Magnolia 4.5 reached end of life on June 30, 2016. This branch is no longer supported, see End-of-life policy.
Central Authentication Service (CAS) is a single sign-on protocol for the web. CAS enables applications to authenticate users without needing to access users' security credentials (login and password details). Note that all references to CAS in Magnolia are for the CAS Module that enables the CAS service. The CAS module requires, and only works in conjunction with, the LDAP Connector module 1.4.
CAS Connector is an enterprise module available in the add-ons folder of the Enterprise Edition bundle. To install the module, see the general .
You can configure the location of your cas.properties file as necessary. To do this, add a new property jndi.ldap.config in the and then set the value to a path relative to the webapp.
Unlike most modules, installing the CAS module doesn't trigger upgrade or installation tasks. The CAS module quietly makes the necessary classes available for your configuration, but you won't see it listed in the modules section of your configuration, nor will it trigger the "Upgrade Needed" notification.
CASAuthenticationModule: this module can be used to authenticate against any LDAP directory. Use it together with MagnoliaRoleResolver (users replicated in the JCR repository) or with specific NameResolver implementations to resolve groups and roles for your LDAP users.
The Central Authentication Service is a single sign-on (SSO) web protocol. With single sign-on a user logs in once to a system and then automatically gains access to all related systems (for which they have been granted access rights as per their credentials) without being prompted or required to log in to each system individually. Note that you can download the JASIG CAS server from the Central Authentication Service project website.
TGT: the ticket-granting ticket, which ensures that the user does not have to log in again on each redirect to the CAS server.
ticket=ST-xxx: the service ticket passed in the URL for the Magnolia CAS client to check.
Note that at present the CAS module requires - and only works in conjunction with - the Magnolia LDAP Connector Module 1.4. The LDAP Connector is a standard JAAS login module, which connects to any LDAP V3 supported directory service. This module is useful when deploying Magnolia in large intranet environments where an enterprise-grade user management infrastructure already exists. The JAAS standard support enables you to meet single sign-on requirements.
The following properties have to be configured in ad.properties) for the CAS module to function:
A fully qualified URL to your LDAP server.
Password encryption type:
IMPORTANT - This value must be left blank.
This is the account used to query the user roles.
This is the password for the account used to query the user roles.
This string is used to build an initial search against the server, for example
The class responsible for resolving groups assigned to a user. The class must implement the
The class responsible for resolving roles assigned to a user. The class must implement the
Distinguished name of an admin user who has permissions to search the tree defined in
Password of the admin user.
Name mapping (multiple properties)
Mapping between Magnolia-defined attributes and how these attributes are named in your specific LDAP installation.
Other properties are defined and documented in
If you run JBoss application server edit login-config.xml instead.
JAAS is a standard authentication and authorization API provided by Java 1.4 and higher. An external file is used to configure JAAS. Using JAAS with CAS allows modification of the authentication process without having to rebuild and redeploy CAS.
jaas.config file, split info.magnolia.jaas.sp.ldap.ADAuthenticationModule into different JAAS chains:
In Magnolia configuration, set the jaasChain property to
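The chain split described above, written out as a JAAS login configuration. This is an added illustration, not a fragment of the shipped Magnolia jaas.config: the chain names magnolia-cas and magnolia-ldap, the realm option values, the requisite/required control flags chosen here, and the info.magnolia.jaas.sp.jcr.JCRAuthorizationModule entry are assumptions; only info.magnolia.jaas.sp.ldap.ADAuthenticationModule and the jaasChain property come from the page.

```text
// Added example, not the Magnolia distribution's jaas.config.
// Two chains let the CAS-fronted instance and a plain LDAP login
// carry different module options. Names below are assumptions.

// Chain used when requests arrive with a CAS service ticket (ticket=ST-xxx).
magnolia-cas {
  // The page's LDAP login module; "requisite" aborts the chain on failure
  // so no later module runs with an unauthenticated subject.
  // The realm option value is a placeholder.
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule requisite
    realm="magnolia-cas";
  // Assumed authorization module that maps the authenticated user to roles.
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

// Chain used for direct (non-SSO) LDAP logins.
magnolia-ldap {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule requisite
    realm="magnolia-ldap";
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

// Each Magnolia instance then selects one chain by name through its
// jaasChain property, e.g. jaasChain=magnolia-cas on the CAS-protected one.
```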