Tuesday, January 30, 2018

Programatically get files protected by a CAS SSO Server

My company uses Apereo CAS as a single sign on server.  It also protects our files from being download unless a user is logged in.  I have a number of background tasks that run that need to make some HTTP calls to one of our systems to pages that are protected by CAS

Whats the answer?

I decided to go with Basic Authentication.  You cannot use the proxy mechanism since you don;t have a logged in user.

Enable Basic Authentication on Server

You will need to rebuild your CAS overlay war. Add the following dependency to your pom.xml file.


Java Utility Class

This class sets up a Apache Http Client.  It is also used to set the headers on the request.  I found that preemptively sending the Basic Authentication headers was the way to get it to work.

package org.yfu.security;

import java.io.IOException;
import java.nio.charset.Charset;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import org.apache.http.HttpHeaders;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.CookieStore;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.AbstractHttpMessage;

public class CasBasicAuthUtil {
 private String username;
 private String password;

 public CasBasicAuthUtil(String username, String password) {
  this.username = username;
  this.password = password;

 public HttpClient getHttpClient() throws ClientProtocolException, IOException, 
                  NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
  // Create a local instance of cookie store
  CookieStore cookieStore = new BasicCookieStore();
   SSLContextBuilder builder = new SSLContextBuilder();
      builder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
      SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
      CredentialsProvider provider = new BasicCredentialsProvider();
      UsernamePasswordCredentials credentials
       = new UsernamePasswordCredentials(username, password);
      provider.setCredentials(AuthScope.ANY, credentials);
      CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(

  return httpclient;
 public void addHeaders(AbstractHttpMessage request) {
  String auth = username + ":" + password;
  byte[] encodedAuth = Base64.getEncoder().encode(
  String authHeader = "Basic " + new String(encodedAuth);
  request.setHeader(HttpHeaders.AUTHORIZATION, authHeader);


How to use the Utility

                CasBasicAuthUtil casUtil = new CasBasicAuthUtil("Usename", "Password");
  HttpClient client = casUtil.getHttpClient();
  final String url = getDocUrl(fileId);
  HttpGet httpGet = new HttpGet(url);
  HttpResponse response = client.execute(httpGet);
  final int statusCode = response.getStatusLine().getStatusCode();
  if (statusCode == 200) {
   //  we got the file.  Do something with it.