
I am a computer science student and have used Quarkus for several projects in the past year. I recently received a new project where I have to create a REST API. Because I have to do a lot in a short time, I use Quarkus to easily do the job with RESTEasy for my web services.

But this API has to authenticate the user by using Apereo with the protocols CAS or SAML2. Moreover, I have no experience in using Java security plugins.

I also searched about how to deal with that by using Keycloak, the Apereo JBoss client, the Apereo Spring Boot client, or by having a service along with Quarkus like a Tomcat that will do the authentication job. But I don't know which one would be the best and even which one would actually work.

Do you have any experience around that? Or what could I use to make my Quarkus API work with Apereo?

Thank you very much for your time and help,

Best regards,

Thomas

Totog1nger

1 Answer


Sorry for being late to the party, but I actually did a Quarkus - Apereo CAS integration. Basically I added the quarkus-undertow extension to be able to use src/main/resources/META-INF/web.xml. Also I used org.jasig.cas.client:cas-client-core:3.6.1 to have the CAS filters. And my web.xml contains something like this:

<context-param>
    <param-name>serverName</param-name>
    <param-value>${cas.redirect.url}</param-value>
</context-param>

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>${cas.login.url}</param-value>
    </init-param>
    <init-param>
        <param-name>ignorePattern</param-name>
        <param-value>/proxy/</param-value>
    </init-param>
    <init-param>
        <param-name>ignoreUrlPatternType</param-name>
        <param-value>CONTAINS</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>${cas.base.url}</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

SAML integration is similar, just use the SAML filters. For more information on configuration options, please see java-cas-client.

Off topic, why do you need to authenticate an API via CAS? It redirects you to that CAS login window, then it redirects you back. You can't use this API via Postman or curl. Also an API doesn't store any session about the user, so this redirect dance happens every time. This is not how APIs are secured. Web pages or web applications yes, but not APIs.

mircea-cm
  • Hello, you are right, I think I took the issue the wrong way around. I was doing an app for my university and had to use the SSO (which was SAML or CAS). But we used VueJs for the front and Quarkus as an API. At the end they opened the LDAP for me. But I didn't manage to keep sessions by using the integrated Quarkus LDAP module. So I did something awful: I installed ldapsearch in my container and called it from the command line and then set my own JWT to keep the session :/ To your mind, what should I have done considering this Vue / Quarkus architecture? Best regards, Thomas – Totog1nger Jul 01 '21 at 15:50
  • Actually, the Vue / Quarkus arch is what we use; we use that CAS module for the login window into the VueJs app. Also, if the Vue app is served from the Quarkus backend then all your calls are being done quite securely if you manage to use the backend session correctly. If you have APIs on a different server then just proxy the calls to that API server and use LDAP for authenticating to that server. Keep in mind that the Quarkus LDAP module does not cache the authentication, and it's quite bad for performance. Also see this for reference https://quarkus.io/blog/quarkus-and-web-ui-development-mode/ – mircea-cm Jul 05 '21 at 08:46
  • Thank you very much. I'll keep that in mind for future projects. Thomas – Totog1nger Jul 05 '21 at 17:07
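As an added example (not code from the answer above or from the java-cas-client project), here is what a JAX-RS resource behind the web.xml filter chain from the answer can do with the identity the filters establish. It assumes Quarkus with quarkus-undertow and RESTEasy classic on javax.* APIs, cas-client-core 3.6.1 on the classpath, and a hypothetical package name; the null check matters because paths matched by the answer's ignorePattern (anything containing /proxy/) bypass the AuthenticationFilter and reach the resource without a principal.

```java
package org.example.whoami; // hypothetical package, not from the answer

import java.security.Principal;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.jasig.cas.client.authentication.AttributePrincipal;

// Reads the user established by "CAS Validation Filter" and exposed through
// "CAS HttpServletRequest Wrapper Filter" (both mapped to /* in web.xml).
@Path("/whoami")
public class WhoAmIResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response whoAmI(@Context HttpServletRequest request) {
        // HttpServletRequestWrapperFilter wraps the request so that
        // getUserPrincipal() returns the principal of the validated ticket.
        Principal principal = request.getUserPrincipal();

        // Requests that the AuthenticationFilter ignored (ignorePattern with
        // CONTAINS, e.g. "/proxy/") arrive here with no principal at all, so
        // the resource must not assume that the filter chain authenticated
        // every caller: fail closed instead of serving anonymous requests.
        if (principal == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        StringBuilder body = new StringBuilder("user=").append(principal.getName());
        if (principal instanceof AttributePrincipal) {
            // Attributes released by the CAS server for this user
            // (for example mail or memberOf), as a String -> Object map.
            Map<String, Object> attributes =
                    ((AttributePrincipal) principal).getAttributes();
            attributes.forEach((k, v) ->
                    body.append('\n').append(k).append('=').append(v));
        }
        return Response.ok(body.toString()).build();
    }
}
```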