JAAS Authentication

JAAS is a Java standard authentication and authorization API. JAAS is configured via externalized plain text configuration file. Using JAAS with CAS allows modification of the authentication process without having to rebuild and redeploy CAS and allows for PAM-style multi-module “stacked” authentication.

Configuration

JAAS components are provided in the CAS core module and require no additional dependencies to use. The JAAS handler delegates to the built-in JAAS subsystem to perform authentication according to the directives in the JAAS config file.

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.authn.jaas[0].password-encoder.encoding-algorithm=
  • The encoding algorithm to use such as MD5. Relevant when the type used is DEFAULT or GLIBC_CRYPT.

    org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.

  • cas.authn.jaas[0].password-encoder.type=NONE
  • Define the password encoder type to use. Type may be specified as blank or NONE to disable password encoding. It may also refer to a fully-qualified class name that implements the Spring Security's PasswordEncoder interface if you wish you define your own encoder. The following types may be used:

    • NONE: No password encoding (i.e. plain-text) takes place.
    • DEFAULT: Use the DefaultPasswordEncoder of CAS. For message-digest algorithms via character-encoding and encoding-algorithm.
    • BCRYPT: Use the BCryptPasswordEncoder based on the strength provided and an optional secret.
    • SCRYPT: Use the SCryptPasswordEncoder.
    • PBKDF2: Use the Pbkdf2PasswordEncoder based on the strength provided and an optional secret.
    • STANDARD: Use the StandardPasswordEncoder based on the secret provided.
    • SSHA: Use the LdapShaPasswordEncoder supports Ldap SHA and SSHA (salted-SHA). The values are base-64 encoded and have the label {SHA</code> or {SSHA</code> prepended to the encoded hash.
    • GLIBC_CRYPT: Use the GlibcCryptPasswordEncoder based on the encoding-algorithm, strength provided and an optional secret.
    • org.example.MyEncoder: An implementation of PasswordEncoder of your own choosing.
    • file:///path/to/script.groovy: Path to a Groovy script charged with handling password encoding operations.

    org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.

  • cas.authn.jaas[0].realm=
  • JAAS realm to use.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.

  • cas.authn.jaas[0].password-policy.groovy.location=
  • The location of the resource. Resources can be URLS, or files found either on the classpath or outside somewhere in the file system.

    org.apereo.cas.configuration.model.SpringResourceProperties.

  • cas.authn.jaas[0].principal-transformation.groovy.location=
  • The location of the resource. Resources can be URLS, or files found either on the classpath or outside somewhere in the file system.

    org.apereo.cas.configuration.model.SpringResourceProperties.

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value.

  • cas.authn.jaas=
  • Collection of settings related to JAAS authentication. These settings are required to be indexed (i.e. jaas[0].xyz).

    org.apereo.cas.configuration.model.core.authentication.AuthenticationProperties.

  • cas.authn.jaas[0].credential-criteria=
  • A number of authentication handlers are allowed to determine whether they can operate on the provided credential and as such lend themselves to be tried and tested during the authentication handler selection phase. The credential criteria may be one of the following options:

    • 1) A regular expression pattern that is tested against the credential identifier.
    • 2) A fully qualified class name of your own design that implements Predicate.
    • 3) Path to an external Groovy script that implements the same interface.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.

  • cas.authn.jaas[0].kerberos-kdc-system-property=
  • Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. However, if you like, you can instead specify the realm value by setting this following system property value.

    If you set the realm property, you SHOULD also configure the kerberos KDC system property.

    Also note that if you set these properties, then no cross-realm authentication is possible unless a krb5.conf file is also provided from which the additional information required for cross-realm authentication may be obtained.

    If you set values for these properties, then they override the default realm and KDC values specified in krb5.conf (if such a file is found). The krb5.conf file is still consulted if values for items other than the default realm and KDC are needed. If no krb5.conf file is found, then the default values used for these items are implementation-specific.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.

  • cas.authn.jaas[0].kerberos-realm-system-property=
  • Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. However, if you like, you can instead specify the realm value by setting this following system property value.

    If you set the realm property, you SHOULD also configure the kerberos KDC system property.

    Also note that if you set these properties, then no cross-realm authentication is possible unless a krb5.conf file is also provided from which the additional information required for cross-realm authentication may be obtained.

    If you set values for these properties, then they override the default realm and KDC values specified in krb5.conf (if such a file is found). The krb5.conf file is still consulted if values for items other than the default realm and KDC are needed. If no krb5.conf file is found, then the default values used for these items are implementation-specific.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.

  • cas.authn.jaas[0].login-config-type=
  • Typically set to JavaLoginConfig which is the default Configuration implementation from the SUN provider. This type accepts a URI/path to a configuration file as a valid parameter type specified via #loginConfigurationFile. If this parameter is not specified, then the configuration information is loaded from the sources described in the ConfigFile class specification. If this parameter is specified, the configuration information is loaded solely from the specified URI.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.

  • cas.authn.jaas[0].login-configuration-file=
  • Path to the location of configuration file (i.e. jaas.conf) that contains the realms and login modules.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.

  • cas.authn.jaas[0].name=
  • Name of the authentication handler.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.

  • cas.authn.jaas[0].order=MAX_VALUE
  • Order of the authentication handler in the chain.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.

  • cas.authn.jaas[0].password-encoder.character-encoding=UTF-8
  • The encoding algorithm to use such as 'UTF-8'. Relevant when the type used is DEFAULT.

    org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.

