10

I followed this tutorial to enable REST service on my local CAS server.

However there is no Java example

"Java REST Client Example

We need a real, working, example, the previous one is useless. Many people are emailing me that it is not working, and I confirm it does not work."

I was able to find this but that unfortunately did not work for me.

Any pointers/links? Much appreciated.

Nikhil K S
  • 806
  • 1
  • 13
  • 27
krinker
  • 1,072
  • 1
  • 9
  • 23

4 Answers4

18

Got it!

Here is the complete solution on how to enable CAS REST API and be able to connect to it via JAVA REST client to benefit others

  • Get CAS source code.
  • Review this article
  • Add following to pom.xml like suggested by the article in #2

<dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-integration-restlet</artifactId> <version>${cas.version}</version> <type>jar</type> </dependency>

  • Make sure to add following to pom.xml to avoid Spring jar collisions. In my case, cas-server-integration-restlet was dependent on spring-web, which used by default older version of Spring. So, I explicitly defined

<dependency> <groupId>org.springframework</groupId> <artifactId>spring-web</artifactId> <version>3.1.1.RELEASE</version> </dependency>

  • Compile your cas code. Should get cas.war in your target folder.
  • Upload it to your server, change permissions to tomcat and wait for it to get deployed
  • In CATALINA/conf find server.xml and uncomment 8443 port configuration so that our sever will allow SSL connections. Also, specify your certs in here.
  • Now navigate to exploded cas.war file and drill down to WEB-INF folder to find deployerConfigContext.xml file. Specify what CAS would use to authenticate. In my case, I used LDAP.
  • Add following to web.xml per article above

<servlet> <servlet-name>restlet</servlet-name> <servlet-class>com.noelios.restlet.ext.spring.RestletFrameworkServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet>

<servlet-mapping> <servlet-name>restlet</servlet-name> <url-pattern>/v1/*</url-pattern> </servlet-mapping>

  • Restart tomcat for changes to take effect.
  • Test that you can log in via standard CAS UI: https://server:8443/cas/login
  • Test that REST API was exposed via: https://server:8443/cas/v1/tickets
  • Now let's connect to it. I used this sample code. Make sure to give correct links and username/password
  • When I tried running the code as is, it complained about "Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Basically asking you to install certs. If you have the access to the server, just copy it over. If not, I found this code that will take care of the installation for you if you dont have access or just too lazy :)
  • Now, if you run the JAVA CAS Client with valid credentials you should see something like 
201
https://server_name:8443/cas/v1/tickets/TGT-4-rhVWLapYuOYi4InSEcmfNcABzaLMCPJgGIzlKqU1vb50zxb6pp-server_name
Tgt is : TGT-4-rhVWLapYuOYi4InSEcmfNcABzaLMCPJgGIzlKqU1vb50zxb6pp-server_name.ndev.coic.mil
Service url is : service=https%3A%2F%2Fmyserver.com%2FtestApplication
https://server_name:8443/cas/v1/tickets/TGT-4-rhVWLapYuOYi4InSEcmfNcABzaLMCPJgGIzlKqU1vb50zxb6pp-server_name
Response code is:  200
200
ST-4-BZNVm9h6k3DAvSQe5I3C-server_name
  • You can see 200 code and the ticket. If you were to review logs of your cas on the server, you should see messages about successful athentication and ticket generation.
  • Change username/password to some dummy data and try to run the code. You will get 400 error message, which means that permission to access was denied.

Success!

krinker
  • 1,072
  • 1
  • 9
  • 23
  • Hi!usefull answer! can you tell me what should i put in the service url? – fnkbz May 11 '14 at 17:53
  • I assume that you are refering to String serviceURL = "https://myserver.com/testApplication"; line... If that's the case, it should refer to your requesting application that is asking CAS to athenticate current user. Check out this website: https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough In Step One, you can see their explanation: (it doesn't matter that the service is made up as the ticket you're after is part of the url and will appear in the location bar even if your browser can't find the resource. – krinker May 12 '14 at 21:58
  • Also checkout this website for step by step on CAS https://www.purdue.edu/apps/account/html/cas_presentation_20110407.pdf. This should give you good undestanding of the steps involved in the process. Hope it helps... and thank you for your feedback! – krinker May 12 '14 at 22:00
  • yes this is what i meant! thanks. so if i understand correctly i can get the ticket no matter if the service exists or not..in my case i don't have a sampleapp, i just want to test the CAS server. so it doesn't matter if the service url points in something that doesn't exists.. right? – fnkbz May 14 '14 at 08:14
  • Yep. Correct, you would still be able to test CAS and get the ticket back, and you dont need a service that actually uses this ticket. – krinker May 14 '14 at 14:57
  • Hi can you please tell me, how does my other app/client gets to know about this user and how does it(other app/client) get the ticket and know that the user is already logged into CAS ??? – Ekansh Rastogi Dec 24 '14 at 06:06
  • It's a good solution to get the ticket and test your server. But how can you access to the protected resource (i.e, myserver.com/testApplication) without cookie management? if i test >myserver.com/testApplication?ticket=ST-4-BZNVm9h6k3DAvSQe5I3C-server_name personally i get a 302 – biology.info Feb 24 '15 at 14:33
  • I did all of this -- however, when I go to `/cas/v1/tickets`, my CAS server redirects me to `/cas/login`. do you know why that is the case and where should I look to change it ? that happens even after I log in manually via the login page (which is what I am normally trying to avoid by using REST) – amphibient Nov 09 '16 at 18:10
  • also, I can't find com.noelios.restlet.ext.spring.RestletFrameworkServlet anywhere in the path. It is not in cas-server-integration-restlet-4.1.4.jar or any of its sub-dependencies. In my IDE, the only class so named is in a package org.restlet.ext.spring. see: http://stackoverflow.com/questions/40514725/cas-configured-for-rest-api-redirects-v1-tickets-to-login-html – amphibient Nov 09 '16 at 20:37
5

