Commit b61af9b1 authored by Misagh Moayyed

Merge pull request #1175 from Unicon/remote-authn-config

Automated remote authN config
parents c96caa14 73083ea1
......@@ -4,16 +4,24 @@ title: CAS - Remote Address Authentication
---
# Remote Address Authentication
This handler uses the request's remote address to transparently authenticate a user, having verified the address against a range of configured IP addresses. The mechanics of this approach are very similar to X.509 certificate authentication, but trust is instead placed on the client internal network address.
This handler uses the request's remote address to transparently authenticate a user, having verified
the address against a range of configured IP addresses. The mechanics of this approach are very similar
to X.509 certificate authentication, but trust is instead placed on the client internal network address.
The benefit of this approach is that transparent authentication is achieved within a large corporate network without the need to manage certificates.
The benefit of this approach is that transparent authentication is achieved within a large corporate
network without the need to manage certificates.
<div class="alert alert-danger"><strong>Be Careful</strong><p>Keep in mind that this authentication mechanism should only be enabled for internal network clients with relatively static IP addresses.</p></div>
<div class="alert alert-danger"><strong>Be Careful</strong><p>Keep in mind that this authentication
mechanism should only be enabled for internal network clients with relatively static IP addresses.</p></div>
## Caveats
This method of authentication assumes internal clients will be hitting the CAS server directly and not coming via a web proxy. In the event of the client using the web proxy the likelihood of the remote address lookup succeeding is reduced because to CAS the client address is that of the proxy server and not the client. Given that this form of CAS authentication would typically be deployed within an internal network this is generally not a problem.
This method of authentication assumes internal clients will be hitting the CAS server directly
and not coming via a web proxy. In the event of the client using the web proxy the likelihood
of the remote address lookup succeeding is reduced because to CAS the client address is that
of the proxy server and not the client. Given that this form of CAS authentication would typically
be deployed within an internal network this is generally not a problem.
## Authentication Components
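Review bot: The Caveats paragraph only covers the direction in which a proxy makes this handler fail; the direction in which it makes the handler over-trust is missing and is the security-relevant one. The text says trust "is instead placed on the client internal network address" and that behind a proxy "to CAS the client address is that of the proxy server", so a forward proxy, reverse proxy or load balancer whose own address falls inside the configured range would cause every request it relays, including from external clients, to be transparently authenticated. Suggest adding a sentence after the proxy discussion along the lines of "Never deploy CAS behind a proxy or load balancer whose address lies within the configured network range, since the handler uses the address the connection arrives from and cannot distinguish relayed clients", and tying it back to the "Be Careful" alert above. The rest of this hunk is a rewrap of the existing paragraphs with no wording change.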
......@@ -34,17 +42,12 @@ Support is enabled by including the following dependency in the Maven WAR overla
</bean>
{% endhighlight %}
This authentication handler checks the inbound client IP address to see if it falls within the internal network. The `RemoteAddressAuthenticationHandler` bean has one property:
This authentication handler checks the inbound client IP address to see if it falls within the
internal network. The `RemoteAddressAuthenticationHandler` bean has one property:
- `ipNetworkRange` - This defines the internal network parameters in the form of a subnet and netmask. e.g. `192.168.1.0/255.255.255.0` or `10.0.0.0/255.255.0.0`.
- `ipNetworkRange` - This defines the internal network parameters in the form of a subnet and
netmask. e.g. `192.168.1.0/255.255.255.0` or `10.0.0.0/255.255.0.0`.
Also declare the following bean, which extracts the client's IP address from the request.
{% highlight xml %}
<bean id="remoteAddressCheck" class="org.jasig.cas.adaptors.generic.remote.RemoteAddressNonInteractiveCredentialsAction">
<property name="centralAuthenticationService" ref="centralAuthenticationService"/>
</bean>
{% endhighlight %}
### Configuring Webflow
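Review bot: Dropping the `remoteAddressCheck` bean declaration (the block between the `ipNetworkRange` bullet and `### Configuring Webflow`) leaves the document silent on where that action bean now comes from, so readers reach the webflow section without knowing it exists. Suggest replacing the removed paragraph with one sentence, e.g. "The `remoteAddressCheck` action bean is declared by the module's own Spring configuration and must not be redeclared in the overlay", so that users following the older instructions remove their copy rather than ending up with two definitions of the same bean id.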
......
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to Apereo under one or more contributor license
agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership.
Apereo licenses this file to you under the Apache License,
Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a
copy of the License at the following location:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<bean id="remoteAddressCheck"
class="org.jasig.cas.adaptors.generic.remote.RemoteAddressNonInteractiveCredentialsAction"
p:principalFactory-ref="principalFactory"
p:centralAuthenticationService-ref="centralAuthenticationService"/>
</beans>
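Review bot: The `beans` element declares the `context`, `util`, `c` and `mvc` namespaces and lists `schemaLocation` entries for `context`, `util` and `mvc`, but only the `p:` namespace is used; drop the unused declarations so the file does not reference schemas it never needs. Two points on the bean itself: it sets `p:principalFactory-ref="principalFactory"`, which the version of this bean removed from the docs in the previous hunk did not, so the docs should note that a `principalFactory` bean is expected to be present; and it reuses the id `remoteAddressCheck` that the old docs told users to declare in their overlay, so an overlay still carrying that definition will either override this one or fail to start depending on whether bean-definition overriding is enabled. Worth a line in the docs or the release notes.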