  • cas.authn.jaas[0].password-encoder.secret=
  • Secret to use with STANDARD, PBKDF2, BCRYPT, GLIBC_CRYPT password encoders. Secret usually is an optional setting.

    org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.

  • cas.authn.jaas[0].password-encoder.strength=16
  • Strength or number of iterations to use for password hashing. Usually relevant when dealing with PBKDF2 or BCRYPT encoders. Used by GLIBC_CRYPT encoders as well.

    org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties.

  • cas.authn.jaas[0].password-policy.account-state-handling-enabled=true
  • Indicates whether account state handling should be enabled to process warnings or errors reported back from the authentication response, produced by the source.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.display-warning-on-match=true
  • Indicates if warning should be displayed, when the ldap attribute value matches the #warningAttributeValue.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.enabled=true
  • Whether password policy should be enabled.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.login-failures=5
  • When dealing with FreeIPA, indicates the number of allows login failures.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.policy-attributes=
  • Key-value structure (Map) that indicates a list of boolean attributes as keys. If either attribute value is true, indicating an account state is flagged, the corresponding error can be thrown. Example accountLocked=javax.security.auth.login.AccountLockedException

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.strategy=DEFAULT
  • Decide how authentication should handle password policy changes. Available values are as follows:

    • DEFAULT: Default option to handle policy changes.
    • GROOVY: Handle account password policies via Groovy.
    • REJECT_RESULT_CODE: Strategy to only activate password policy if the authentication response code is not blocked.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.warn-all=
  • Always display the password expiration warning regardless.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.warning-attribute-name=
  • Used by an account state handling policy that only calculates account warnings in case the entry carries this attribute.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.warning-attribute-value=
  • Used by an account state handling policy that only calculates account warnings in case the entry carries an attribute #warningAttributeName whose value matches this field.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].password-policy.warning-days=30
  • This is used to calculate a warning period to see if account expiry is within the calculated window.

    org.apereo.cas.configuration.model.core.authentication.PasswordPolicyProperties.

  • cas.authn.jaas[0].principal-transformation.blocking-pattern=
  • A regular expression that will be used against the username to match for blocking/forbidden values. If a match is found, an exception will be thrown and principal transformation will fail.

    org.apereo.cas.configuration.model.core.authentication.PrincipalTransformationProperties.

  • cas.authn.jaas[0].principal-transformation.case-conversion=NONE
  • Indicate whether the principal identifier should be transformed into upper-case, lower-case, etc. Available values are as follows:

    • NONE: No conversion.
    • LOWERCASE: Lowercase conversion.
    • UPPERCASE: Uppercase conversion.

    org.apereo.cas.configuration.model.core.authentication.PrincipalTransformationProperties.

  • cas.authn.jaas[0].principal-transformation.pattern=
  • A regular expression that will be used against the provided username for username extractions. On a successful match, the first matched group in the pattern will be used as the extracted username.

    org.apereo.cas.configuration.model.core.authentication.PrincipalTransformationProperties.

  • cas.authn.jaas[0].principal-transformation.prefix=
  • Prefix to add to the principal id prior to authentication.

    org.apereo.cas.configuration.model.core.authentication.PrincipalTransformationProperties.

  • cas.authn.jaas[0].principal-transformation.suffix=
  • Suffix to add to the principal id prior to authentication.

    org.apereo.cas.configuration.model.core.authentication.PrincipalTransformationProperties.

  • cas.authn.jaas[0].principal.active-attribute-repository-ids=
  • Activated attribute repository identifiers that should be used for fetching attributes if attribute resolution is enabled. The list here may include identifiers separated by comma.

    org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties.

  • cas.authn.jaas[0].principal.attribute-resolution-enabled=UNDEFINED
  • Whether attribute repositories should be contacted to fetch person attributes. Defaults to true if not set.

    org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties.

  • cas.authn.jaas[0].principal.principal-attribute=
  • Attribute name to use to indicate the identifier of the principal constructed. If the attribute is blank or has no values, the default principal id will be used determined by the underlying authentication engine. The principal id attribute usually is removed from the collection of attributes collected, though this behavior depends on the schematics of the underlying authentication strategy.

    org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties.

  • cas.authn.jaas[0].principal.principal-resolution-conflict-strategy=last
  • In the event that the principal resolution engine resolves more than one principal, (specially if such principals in the chain have different identifiers), this setting determines strategy by which the principal id would be chosen from the chain. Accepted values are: last, first.

    org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties.

  • cas.authn.jaas[0].principal.principal-resolution-failure-fatal=UNDEFINED
  • When true, throws an error back indicating that principal resolution has failed and no principal can be found based on the authentication requirements. Otherwise, logs the condition as an error without raising a catastrophic error.

    org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties.

  • cas.authn.jaas[0].principal.return-null=UNDEFINED
  • Return a null principal object if no attributes can be found for the principal.

    org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties.

  • cas.authn.jaas[0].principal.use-existing-principal-id=UNDEFINED
  • Uses an existing principal id that may have already been established in order to run person directory queries. This is generally useful in situations where authentication is delegated to an external identity provider and a principal is first established to then query an attribute source.

    org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties.

  • cas.authn.jaas[0].state=ACTIVE
  • Define the scope and state of this authentication handler and the lifecycle in which it can be invoked or activated.

    org.apereo.cas.configuration.model.support.jaas.JaasAuthenticationProperties.