@@ -1,8 +1,10 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="cas"><info><title>CAS Authentication</title></info> |
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="cas" |
xmlns:xlink="http://www.w3.org/1999/xlink"> |
<title>CAS Authentication</title> |
<section xml:id="cas-overview"> |
<info><title>Overview</title></info> |
<title>Overview</title> |
<para>JA-SIG produces an enterprise-wide single sign on system known |
as CAS. Unlike other initiatives, JA-SIG's Central Authentication |
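Review bot: the `xmlns:xlink` declaration added to the `<chapter>` element is required by the `<link xlink:href=...>` that the client-configuration hunk of this same change introduces, so the two must land together or the document stops validating. A style point on the same hunk: `<info><title>...</title></info>` is replaced by a bare `<title>` on both the chapter and the overview section; both forms are valid DocBook 5, so apply one convention to the remaining sections of the chapter rather than leaving a mix.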
@@ -261,26 +263,21 @@
<section xml:id="cas-client"> |
<info><title>Configuration of CAS Client</title></info> |
<para> |
TODO: This section needs to be reviewed following CAS client updates for Spring Security 2.0 |
</para> |
<para>The web application side of CAS is made easy due to Spring |
Security. It is assumed you already know the basics of using Spring |
Security, so these are not covered again below. Only the CAS-specific |
beans are mentioned.</para> |
Security, so these are not covered again below. We'll assume a namespace |
based configuration is being used and add in the CAS beans as required. |
</para> |
<para>You will need to add a <literal>ServiceProperties</literal> bean |
to your application context. This represents your service:</para> |
<para><programlisting> |
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties"> |
<property name="service" value="https://localhost:8443/contacts-cas/j_spring_cas_security_check"/> |
<property name="sendRenew"><value>false</value></property> |
</bean> |
<para><programlisting><![CDATA[ |
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties"> |
<property name="service" value="https://localhost:8443/cas-sample/j_spring_cas_security_check"/> |
<property name="sendRenew" value="false"/> |
</bean>]]> |
</programlisting></para> |
<para>The <literal>service</literal> must equal a URL that will be |
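Review bot: the `TODO: This section needs to be reviewed following CAS client updates for Spring Security 2.0` text is added as an ordinary `<para>`, so it will be rendered in the published manual; move it into an XML comment or a `<remark>` element. Wrapping the `serviceProperties` listing in `<![CDATA[ ... ]]>` is the right fix, since the earlier listing placed raw `<bean>` and `<property>` markup directly inside `<programlisting>`, where a DocBook validator treats them as unknown child elements rather than as text. The listing also shows `sendRenew` set to `false` with no explanation; a sentence on what that property controls would help readers decide whether that value is appropriate for their service.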
@@ -294,44 +291,37 @@
<para>The following beans should be configured to commence the CAS |
authentication process:</para> |
<para><programlisting> |
<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter"> |
<property name="authenticationManager" ref="authenticationManager"/> |
<property name="authenticationFailureUrl" value="/casfailed.jsp"/> |
<property name="defaultTargetUrl" value="/"/> |
<property name="filterProcessesUrl" value="/j_spring_cas_security_check"/> |
</bean> |
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter"> |
<property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint"/> |
</bean> |
<bean id="casProcessingFilterEntryPoint" |
class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint"> |
<property name="loginUrl" value="https://localhost:8443/cas/login"/> |
<property name="serviceProperties" ref="serviceProperties"/> |
</bean> |
<para><programlisting><![CDATA[ |
<security:authentication-manager alias="authenticationManager"/> |
<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter"> |
<security:custom-filter after="CAS_PROCESSING_FILTER"/> |
<property name="authenticationManager" ref="authenticationManager"/> |
<property name="authenticationFailureUrl" value="/casfailed.jsp"/> |
<property name="defaultTargetUrl" value="/"/> |
</bean> |
<bean id="casProcessingFilterEntryPoint" |
class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint"> |
<property name="loginUrl" value="https://localhost:9443/cas/login"/> |
<property name="serviceProperties" ref="serviceProperties"/> |
</bean> |
]]> |
</programlisting></para> |
<para>You will also need to add the <literal>CasProcessingFilter</literal> to web.xml:</para> |
<para><programlisting> |
<filter> |
<filter-name>casProcessingFilter</filter-name> |
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> |
</filter> |
<filter-mapping> |
<filter-name>casProcessingFilter</filter-name> |
<url-pattern>/*</url-pattern> |
</filter-mapping> |
</programlisting></para> |
<para> |
The <classname>CasProcessingFilterEntryPoint</classname> should be selected to |
drive authentication using <link xlink:href="ns-entry-point-ref"><literal>entry-point-ref</literal></link>. |
</para> |
<para>The <literal>CasProcessingFilter</literal> has very similar |
properties to the <literal>AuthenticationProcessingFilter</literal> |
(used for form-based logins). Each property is |
self-explanatory.</para> |
self-explanatory. Note that we've also used the namespace syntax |
for setting up an alias to the authentication mnager, since the |
<literal>CasProcessingFilter</literal> needs a reference to it.</para> |
<para>For CAS to operate, the |
<literal>ExceptionTranslationFilter</literal> must have its |
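Review bot: `<link xlink:href="ns-entry-point-ref">` targets a section id inside this manual, but `xlink:href` is resolved as a URI, so the rendered link would point at a relative path named `ns-entry-point-ref`; use `<link linkend="ns-entry-point-ref">` or `<xref linkend="ns-entry-point-ref"/>` for an internal cross-reference. Three smaller points in the same hunk: `authentication mnager` should read `authentication manager`; the trailing sentence `For CAS to operate, the ExceptionTranslationFilter must have its ...` still describes the explicit `exceptionTranslationFilter` bean that the new listing drops in favour of `entry-point-ref`, so it needs rewording to match; and the web.xml listing carries raw `<filter>` markup inside `<programlisting>` without a CDATA section, the same well-formedness problem that the bean listing above it fixes.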
@@ -343,70 +333,35 @@
which provides the URL to the enterprise's CAS login server. This is |
where the user's browser will be redirected.</para> |
<para>Next you need to add an <literal>AuthenticationManager</literal> |
that uses <literal>CasAuthenticationProvider</literal> and its |
collaborators:</para> |
<para><programlisting> |
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager"> |
<property name="providers"> |
<list> |
<ref bean="casAuthenticationProvider"/> |
</list> |
</property> |
</bean> |
<bean id="casAuthenticationProvider" |
class="org.springframework.security.providers.cas.CasAuthenticationProvider"> |
<property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property> |
<property name="casProxyDecider"><ref bean="casProxyDecider"/></property> |
<property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property> |
<property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property> |
<property name="key"><value>my_password_for_this_auth_provider_only</value></property> |
</bean> |
<bean id="casProxyTicketValidator" |
class="org.springframework.security.providers.cas.ticketvalidator.CasProxyTicketValidator"> |
<property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property> |
<property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property> |
<property name="serviceProperties"><ref bean="serviceProperties"/></property> |
<!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> --> |
</bean> |
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> |
<property name="configLocation"> |
<value>classpath:/ehcache-failsafe.xml</value> |
</property> |
</bean> |
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> |
<property name="cacheManager"> |
<ref local="cacheManager"/> |
</property> |
<property name="cacheName"> |
<value>ticketCache</value> |
</property> |
</bean> |
<bean id="statelessTicketCache" class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache"> |
<property name="cache"><ref local="ticketCacheBackend"/></property> |
</bean> |
<bean id="casAuthoritiesPopulator" |
class="org.springframework.security.providers.cas.populator.DaoCasAuthoritiesPopulator"> |
<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> |
</bean> |
<bean id="casProxyDecider" class="org.springframework.security.providers.cas.proxy.RejectProxyTickets"/> |
</programlisting></para> |
<para>Next you need to add a <literal>CasAuthenticationProvider</literal> and its |
collaborators: |
<programlisting><![CDATA[ |
<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider"> |
<security:custom-authentication-provider /> |
<property name="userDetailsService" ref="userService"/> |
<property name="serviceProperties" ref="serviceProperties" /> |
<property name="ticketValidator"> |
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> |
<constructor-arg index="0" value="https://localhost:9443/cas" /> |
</bean> |
</property> |
<property name="key" value="an_id_for_this_auth_provider_only"/> |
</bean> |
<security:user-service id="userService"> |
<security:user name="joe" password="joe" authorities="ROLE_USER" /> |
... |
</security:user-service>]]> |
</programlisting> |
The <classname>CasAuthenticationProvider</classname> uses a <interfacename>UserDetailsService</interfacename> |
instance to load the authorities for a user, once they have been authentiated by CAS. We've shown a simple |
in-memory setup here. |
</para> |
<para>The beans are all reasonable self-explanatory if you refer back |
to the "How CAS Works" section. Careful readers might notice one |
surprise: the <literal>statelessTicketCache</literal> property of the |
<literal>CasAuthenticationProvider</literal>. This is discussed in |
detail in the "Advanced CAS Usage" section.</para> |
to the "How CAS Works" section.</para> |
</section> |
<!-- |
<para>Note the <literal>CasProxyTicketValidator</literal> has a |
remarked out <literal>trustStore</literal> property. This property |
might be helpful if you experience HTTPS certificate issues. Also note |
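Review bot: two typos in the new prose of this hunk: `authentiated` should be `authenticated`, and `reasonable self-explanatory` should be `reasonably self-explanatory`. The new listing replaces `CasProxyTicketValidator`, `casProxyDecider` (`RejectProxyTickets`) and `statelessTicketCache` with a single `Cas20ServiceTicketValidator`, yet the surrounding text says nothing about how proxy tickets and stateless clients are treated under the new setup, and the commented-out paragraph at the end still refers to the `CasProxyTicketValidator` `trustStore` property; either state the new behaviour in a sentence or remove that stale paragraph. The `...` inside the `<security:user-service>` CDATA block reads as an elision to a human but will be rendered literally in the listing, so consider replacing it with a comment such as `<!-- further users -->`.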
@@ -501,5 +456,7 @@
<para>It is hoped you find CAS integration easy and useful with Spring |
Security classes. Welcome to enterprise-wide single sign on!</para> |
</section> |
--> |
</chapter> |
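Review bot: the `-->` here closes the `<!--` opened right after the `cas-client` section, so the remainder of the old chapter (the `trustStore` note, the closing paragraph and its `</section>`) is commented out rather than deleted. Content parked in an XML comment rots silently and breaks the build as soon as a `--` sequence ends up inside it (a commented-out `<property>` line, for instance, cannot be nested there); delete the block, or reference it from the TODO at the top of the client section so it is revisited rather than forgotten.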