicketCache">
            <bean class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
                <property name="cache"><ref local="ticketCache"/></property>
            </bean>
        </property>
        <property name="key"><value>lam_or_lame</value></property>
    </bean>

    <bean id="authenticationServiceProperties"
          class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service">
           <value>http://jasperserver.test.com/jasperserver/j_spring_cas_security_check</value>
        </property>
        <property name="sendRenew"><value>false</value></property>
    </bean>

    <bean id="ticketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
       <property name="cacheManager"><ref local="cacheManager"/></property>
       <property name="cacheName"><value>casTicketCache</value></property>
    </bean>

    <bean id="casUserAuthorityService"
          class="com.jaspersoft.jasperserver.api.metadata.user.service.impl.UserDetailsServiceImpl">
        <property name="adminUsers">
            <list>
                <value>fcosfc</value>
            </list>
        </property>
        <property name="defaultAdminRoles">
            <list>
                <value>ROLE_USER</value>
                <value>ROLE_ADMINISTRATOR</value>
            </list>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>
    </bean>
  • Adding the CAS provider to the provider list of the authenticationManager bean in applicationContext-security.xml:

    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="casAuthenticationProvider"/>

                ...

            </list>
        </property>
    </bean>
  • Replacing the beans authenticationProcessingFilter and authenticationProcessingFilterEntryPoint in applicationContext-security.xml:

    <bean id="authenticationProcessingFilter"
          class="org.springframework.security.ui.cas.CasProcessingFilter">
        <property name="authenticationManager"><ref local="authenticationManager"/></property>
        <property name="authenticationFailureUrl"><value>/loginerror.html</value></property>
        <property name="defaultTargetUrl"><value>/loginsuccess.html</value></property>
        <property name="filterProcessesUrl"><value>/j_spring_cas_security_check</value></property>
    </bean>

    ...

    <bean id="authenticationProcessingFilterEntryPoint"
          class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl"><value>https://cas.test.com/cas/login</value></property>
        <property name="serviceProperties"><ref local="authenticationServiceProperties"/></property>
    </bean>
  • Modifying the filter chain in applicationContext-security-web.xml:

    <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                ...
                /j_spring_cas_security_check=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
                ...
                /**=httpSessionContextIntegrationFilter, ...,delegatingRequestParameterAuthenticationFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,...
            </value>
        </property>
    </bean>
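Two settings in the beans above deserve a second look before the deployment goes live: the service URL in authenticationServiceProperties is plain http while CAS itself is https (CAS redirects the browser, with the service ticket in the query string, to that URL, so the ticket travels in the clear), and the provider key is a placeholder. The script below is an added example, not code from this post, from JasperSoft or from the Spring Security project. It merges trimmed copies of the beans above into one constructed <beans> document and lints the points a reviewer would check: https on every CAS and service URL, a loginUrl host that matches the ticket validator host, a non-placeholder key, and the CAS check path being routed through authenticationProcessingFilter. The function names and the WEAK_KEYS list are my own assumptions.

```python
"""Lint a Spring Security 2.x CAS configuration for the settings that
usually break, or weaken, a JasperServer <-> CAS deployment."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: trimmed copies of the beans from the post, merged under
# one <beans> root so that the check can run offline.
SAMPLE_SECURITY_XML = """<beans>
  <bean id="casAuthenticationProvider"
        class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="https://cas.test.com/cas"/>
      </bean>
    </property>
    <property name="key"><value>lam_or_lame</value></property>
  </bean>
  <bean id="authenticationServiceProperties"
        class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service">
      <value>http://jasperserver.test.com/jasperserver/j_spring_cas_security_check</value>
    </property>
    <property name="sendRenew"><value>false</value></property>
  </bean>
  <bean id="authenticationProcessingFilterEntryPoint"
        class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
    <property name="loginUrl"><value>https://cas.test.com/cas/login</value></property>
  </bean>
  <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /j_spring_cas_security_check=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
        /**=httpSessionContextIntegrationFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>
</beans>"""

# Constructed list of values that should never be used as the provider key.
WEAK_KEYS = {"lam_or_lame", "changeme", "key", "secret", "password"}

CAS_CHECK_PATH = "/j_spring_cas_security_check"


def bean(root, bean_id):
    """Find a top-level <bean> by its id attribute."""
    return root.find(f"./bean[@id='{bean_id}']")


def prop_value(bean_el, name):
    """Text of <property name=...>, given either as a value attribute or a <value> child."""
    prop = bean_el.find(f"./property[@name='{name}']")
    if prop is None:
        return None
    if prop.get("value") is not None:
        return prop.get("value")
    val = prop.find("value")
    return val.text.strip() if val is not None and val.text else None


def filter_chain(root):
    """Parse the 'pattern=filter,filter' lines of filterChainProxy into a dict."""
    text = prop_value(bean(root, "filterChainProxy"), "filterInvocationDefinitionSource") or ""
    chain = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:  # directive lines such as PATTERN_TYPE_APACHE_ANT have no '='
            pattern, filters = line.split("=", 1)
            chain[pattern] = [f.strip() for f in filters.split(",") if f.strip()]
    return chain


def lint_cas_config(xml_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    provider = bean(root, "casAuthenticationProvider")
    validator_arg = provider.find("./property[@name='ticketValidator']/bean/constructor-arg")
    cas_prefix = validator_arg.get("value") if validator_arg is not None else None
    login_url = prop_value(bean(root, "authenticationProcessingFilterEntryPoint"), "loginUrl")
    service = prop_value(bean(root, "authenticationServiceProperties"), "service")

    # Every URL that carries a ticket or a credential must be https.
    for label, url in (("CAS server prefix", cas_prefix), ("CAS loginUrl", login_url),
                       ("service URL", service)):
        if not url or urlsplit(url).scheme != "https":
            findings.append(f"{label} is not https: {url}")

    # The login redirect and the ticket validation must talk to the same CAS host
    # (the host whose certificate CN was imported into cacerts).
    if cas_prefix and login_url and urlsplit(cas_prefix).hostname != urlsplit(login_url).hostname:
        findings.append("loginUrl host differs from the ticket validator host")

    if service and not service.endswith(CAS_CHECK_PATH):
        findings.append(f"service URL does not end with {CAS_CHECK_PATH}")

    key = prop_value(provider, "key")
    if not key or key.lower() in WEAK_KEYS:
        findings.append("casAuthenticationProvider key is missing or a placeholder")

    # The ticket check path must actually reach the CAS processing filter.
    if "authenticationProcessingFilter" not in filter_chain(root).get(CAS_CHECK_PATH, []):
        findings.append(f"{CAS_CHECK_PATH} is not routed through authenticationProcessingFilter")

    return findings


if __name__ == "__main__":
    for finding in lint_cas_config(SAMPLE_SECURITY_XML):
        print("FINDING:", finding)
```

Run against the sample as written, the lint reports the plain-http service URL and the placeholder key; switching the service URL to https and replacing the key with a long random value makes it pass. Real deployments keep the two files separate, so point `bean()` at each parsed root (or merge the roots) before linting.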
