apisaml-2.0casquarkusapereo

How to make Quarkus use Apereo CAS or SAML2 authentication


I am a computer science student and have used Quarkus for several projects in the past year. I recently received a new project where I have to create a rest API. Because I have to do a lot in a short time, I use Quarkus to easily do the job with RESTEasy for my web services.

But this API has to authenticate the user by using Apereo with protocols CAS or SAML2. Moreover I have no experience in using Java security plugins.

I also searched about how to deal with that by using keycloak, Apereo Jboss client, Apero Spring boot client or by having a service along with Quarkus like a Tomcat that will do the authentication job. But I don't know which one would be the best and even which one would actually work.

Do you have any experience around that ? Or what could I use to make my Quarkus API work with Apereo ?

Thank you very much for your time and help,

Best regards,

Thomas


Solution

  • Sorry for being late to the party, but I actually did a quarkus - apareo cas integration. Basically I added quarkus-undertow extension to be able to use src/main/resources/META-INF/web.xml. Also I used org.jasig.cas.client:cas-client-core:3.6.1 to have the cas filters. And my web.xml contains something like this:

    <context-param>
        <param-name>serverName</param-name>
        <param-value>${cas.redirect.url}</param-value>
    </context-param>
    
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>${cas.login.url}</param-value>
        </init-param>
        <init-param>
            <param-name>ignorePattern</param-name>
            <param-value>/proxy/</param-value>
        </init-param>
        <init-param>
            <param-name>ignoreUrlPatternType</param-name>
            <param-value>CONTAINS</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
    
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>${cas.base.url}</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
    
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
    
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    

    Saml integration is similar, just use the SAML filters. For more information on configuration options, please see java-cas-client

    Off topic, why do you need to authenticate a API via CAS? It redirects you to that CAS login window, then it redirects you back. you cant use this API via postman or curl. Also an API doesn't store any session about the user, so this redirect dance happens every time. This is not how API's are secured. Web pages or web applications yes, but not API's.