WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Configure Proxy Authentication Policy
Each registered application in the registry may be assigned a proxy policy that determines whether the service is allowed to use proxy authentication. This means that a PGT will not be issued to a service unless its proxy policy is configured to allow it. Additionally, the policy can also define which endpoint URLs are in fact allowed to receive the PGT.
Note that by default, the proxy authentication is disallowed for all applications.
This feature specifically applies to applications that understand and use the CAS protocol. Think VERY CAREFULLY before allowing an application to exercise proxy authentication. Blindly authorizing an application to receive a proxy-granting ticket may create an opportunity for security leaks and attacks. Make sure you actually need to enable this feature and that you understand why. Avoid it where and when you can.
Disallows proxy authentication for a service. This is the default policy and need not be configured explicitly.
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "testId",
  "name" : "testId",
  "id" : 1,
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  }
}
A proxy policy that only allows proxying to PGT URLs that match the specified regex pattern.
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "testId",
  "name" : "testId",
  "id" : 1,
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^https?://.*",
    "useServiceId": false,
    "exactMatch": false
  }
}
As noted earlier, the pattern must be specified as a valid regular expression. Furthermore:
- If the pattern used here is identical to the pattern used by the registered service itself as specified by the serviceId, you may be able to reuse the same existing regular expression here via the useServiceId setting.
- The setting exactMatch treats the regular expression pattern as an exact literal and turns off the evaluation of the pattern as a regular expression in favor of a literal comparison.
A proxy policy that reaches out to an external REST endpoint to determine proxy authorization.
{
  "@class" : "org.apereo.cas.services.CasRegisteredService",
  "serviceId" : "testId",
  "name" : "testId",
  "id" : 1,
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RestfulRegisteredServiceProxyPolicy",
    "endpoint" : "http://localhost:9222",
    "headers" : {
      "@class" : "java.util.LinkedHashMap",
      "header" : "value"
    }
  }
}
Endpoints must be designed to accept/process application/json, where the request body will contain the contents of the registered service definition, and the requesting PGT URL is passed as the pgtUrl request parameter. A successful 200 status code will allow proxy authentication to proceed.
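A minimal endpoint of the kind the REST policy above calls, written here as an added example (not CAS project code). It assumes pgtUrl arrives as a query-string parameter, and the per-service host allowlist and the host names in it are constructed values; the decision logic only permits https callbacks to hosts allowlisted for the service's id, answering 200 to permit and 403 to deny.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed allowlist (hypothetical host): PGT callback hosts permitted
# per registered service, keyed by the "id" field CAS sends in the body.
ALLOWED_PGT_HOSTS = {1: {"app.example.org"}}


def authorize_proxy(service, pgt_url):
    """Return the HTTP status to answer CAS with: 200 permits proxying
    to pgt_url for this service definition, 403 denies it.

    Denies anything that is not an https URL with a host that is on
    the allowlist for the service's id; malformed input is denied too.
    """
    try:
        parsed = urlparse(pgt_url)
    except ValueError:
        return 403
    if parsed.scheme != "https" or not parsed.hostname:
        return 403
    allowed = ALLOWED_PGT_HOSTS.get(service.get("id"), set())
    if parsed.hostname not in allowed:
        return 403
    return 200


class ProxyPolicyHandler(BaseHTTPRequestHandler):
    """Accepts the JSON service definition in the POST body and reads
    pgtUrl from the query string (assumed transport of the parameter)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            service = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            service = {}
        query = parse_qs(urlparse(self.path).query)
        pgt_url = query.get("pgtUrl", [""])[0]
        self.send_response(authorize_proxy(service, pgt_url))
        self.end_headers()


if __name__ == "__main__":
    # Listens on the same port the sample "endpoint" setting above points at.
    HTTPServer(("127.0.0.1", 9222), ProxyPolicyHandler).serve_forever()
```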