Apache Fortress Authentication

Services connected to CAS can use Apache Fortress to handle authentication and authorization. The motivation for this integration is that Apache Fortress does not provide an SSO mechanism of its own. Apache Fortress is, however, compliant with ANSI INCITS 359 RBAC.
See this link for background and history.

Overview

The following diagram is a typical CAS deployment integrated with Apache Fortress:

In the above diagram, CAS delegates authentication to Fortress on behalf of the Fortress admin user, which is configured in the fortress.properties file. CAS automatically searches for this file on the classpath and constructs an access manager component that uses the admin user as the default user for communicating with Fortress.

To enable this feature, ensure Apache Fortress is installed.

Next include the following module in the WAR overlay:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-fortress</artifactId>
    <version>${cas.version}</version>
</dependency>

At this time, Apache Fortress support is limited to Apache Tomcat as the web container. Support for additional containers such as Jetty will be worked out in future releases.

CAS Configuration

  • Configure the fortress.properties file and place it under $TOMCAT_HOME/lib, or add it to the classpath through your own classpath configuration. An example configuration file follows:
http.user=fortress-super-user
http.pw=verysecretpassword
http.host=localhost
http.port=8080
http.protocol=http
  • Put Fortress Realm Proxy under your $TOMCAT_HOME/lib.
  • Add -Dversion=<your.fortress.version> to JAVA_OPTS or CATALINA_OPTS.
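
A pre-deployment check for the fortress.properties file described above, as an added example that is not part of CAS or Apache Fortress. The function names are hypothetical, and the check assumes that http.protocol and http.host select the transport and endpoint used with the http.user/http.pw admin credentials.

```python
import ipaddress
import os
import stat
import tempfile

SAMPLE_PW = "verysecretpassword"  # placeholder password from the page's example file


def parse_properties(text):
    """Parse key=value lines, skipping blanks and #/! comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def is_loopback(host):
    """True for localhost or a loopback IP literal; other names count as remote."""
    try:
        return host.lower() == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_fortress_properties(path):
    """Return findings for the fortress.properties file at path."""
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file-mode: %o exposes http.pw to group/other" % mode)
    if props.get("http.pw", "") in ("", SAMPLE_PW):
        findings.append("http.pw: empty or still the documentation sample")
    proto, host = props.get("http.protocol", "").lower(), props.get("http.host", "")
    if proto != "https" and not is_loopback(host):
        findings.append("http.protocol: http.user/http.pw sent unencrypted to " + host)
    return findings


if __name__ == "__main__":
    # Constructed demo: part of the page's example file in a temp file (mode 0600).
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as tmp:
        tmp.write("http.pw=verysecretpassword\nhttp.host=localhost\nhttp.protocol=http\n")
    print(audit_fortress_properties(tmp.name))
    os.remove(tmp.name)
```

An empty list means none of the three checks fired; the file-mode check relies on POSIX permission bits.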

Client Configuration

The Fortress session is stored as the principal attribute fortressSession. The client must extract this attribute to obtain the session in XML form. With the Fortress session, the client can then retrieve roles or permissions dynamically by calling the Fortress REST API.