WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
OS Service Deployment
CAS can be easily started as Unix/Linux services using either init.d
or systemd
. Windows support is also made available
via an external daemon. Note that most if not all of the below strategies attempt to run CAS via an embedded
servlet container whose configuration is explained here.
-
If CAS is built and run as a fully executable web application, then it can be used as an
init.d
service.symlink
the web application file toinit.d
to support the standardstart
,stop
,restart
andstatus
commands.The configuration built into CAS allows it to interact with the OS system configuration as such:
- Start the service as the user that owns the jar file
- Track CAS web applications’ PID using
/var/run/cas/cas.pid
- Write console logs to
/var/log/cas.log
To install CAS as an
init.d
service create a symlink:1 2
sudo ln -s /path/to/cas.war /etc/init.d/cas service cas start
You can also flag the application to start automatically using your standard operating system tools. For example, on Debian:
1
update-rc.d myapp defaults <priority>
Security
When executed as
root
, as is the case whenroot
is being used to start aninit.d
service, the CAS default executable script will run the web application as the user which owns the web application file. You should never run CAS asroot
so the web application file should never be owned byroot
. Instead, create a specific user to run CAS and usechown
to make it the owner of the file. For example:1
chown bootapp:bootapp /path/to/cas.war
You may also take steps to prevent the modification of the CAS web application file. Firstly, configure its permissions so that it cannot be written and can only be read or executed by its owner:
1
chmod 500 /path/to/cas.war
Additionally, you should also take steps to limit the damage if the CAS web application or the account that’s running it is compromised. If an attacker does gain access, they could make the web application file writable and change its contents. One way to protect against this is to make it immutable using
chattr
:1
sudo chattr +i /path/to/cas.war
This will prevent any user, including
root
, from modifying the file. -
To install CAS as a
systemd
service create a script namedcas.service
using the following example and place it in/etc/systemd/system
directory:1 2 3 4 5 6 7 8 9 10 11
[Unit] Description=CAS After=syslog.target [Service] User=bootapp ExecStart=/path/to/cas.war SuccessExitStatus=143 [Install] WantedBy=multi-user.target
Not So FastRemember to change the
Description
,User
andExecStart
fields for your deployment.The user that runs the CAS web application, PID file and console log file are managed by
systemd
itself and therefore must be configured using appropriate fields inservice
script. Consult the service unit configuration man page for more details.To flag the application to start automatically on system boot use the following command:
1
systemctl enable cas.service
Refer to
man systemctl
for more details. -
Upstart is an event-based service manager, a potential replacement for the System V init that offers more control on the behavior of the different daemons. When using Ubuntu you probably have it installed and configured already (check if there are any jobs with a name starting with
cas
in/etc/init
).We create a job
cas.conf
to start the CAS web application:1 2 3 4 5
# Place in /home/{user}/.config/cas description "CAS web application" # attempt service restart if stops abruptly respawn exec java -jar /path/to/cas.war
Now run
start cas
and your service will start. Upstart offers many job configuration options and you can find most of them here. -
CAS may be started as a Windows service using winsw.
Winsw provides programmatic means to
install/uninstall/start/stop
a service. In addition, it may be used to run any kind of executable as a service under Windows.Once you have downloaded the Winsw binaries, the
cas.xml
configuration file that defines our Windows service should look like this:1 2 3 4 5 6 7 8
<service> <id>cas</id> <name>CAS</name> <description>CAS web application.</description> <executable>java</executable> <arguments>-Xmx2048m -jar "path\to\cas.war"</arguments> <logmode>rotate</logmode> </service>
Finally, you have to rename the
winsw.exe
tocas.exe
so that its name matches with thecas.xml
configuration file. Thereafter you can install the service like so:1
cas.exe install
Similarly, you may use
uninstall
,start
,stop
, etc.Refer to this example to learn more.
CAS web applications may also be started as Windows service using Procrun of the Apache Commons Daemon project. Procrun is a set of applications that allow Windows users to wrap Java applications as Windows services. Such a service may be set to start automatically when the machine boots and will continue to run without any user being logged on.