For CAS 4.0 it's a little simpler (tested on apache-tomcat-7.0.55)

in your pom.xml add following dependency

    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-integration-restlet</artifactId>
        <version>4.0.0</version>
        <scope>runtime</scope>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-webmvc</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

Direct dependency to springframework is not necesarry because exclusions prevent from duplicated packages

In your web.xml you need to add servlet mapping for restlet (mind package has changed from com.noelios.restlet... to org.restlet...

    <servlet>
        <servlet-name>restlet</servlet-name>
        <servlet-class>org.restlet.ext.spring.RestletFrameworkServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>restlet</servlet-name>
        <url-pattern>/v1/*</url-pattern>
    </servlet-mapping>

As a result of above steps in yuor WEB-INF/lib directory following new files should be added

ls target/cas/WEB-INF/lib/ | grep restlet
cas-server-integration-restlet-4.0.0.jar
org.restlet-2.1.0.jar
org.restlet.ext.servlet-2.1.0.jar
org.restlet.ext.slf4j-2.1.0.jar
org.restlet.ext.spring-2.1.0.jar
Marek Chodor
  • 51
  • 1
  • 1
2

If you wish to skip cert validation add this to your Java Client

//////////////////////////////////////////////////////////////////////////////////////
// this block of code turns off the certificate validation so the client can talk to an SSL
// server that uses a self-signed certificate
//
// !!!! WARNING make sure NOT to do this against a production site
//
// this block of code owes thanks to http://www.exampledepot.com/egs/javax.net.ssl/trustall.html
//

TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType){}

        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType){}
    }
};

SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

//
//
// end of block of code that turns off certificate validation
// ////////////////////////////////////////////////////////////////////////////////////
krinker
  • 1,072
  • 1
  • 9
  • 23
2

Usually devs are confused on how to get rest client working when accessing secured CAS web service. Most of the question out there were asking how to get restlet CAS secures a webservice and how to call those web service, because no real example were working.

Well actually there is. Groovy example is on the JASIG Cas restlet example https://wiki.jasig.org/display/casum/restful+api is clearly show how to get authenticated to call a service (its using Groovy, but converting to Java should be straight forward) . But in my opinion, it do not clearly explain that client need to authenticate to the designated web service first before accessing CAS secured web service.

For example, assume there is a JSON service that secured with CAS and build with Java and Spring. And you are using code that describe on the groovy section on https://wiki.jasig.org/display/casum/restful+api

String casUrl="https://yourcas.com/v1/tickets"
String springTicketValidation="http://yourservice.com/j_spring_cas_security_check"
String serviceToCall="http://yourservice.com/serviceToCall"

To get your service client be able to call the service, you need to follow these simple rules:

  1. Get your ticket granting ticket from CAS
  2. Get your Service Ticket from cas for the designated service call (service to call)
  3. Authenticate to your service ticket validator (at this point url specified on springTicketValidation)
  4. finally call your service

or in code perspective

String ticketGrantingTicket = getTicketGrantingTicket(casUrl, username, password)
String serviceTicket = client.getServiceTicket(casUrl, ticketGrantingTicket, serviceToCall)
// validate your ticket first to your application
getServiceCall(springTicketValidation, serviceTicket)
getServiceCall(serviceToCall, serviceTicket)

And for your note, all these operation should be done in following condition:

  1. Your call (both restlet call and service call) should be done in the same HttpClient object. It seems that CAS put "something" in the session object that validated when you call your service. Fails this, and you will always get logon page on the HTTP result.
  2. Your cas client should be able to recognized your CAS SSL certificate, otherwise it will throw you PKIX path building failed
  3. This example is based on the cas secured web service that using Spring Security to secured service with CAS. I'm not sure whether other cas secured should need ticket validation on the application side or not

Hope this help

rama3i
  • 156
  • 1
  • 7